robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mums proof reading from the weekend

Browse Source
This commit is contained in:
Robin Clark 2010-09-27 20:43:01 +01:00
parent 459d924cae
commit 3e3ec9a563
9 changed files with 63 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
component_failure_modes_definition/component_failure_modes_definition.tex
View File

@ -32,11 +32,11 @@ Mathematical constraints and definitions are made using set theory.
\section{Introduction}
This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method.
When analysing a safety critical system using
this technique, we need clearly defined failure modes for
this methodology, we need clearly defined failure modes for
all the components that are used to model the system.
In our model we have a constraint that
In our model, we have a constraint that
the component failure modes must be mutually exclusive.
When this constraint is complied with we can use the FMMD method to
When this constraint is complied with, we can use the FMMD method to
build hierarchical bottom-up models of failure mode behaviour.
%This and the definition of a component are
%described in this chapter.
@ -62,8 +62,8 @@ build hierarchical bottom-up models of failure mode behaviour.
\label{fig:component}
\end{figure}
Let us first define a component. This is anything which we use to build a
product or system with.
Let us first define a component. This is anything with which we use to build a
product or system.
It could be something quite complicated
like an integrated microcontroller, or quite simple like the humble resistor.
We can define a
@ -136,7 +136,7 @@ to see how they could be caused. Some apply statistical techniques to
determine the likelihood of component failures
causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse,
can be applied to specific failure modes in components and the probability of them causing given system level errors.
Another top down technique is to apply cost benefit analysis
Another top down methodology is to apply cost benefit analysis
to determine which faults are the highest priority to fix\cite{bfmea}.
The aim of FMMD analysis is to produce complete failure
models of safety critical systems from the bottom-up,
@ -198,8 +198,9 @@ and creates a new {\dc} from it.
%must consider all the failure modes of the components in the functional
%group.
The newly created {\dc} requires a set of failure modes of its own.
These failure modes are the failure mode behaviour of the {\fg} that it was derived from.
Because these new failure modes were derived from a {\fg} we can call
These failure modes are the failure mode behaviour of the {\fg} from which it was derived.
%
Because these new failure modes were derived from a {\fg}, we can call
these `derived~failure~modes'.
%It then creates a new derived~component object, and associates it to this new set of derived~failure~modes.
We thus have a `new' component, or system building block, but with a known and traceable
@ -309,8 +310,8 @@ fm : \mathcal{FG} \rightarrow \mathcal{F}
\paragraph{Design Descision/Constraint}
An important factor in defining a set of failure modes is that they
should be represent the failure modes as simply and minimally as possible.
It should not be possible, for instance for
should represent the failure modes as simply and minimally as possible.
It should not be possible, for instance, for
a component to have two or more failure modes active at once.
Were this to be the case, we would have to consider additional combinations of
failure modes within the component.
@ -348,7 +349,7 @@ An example of a component with an obvious set of ``unitary~state'' failure mode
Electrical resistors can fail by going OPEN or SHORTED.
For a given resistor R we can apply the
the function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with both conditions open and short active at the same time! The conditions
OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
@ -356,13 +357,13 @@ Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
The intersection of these is therefore the empty set, $$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$,
The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
therefore
$ fm(R) \in \mathcal{U} $.
We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection
We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
of component failure modes.
We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns
whether a fault mode is active (true) or dormant (false).
@ -394,7 +395,7 @@ All components must have unitary state failure modes to be used with the FMMD me
Where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made
\footnote{A modern microcontroller will typically have several modules, which are configurged to operate on
\footnote{A modern microcontroller will typically have several modules, which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers \cite{pic18f2523}}.
For instance the voltage reading functions which consist

4
eulerg/eulerg.tex
View File

@ -164,7 +164,7 @@ As the relationships {\em enclosure} and {\em pair-wise intersection} are mutual
and {\em enclosure} is transitive and {\em pair-wise intersection} is not, we can represent
an {\em enclosure} relationship as a directed vertice and
{\pic} as non-directed on the same graph.
Figures \ref{fig:eulerg1} and \ref{fig:eulerg_enc} show euler diagrams with corresponding
Figures \ref{fig:eulerg1} and \ref{fig:eulerg_enc} show Euler diagrams with corresponding
graphs. The next section will introduce the concept of a {\pic}
and will present graphs where both enclosure and pair-wise
intersection are represented on the same graph.
@ -310,7 +310,7 @@ that are not, or would not become members of the {\pic} $P$.
\end{definition}
That is to say, the the number of zones within a {\pic} is not affected by changes in the diagram
that do not alter the {\pic}.
This allows us to analyses {\pic}s separately, thus reducing the $2^N$ overhead of analysing an Euler diagram for available zones.
This allows us to analyse {\pic}s separately, thus reducing the $2^N$ overhead of analysing an Euler diagram for available zones.
\pagebreak[3]
\subsection{Available Zone Searching}

34
fmmd_concept/fmmd_concept.tex
View File

@ -28,7 +28,7 @@ The Failure Mode Modular De-composition
(FMMD) methodology presented here provides a more detailed and analytical
modelling system from which
the data models from FTA, FMEA and the statistical approach can be
derived from.
derived.
It also applies analysis stages to the failure mode analysis process
ensuring that all component failure modes must be considered in the model.
@ -40,7 +40,7 @@ paper
{
chapter
}
presents a bottom up modular technique, a variant of FMEA, where instead of looking
presents a bottom up modular methodology, a extension and refinement of FMEA, where instead of looking
at individual component failure modes and deciding on their impact on the SYSTEM
it uses the component failure modes, to build modules or derived components.
This methodology has been named Failure Mode Modular De-composition (FMMD)
@ -77,8 +77,8 @@ This places a burden of taking individual component failure modes
and trying to determine what affects this will have at SYSTEM level.
Justifications for this methodology are often statistical and Bayes Theorem \cite{probstat}
is often cited.
This lacks precision, or in order words, determinability prediction accuracy,
as often the compoinent failure mode cannt be proven to cause a SYSTEM level failure, only to make it more likely.
This lacks precision, or in other words, determinability prediction accuracy,
as often the component failure mode cannt be proven to cause a SYSTEM level failure, only to make it more likely.
Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
\subsection { Statistical Analyis }
@ -86,16 +86,16 @@ Also, it can miss combinations of failure modes that will cause SYSTEM level err
This uses MTFF and other statisical models to determine the probability of
failures occurring. A component failure mode, given its MTTF
the probability oif detecting the fault and its safety safety relevant validation time $\tau$,
the probability of detecting the fault and its safety relevant validation time $\tau$,
contributes a simple risk factor that is summed
in to give a final risk result. Thus a statistical
model can be implemented on a spreadsheet, where each component
has a calculated risk, and estimated risk importance
and these are all summed to give the final asssement figure.
and these are all summed to give the final assement figure.
The Statistical Analysis method is used from two perspectives,
Probability of Failure on Demand (PFD), and Probability of Failure
in contiuous Operation, Failure in Time (FIT) and measured in failures per billion ($10^9$) hours of operation.
in continuous Operation, Failure in Time (FIT) and measured in failures per billion ($10^9$) hours of operation.
For instance with the anti-lock system on a automobile braking
system, we would be interested in PFD.
For a continuously running nuclear powerstation
@ -106,7 +106,7 @@ lack of determinability prediction accuracy, as FMEA above.
By this we may have the MTTF of some critical component failure
modes, but we can only guess, in most cases what the safety case outcome
will be if it occurrs.
will be if it occurs.
This leads to having components within a SYSTEM partitioned into different
safety level zones \cite{en61508}. This is a vague way of determining
@ -123,7 +123,7 @@ of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
\item All component failure modes must be considered in the model.
\item It should be easy to integrate mechanical, electronic and software models.
\item It should be re-usable, in that commonly used modules can be re-used in other designs/projects.
\item It should have a formal babsis, that is to say it should be able to produce mathematical proofs
\item It should have a formal basis, that is to say, it should be able to produce mathematical proofs
for its results.
\item It should be capable of producing reliability and danger evaluation statistics.
\item It should be easy to use.
@ -150,11 +150,11 @@ An industrial burner is a nice example of a safety critical system.
It has some lethal risks and some environmental.
It could, by igniting an explosive mixture, cause an explosion.
By burning incorrect proportions of fuel and air, it could be ineffecient and waste
resources, or worse could cause poisinous burning (typically carbon monoxide, but also
where flame temperature is very high, can produce NOX emmissions)
resources, or worse could cause poisonous burning (typically carbon monoxide, but also
where flame temperature is very high, can produce NOX emmissions).
To prevent igniting an explosive mixture, air is pumped though the furnace
chanber on start-up, and this is verified with an air pressure switch.
chamber on start-up, and this is verified with an air pressure switch.
NEED A DIAGRAM HERE
@ -177,7 +177,7 @@ The flame scanner is thus a two resistor voltage divider.
\subsection{The Flame Scanner}
\subsubsection{Macro FTA perspective}
SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISINOUS BURNING CO, POISINOUS BURNING NOX, FAILS TO LIGHT etc
SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISONOUS BURNING CO, POISONOUS BURNING NOX, FAILS TO LIGHT etc
Follow the explosion tree down to flame scanner fails ON, and OFF
@ -188,12 +188,12 @@ Each of the resistors is considered critical, in the statistical case, and so th
is added inot the DANGEROUS section.
For FMEA the resistor failures add up to the SYSTEM level, show this is inappropriate
and makes several jumps in applied knowledge, thus bayes theorem etc
and makes several jumps in applied knowledge, thus Bayes theorem etc
\subsubsection{Micro FMMD perspective}
Here show how the flame scanner becomes a black box, or component in itsself.
Here show how the flame scanner becomes a black box, or component in itself.
How it is now available to be integrated into higher level designs.
%and then an ignition position is checked.
@ -217,8 +217,8 @@ air pressure sensor
\section{Base Level Components}
A common factor with all safety critical systems, is
the bought in components. Be these
electrical, mechanical or firmware, they all
base level -or- bought in components. Be these
electrical, mechanical or firmware, they should all
have known failure modes.
\subsection { Failure modes defining the component}

15
fmmdset/fmmdset.tex
View File

@ -7,7 +7,7 @@
\begin{abstract}
This paper describes a process for analysing safety critical systems, to formally prove how safe the
designs and built -in safety measures are. It provides
the rigourous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
the rigorous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
Using symptom extraction, and taking {\fgs} of components, a fault behaviour
hierarchy is built, forming a fault model tree.
From the fault model trees,
@ -21,7 +21,7 @@ EN298, EN61508, EN12067, EN230, UL1998.
{
This chapter describes a process for analysing safety critical systems, to formally prove how safe the
designs and built -in safety measures are. It provides
the rigourous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
the rigorous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
Using symptom extraction, and taking {\fgs} of components, a fault behaviour
hierarchy is built, forming a fault model tree.
From the fault model trees,
@ -41,8 +41,7 @@ EN298, EN61508, EN12067, EN230, UL1998.
The purpose of the FMMD methodology is to apply formal techniques to
the assessment of safety critical designs, aiding in identifying detected and undetected faults
\footnote{Undetectable faults
are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
\footnote{Undetectable faults are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
Formal methods are just beginning to be specified in some safety standards.\footnote{Formal methods
such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but
apply only to software currently.} However, some standards are now implying the handling of
@ -73,7 +72,7 @@ The statistical method
requires additional Mean Time To Failure (MTTF) data for all part failure modes.
The FMMD methodology applies defined stages and processes that will
create a modular fault mode hierarchy. From this
create a modular fault mode hierarchy. From this,
complete fault analysis trees can be determined. It uses a modular approach, so that repeated sections
of system design can be modelled once, and re-used.
%formally prove safety critical
@ -107,7 +106,7 @@ components that interact and naturally form {\fgs}. The initial {\fgs} are thus
From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail.
For this study a {\fg} will mean a collection of components.
In order to determine the symptoms or failure modes of a {\fg}
In order to determine the symptoms or failure modes of a {\fg},
we need to consider all failure modes of its components.
By analysing the fault behaviour of a `{\fg}' with respect these failure modes
we can derive a new set of possible failure modes.
@ -294,7 +293,7 @@ In FTA\cite{nucfta}\cite{nasafta} terminology, these paths through the tree are
A hierarchy of levels of faults becoming more abstract at each level should
converge to a small sub-set of system level errors.
This thinning out of the number of system level errors is borne out in practise;
This thinning out of the number of system level errors is borne out in practice;
real time control systems often have a small number of major reportable faults (typically $ < 50$),
even though they may have accompanying diagnostic data.
@ -541,7 +540,7 @@ simply be given a different index number and re-used.
It is common in safety critical systems to use redundancy.
Two or sometimes three control systems will be assigned to the same process.
An arbittration system, the arbiter, will decide which channel may control
An arbitration system, the arbiter, will decide which channel may control
the equipment.
Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.

8
symptom_ex_process/algorithm.tex
View File

@ -290,7 +290,7 @@ the test case failure modes will cause.
In the case of a simple
electronic circuit, we could calculate the effect on voltages
within the circuit given certain component failure modes, for instance.
The affect of these unusual volatges would then be a failure
The affect of these unusual voltages would then be a failure
mode of the functional group and become the result of the test case.
When each test case has been analysed, we have a set of
results. These are the failure modes of the functional group.
@ -460,7 +460,7 @@ $$ \bowtie: \mathcal{FG} \rightarrow \mathcal{DC} $$
\end{algorithmic}
\end{algorithm}
The symptom abstraction technique allows us to take a functional group of components,
The symptom abstraction methodology allows us to take a functional group of components,
analyse the failure
mode behaviour and create a new entity, a derived~component, that has its own set of failure modes.
The checks and constraints applied in the algorithm ensure that all component failure
@ -475,7 +475,7 @@ as the hierarchy progresses upwards.
%This is seen by casual observation of real life Systems. NEED A GOOD REF HERE
At the highest levels the number of faults
is significantly less than the sum of its component failure modes.
A Sound system might have, for instance only four faults at its highest or System level,
A sound system might have, for instance only four faults at its highest or system level,
\small
$$ SoundSystemFaults = \{TUNER\_FAULT, CD\_FAULT, SOUND\_OUT\_FAULT, IPOD\_FAULT\}$$
\normalsize
@ -483,7 +483,7 @@ The number of causes for any of these faults is very large.
It does not matter to the user, which combination of component failure~modes caused the fault.
But as the hierarchy goes up in abstraction level, the number of faults goes down.
\subsection{Tracable Fault Modes}
\subsection{Traceable Fault Modes}
Because the fault modes are determined from the bottom-up, the causes
for all high level faults naturally form trees.

2
symptom_ex_process/introduction.tex
View File

@ -7,7 +7,7 @@ and then determining how that {\fg} can fail.
%
With this information, we can treat the {\fg}
as a component in its own right.
This new component, is a derived from the {\fg}.
This new component, is derived from the {\fg}.
In the field of safety engineering this derived component corresponds to a low~level sub-system.
%The technique uses a graphical notation, based on Euler\cite{eulerviz} and Constraint diagrams\cite{constraint} to model failure modes and failure mode common symptom collection. The technique is designed for making building blocks for a hierarchical fault model.
%

8
symptom_ex_process/process.tex
View File

@ -191,13 +191,13 @@ $c\_2$ & $fs\_7$ & $g_{7}$ & SP2\\ \hline
Table~\ref{tab:fexsymptoms} shows the analysis process.
As we are only looking at single fault possibilities for this example each test case
is represented by one failure mode.
Chosen combinations of Component failure modes become test cases\footnote{The test case stage is necessary because for more complex analysis we have to consider the effects of combinations of component failure modes}.
Chosen combinations of component failure modes become test cases\footnote{The test case stage is necessary because for more complex analysis we have to consider the effects of combinations of component failure modes.}.
The test cases are analysed w.r.t. the functional~group.
These become functional~group~failure~modes ($g$'s).
The functional~group~failure~modes are how the functional group fails for the test~case, rather than how the components failed.
For the sake of example, let us consider the fault symptoms of the {\fg} $FG$ to be $\{g_2, g_4, g_5\}$
As failure modes, these
As failure modes, these are
identical from the perspective of the functional~group.
That is to say, the way in which functional~group fails if $g_2$, $g_4$ or $g_5$ % failure modes
occur, is going to be the same.
@ -234,7 +234,7 @@ We can thus apply the function $fm$ on this newly derived component thus:
$$ fm(DC) = \{ SP1, SP2, SP3 \} $$
Note that $g_6$ has \textbf{not dissappeared from the analysis process}.
Note that $g_6$ has \textbf{not disappeared from the analysis process}.
Were the designer to have overlooked this test case, it would appear as a failure mode of the derived component.
i.e. were it not to have been grouped in $SP3$, $ fm(DC)$ would have been $ \{ SP1, SP2, g_6 \}$.
Because the process can be computerised, we can easily flag symptoms that have not been
@ -253,7 +253,7 @@ from base level components cannot be overlooked.
The process must not allow failure modes to be ignored or forgotten (see project aims in section \ref{requirements}).
}
%
The newly derived component $DC$ is availble for use to form higher level functional groups, and we can thus
The newly derived component $DC$ is available for use to form higher level functional groups, and we can thus
consider DC as being in the set of components i.e. $DC \in \mathcal{C}$
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

6
symptom_ex_process/sys_abs.tex
View File

@ -1,3 +1,9 @@
%%
%%
%% OBSOLETE DO NOT EDIT
%%
%%
%%
\section{The Symptom Extraction Process}
% TO DO: separate these two:

14
symptom_ex_process/topbot.tex
View File

@ -3,20 +3,20 @@
\subsection{Static Analysis}
In the field of safety critical engineering; to comply with
European Law a product must be certified under the appropriate `EN' standard.
In the field of safety critical engineering, to comply with
European Law, a product must be certified under the appropriate `EN' standard.
Typically environmental stress, EMC, electrical stressing, endurance tests,
software~inspections and project~management quality reviews are applied \cite{sccs}.
Static testing is also applied. This is theoretical analysis of the design of the product from the safety
perspective.
Three main techniques are currently used,
Three main methodologies are currently used,
Statistical failure models, FMEA (Failure mode Effects Analysis) and FTA (Fault Tree Analysis).
The FMMD technique is a static modelling methodology, aimed primarily as design verification for
The FMMD process is a static modelling methodology, aimed primarily as design verification for
safety critical systems.
However, FMMD also provides the mathematical framework
to assist in the production of the three traditional methods of static analysis.
From the model created by the FMMD technique, statistical, FTA and FMEA models
From the model created by the FMMD methodology, statistical, FTA and FMEA models
can be derived.
FMMD can model electrical, mechanical and software using a common notation,
and can thus model an entire electro mechanical software controlled system.
@ -60,7 +60,7 @@ Top down formal fault isolation/finding techniques for electronics are described
%% this study needs to use this term to keep the interested/in context.
The term `sub-system' is typically used in top down methodologies.
It has two equivalents in FMMD.
Both {\fg} and {\dc} correspond to the top doiwn concept of a `sub-system'.
Both {\fg} and {\dc} correspond to the top down concept of a `sub-system'.
In FMMD a {\fg} becomes a {\dc} after analysis.
The term sub-system will be used alongside both {\fg} and {\dc} where necessary.
@ -73,7 +73,7 @@ Systems, the sub-systems themselves may be broken down into simpler sub-systems.
A top down hierarchy is shown in figure \ref{fig:tdh}.
\subsection{FMMD - Bottom~up Analysis}
The FMMD technique does not follow the `natural fault finding' or top down approach,
The FMMD methodology does not follow the `natural fault finding' or top down approach,
it instead works from the bottom up.
Starting with a collection of base~components that form
a simple functional group, the effect of all component error modes are