FINAL DRAFT: Last comments from supervisors.
This commit is contained in:
parent
9c62a90548
commit
463b660eac
@ -93,7 +93,7 @@ improve the product safety, or identify theoretical weaknesses in the design.
|
||||
This paper proposes a new theoretical methodology for creating failure mode models of % safety critical i
|
||||
systems.
|
||||
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
|
||||
The method provide advantages in rigour and efficiency when compared to current methodologies.
|
||||
The method provides advantages in rigour and efficiency when compared to current methodologies.
|
||||
|
||||
}
|
||||
|
||||
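Review bot: 'provide' → 'provides' is the right fix, but the context line of the same paragraph keeps a truncated commented fragment `% safety critical i` at the end of the 'This paper proposes' sentence; either restore the intended words or delete the comment, since a half-word in the source will confuse the next editor. The sentence 'The method provides advantages in rigour and efficiency when compared to current methodologies' also asserts the paper's main claim with no pointer to where it is supported; a \ref to the comparison table would help.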
@ -118,7 +118,7 @@ Comprehensive overviews of these methodologies maybe found
|
||||
in ~\cite{safeware,sccs}.
|
||||
|
||||
\paragraph{Fault Tree Analysis (FTA)}
|
||||
FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for
|
||||
FTA~\cite{nasafta,nucfta} is a top down methodology in which a hierarchical diagram is drawn for
|
||||
each undesirable top level failure/event, presenting the conditions that must arise to cause
|
||||
the event.
|
||||
%
|
||||
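Review bot: the hunk header context still reads 'Comprehensive overviews of these methodologies maybe found', which should be 'may be found'; since this paragraph is being touched, fix it in the same commit. The swap to \cite{nasafta,nucfta} is fine provided the same ordering convention (alphabetical by key) is used for the other multi-key citations in the paper.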
@ -183,20 +183,22 @@ can reveal.
|
||||
|
||||
%\subsection{Bottom-up approach: }
|
||||
|
||||
%\paragraph{State Explosion problem for FMEA, FMECA, FMEDA.}
|
||||
\paragraph{State Explosion problem for FMEA, FMECA, FMEDA.}
|
||||
The bottom-up techniques all suffer from % a problem of
|
||||
state explosion.
|
||||
To perform the analysis rigorously, we would need to consider the effect
|
||||
of a component failure against all other components. Adding environmental
|
||||
and operational states further increases this effect.
|
||||
and operational states further increases the state explosion.
|
||||
|
||||
Let $N$ be the number of components in our system, and $K$ be the average number of component failure modes
|
||||
(ways in which a component can fail). The approximate total number of base component failure modes
|
||||
is $N \times K$. To examine the effect that one failure mode has on all
|
||||
the other components %\footnote{A %base
|
||||
%component failure will typically affect the sub-system
|
||||
%it is part of, and create a failure effect at the system level.}
|
||||
will be $(N-1) \times N \times K$. %, in effect a very large set cross product.
|
||||
is $N \times K$.
|
||||
%
|
||||
The total number of cases to examine, to determine the effect of all failure modes
|
||||
on all
|
||||
components
|
||||
will be approximately $(N-1) \times N \times K$. %, in effect a very large set cross product.
|
||||
%
|
||||
If $E$ is the number of environmental conditions to consider
|
||||
in a system, and $A$ the number of applied/operational states (or modes of the system),
|
||||
the bottom-up analyst is presented with two
|
||||
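Review bot: the split into 'is $N \times K$.' and a new sentence reads well, but the new sentence is broken across three source lines mid-phrase ('on all' / 'components' / 'will be'); join them so it is readable in the source. The footnote and the old \paragraph line are left as commented-out text rather than deleted; the repository history already preserves them, so remove the dead comments. The count $(N-1) \times N \times K$ is consistent with $N \times K$ failure modes each checked against the other $N-1$ components, so 'approximately' is justified only because $K$ is an average; one clause saying so would make the estimate precise.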
@ -245,18 +247,18 @@ To look in detail at half a million fault~scenarios is obviously impractical.
|
||||
|
||||
%\section{Requirements for a new static failure mode Analysis methodology}
|
||||
|
||||
\section{Desireable Criteria.}
|
||||
From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology.
|
||||
\section{Desirable Criteria.}
|
||||
From the deficiencies outlined above, ideally we can form a set of desirable criteria for an enhanced failure mode methodology.
|
||||
{ %\small
|
||||
\label{criteria}
|
||||
\begin{enumerate}
|
||||
%\begin{itemize}
|
||||
\label{fmmdreq}
|
||||
\item Address the state explosion problem. % 1
|
||||
\item Ensure that all component failure modes be considered in the model. % 2
|
||||
\item Ensure that all component failure modes are considered in the model. % 2
|
||||
\item Be easy to integrate mechanical, electronic and software models \cite{sccs}[p.287]. %3
|
||||
\item Be modular, in that commonly used {\fgs} can be re-used in other designs/projects. %4
|
||||
\item It should have a formal basis, that is to say, be able to produce mathematical traceability %5
|
||||
\item Have a formal basis, i.e. be able to produce mathematical traceability %5
|
||||
for its results, such as error causation trees.%, reliability and safety statistics.
|
||||
%\item It should be easy to use, ideally using a
|
||||
%graphical syntax (as opposed to a formal symbolic/mathematical text based language).
|
||||
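Review bot: the prose elsewhere refers to these items by hard-coded numbers ('criterion 1', 'criteria 3'), and this same commit has to correct one of them (criterion 3 → 4 in a later hunk), so give each \item its own \label and use \ref; as it stands, \label{fmmdreq} sits inside the enumerate before any \item and so labels no item at all, and \label{criteria} sits in a bare group, so both are fragile. 'be considered' → 'are considered' is correct. Also, '\cite{sccs}[p.287]' puts the optional argument after the key, so '[p.287]' is typeset as plain text; write '\cite[p.287]{sccs}'.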
@ -344,11 +346,11 @@ This seems essential to satisfy criterion 2.
|
||||
The proposed methodology is therefore a bottom-up process
|
||||
starting with base~components.
|
||||
%
|
||||
Because we are only modelling failure modes, which could arise from
|
||||
Since we are only modelling failure modes, which could arise from
|
||||
mechanical, electronic or software components,
|
||||
criteria 3 is satisfied.
|
||||
criterion 3 is satisfied.
|
||||
%
|
||||
In order to address the state explosion problem, the process must be modular and hierarchical
|
||||
In order to address the state explosion problem, the process should be modular and hierarchical,
|
||||
dealing with small groups of components at a time; this should address criterion 1.
|
||||
|
||||
|
||||
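Review bot: 'must be modular and hierarchical' → 'should be modular and hierarchical' weakens a design requirement that the rest of the paper relies on to address the state explosion criterion; if the method is modular and hierarchical by construction, 'must' (or simply 'is') is the accurate word. 'criteria 3' → 'criterion 3' and 'Because' → 'Since' are fine.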
@ -366,7 +368,7 @@ there will be a corresponding resultant failure, or `symptom', from the perspect
|
||||
%
|
||||
%From the perspective of the {\fg} failures of components will be symptoms.
|
||||
It is conjectured that many symptoms will be common. That is to say
|
||||
that component failures, will often cause the same symptoms of failure
|
||||
that component failures will often cause the same symptoms of failure
|
||||
from the perspective of a {\fg}.
|
||||
|
||||
|
||||
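Review bot: the comma removal is correct, but the sentence it fixes, 'It is conjectured that many symptoms will be common', carries the paper's central assumption (symptoms collapsing is what makes a derived component smaller than its functional group) and is left as a bare conjecture; state it as an explicit assumption and point to the potential divider table later in the paper as the evidence for it.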
@ -378,7 +380,7 @@ criterion 6 is satisfied.
|
||||
%
|
||||
With a collection of the {\fg} failure symptoms, we can create a {\dc}.
|
||||
The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
|
||||
This satisfies criterion 3, as we can now treat {\dcs} as pre-analysed
|
||||
This satisfies criterion 4, as we can now treat {\dcs} as pre-analysed
|
||||
modules available for re-use.
|
||||
|
||||
By using {\dcs} in higher level functional groups, a hierarchy can be built representing
|
||||
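Review bot: the change to 'criterion 4' is correct against the list in this commit (item 4 is modularity and re-use of functional groups), but the hunk header context still claims 'criterion 6 is satisfied' while the diff of the criteria list shows items 1 to 5 plus a commented-out item; confirm that a sixth criterion exists in the full list, otherwise that reference dangles.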
@ -456,9 +458,7 @@ to balance them against the positive input, giving the voltage gain ($G_v$)
|
||||
defined by $ G_v = 1 + \frac{R2}{R1} $ at the output.
|
||||
|
||||
|
||||
|
||||
|
||||
A functional group, is an ideally small in number collection of components,
|
||||
A functional group, is an ideally small collection of components
|
||||
that interact to provide
|
||||
a function or task within a system.
|
||||
As the resistors work to provide a specific function, that of a potential divider,
|
||||
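Review bot: 'A functional group, is an ideally small collection' still has a comma between subject and verb; drop it. In the context line, the gain formula writes $\frac{R2}{R1}$ while the later failure mode discussion uses the subscripted $R_1$; use $R_2$ and $R_1$ so the symbols match.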
@ -467,7 +467,7 @@ Using the EN298 specification for resistor failure ~\cite{en298}[App.A]
|
||||
we can assign failure modes of $OPEN$ and $SHORT$ to the resistors.
|
||||
\ifthenelse {\boolean{dag}}
|
||||
{
|
||||
We can now represent a resistor in terms of its failure modes as a directed acyclic graph (DAG)
|
||||
We represent a resistor and its failure modes as a directed acyclic graph (DAG)
|
||||
(see figure \ref{fig:rdag}).
|
||||
\begin{figure}[h+]
|
||||
\centering
|
||||
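Review bot: `\begin{figure}[h+]` uses `+`, which is not a float placement option (`h`, `t`, `b`, `p`, `!`), so LaTeX should reject it; use `[h]` or `[ht]`. The context line `\cite{en298}[App.A]` has the optional argument after the key and so typesets '[App.A]' as plain text; write `\cite[App.A]{en298}`. The rewording 'We represent a resistor and its failure modes as a DAG' is clearer than the original.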
@ -588,20 +588,20 @@ in table~\ref{pdfmea}.
|
||||
|
||||
\ifthenelse {\boolean{dag}}
|
||||
{
|
||||
For this example we can look at single failure modes only.
|
||||
For this example we look at single failure modes only.
|
||||
For each failure mode in our {\fg} `potential~divider'
|
||||
we can assign a {\fc} number (see table \ref{pdfmea}).
|
||||
Each {\fc} is analysed to determine the `symptom'
|
||||
on the potential dividers' operation. For instance
|
||||
were the resistor $R_1$ to go open, the circuit would not be grounded and the
|
||||
of the potential dividers' operation. For instance
|
||||
if resistor $R_1$ was to go open, then the circuit would not be grounded and the
|
||||
voltage output from it would float high (+ve).
|
||||
This would mean the symptom of the failed potential divider, would be that it
|
||||
This would mean the symptom of the failed potential divider would be that it
|
||||
gives a high voltage output.%We can now consider the {\fg}
|
||||
%as a component in its own right, and its symptoms as its failure modes.
|
||||
|
||||
From table \ref{pdfmea} we can see that resistor
|
||||
failures modes lead to some common `symptoms'.
|
||||
By drawing connecting lines in a graph, from the failure modes to the symptoms
|
||||
By drawing directed edges, from the failure modes to the symptoms
|
||||
we can show the relationships between the component failure modes and resultant symptoms.
|
||||
%The {\fg} can now be considered a derived component.
|
||||
This is represented in the DAG in figure \ref{fig:fg1adag}.
|
||||
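Review bot: 'on' → 'of the potential dividers' operation' fixes the preposition but keeps the misplaced apostrophe; there is one divider, so 'potential divider's operation'. The unchanged line 'resistor failures modes lead to some common `symptoms'' should read 'failure modes'. 'were the resistor $R_1$ to go open' was correct subjunctive; 'if resistor $R_1$ was to go open, then' is no improvement and drops the article, so either keep the original or use 'if resistor $R_1$ were to go open'. 'directed edges' in place of 'connecting lines in a graph' is the right term for a DAG.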
@ -884,7 +884,7 @@ Let us consider, for the sake of example, that the voltage follower (very low ga
|
||||
amplification chracteristics from FS2 and FS6 can be considered as low output from the OPAMP for the application
|
||||
in hand (say milli-volt signal amplification).
|
||||
|
||||
For this amplifier configuration we have three failure modes, $AMPHigh, AMPLow, LowPass$.%see figure~\ref{fig:fgampb}.
|
||||
For this amplifier configuration we have three failure modes; $AMPHigh, AMPLow, LowPass$.%see figure~\ref{fig:fgampb}.
|
||||
\ifthenelse {\boolean{pld}}
|
||||
{
|
||||
We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}).
|
||||
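Review bot: the comma → semicolon change goes the wrong way; a list following 'we have three failure modes' is introduced by a colon, not a semicolon. In the same hunk, `(see figure ~\ref{fig:noninvampa})` has a space before the tie, so the `~` no longer binds 'figure' to the number; write `figure~\ref{...}`. The context line also has 'chracteristics' for 'characteristics'.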
@ -1135,7 +1135,7 @@ Table \ref{tbl:comparison} compares the current methodologies and FMMD using the
|
||||
\item{State Explosion is reduced,}
|
||||
%State Explosion is reduced,
|
||||
because small collections of components are dealt with in functional groups
|
||||
to produce derived components which are used in an hierarchical manner.
|
||||
which are used to create derived components which are then used in an hierarchical manner.
|
||||
|
||||
\item{All component failure modes must be considered in the model.}
|
||||
%All component failure modes must be considered in the model.
|
||||
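Review bot: the new wording 'which are used to create derived components which are then used in an hierarchical manner' chains two 'which' clauses and keeps 'an hierarchical', which should be 'a hierarchical'; something like 'because components are dealt with in small functional groups, from which derived components are created and then used hierarchically' reads better. Note also that `\item{State Explosion is reduced,}` is not the `\item[label]` form; the braces only group the text, so either use the optional-argument syntax deliberately or drop the braces.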
@ -1159,11 +1159,10 @@ commonly used {\dcs} can be re-used in a design% (for instance self checking dig
|
||||
or even in other projects where the same {\dc} is used.
|
||||
|
||||
|
||||
\item{ It should have a formal basis, data should be available to produce mathematical proofs
|
||||
for its results}
|
||||
\item{ Formal basis: data should be available to produce mathematical proofs and traceability.}
|
||||
%It should have a formal basis, data should be available to produce mathematical proofs
|
||||
%for its results
|
||||
because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}
|
||||
Because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}
|
||||
system level failure modes are traceable back down the fault tree to
|
||||
component level failure modes.
|
||||
%
|
||||
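Review bot: 'traceable back down the fault tree' borrows FTA's term for what this paper defines as a hierarchy of functional groups and derived components (the preceding line in the hunk says exactly that); say 'back down the FMMD hierarchy' so the method is not conflated with fault tree analysis. The rewritten item says 'mathematical proofs and traceability' while the criteria list in this commit says 'mathematical traceability for its results, such as error causation trees'; align the two so the comparison and the criteria use the same wording.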
@ -1195,8 +1194,8 @@ By breaking the problem of failure mode analysis into small stages
|
||||
and building a hierarchy, the problems associated with the cross products of
|
||||
all failure modes within a system are reduced.
|
||||
% by an exponential order.
|
||||
This is because the multiple failure modes are considered
|
||||
within {\fgs} which have fewer failure modes to consider
|
||||
This is because the multiple failure modes considered
|
||||
within {\fgs} have fewer failure modes to consider
|
||||
at each FMMD stage.
|
||||
Where appropriate, multiple simultaneous failures can be modelled by
|
||||
introducing {\fc} %test~cases
|
||||
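Review bot: the rewritten sentence is circular: 'the multiple failure modes considered within {\fgs} have fewer failure modes to consider at each FMMD stage' says failure modes have failure modes. The point is that each functional group holds few components, so the cross product of failure modes at each stage is small; say that directly. The commented '% by an exponential order' should either be substantiated (using the $N$, $K$, $E$, $A$ counts from the state explosion paragraph) or removed.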
@ -1240,7 +1239,9 @@ where the conjunction of failure modes is considered.
|
||||
%This new approach is called
|
||||
Failure Mode Modular De-Composition (FMMD) is designed
|
||||
to be a more rigorous and `data~complete' model than
|
||||
the current four approaches, that is to say,
|
||||
the current four approaches
|
||||
%
|
||||
That is,
|
||||
from an FMMD model, we should be able to
|
||||
derive outline models that the other four methodologies would have been
|
||||
able to create. As this approach is modular, many of the results of
|
||||
|
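Review bot: moving 'that is to say,' into a new sentence leaves 'the current four approaches' with no full stop before the comment line and 'That is,', so the text now runs 'approaches That is, from an FMMD model'; add the period. The term `data~complete' is quoted but not defined; a short definition here (or a \ref to where it is given) is needed, since it carries the comparative claim.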