diff --git a/mybib.bib b/mybib.bib index d5b06d8..79406a8 100644 --- a/mybib.bib +++ b/mybib.bib @@ -972,6 +972,17 @@ keywords={control engineering computing;control systems;failure analysis;formal doi={10.1109/HASE.2011.10}, ISSN={1530-2059},} + BibTeX | EndNote | ACM Ref + +@book{Pfeiffer:2003:ENC:1199616, + author = {Pfeiffer, Olaf and Ayre, Andrew and Keydel, Christian}, + title = {Embedded Networking with CAN and CANopen}, + year = {2003}, + isbn = {0929392787}, + publisher = {Annabooks}, +} + + @PHDTHESIS{clark, AUTHOR = "Robin Clark", diff --git a/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex b/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex index c7bd3e0..411982a 100644 --- a/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex +++ b/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex @@ -119,36 +119,49 @@ failure mode of the component or sub-system}}} \abstract{ % \em %\input{abs} -%The certification process of safety critical products for European and -%other international standards often demand environmental stress, -%endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', -%is often also required. -% -%Failure Mode Effects Analysis (FMEA), is a bottom-up technique that aims to assess the effect all -%component failure modes on a system. -%It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products. -%FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems. -% -%Work on software FMEA (SFMEA) is beginning, but -%at present no technique for SFMEA that -%integrates hardware and software models % known to the authors -%exists. +The certification process of safety critical products for European and +other international standards often demand environmental stress, +endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', +is often also required. + +Failure Mode Effects Analysis (FMEA)~\cite{iec60812}, is a bottom-up technique that aims to assess the effect all +component failure modes on a system. +It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products. +FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems. + + +This paper discusses the benefits and drawback of current +FMEA techniques and then proposes a modular FMEA methodology, Failure Mode Modular De-Composition (FMMD)~\cite{clark} +that has the advantages of traceable failure modes through the model +hierarchy, increases test effeciency and has +the ability to model integrated hardware and software systems. + +% Work on software FMEA (SFMEA) is beginning, but +% at present no technique for SFMEA that +% integrates hardware and software models % known to the authors +% exists. % % +% +% % +% %Failure modes in components in say a sensor, could be traced +% %up through the electronics and then through the controlling software. +% % +% %Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program. +% This paper takes, from the literature, new and emerging methodologies +% for software FMEA, applies them to a simple example system, and then +% reaches conclusions about the effectiveness and failure mode +% coverage of the combined FMEA techniques. -% -%Failure modes in components in say a sensor, could be traced -%up through the electronics and then through the controlling software. -% -%Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program. -This paper takes, from the literature, new and emerging methodologies -for software FMEA, applies them to a simple example system, and then -reaches conclusions about the effectiveness and failure mode -coverage of the combined FMEA techniques. - -This paper presents a worked example of FMEA applied to an +This paper presents a simple worked example of FMMD applied to an integrated electronics/software system, the industry standard {\ft} signalling loop. % +} + + + +\section{Introduction} + %FMEA methodologies trace from the 1940's and were designed to %model simple electro-mechanical systems. % @@ -225,7 +238,7 @@ This paper is a condensed version of the PhD thesis entitled `failure Mode Modul %What FMEA is, briefly variants... -Failure Mode Effects Analysis is the process of taking +FMEA~\cite{iec60812} is the process of taking component failure modes, %and by reasoning, tracing their effects through a system and determining what system level failure modes could be caused. @@ -236,8 +249,7 @@ endurance and Electro Magnetic Compatibility (EMC) testing. % Theoretical, or `static~testing', is often also required. % -Failure Mode effects Analysis (FMEA)~\cite{iec60812} is a tool used -for static testing. +FMEA is a tool used for static testing. % For many types of safety critical system in the European Union, product design testing and FMEA is legally mandatory~\cite{en230,en298}. @@ -256,7 +268,7 @@ was designed. % \begin{itemize} % \item Deisgn FMEA (DFMEA) is FMEA applied at the design or approvals stage~\cite{en298, en230} % where the aim is to ensure that single component failures (at least) cannot -% cause unacceptable system level events~\cite{fmea}, +% cause unacceptable system level events~\cite{~\cite{iec60812}fmea}, % \item Failure Mode Effect Criticality Analysis (FMECA) is applied to determine the most potentially dangerous or damaging % failure modes to fix, using FMEA in conjunction with severity and failure probability figures~\cite{fmeca,mil1991,fmd91}, % \item Failure Mode Effects and Diagnostics Analysis, is FMEA peformed to @@ -435,15 +447,15 @@ on anything but a small hypothetical system. Because modern electronics has become more complex the number of basic components has risen dramatically. To add to this components used to fulfil common functions are often Integrated Circuits (ICs).. -Typical examples include voltage regulators, op-amps, micro-controller~\cite{pic18f2523}, memory modules and +Typical examples include voltage regulators, op-amps, micro-controllers~\cite{pic18f2523}, memory modules and protocol handlers~\cite{mcp2515}. To build any of these component from scratch would be very expensive and time consuming, but these IC `components' have very high internal transistor counts, and each have their own unique failure mode behaviour. -Modern electronics has already jumped the gun of the basic component failure mode mapped to +Thus modern electronics has already jumped the gun of the base component failure mode mapped to a system failure paradigm. -The automotive industry, because of mass production, must make products that are very safe but are -under financial pressure to keep their products affordable. +The automotive industry, because of mass production, must make products that are very safe but + financial pressure keeps their products affordable. % This leads to specialist firms producing modules, such as automatic braking systems, that are assembled to make a automobile. @@ -452,6 +464,8 @@ Performing failure analysis using the basic component single failure modes to system failure mapping, would be very difficult: this would require expert knowledge of the design behaviour and component types used in each module. % +\paragraph{Automotive SIL (ASIL) --- modularisation of FMEDA} +% The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as Automotive SIL (ASIL)~\cite{Kafka20122}. % Because of the modular approach forced on automotive designers @@ -461,6 +475,7 @@ This allows automotive designers to use pre-certified modules in their designs and applies broad statistical guidelines to achieving particular safety levels by use of redundancy and automated diagnostics etc. % +\paragraph{Indenture levels --- modularisation of FMECA} The US military standard for FMECA~\cite{fmeca}, describes a very broad modularity regime, that it terms `indenture' levels. Indenture levels are arranged from the top down and identify finer and finer grained modules. For instance, an aircraft @@ -468,12 +483,14 @@ may be the first indenture level, and the next may be an identifiable module suc an altitude radar: within that finer grained modules may be identified until the base components are listed. Note that this is a top down approach and this can introduce errors into the reliability calculations~\cite{MILSTD1629short}. - +% +\paragraph{Modularisation in Software} +% It is interesting to compare the development of FMEA methodologies with software. Software expanded in complexity faster than electronics, and to cope with this software languages developed modularity (function call trees, classes and finally distributed processing mechanisms). - -FMEA has had, by necessity, started to start to include some modular features, but none yet +% +FMEA has, by necessity, started to include some modular features but none yet have defined mechanisms for ensuring that all failure modes from a module must be considered in the analysis of the module(s) that incorporate it. @@ -492,17 +509,18 @@ a software call tree where the highest indenture levels would be its leaf functi % There is no equivalent of the software `class'. % -In the real world however there is, consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...} -modules connected by an industrial data bus~\cite{canspec, caninauto}. +In the real world however there are. +Off the shelf sensors can be purchased which communicate using standard protocols~\cite{Pfeiffer:2003:ENC:1199616}. % consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...} +%modules connected by an industrial data bus. % These not only typically have electrical and mechanical -components, they have a firmware and communication bus aspects. +components, they have a firmware and communication bus aspects~\cite{canspec, caninauto}. % These type of modules combine hardware, electronics, software, communications and distributed programming. % Current FMEA techniques struggle with software alone, and also, fail to integrate the analysis of hardware and software -systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa, sfmeainterface }. +systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa}. %, sfmeainterface }. % @@ -583,7 +601,7 @@ A summary of deficiencies in current FMEA methodologies is listed below: %\item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's, \item State explosion - %impossible very difficult/time consuming to perform FMEA exhaustively, %rigorously - \item Difficult to re-use previous analysis work, + \item Difficult to re-use previous analysis work~\cite{rudov2009language}, \item Very difficult to model simultaneous/multiple failures, \item Software and hardware models are separate (if the software is modelled at all) meaning the software interface may not be correctly modelled, %\item reasoning distance -- component failure to system level symptom process is undefined in regard @@ -609,9 +627,9 @@ in an improved FMEA methodology, \item avoid state explosion (i.e. XFMEA is impractical by hand~\cite{cbds}), \item encourage exhaustive checking within each modular, %(total failure coverage within {\fgs} all interacting component and failure modes checked), \item traceable reasoning inherent in system failure models,% to aid repeatability and checking, - \item re-usable i.e. it should be possible to re-use analysis~\cite{rudov2009language}, + \item re-usable i.e. it should be possible to re-use analysis, \item possibility to analyse simultaneous/multiple failures, - \item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}), + %\item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}), \item modular --- i.e. usable in a distributed system. % \item \end{itemize} @@ -620,24 +638,135 @@ in an improved FMEA methodology, \section{Proposed Methodology: Failure Mode Modular De-composition (FMMD)} +\section{The proposed Methodology} +\label{fmmdproc} +In essence, this methodology beginning with low level modules (or {\fgs}) +which are analysed and assigned a failure mode behaviour. +They are then considered as higher level components with +their own failure mode behaviour. These higher level components +are then collected to form {\fgs} and so on until a hierarchy is built +representing the entire system. - - - - - - - - -\paragraph{A more-complete Failure Mode Model} +% Any new static failure mode methodology must ensure that it +% represents all component failure modes and it therefore should be bottom-up, +% starting with individual component failure modes. +To ensure all component failure modes are modelled, the new methodology must be bottom-up. +% +%This seems essential to satisfy criterion 2. +%The proposed methodology is therefore a bottom-up process +A {\em {\fg}}, is defined as a small collection of components +that interact to provide +a function or task within a system. +% +Starting with base~components small {\fgs} are chosen and each component failure mode considered in the +context of the {\fg}. +% +%% GARK +% +The component failures are termed {\em{\fcs}}. %`test~cases'. +For each {\fc} +there will be a corresponding resultant failure, or `symptom', from the perspective of the {\fg}. +% +% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE +% +%From the perspective of the {\fg} failures of components will be symptoms. +It is conjectured that many symptoms will be common. That is to say +that component failures will often cause the same symptoms of failure +from the perspective of a {\fg}. +% +% +A common symptom collection stage is now applied. Here common symptoms are collected +from the results of the {\fcs}. +%Because it is possible to model combinations of failures, criterion 6 is satisfied. +% +With a collection of the {\fg} failure symptoms, we can create a {\em{\dc}}. +The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from. +%This satisfies criterion 4, as we can now treat {\dcs} as pre-analysed +%modules available for re-use. +% +% +By using {\dcs} in higher level functional groups, a hierarchy can be built representing +the failure mode behaviour of a system. Because the hierarchy maintains information +linking the symptoms to component failure modes (via {\fcs}). + +Reasoning connections from base component failures to top level failures can now be made +by tracing cause and effect though the hierarchy of modules. +%The traceability should satisfy criterion 5. +An advantage of performing FMEA in this modular way, is that the +{\fgs} are small in terms of the numbers of components. This means the $O(N^2)$ effect +of the reasoning distance is greatly reduced for the overall project. +This addresses the state explosion problem of XFMEA. +It also means that modules are re-usable (analogous to software classes). +% +% +A practical example of a hardware FMEA performed both traditionally and using FMMD may be found in~\cite{syssafe2011} +and examples of `reasoning~distance' efficiency savings can be found in~\cite{clark}[Ch.7]. +% +\paragraph{Integrating software into the FMMD model} +% +%With modular FMEA i.e. FMMD %(FMMD) +%the concepts of failure~modes +%of components, {\fgs} and symptoms of failure have been defined. % for a functional group. +% +A programmatic function has similar attributes to an FMMD {\fg}. % with these concepts. %a {\fg} as defined by the FMMD process. +% +An FMMD {\fg} is placed into a hierarchy, likewise +a software function is typically placed into the hierarchy of its call-tree. +% +A software function calls other functions and uses data sources %via hardware interaction +which could be viewed as its `components': +it has outputs, i.e. it can perform actions on data or hardware. +%which will be used by other functions that may call it. +% +It is shown below that a software function can be mapped to an FMMD {\fg}: its failure modes +are the failure modes of the software components %(other functions +it calls %) +and/or the hardware from which it reads values. +Its outputs are the data it changes, or the hardware actions it performs. +%% +%% Talk about how software specification will often say how hardware +%% will react and how to interpret readings---but they do not +%% always cover the failure modes of the hardware being interfaced too. +% +When a +software function has been analysed---using failure conditions of its inputs as a source of failure modes---its symptoms of failure +can be defined (i.e. how functions that call it will see its failure mode behaviour). +% +% +FMMD is applied to software functions by viewing functions in terms of their failure mode behaviour. +% +That is to say, using FMMD, software functions are treated like {\fgs} of electronic components. +% +% +As software already fits into a hierarchy, there one less analysis decision to make when compared +to analysing electronics. +% +For electrical and mechanical systems, although the original system designers +concepts of modularity and sub-systems in design may provide guidance, +applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy. + + + + + + + +% +% +% +% +%% +% +% +% +% +%% +% +% +% % -In order to obtain a more complete failure mode model of -a hybrid electronic/software system we need to analyse -the hardware, the software, the hardware the software runs on (i.e. the software's medium), -and the software/hardware interface. % -HFMEA is a well established technique and needs no further description in this paper. % \section{Example for analysis} % : How can we apply FMEA} %