work from yesterday lunchtime

2014-08-13 10:48:05 +01:00 · 2014-08-13 10:48:05 +01:00 · 4c87f0cd45
commit 4c87f0cd45
parent 2b5a98ea35
2 changed files with 197 additions and 57 deletions
--- a/mybib.bib
+++ b/mybib.bib
@ -972,6 +972,17 @@ keywords={control engineering computing;control systems;failure analysis;formal
 doi={10.1109/HASE.2011.10},
 ISSN={1530-2059},}
 BibTeX | EndNote | ACM Ref
@book{Pfeiffer:2003:ENC:1199616,
 author = {Pfeiffer, Olaf and Ayre, Andrew and Keydel, Christian},
 title = {Embedded Networking with CAN and CANopen},
 year = {2003},
 isbn = {0929392787},
 publisher = {Annabooks},
 } 
@PHDTHESIS{clark,
    AUTHOR = "Robin Clark",
--- a/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex
+++ b/papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex
@ -119,36 +119,49 @@ failure mode of the component or sub-system}}}
 \abstract{ % \em 
 %\input{abs}
-%The certification process of safety critical products for European and 
+The certification process of safety critical products for European and 
-%other international standards often demand environmental stress, 
+other international standards often demand environmental stress, 
-%endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
+endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
-%is often also required. 
+is often also required. 
-%
+
-%Failure Mode Effects Analysis (FMEA), is a bottom-up technique that aims to assess the effect all
+Failure Mode Effects Analysis (FMEA)~\cite{iec60812}, is a bottom-up technique that aims to assess the effect all
-%component failure modes on a system.
+component failure modes on a system.
-%It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products.
+It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products.
-%FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems.
+FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems.
-% 
+
 This paper discusses the benefits and drawback of current
 FMEA techniques and then proposes a modular FMEA methodology, Failure Mode Modular De-Composition (FMMD)~\cite{clark}
 that has the advantages of traceable failure modes through the model
 hierarchy, increases test effeciency and has
 the ability to model integrated hardware and software systems.
 % Work on software FMEA (SFMEA) is beginning, but
 % at present no technique for SFMEA that
 % integrates hardware and software models % known to the authors 
 % exists.
 % %
 % 
-%Failure modes in components in say a sensor, could be traced
+% %
-%up through the electronics and then through the controlling software.
+% %Failure modes in components in say a sensor, could be traced
-%
+% %up through the electronics and then through the controlling software.
-%Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program.
+% %
-This paper takes, from the literature, new and emerging methodologies
+% %Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program.
-for software FMEA, applies them to a simple example system, and then
+% This paper takes, from the literature, new and emerging methodologies
-reaches conclusions about the effectiveness and failure mode
+% for software FMEA, applies them to a simple example system, and then
-coverage of the combined FMEA techniques.
+% reaches conclusions about the effectiveness and failure mode
 % coverage of the combined FMEA techniques.
-This paper presents a worked example of FMEA applied to an 
+This paper presents a simple worked example of FMMD applied to an 
 integrated electronics/software system, the industry standard
 {\ft} signalling loop.
 %
 }
 \section{Introduction}
 %FMEA methodologies trace from the  1940's and were designed to
 %model simple electro-mechanical systems.
 %
@ -225,7 +238,7 @@ This paper is a condensed version of the PhD thesis entitled `failure Mode Modul
 %What FMEA is, briefly variants...
-Failure Mode Effects Analysis is the process of taking 
+FMEA~\cite{iec60812} is the process of taking 
 component failure modes, %and by reasoning, 
 tracing their effects through a system
 and determining what system level failure modes could be caused.
@ -236,8 +249,7 @@ endurance and Electro Magnetic Compatibility (EMC) testing.
 %
 Theoretical, or `static~testing', is often also required. 
 %
-Failure Mode effects Analysis (FMEA)~\cite{iec60812} is a tool used
+FMEA is a tool used for static testing. 
 for static testing. 
 %
 For many types of safety critical system in the European Union, product design testing and FMEA
 is legally mandatory~\cite{en230,en298}.
@ -256,7 +268,7 @@ was designed.
 % \begin{itemize}
 %  \item Deisgn FMEA (DFMEA) is FMEA applied at the design or approvals stage~\cite{en298, en230}
 % where the aim is to ensure that single component failures (at least) cannot 
-% cause unacceptable system level events~\cite{fmea},
+% cause unacceptable system level events~\cite{~\cite{iec60812}fmea},
 %  \item Failure Mode Effect Criticality Analysis (FMECA)  is applied to determine the most potentially dangerous or damaging
 % failure modes to fix, using FMEA in conjunction with severity and failure probability figures~\cite{fmeca,mil1991,fmd91},
 %  \item Failure Mode Effects and Diagnostics Analysis, is FMEA peformed to
@ -435,15 +447,15 @@ on anything but a small hypothetical system.
 Because modern electronics has become more complex the number 
 of basic components has risen dramatically.
 To add to this components used to fulfil common functions are often Integrated Circuits (ICs).. 
-Typical examples include  voltage regulators, op-amps, micro-controller~\cite{pic18f2523}, memory modules and
+Typical examples include  voltage regulators, op-amps, micro-controllers~\cite{pic18f2523}, memory modules and
 protocol handlers~\cite{mcp2515}. To build any of these component from scratch would be very expensive and time consuming, 
 but these IC `components' have very high internal transistor counts, and each have their own unique
 failure mode behaviour.
-Modern electronics has already jumped the gun of the basic component failure mode mapped to
+Thus modern electronics has already jumped the gun of the base component failure mode mapped to
 a system failure paradigm.
-The automotive industry, because of mass production, must make products that are very safe but are
+The automotive industry, because of mass production, must make products that are very safe but  
-under financial pressure to keep their products affordable.
+ financial pressure   keeps their products affordable.
 %
 This leads to specialist firms producing modules, such as automatic braking systems, 
 that are assembled to make a automobile.
@ -452,6 +464,8 @@ Performing failure analysis using the basic component single failure modes to
 system failure mapping, would be very difficult: this would require expert knowledge
 of the design behaviour and component types used in each module.
 %
 \paragraph{Automotive SIL (ASIL) --- modularisation of FMEDA}
 %
 The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as Automotive SIL (ASIL)~\cite{Kafka20122}.
 %
 Because of the modular approach  forced on automotive  designers  
@ -461,6 +475,7 @@ This allows automotive designers to use pre-certified modules in their designs
 and applies broad statistical guidelines to achieving particular safety levels by
 use of redundancy and automated diagnostics etc.
 %
 \paragraph{Indenture levels --- modularisation of FMECA}
 The US military standard for FMECA~\cite{fmeca}, describes a very broad modularity regime, that
 it terms `indenture' levels. Indenture levels are arranged from the top down
 and identify finer and finer grained modules. For instance, an aircraft
@ -468,12 +483,14 @@ may be the first indenture level, and the next may be an identifiable module suc
 an altitude radar: within that finer grained modules may be identified until
 the base components are listed. Note that this is a top down approach and 
 this can introduce errors into the reliability calculations~\cite{MILSTD1629short}.
-
+%
 \paragraph{Modularisation in Software}
 %
 It is interesting to compare the development of FMEA methodologies with software.
 Software expanded in complexity faster than electronics,
 and to cope with this software languages developed modularity (function call trees, classes and finally distributed processing mechanisms).
-
+%
-FMEA has had, by necessity, started to start to include some modular features, but none yet
+FMEA has, by necessity, started to include some modular features but none yet
 have defined mechanisms for ensuring that all failure modes
 from a module must be considered in the analysis of the module(s)
 that incorporate it.
@ -492,17 +509,18 @@ a software call tree where the highest indenture levels would be its leaf functi
 %
 There is no equivalent of the software `class'.
 %
-In the real world however there is, consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...}
+In the real world however there are.
-modules connected by an industrial data bus~\cite{canspec, caninauto}. 
+Off the shelf sensors can be purchased which communicate using standard protocols~\cite{Pfeiffer:2003:ENC:1199616}. % consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...}
 %modules connected by an industrial data bus. 
 %
 These not only typically have electrical and mechanical 
-components, they have a firmware and communication bus aspects.
+components, they have a firmware and communication bus aspects~\cite{canspec, caninauto}.
 %
 These type of modules combine hardware, electronics, software, communications
 and distributed programming.
 %
 Current FMEA techniques struggle with software alone, and also, fail to integrate the analysis of hardware and software
-systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa, sfmeainterface }.
+systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa}. %, sfmeainterface }.
 %
@ -583,7 +601,7 @@ A summary of deficiencies in current FMEA methodologies is listed below:
   %\item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's,
   \item State explosion - %impossible 
   very difficult/time consuming to perform FMEA exhaustively, %rigorously
-   \item Difficult to re-use previous analysis work,
+   \item Difficult to re-use previous analysis work~\cite{rudov2009language},
   \item Very difficult to model simultaneous/multiple failures,
   \item Software and hardware models are separate (if the software is modelled at all) meaning the software interface may not be correctly modelled,
   %\item reasoning distance -- component failure to system level symptom process is undefined in regard 
@ -609,9 +627,9 @@ in an improved FMEA methodology,
    \item avoid state explosion (i.e. XFMEA is impractical by hand~\cite{cbds}),  
    \item encourage exhaustive checking within each modular, %(total failure coverage within {\fgs} all interacting component and failure modes checked),
    \item traceable reasoning inherent in system failure models,% to aid repeatability and checking,  
-    \item re-usable i.e. it should be possible to re-use analysis~\cite{rudov2009language},
+    \item re-usable i.e. it should be possible to re-use analysis,
    \item possibility to analyse simultaneous/multiple failures, 
-    \item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}),
+    %\item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}),
    \item modular --- i.e. usable in a distributed system.
  % \item  
 \end{itemize}
@ -620,24 +638,135 @@ in an improved FMEA methodology,
 \section{Proposed Methodology: Failure Mode Modular De-composition (FMMD)}
 \section{The proposed Methodology}
 \label{fmmdproc}
 In essence, this methodology beginning with low level modules (or {\fgs})
 which are analysed and assigned a failure mode behaviour.
 They are then considered as higher level components with
 their own failure mode behaviour. These higher level components 
 are then collected to form {\fgs} and so on until a hierarchy is built
 representing the entire system.
-
+% Any new static failure mode methodology must ensure that it 
-
+% represents all component failure modes and it therefore should be bottom-up, 
-
+% starting with individual component failure modes.
-
+To ensure all component failure modes are modelled, the new methodology must be bottom-up.
-
+%
-
+%This seems essential to satisfy criterion 2.
-
+%The proposed methodology is therefore a bottom-up process
-
+A {\em {\fg}}, is defined as a small collection of components
-\paragraph{A more-complete Failure Mode Model}
+that interact to provide
 a function or task within a system.
 %
 Starting with base~components small {\fgs} are chosen and each component failure mode considered in the 
 context of the {\fg}.
 %
 %% GARK
 %
 The component failures are termed {\em{\fcs}}. %`test~cases'. 
 For each {\fc}
 there will be a corresponding resultant failure, or `symptom', from the perspective of the {\fg}.
 %
 % MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
 %
 %From the perspective of the {\fg} failures of components will be symptoms.
 It is conjectured that many symptoms will be common. That is to say
 that component failures will often cause the same symptoms of failure
 from the perspective of a {\fg}.
 %
 %
 A common symptom collection stage is now applied. Here common symptoms are collected
 from the results of the {\fcs}. 
 %Because it is possible to model combinations of failures, criterion 6 is satisfied.
 %
 With a collection of the {\fg} failure symptoms, we can create a {\em{\dc}}.
 The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
 %This satisfies criterion 4, as we can now treat {\dcs} as pre-analysed
 %modules available for re-use.
 %
 %
 By using {\dcs} in higher level functional groups, a hierarchy can be built representing
 the failure mode behaviour of a system. Because the hierarchy maintains information 
 linking the symptoms  to component failure modes (via {\fcs}).
 Reasoning connections from base component failures to top level failures can now be made
 by tracing cause and effect though the hierarchy of modules.
 %The traceability should satisfy criterion 5.
 An advantage of performing FMEA in this modular way, is that the 
 {\fgs} are small in terms of the numbers of components. This means the $O(N^2)$ effect
 of the reasoning distance is greatly reduced for the overall project.
 This addresses the state explosion problem of XFMEA.
 It also means that modules are re-usable (analogous to software classes).
 %
 %
 A practical example of a hardware FMEA performed both traditionally and using FMMD may be found in~\cite{syssafe2011}
 and examples of `reasoning~distance' efficiency savings can be found in~\cite{clark}[Ch.7].
 % 
 \paragraph{Integrating software into the FMMD model}
 %
 %With modular FMEA i.e. FMMD %(FMMD) 
 %the concepts of failure~modes
 %of components, {\fgs} and symptoms of failure have been defined. % for a functional group.
 %
 A  programmatic function has similar attributes to an FMMD {\fg}. % with these concepts. %a {\fg} as defined by the FMMD process.
 %
 An FMMD {\fg} is placed into a hierarchy, likewise
 a software function is typically placed into the  hierarchy of its call-tree.
 %
 A software function calls other functions and uses data sources %via hardware interaction
 which could be viewed as its `components':
 it has outputs, i.e. it can perform actions  on data or hardware.
 %which will be used by other functions that may call it.
 %
 It is shown below that a software function can be mapped to an FMMD {\fg}: its failure modes
 are the failure modes of the software components %(other functions 
 it calls %)
 and/or the hardware from which it reads values.
 Its outputs are the data it changes, or the hardware actions it performs.
 %%
 %% Talk about how software specification will often say how hardware
 %% will react and how to interpret readings---but they do not
 %% always cover the failure modes of the hardware being interfaced too.
 %
 When  a 
 software function has been analysed---using failure conditions of its inputs as a source of failure modes---its symptoms of failure
 can be defined (i.e. how functions that call it will see its failure mode behaviour).
 %
 %
 FMMD is applied to software functions by viewing functions in terms of their failure mode behaviour. 
 %
 That is to say, using FMMD,  software functions are treated like {\fgs} of electronic components.
 %
 %
 As software already fits into a hierarchy, there one less analysis decision to make when compared
 to analysing electronics. 
 %
 For electrical and mechanical systems, although the original system designers
 concepts of modularity and sub-systems in design may provide guidance,
 applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy. 
 %
 %
 %
 %
 %%
 %
 %
 %
 %
 %%
 %
 %
 %
 %
 In order to obtain a more complete failure mode model of 
 a hybrid electronic/software system we need to analyse 
 the hardware, the software, the hardware the software runs on (i.e. the software's medium),
 and the software/hardware interface.
 %
 HFMEA is a well established technique and needs no further description in this paper.
 %
 \section{Example for analysis} % : How can we apply FMEA}
 %