diff --git a/papers/fmmd_software_hardware/software_fmea.tex b/papers/fmmd_software_hardware/software_fmea.tex index e6dd0ba..0f3ab0a 100644 --- a/papers/fmmd_software_hardware/software_fmea.tex +++ b/papers/fmmd_software_hardware/software_fmea.tex @@ -122,7 +122,7 @@ failure mode of the component or sub-system}}} } %\title{Developing a rigorous bottom-up modular static failure mode modelling methodology} -\title{Applying FMEA across the Software/Hardware Interface} +\title{Applying FMMD across the Software/Hardware Interface} %\nodate \maketitle diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index a0c91e0..54b3f5a 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex 
@@ -20,13 +20,22 @@ Mathematical constraints and definitions are made using set theory.} { \section{Overview} This chapter defines the FMMD process and related concepts and calculations. +FMMD is in essence modularised FMEA. Rather than taking each component failure mode +and extrapolating top level or system failure symptoms from it, +small groups of components are collected into {\fgs} and analysed, +and then {\dcs} are used to represent the {fgs}. +These {\dcs} are used to then build further {\fgs} until a hierarchy of {\fgs} +and {\dcs} has been built, converging to a final {\dc} +at the top of the hierarchy. + Firstly, %what is meant by the terms components, failure~modes, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes are defined. % The general concept of the cardinality constrained powerset is introduced -and calculations for it described, and then performance -calculations (comparing traditional FMEA and FMMD). % under `unitary state' fault mode conditions. +and calculations for it described, and performance +calculations (comparing traditional FMEA and FMMD) +are presented. % under `unitary state' fault mode conditions. % Data types and their relationships are described using UML. Mathematical constraints and definitions are made using set theory. 
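Review bot: the macro in "and then {\dcs} are used to represent the {fgs}." is missing its backslash; "{fgs}" will typeset as the literal text fgs rather than expanding the functional-group macro, while the line before it correctly writes "{\fgs}". Change it to "{\fgs}". The rewording of the powerset/performance sentence ("and performance calculations (comparing traditional FMEA and FMMD) are presented.") otherwise reads correctly.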
@@ -44,14 +53,14 @@ chapter } describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method. When analysing a safety critical system using -this methodology, we need clearly defined failure modes for -all the components that are used to model the system. +any form of Failure Mode Effects Analysis (FMEA), we need clearly defined failure modes for +all the components that are used in a given system. % -In our model, we have a constraint that -the component failure modes must be mutually exclusive within individual components. +We introduce a constraint that +component failure modes must be mutually exclusive within individual components. This concept is later developed as the condition of `unitary state' fault modes. -When this constraint is complied with, we can use the FMMD method to -build hierarchical bottom-up models of failure mode behaviour. +%When this constraint is complied with, we can use the FMMD method to +%build hierarchical bottom-up models of failure mode behaviour. %This and the definition of a component are %described in this chapter. %When building a system from components, 
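Review bot: commenting out "When this constraint is complied with, we can use the FMMD method to build hierarchical bottom-up models of failure mode behaviour." leaves the mutual-exclusion constraint introduced without stating why FMMD needs it; the surviving sentence only says the concept is developed later as unitary state. Either keep that sentence or fold its reason into "We introduce a constraint that component failure modes must be mutually exclusive within individual components." Separately, the expansion "any form of Failure Mode Effects Analysis (FMEA)" is normally written "Failure Mode and Effects Analysis"; use one expansion consistently across the thesis.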
@@ -92,21 +101,153 @@ defines a `part' thus The term component, in American English, can mean a building block or a part. In British-English a component generally is given to mean the definition for part above. For this study, we will use {\bc} to mean a `part', and component -to mean a part or a sub-assembly. +to mean a part or a sub-assembly. Definitions used in FMMD is given in table~\ref{tbl:fmmd_defs} + +%% +\subsection{Systems, functional groups, sub-systems and failure modes} + +It is helpful here to define the terms, `system', `functional~group', `component', `base~component', `symptom' and `derived~component/sub-system'. +These are listed in table~\ref{tab:symexdef}. + +A system, is any coherent entity that would be sold as a product. % safety critical product. +A sub-system is a system that is part of some larger system. +For instance a stereo amplifier separate/slave is a sub-system. The +whole sound system, consists perhaps of the following `sub-systems': +CD-player, tuner, amplifier~separate, loudspeakers and ipod~interface. + +%Thinking like this is a top~down analysis approach +%and is the way in which FTA\cite{nucfta} analyses a System +%and breaks it down. +\paragraph{Sub-systems, {\fgs} and components.} +A sub-system will be composed of components, which +may themselves be sub-systems. However each `component' +will have a fault/failure behaviour and it should +always be possible to obtain a set of failure modes +for each `component'. +%In FMMD terms a sub-system is a derived component. + +If we look at the sound system example, +the CD~player could fail in several distinct ways, +and this could have been caused by a number of component failure modes. +%no matter what has happened to it or has gone wrong inside it. + + +Using the reasoning that working from the bottom up forces the consideration of all possible +component failures (which can be missed in a top~down approach \cite{faa}[Ch.9]) +we are presented with a problem. 
Which initial collections of base components should we choose? + +For instance in the CD~player example; if we start at the bottom, we are presented with +a massive list of base~components, resistors, motors, user~switches, laser~diodes, all sorts! +Clearly, working from the bottom~up, we need to pick small +collections of components that work together in some way. +These are termed `functional~groups'. For instance the circuitry that powers the laser diode +to illuminate the CD might contain a handful of components, and as such would make a good candidate +to be one of the base level functional~groups. + +\paragraph{Functional group to {\dc} process outline.} +In choosing the lowest level (base component) sub-systems we would look +for the smallest `functional~groups' of components within a system. +We can define a functional~group as a set of components that interact +to perform a specific function. + +When we have analysed the fault behaviour of a functional group, we can treat it as a `black box'. +The fault behaviour will consist of a set of `symptoms' caused by combinations +of its component failure modes. +We can thus make a new `component' derived from the functional~group. +The symptoms of the {\fg} are the failure modes of this new `derived component'. + +%We can now call our functional~group a sub-system or a derived~component. +%The goal here is to know how it will behave under fault conditions ! +%Imagine buying one such `sub~system' from a very honest vendor. +%One of those sir, yes but be warned it may fail in these distinct ways, here +%in the honest data sheet the set of failure modes is listed! + + +%This type of thinking is starting to become more commonplace in product literature, with the emergence +%of reliability safety standards such as IOC1508\cite{sccs},EN61508\cite{en61508}. +%FIT (Failure in Time - expected number of failures per billion hours of operation) values +%are published for some micro-controllers. 
A micro~controller +%is a complex sub-system in its self and could be considered a `black~box' with a given reliability. +%\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD +%1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component} + +Electrical components have detailed datasheets associated with them. A useful extension of this could +be failure modes of the component, with environmental factors and MTTF statistics. +Currently this sort of failure mode information is generally only available for generic component types \cite{mil1991}. + +\begin{table}[h] +\center +\begin{tabular}{||p{3cm}|p{10cm}||} + +\hline \hline + {\em Definition } & {\em Description} \\ \hline + +System & A product designed to + work as a coherent entity \\ \hline + + +Sub-system & A part of a system, +-or- derived component sub-systems may contain sub-systems. + derived~components may be derived + from derived components + Constraint: This object must have a defined set of failure~modes \\ \hline + +Failure mode & A way in which a system, + sub-system or component can fail \\ \hline + +Functional Group & A collection of sub-systems and/or + components that interact to + perform a specific function \\ \hline + +Symptom & A failure mode of a functional group, caused by + a combination of its component failure modes \\ \hline + +Base Component & Any bought in component, or + lowest level module/or part + Constraint: This object must have a defined set of failure~modes \\ \hline + +Unitary State & A component may be in only one of its failure modes at a time. 
\\ + \hline +\end{tabular} +\caption{Failure Mode Modular De-composition: definitions and terms} +\label{tab:fmmd_defs} +\end{table} + + +% \begin{table}[h+] +% \caption{CANbus messages id} +% \begin{tabular}{|p{1cm}|p{10cm}|} +% \hline \hline +% \textbf{Bit Field} & \textbf{Description} \\ \hline \hline +% 29 & Priority bit, set to zero gives the can message high priority in physical layer arbitration.\\ \hline +% 27-26 & extended source unit, 2 bits (shift left by 4).\\ \hline +% 25-24 & extended local unit, 2 bits (shift left by 4).\\ \hline +% 20 & unit to unit bit. This means message for communication between UNITS on the CANbus, not peripheral devices.\\ \hline +% 19-16 & source unit address (see bits 27-26).\\ \hline +% 15-12 & local unit address (see bits 25-24).\\ \hline +% 11 & broadcast bit (for time signals etc.).\\ \hline +% 10-5 & can handle (6 bit peripheral identifier, used in conjunction with six bit local address).\\ \hline +% 4 & peripheral bit, set to 0 indicates a message from a UNIT, to 1 from a peripheral.\\ \hline +% 3-0 & CAN ID message. For messages between peripherals and units, this identifies the message type. \\ +% \hline \hline +% \end{tabular} +% \label{tbl:fmmd_defs} +% \end{table} What components all have in common is that they can fail, and fail in a number of well defined ways. For common base-components there is established literature for the failure modes for the system designer to consider (often with accompanying statistical failure rates)~\cite{mil1991}~\cite{en298}~\cite{fmd91}. For instance, a simple resistor is generally considered to fail in two ways, it can go open circuit or it can short. -Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$. +Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$\footnote{The failure modes of the resistor +are discussed in section~\ref{sec:resistorfm}.}. 
The UML diagram in figure \ref{fig:component} shows a component as a data structure with its associated failure modes. From this diagram we see that each component must have at least one failure mode. To clearly show that the failure modes are mutually exclusive states, or unitary states associated with one component, -each failure mode is referenced back to only one component. +each failure mode is referenced back to only one component. This constraint is discussed in section~\ref{sec:unitarystate}. %%-%% MTTF STATS CHAPTER MAYBE ?? %%-%% @@ -119,7 +260,9 @@ each failure mode is referenced back to only one component. Controlled products are typically built using a large number of base-components and these are traditionally kept in a `parts~list'. -For a safety critical product this is usually a formal document and is used by quality inspectors to ensure the correct parts are being fitted. +For a safety critical product this is usually a formal document +and is used for ordering systems from third parties, and by quality inspectors +to ensure the correct parts are being fitted. %The parts list is shown for completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification and testing would want to know where it lies in the model. The parts list is not actively used in the FMMD method, but is shown in the UML model for completeness. For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components. 
@@ -144,7 +287,7 @@ not require a vendor reference, but must be named locally in the FMMD model. We can term `modularising a system', to mean recursively breaking it into smaller sections for analysis. When modularising a system from the top~down, as in Fault Tree Analysis~\cite{nasafta}\cite{nucfta} (FTA), it is common to term the modules identified as sub-systems. -When building from the bottom up, it is more meaningful to call them `derived~components'. +When modularising failure mode behaviour from the bottom up, it is more meaningful to call them `derived~components'. @@ -197,7 +340,7 @@ especially where there are non obvious top-level faults. In order to analyse from the bottom-up, we need to take small groups of components from the parts~list that naturally work together to perform a simple function. -The components to include in a {\fg} are chosen by a human, the analyst. +The components to include in a {\fg} are chosen by hand.%a human, the analyst. %We can represent the `Functional~Group' as a class. When we have a `{\fg}' we can look at the components it contains, @@ -207,8 +350,8 @@ and from this determine the failure modes of all the components that belong to i % % expand 21sep2010 %The `{\fg}' as used by the analyst is a collection of component failures modes. -The analysts interest is in the ways in which the components within the {\fg} -can fail. +%The analysts interest is in the ways in which the components within the {\fg} +%can fail. % All the failure modes of all the components within an {\fg} are collected. As each component mode holds a set of failure modes, the {\fg} represents a set of sets of failure modes. 
@@ -243,7 +386,7 @@ is dealt with in detail using an algorithmic description, in section \ref{sec:sy } % define difference between a \fg and a \dc -A {\fg} is a collection of components, a {\dc} is a new `theorectical' +A {\fg} is a collection of components, a {\dc} is a new `theoretical' component which has a set of failure modes, which corresponds to the failure symptoms from the {\fg} from which it was derived. % @@ -273,15 +416,15 @@ The UML representation (in figure \ref{fig:cfg}) shows a `functional group' hav The symbol $\bowtie$ is used to indicate the analysis process that takes a functional group and converts it into a new component. \begin{definition} -With $\mathcal{FG}$ represeting the set of all functional groups, and $\mathcal{DC}$ the set of all derived components, -this can be expressed as $$ \bowtie : \mathcal{FG} \rightarrow \mathcal{DC} $$ . +With $\mathcal{\FG}$ representing the set of all functional groups, and $\mathcal{{\DC}}$ the set of all derived components, +this can be expressed as $$ \bowtie : \mathcal{\FG} \rightarrow \mathcal{{\DC}} $$ . \end{definition} \begin{figure}[h] \centering \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{./CH4_FMMD/cfg.png} % cfg.png: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286 - \caption{UML Meta model for FMMD hierarchy} + \caption{Basic UML Meta model for FMMD hierarchy} \label{fig:cfg} \end{figure} @@ -369,7 +512,7 @@ The flat set of failure modes $FSF$ we are after can be found by applying functi in the functional~group and taking the union of them thus: %%$$ FSF = \bigcup_{j=1}^{N} fm(C_j) $$ -$$ FSF = \bigcup_{c \in FG} fm(c) $$ +$$ FSF = \bigcup_{c \in FG} fm(c) \; .$$ We can actually overload the notation for the function $fm$ % FM and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) 
@@ -417,7 +560,7 @@ a set of failure modes where only one failure mode can be active at a time; or borrowing from the terms of statistics, the failure mode being an event that is mutually exclusive with a set $F$. We can define a set of failure mode sets called $\mathcal{U}$ to represent this -property for a set of failure modes.. +property for a set of failure modes. \begin{definition} We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where @@ -485,7 +628,7 @@ clearly defined way and generally stay in that state. However, where a complex component is used, for instance a microcontroller with several modules that could all fail simultaneously, a process of reduction into smaller theoretical components will have to be made. -This is termed `heuristic~de-composition'. +We can term this `heuristic~de-composition'. A modern micro-controller will typically have several modules, which are configured to operate on pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. @@ -518,7 +661,7 @@ simultaneously. Note that the `unitary state' conditions apply to failure modes within a component. This does not preclude the possibility of two or more components failing simultaneously. % -The scenarios presented deal with possibility of two or more components failing simultaneously. +%The scenarios presented deal with possibility of two or more components failing simultaneously. % It is an implied requirement of EN298~\cite{en298} for instance to consider double simultaneous faults\footnote{Under the conditions 
@@ -759,7 +902,7 @@ associated with the test cases, complete coverage would be verified. \section{Component Failure Modes and Statistical Sample Space} %\paragraph{NOT WRITTEN YET PLEASE IGNORE} A sample space is defined as the set of all possible outcomes. -For a component in FMMD analysis, this set of all possible outcomes is its normal--or--correct +For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct') operating state and all its failure modes. We can consider failure modes as events in the sample space. % @@ -789,7 +932,8 @@ such as Bayes theorem~\cite{probstat}. The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}. That is to say, a base component or a sub-system failure -has a probability of causing given system level failures. +has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds +to the probability that a given part failure mode will cause a given system level failure/event.}. Another way to view this is to consider the failure modes of component, with the $OK$ state, as a universal set $\Omega$, where 
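Review bot: the new footnote "FMECA has a $\beta$ value that directly corresponds to the probability that a given part failure mode will cause a given system level failure/event." carries no citation. The $\beta$ (failure effect probability) term is defined by the FMECA criticality analysis in MIL-STD-1629A; cite that, or whichever FMECA reference the bibliography already holds, so the claim is traceable. Note also that $\beta$ is an analyst-assigned conditional probability: it supports the "has a probability of causing given system level failures" sentence it hangs off, but it is weak support for the stronger "all use Bayesian statistics to justify their methodologies" claim two lines above, which would need its own reference.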
@@ -900,28 +1044,39 @@ We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P In this section we examine the entities used in FMMD and their relationships. We have been building parts of the data structure up until now, -and we can now complete the picture. +and can now complete the picture. For the complete UML data model we need to consider the System as a data structure. The `parts~list' is the key reference point and starting point. % in the data structure. Our base components are kept here. -From these the initial {\fgs} are formed, and from the {\fgs} -{\dcs}. Two other data types/entities are required however: we need to model environmental and operational states and +From these the initial {\fgs} are formed, and from the first {\fgs} +the first {\dcs}. Two other data types/entities are required +however: we need to model environmental and operational states and where they fit into the data structure. -A real life system will be expected to perform in a given environment. +A system will be expected to perform in a given environment. Environment in the context of this study means external influences the System could be expected to work under. A typical data sheet for an electrical component will give a working temperature range for instance. Mechanical components could be specified for stress and loading limits. + +Systems or sub-systems may have distict operational states. For instancea sefty critical controller +may have a LOCKOUT state where it has detected a serious problem and will not continue to operate until +authorised human intervention takes place. +A safety critical circuit may have a self test mode. + +Operational states and environmental conditions must be factored into the UML model. + \paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges, levels of electrical interference, high voltage contamination on supply lines, radiation levels etc. 
-Environmental influences will affect specific components in specific ways. +Environmental influences will affect specific components in specific ways.\footnote{A good example of a part +affected by environmental conditions, in this case temperature, is the opto-isolator +which is typically affected at around \oc{60}. Most electrical components are far more robust than this~\cite{tlp181}.}. Environmental analysis is thus applicable to components. Environmental influences, such as over stress due to voltage can be eliminated by down-rating of components as discussed in section~\ref{downrate}. @@ -976,12 +1131,12 @@ are added to UML diagram in figure \ref{fig:cfg} and represented in figure \ref %% XXX bit of a loose end here, maybe delete this -\subsection{Ontological work on FMEA} - -Ontological work on FMEA reviewed so far, has concentrated on -formalising the natural language process of FMEA and thus -defining relationships between components, failure modes and top level outcomes -an overview of this work may found here~\cite{ontfmea}. +% \subsection{Ontological work on FMEA} +% +% Ontological work on FMEA reviewed so far, has concentrated on +% formalising the natural language process of FMEA and thus +% defining relationships between components, failure modes and top level outcomes +% an overview of this work may found here~\cite{ontfmea}. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
@@ -998,13 +1153,13 @@ We can define a function $fm$ that returns a set of failure modes $F$, for the component $c$. Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$. +and let the set of all possible failure modes be $\mathcal{\FG}$. We now define the function $fm$ as \begin{equation} \label{eqn:fm} -fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. +fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{\FG}. \end{equation} This is defined by, where $c$ is a component and $F$ is a set of failure modes, $ fm ( c ) = F. $ 
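Review bot: this change introduces a notation clash. "and let the set of all possible failure modes be $\mathcal{\FG}$." and "fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{\FG}." now use \FG, but the same patch defines $\mathcal{\FG}$ as the set of all functional groups in the "\bowtie : \mathcal{\FG} \rightarrow \mathcal{{\DC}}" definition. As written, $fm$ maps a component to a set of functional groups rather than to a set of failure modes, which contradicts the next sentence "$ fm ( c ) = F. $" where $F$ is a set of failure modes. Keep a distinct symbol for the set of all failure modes (the original $\mathcal{F}$, or a dedicated macro) and revert these two lines.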
@@ -1109,22 +1264,27 @@ are always orders of magnitude smaller than sum of {\fms} in its base components %the number of failure modes in its sub-systems/components.. -\section{Examples of Derived Component like concepts in safety literature} +\subsection{Derived Component like concepts in safety literature} -Idea stage on this section, integrated circuits and some compond parts (like digital resistors) -are treated like base components. i.e. this sets a precedent for {\dcs}. +Integrated components such as OP-AMPS are already treated as {\dcs} +in literature. +An Op-AMP is an integrated circuit comprising some hundred or so individual components +but in the literature ~\ref{fmd91} is is described as a simple component with a set of failure modes. -RE WRITE ---- concept is that some complicated components, like 741 are treated as simple components -in the literature. - -\begin{itemize} - \item Look at OPAMP circuits, pick one (say $\mu$741) -% \item Digital transistor perhaps, inside two resistors and a transistor. -% \item outline a proposed FMMD analysis -% \item Show FMD-91 OPAMP failure modes -- compare with FMMD -\end{itemize} - -% The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors +% Idea stage on this section, integrated circuits and some compond parts (like digital resistors) +% are treated like base components. i.e. this sets a precedent for {\dcs}. +% +% RE WRITE ---- concept is that some complicated components, like 741 are treated as simple components +% in the literature. +% +% \begin{itemize} +% \item Look at OPAMP circuits, pick one (say $\mu$741) +% % \item Digital transistor perhaps, inside two resistors and a transistor. +% % \item outline a proposed FMMD analysis +% % \item Show FMD-91 OPAMP failure modes -- compare with FMMD +% \end{itemize} +% +% % The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors % (and for some types of resistors OPEN only). 
% FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. % Now a resistor will generally only suffer parameter change when over stressed. 
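Review bot: "but in the literature ~\ref{fmd91} is is described as a simple component" uses \ref on a bibliography key; everywhere else in this file it is "\cite{fmd91}", so this will produce an undefined reference and print "??". In the same paragraph "is is" is doubled, "in literature." should be "in the literature.", and the spelling alternates between "OP-AMPS" and "Op-AMP" within two lines; settle on one form (op-amp/op-amps). The claim "comprising some hundred or so individual components" would also benefit from a citation or a named device, such as the 741 mentioned in the commented-out notes directly below it.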
@@ -1140,33 +1300,33 @@ in the literature. % Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. -\subsection{{\fgs} Sharing components and Hierarchy} - -With electronics we need to follow the signal path to make sense of failure modes -effects on other parts of the circuit further down that path. -%{\fgs} will naturally have to be in the position of starter -A power-supply is naturally first in a signal path (or failure reasoning path). -That is to say, if the power-supply is faulty, its failure modes are likely to affect -the {\fgs} that have to use it. - -This means that most electronic components should be placed higher in an FMMD -hierarchy than the power-supply. -A shorted de-coupling capactitor caused a `symptom' of the power-supply, -and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. -% to consider. - -If components can be shared between functional groups, this means that components -must be shareable between {\fgs} at different levels in the FMMD hierarchy. -This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown -in figure~\ref{fig:shared_component}. - -\begin{figure} - \centering - \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} - % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 - \caption{Optionally shared Component} - \label{fig:shared_component} -\end{figure} +% \subsection{{\fgs} Sharing components and Hierarchy} +% +% With electronics we need to follow the signal path to make sense of failure modes +% effects on other parts of the circuit further down that path. +% %{\fgs} will naturally have to be in the position of starter +% A power-supply is naturally first in a signal path (or failure reasoning path). +% That is to say, if the power-supply is faulty, its failure modes are likely to affect +% the {\fgs} that have to use it. 
+% +% This means that most electronic components should be placed higher in an FMMD +% hierarchy than the power-supply. +% A shorted de-coupling capactitor caused a `symptom' of the power-supply, +% and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. +% % to consider. +% +% If components can be shared between functional groups, this means that components +% must be shareable between {\fgs} at different levels in the FMMD hierarchy. +% This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown +% in figure~\ref{fig:shared_component}. +% +% \begin{figure} +% \centering +% \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} +% % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 +% \caption{Optionally shared Component} +% \label{fig:shared_component} +% \end{figure} % \subsection{Hierarchy and structure} % By having this structure, the logic circuit element, can accept failure modes from the @@ -1286,10 +1446,10 @@ we overload the comparison complexity thus: The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. $$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ -Even considering a $fictitious$ system with just 81 components (with these components +Even considering a $example$ system with just 81 components (with these components having 3 failure modes each) we would have an $CC$ of -$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ +$$CC(example) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ Ensuring all component failure modes are checked against all other components in a system -- applying FMEA rigorously -- could be termed 
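Review bot: "$example$" is a word set in math mode, so it typesets as a product of italic letters with math spacing, exactly as "$fictitious$" did; use \textit{example} in the prose and CC(\textit{example}) or a subscript in the display. The arithmetic is consistent ($3 \times 80 \times 81 = 19440$), but "|3|.(|80|)" wraps plain integers in cardinality bars; the bars are meaningful for set sizes such as $|fm(c)|$, not for literals, so either write $3 \cdot 80$ or express the sum in terms of the sets whose sizes these are. Also "we would have an $CC$" should be "a $CC$".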
@@ -1571,13 +1731,21 @@ For Functional Group 2 (FG2), let us map: FS5 & \mapsto & S6 \\ FS6 & \mapsto & S5 \end{eqnarray*} -Thus a derived component, DC2, has the failure modes defined by $fm(DC2) = \{ S4, S5, S6 \}$. -An example using the $Pt100$ circuit for double simultaneous failure analysis is given in section~\ref{sec:pt100}. +Thus a derived component, DC2, has the failure modes defined by $fm(DC2) = \{ S4, S5, S6 \}$ +and these are the result of considering double simultaneous failures of its components. -XXXXXXXXXXXXXXXXXXXXXXXXXX -This AUTOMATIC check can reveal WHEN double checking no longer necessary -in the hierarchy to cover dub sum !!!!! YESSSS +A commonly used temperature measuring circuit, the $Pt100$, is analysed +for double simultaneous failure analysis in section~\ref{sec:pt100}. + +A software tool tracking the analysis process +could check, that, all possible single and double +failure modes combinations have been analysed as failure scenarios. + +%single +%XXXXXXXXXXXXXXXXXXXXXXXXXX +%This AUTOMATIC check can reveal WHEN double checking no longer necessary +%in the hierarchy to cover dub sum !!!!! YESSSS 
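Review bot: "could check, that, all possible single and double failure modes combinations have been analysed" has two stray commas and a plural noun used attributively; it should read "could check that all possible single and double failure mode combinations have been analysed". Also "A commonly used temperature measuring circuit, the $Pt100$" describes the Pt100 as a circuit; it is a platinum resistance sensor, and the section referenced analyses the circuit built around it, so the wording of the removed line, "the $Pt100$ circuit", was more accurate and should be kept.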
@@ -1775,104 +1943,34 @@ of components\cite{mil1992}. %} % -\subsection{Systems, functional groups, sub-systems and failure modes} - -It is helpful here to define the terms, `system', `functional~group', `component', `base~component', `symptom' and `derived~component/sub-system'. -These are listed in table~\ref{tab:symexdef}. - -A system, is any coherent entity that would be sold as a product. % safety critical product. -A sub-system is a system that is part of some larger system. -For instance a stereo amplifier separate/slave is a sub-system. The -whole sound system, consists perhaps of the following `sub-systems': -CD-player, tuner, amplifier~separate, loudspeakers and ipod~interface. - -%Thinking like this is a top~down analysis approach -%and is the way in which FTA\cite{nucfta} analyses a System -%and breaks it down. -\paragraph{Sub-systems, {\fgs} and components.} -A sub-system will be composed of components, which -may themselves be sub-systems. However each `component' -will have a fault/failure behaviour and it should -always be possible to obtain a set of failure modes -for each `component'. -%In FMMD terms a sub-system is a derived component. - -If we look at the sound system example, -the CD~player could fail in several distinct ways, -and this could have been caused by a number of component failure modes. -%no matter what has happened to it or has gone wrong inside it. - - -Using the reasoning that working from the bottom up forces the consideration of all possible -component failures (which can be missed in a top~down approach \cite{faa}[Ch.9]) -we are presented with a problem. Which initial collections of base components should we choose? - -For instance in the CD~player example; if we start at the bottom, we are presented with -a massive list of base~components, resistors, motors, user~switches, laser~diodes, all sorts! -Clearly, working from the bottom~up, we need to pick small -collections of components that work together in some way. 
-These are termed `functional~groups'. For instance the circuitry that powers the laser diode -to illuminate the CD might contain a handful of components, and as such would make a good candidate -to be one of the base level functional~groups. - -\paragraph{Functional group to {\dc} process outline.} -In choosing the lowest level (base component) sub-systems we would look -for the smallest `functional~groups' of components within a system. -We can define a functional~group as a set of components that interact -to perform a specific function. - -When we have analysed the fault behaviour of a functional group, we can treat it as a `black box'. -The fault behaviour will consist of a set of `symptoms' caused by combinations -of its component failure modes. -We can thus make a new `component' derived from the functional~group. -The symptoms of the {\fg} are the failure modes of this new `derived component'. - -%We can now call our functional~group a sub-system or a derived~component. -%The goal here is to know how it will behave under fault conditions ! -%Imagine buying one such `sub~system' from a very honest vendor. -%One of those sir, yes but be warned it may fail in these distinct ways, here -%in the honest data sheet the set of failure modes is listed! - - -%This type of thinking is starting to become more commonplace in product literature, with the emergence -%of reliability safety standards such as IOC1508\cite{sccs},EN61508\cite{en61508}. -%FIT (Failure in Time - expected number of failures per billion hours of operation) values -%are published for some micro-controllers. A micro~controller -%is a complex sub-system in its self and could be considered a `black~box' with a given reliability. 
-%\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD -%1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component} - -Electrical components have detailed datasheets associated with them. A useful extension of this could -be failure modes of the component, with environmental factors and MTTF statistics. -Currently this sort of failure mode information is generally only available for generic component types \cite{mil1991}. %\vspace{0.3cm} -\begin{table}[h] -\center -\begin{tabular}{||l|l||} \hline \hline - {\em Definition } & {\em Description} \\ \hline -System & A product designed to \\ - & work as a coherent entity \\ \hline -Sub-system & A part of a system, \\ --or- derived component & sub-systems may contain sub-systems. \\ - & derived~components may be derived \\ - & from derived components \\ - & Constraint: This object must have a defined set of failure~modes \\ \hline -Failure mode & A way in which a system, \\ - & sub-system or component can fail \\ \hline -Functional Group & A collection of sub-systems and/or \\ - & components that interact to \\ - & perform a specific function \\ \hline -Symptom & A failure mode of a functional group, caused by \\ - & a combination of its component failure modes \\ \hline -Base Component & Any bought in component, or \\ - & lowest level module/or part \\ - & Constraint: This object must have a defined set of failure~modes \\ \hline - \hline -\end{tabular} -\caption{Symptom Extraction Definitions} -\label{tab:symexdef} -\end{table} +% \begin{table}[h] +% \center +% \begin{tabular}{||l|l||} \hline \hline +% {\em Definition } & {\em Description} \\ \hline +% System & A product designed to \\ +% & work as a coherent entity \\ \hline +% Sub-system & A part of a system, \\ +% -or- derived component & sub-systems may contain sub-systems. 
\\ +% & derived~components may be derived \\ +% & from derived components \\ +% & Constraint: This object must have a defined set of failure~modes \\ \hline +% Failure mode & A way in which a system, \\ +% & sub-system or component can fail \\ \hline +% Functional Group & A collection of sub-systems and/or \\ +% & components that interact to \\ +% & perform a specific function \\ \hline +% Symptom & A failure mode of a functional group, caused by \\ +% & a combination of its component failure modes \\ \hline +% Base Component & Any bought in component, or \\ +% & lowest level module/or part \\ +% & Constraint: This object must have a defined set of failure~modes \\ \hline +% \hline +% \end{tabular} +% \caption{Symptom Extraction Definitions} +% \label{tab:symexdef} +% \end{table} \fmodegloss @@ -2407,15 +2505,15 @@ The function $fm$ applied to a component returns the failure modes for that comp Thus its domain is the set of all components $\mathcal{C}$ and its range is the powerset of all failure modes $\mathcal{P}\,\mathcal{F}$. -$$ fm : \mathcal{C} \rightarrow \mathcal{P}\,\mathcal{F} $$ +$$ fm : \mathcal{C} \rightarrow \mathcal{P}\,\mathcal{\FG} $$ -A {\fg} is a collection of components such that $\mathcal{FG} \in \mathcal{P}\,\mathcal{C}$. +A {\fg} is a collection of components such that $\mathcal{\FG} \in \mathcal{P}\,\mathcal{C}$. -The function $fm$ can be overloaded with a functional group $\mathcal{FG}$ as its domain -and the powerset of all failure modes as its range. +The function $fm$ can be overloaded with a functional group $\mathcal{\FG}$ as its domain +and the power-set of all failure modes as its range. -$$ fm: \mathcal{FG} \rightarrow \mathcal{P}\,\mathcal{F} $$ +$$ fm: \mathcal{\FG} \rightarrow \mathcal{P}\,\mathcal{F} $$ % %%Let $FG$ be the set of components in the functional group under analysis, and $c$ diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index d4f32b6..e862f3a 100644 
--- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex @@ -48,7 +48,7 @@ Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mi -\paragraph {Definitions} +\paragraph {Definitions: for practical FMMD analysis} \begin{itemize} \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}. diff --git a/submission_thesis/style.tex b/submission_thesis/style.tex index f230bec..1b0561e 100644 --- a/submission_thesis/style.tex +++ b/submission_thesis/style.tex @@ -23,6 +23,7 @@ \newcommand{\fm}{\em failure~mode} \newcommand{\fms}{\em failure~modes} \newcommand{\FG}{\ensuremath{{G}}} +\newcommand{\DC}{\ensuremath{{DC}}} \newcommand{\fg}{\em functional~group} \newcommand{\fgs}{\em functional~groups} \newcommand{\dc}{\em derived~component}
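Review bot: in the hunk that removes the "Systems, functional groups, sub-systems and failure modes" subsection, commenting out the table also comments out \label{tab:symexdef}. The one \ref{tab:symexdef} visible in this hunk is deleted with the subsection, but references from other chapters are not visible in this diff and would now resolve to "??"; grep the rest of the thesis before merging. The paragraph on datasheets and generic failure-mode data, with its \cite{mil1991}, is dropped outright; if it was meant to move elsewhere, that move is not in this diff, and if it was meant to go, check that mil1991 is still cited somewhere so the bibliography entry does not silently vanish. The commented-out table body is dead source that will never be compiled; prefer deleting it.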
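Review bot: the first signature in the $fm$ hunk now reads `$$ fm : \mathcal{C} \rightarrow \mathcal{P}\,\mathcal{\FG} $$`, but the unchanged sentence just above it says the range is "the powerset of all failure modes $\mathcal{P}\,\mathcal{F}$", and the overloaded form two lines later still has range `\mathcal{P}\,\mathcal{F}`. This looks like an over-eager F to \FG substitution; the range of the first signature should stay `\mathcal{P}\,\mathcal{F}`, and only the domain of the second signature should have become `\mathcal{\FG}`. Also the edited sentence spells "power-set" where the line before it has "powerset"; pick one spelling.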
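Review bot: "Definitions: for practical FMMD analysis" reads awkwardly as a paragraph heading; "Definitions for practical FMMD analysis" drops the colon with no loss of meaning. The space in `\paragraph {...}` is harmless to LaTeX but is worth normalising to `\paragraph{...}` while the line is being touched.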
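Review bot: `\newcommand{\DC}{\ensuremath{{DC}}}` sets a two-letter name in math italic, so TeX will typeset D and C as two separate variables with product spacing, unlike the single-letter `\FG` (`{G}`) defined on the line above; `\ensuremath{\mathit{DC}}` keeps it as one identifier. Note too that the existing lowercase `\dc` (`\em derived~component`) now differs from the new `\DC` only by case, so a slip between them compiles cleanly and produces the wrong text; a more distinct name would make that mistake visible.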