robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Started...... the most difficult bit is starting

Browse Source
This commit is contained in:
Robin Clark 2011-05-29 18:07:02 +01:00
parent 64e9d38464
commit 469b8b6f8f
1 changed files with 171 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

223
fmmd_concept/System_safety_2011/submission.tex
View File

@ -12,7 +12,30 @@
\newboolean{paper}
\setboolean{paper}{true} % boolvar=true or false
\newcommand{\oc}{\ensuremath{^{o}{C}}}
\newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}}
\newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}}
\newcommand{\ohms}[1]{\ensuremath{#1\Omega}}
\newcommand{\fg}{\em functional~group}
\newcommand{\fgs}{\em functional~groups}
\newcommand{\dc}{\em derived~component}
\newcommand{\dcs}{\em derived~components}
\newcommand{\bc}{\em base~component}
\newcommand{\bcs}{\em base~components}
\newcommand{\irl}{in real life}
\newcommand{\enc}{\ensuremath{\stackrel{enc}{\longrightarrow}}}
\newcommand{\pin}{\ensuremath{\stackrel{pi}{\longleftrightarrow}}}
%\newcommand{\pic}{\em pure~intersection~chain}
\newcommand{\pic}{\em pair-wise~intersection~chain}
\newcommand{\wrt}{\em with~respect~to}
\newcommand{\abslevel}{\ensuremath{\Psi}}
\newcommand{\fmmdgloss}{\glossary{name={FMMD},description={Failure Mode Modular De-Composition, a bottom-up methodolgy for incrementally building failure mode models, using a procedure taking functional groups of components and creating derived components representing them, and in turn using the derived components to create higher level functional groups, and so on, that are used to build a failure mode model of a SYSTEM}}}
\newcommand{\fmodegloss}{\glossary{name={failure mode},description={The way in which a failure occurs. A component or sub-system may fail in a number of ways, and each of these is a
failure mode of the component or sub-system}}}
\newcommand{\fmeagloss}{\glossary{name={FMEA}, description={Failure Mode and Effects analysis (FMEA) is a process where each potential failure mode within a SYSTEM, is analysed to determine SYSTEM level failure modes, and to then classify them {\wrt} perceived severity}}}
\newcommand{\frategloss}{\glossary{name={failure rate}, description={The number of failure within a population (of size N), divided by N over a given time interval}}}
\newcommand{\pecgloss}{\glossary{name={PEC},description={A Programmable Electronic controller, will typically consist of sensors and actuators interfaced electronically, with some firmware/software component in overall control}}}
\newcommand{\bcfm}{base~component~failure~mode}
%\newtheorem{definition}{Definition:}
@ -31,64 +54,76 @@
%\innerfoot{{\small\bf R.P. Clark } }
% numbers at outer edges
\pagenumbering{arabic} % Arabic page numbers hereafter
\author{R.P.Clark}
\author{R.P.Clark$^1$ , Andrew~Fish$^2$ , John~Howse$^2$ , Chris Garret$^2$ \\
$^1${\em Energy Technology Control, Lewes,UK} \and $^2${\em University of Brighton, UK}
}
\title{Developing a rigorous bottom-up modular static failure mode modelling methodology}
\maketitle
\abstract{
This paper proposes a methodology for
creating failure mode models of safety critical systems, which
has a common notation
for mechanical, electronic and software domains and applies an
incremental and rigorous approach.
The four main static failure mode analysis methodologies were examined and
in the context of newer European safety standards, assessed.
Some of the deficiencies identified in these methodologies led to
a wish list for a more rigorous methodology.
%%
The certification process of safety critical products for European and
other international standards often involve environmental stress,
endurance and EMC testing. Theoretical, or 'static testing',
is often also required to highlight modifications that must be made to
improve the product safety, or identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of safety critical systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
These properties provide advantages in rigour and efficiency when compared to current methodologies.
% This paper proposes a methodology for
% creating failure mode models of safety critical systems, which
% has a common notation
% for mechanical, electronic and software domains and applies an
% incremental and rigorous approach.
%
% The four main static failure mode analysis methodologies were examined and
% in the context of newer European safety standards, assessed.
% Some of the deficiencies identified in these methodologies led to
% a wish list for a more rigorous methodology.
% %%
%% What I have found
%%
From the wish list
%and considering some constraints determined from
%the evaluation of the four established methodologies,
a new
methodology is developed and proposed.
This has been named Failure Mode Modular De-Composition (FMMD).
%% Sell it
%%
In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticality Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and can guarantee to leave no component failure mode un-handled.
It is also modular, meaning that the results of analysed components may be re-used in other projects.
% From the wish list
% %and considering some constraints determined from
% %the evaluation of the four established methodologies,
% a new
% methodology is developed and proposed.
% This has been named Failure Mode Modular De-Composition (FMMD).
%
% %% Sell it
% %%
% In addition to addressing the traditional weaknesses of
% Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticality Analysis (FMECA)
% and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
% as specified in newer European Safety Standards \cite{en298}.
% The proposed methodology is bottom-up and can guarantee to leave no component failure mode un-handled.
% It is also modular, meaning that the results of analysed components may be re-used in other projects.
}
\section{Introduction}
The certification process of safety critical products for European and
other international standards often involve environmental stress,
endurance and EMC testing. Theoretical, or 'static testing',
is often also required to highlight modifications that must be made to
improve the product safety, or identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of safety critical systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
These properties provide advantages in rigour and efficiency when compared to current methodologies.
Current methodologies We briefly analyse the four current methodologies:
Fault Tree Analysis (FTA) is a top down methodology in which a diagram is drawn for
each undesirable top level event, presenting the conditions that must arise to cause
the event. It is suitable for large complicated systems with few undesirable top
level events and focuses on those events considered most important or most catastrophic.
Effects of duplication/redundancy of safety systems can be readily assessed.
\subsection{Current methodologies}
We briefly analyse the four current methodologies.
\subsubsection{Fault Tree Analysis (FTA)}
FTA is a top down methodology in which a diagram is drawn for
each undesirable top level event, presenting the conditions that must arise to cause
the event. It is suitable for large complicated systems with few undesirable top
level events and focuses on those events considered most important or most catastrophic.
Effects of duplication/redundancy of safety systems can be readily assessed.
It uses notations that are readily understood by engineers.
However, it cannot guarantee to model all base component failure modes
or be used to determine system level errors other than those modelled.
Each diagram is a separate model, creating duplication of modelled elements,
and there is no facility to cross check between diagrams. It has limited
support for environmental and operational states.
Fault Mode Effects Analysis (FMEA) is used principally in manufacturing.
\subsection{Fault Mode Effects Analysis FMEA)}
FMEA is used principally in manufacturing.
Each defect is assessed by its cost to repair and its frequency, using a
failure mode ratio. A list of failures and their cost is generated.
It is easy to identify single component failure to system failure scenarios
@ -98,12 +133,19 @@ problems from simultaneous failure modes. It does not consider environmental
or operational states in sub-systems or components. It cannot model
self-checking safety elements or other in-built safety features or
analyse how particular components may fail.
Failure Mode Criticality Analysis (FMECA) is a refinement of FMEA, using
\subsection{Failure Mode Criticality Analysis (FMECA)}
FMECA is a refinement of FMEA, using
two extra variables: the probability of a component failure mode occurring
and the probability that this will cause a top level failure, and the perceived
criticality. It gives better estimations of product reliability/safety and the
occurrence of particular system failure modes than FMEA but has similar deficiencies.
Failure Modes, Effects and Diagnostic Analysis (FMEDA) is a refinement of
\subsection{Failure Modes, Effects and Diagnostic Analysis (FMEDA)}
FMEDA is a refinement of
FMEA and FMECA and models self-checking safety elements. It assigns two
attributes to component failure modes: detectable/undetectable and safe/dangerous.
Statistical measures about the system can be made and used to classify a
@ -111,17 +153,89 @@ safety integrity level. It allows designs with in-built safety features to be as
Otherwise, it has similar deficiencies to FMEA but has limited support
for environmental and operational states in sub-systems or components,
via self checking statistical mitigation.
Requirements for an improved methodology The deficiencies identified in the
current methodologies are used to establish criteria for an improved methodology.
It must include all component failure modes and therefore should be bottom-up,
starting with individual component failure modes. Components should be broken
\subsection{Summary of Defeciencies in Current Methods}
\paragraph{Top Down approach} The top down technique FTA, introduces the possibility of missing base component
level failure modes~\cite{faa}[Ch.9]. Also one FTA treee is drawn for each top level
event, leading to repreated work, with limitied ability for cross checking.
\paragraph{State Explosion problem}
The bottom -up techniques all suffer from a problem of state explosion.
To perform the analysis rigorously, we need to consider the effect
of a component failure agiaist all other components. Adding environmental
and operational states further increases this effect.
Let N be the number of components in our system, and K be the average number of component failure modes
(ways in which a base~component can fail). The total number of base component failure modes
is $N \times K$. To examine the effect that one failure mode has on all
the other components\footnote{A base component failure will typically affect the sub-system
it is part of, and create a failure effect at the SYSTEM level.}
will be $(N-1) \times N \times K$, in effect a very large set cross product.
If $E$ is the number of applied states or environmental conditions to consider
in a system, and $A$ the number of applied states,
the job of the bottom-up analyst is presented with two
additional %cross product
factors,
$(N-1) \times N \times K \times E \times A$.
If we put some typical very small embedded system numbers\footnote{these figures would
be typical of a very simple temperature controller, with a micro-controller sensor
and heater circuit.} into this, say $N=100$, $K=2.5$, $A=2$, and $E=10$
we have $99 \times 100 \times 2.5 \times 10 \times 2 = 495000 $.
To look in detail at a half of a million test cases is obviously impractical.
% Requirements for an improved methodology The deficiencies identified in the
% current methodologies are used to establish criteria for an improved methodology.
\paragraph{Reasoning distance - complexity and reachability}
Tracing a component level failure up to a top level event, without rigour involving state explosion, involves
working heuistically. A base component failure will typically
be concepually removed by several stages from a top level event.
The reasoning distance can be determined by the number of components
that must interact to reach the top level event.
% could have a chapter on this.
% take a circuit or system and follow all the interactions
% to the components that cause the system level event.
\paragraph{Multiple Events from one base component failure mode}
A base component failure may mpotentially cause more than one
SYSTEM level failure mode.
It could be possible to identify one top level event asssociated with
a {\bcfm} and not investigate other possibilities.
\section{Requirements for a new static faiilure mode Analysis methodology}
A new methodology must ensure that it represents all component failure modes and it therefore should be bottom-up,
starting with individual component failure modes.
In order to control the state explosion problem, the process must be modular
and deal with small groups of components.
Components should be broken
down into small functional groups to enable the examination of the effect of a
component failure mode on the other components in the group.
Development of the new methodology An ontology is developed of
component failure mode on the other components in the group.
The functional group can now be considered as `derived component' with a known set
of failure symptoms. We can use this `derived component' to build higher level
functional groups.
This helps with the reasoning distance problem,
because we can trace failure modes back through complex interactions and have a structure to
base our reasoning on, at each stage.
Development of the new methodology
An ontology is developed of
failure modes and their relationship to environmental factors,
operational states and the hierarchical nature inherent in product design,
defining the relationships between the system as a whole, components,
failure modes, operational and environmental states. The ontology is used
failure modes, operational and environmental states.
DEVELOP UML MODELS
The ontology is used
to determine the nature of a hierarchy modelling the system, and to which
entities, various conditions/procedures are germane. From the ontology,
we determine that environmental effects relate to components, and
@ -143,6 +257,11 @@ designed to be intuitive and understandable. It uses well tested
visual techniques to represent the elements of the model and their
relationships. Software support for the development of models in this
notation has been designed and proof-of-concept tools have been implemented.
\section{Conclusion}
This new approach is called
Failure Mode Modular De-Composition (FMMD) and is designed
to be a superset of the current four approaches, that is to say,