robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

work from yesterday lunchtime

Browse Source
This commit is contained in:
Robin P. Clark 2014-08-13 10:48:05 +01:00
parent 2b5a98ea35
commit 4c87f0cd45
2 changed files with 197 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
mybib.bib
View File

@ -972,6 +972,17 @@ keywords={control engineering computing;control systems;failure analysis;formal
doi={10.1109/HASE.2011.10},
ISSN={1530-2059},}
BibTeX | EndNote | ACM Ref
@book{Pfeiffer:2003:ENC:1199616,
author = {Pfeiffer, Olaf and Ayre, Andrew and Keydel, Christian},
title = {Embedded Networking with CAN and CANopen},
year = {2003},
isbn = {0929392787},
publisher = {Annabooks},
}
@PHDTHESIS{clark,
AUTHOR = "Robin Clark",

243
papers/JOURNAL_fmea_sw_hw/sw_hw_fmea.tex
View File

@ -119,36 +119,49 @@ failure mode of the component or sub-system}}}
\abstract{ % \em
%\input{abs}
%The certification process of safety critical products for European and
%other international standards often demand environmental stress,
%endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
%is often also required.
%
%Failure Mode Effects Analysis (FMEA), is a bottom-up technique that aims to assess the effect all
%component failure modes on a system.
%It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products.
%FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems.
%
%Work on software FMEA (SFMEA) is beginning, but
%at present no technique for SFMEA that
%integrates hardware and software models % known to the authors
%exists.
The certification process of safety critical products for European and
other international standards often demand environmental stress,
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
is often also required.
Failure Mode Effects Analysis (FMEA)~\cite{iec60812}, is a bottom-up technique that aims to assess the effect all
component failure modes on a system.
It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products.
FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems.
This paper discusses the benefits and drawback of current
FMEA techniques and then proposes a modular FMEA methodology, Failure Mode Modular De-Composition (FMMD)~\cite{clark}
that has the advantages of traceable failure modes through the model
hierarchy, increases test effeciency and has
the ability to model integrated hardware and software systems.
% Work on software FMEA (SFMEA) is beginning, but
% at present no technique for SFMEA that
% integrates hardware and software models % known to the authors
% exists.
% %
%
% %
% %Failure modes in components in say a sensor, could be traced
% %up through the electronics and then through the controlling software.
% %
% %Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program.
% This paper takes, from the literature, new and emerging methodologies
% for software FMEA, applies them to a simple example system, and then
% reaches conclusions about the effectiveness and failure mode
% coverage of the combined FMEA techniques.
%
%Failure modes in components in say a sensor, could be traced
%up through the electronics and then through the controlling software.
%
%Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program.
This paper takes, from the literature, new and emerging methodologies
for software FMEA, applies them to a simple example system, and then
reaches conclusions about the effectiveness and failure mode
coverage of the combined FMEA techniques.
This paper presents a worked example of FMEA applied to an
This paper presents a simple worked example of FMMD applied to an
integrated electronics/software system, the industry standard
{\ft} signalling loop.
%
}
\section{Introduction}
%FMEA methodologies trace from the 1940's and were designed to
%model simple electro-mechanical systems.
%
@ -225,7 +238,7 @@ This paper is a condensed version of the PhD thesis entitled `failure Mode Modul
%What FMEA is, briefly variants...
Failure Mode Effects Analysis is the process of taking
FMEA~\cite{iec60812} is the process of taking
component failure modes, %and by reasoning,
tracing their effects through a system
and determining what system level failure modes could be caused.
@ -236,8 +249,7 @@ endurance and Electro Magnetic Compatibility (EMC) testing.
%
Theoretical, or `static~testing', is often also required.
%
Failure Mode effects Analysis (FMEA)~\cite{iec60812} is a tool used
for static testing.
FMEA is a tool used for static testing.
%
For many types of safety critical system in the European Union, product design testing and FMEA
is legally mandatory~\cite{en230,en298}.
@ -256,7 +268,7 @@ was designed.
% \begin{itemize}
% \item Deisgn FMEA (DFMEA) is FMEA applied at the design or approvals stage~\cite{en298, en230}
% where the aim is to ensure that single component failures (at least) cannot
% cause unacceptable system level events~\cite{fmea},
% cause unacceptable system level events~\cite{~\cite{iec60812}fmea},
% \item Failure Mode Effect Criticality Analysis (FMECA) is applied to determine the most potentially dangerous or damaging
% failure modes to fix, using FMEA in conjunction with severity and failure probability figures~\cite{fmeca,mil1991,fmd91},
% \item Failure Mode Effects and Diagnostics Analysis, is FMEA peformed to
@ -435,15 +447,15 @@ on anything but a small hypothetical system.
Because modern electronics has become more complex the number
of basic components has risen dramatically.
To add to this components used to fulfil common functions are often Integrated Circuits (ICs)..
Typical examples include voltage regulators, op-amps, micro-controller~\cite{pic18f2523}, memory modules and
Typical examples include voltage regulators, op-amps, micro-controllers~\cite{pic18f2523}, memory modules and
protocol handlers~\cite{mcp2515}. To build any of these component from scratch would be very expensive and time consuming,
but these IC `components' have very high internal transistor counts, and each have their own unique
failure mode behaviour.
Modern electronics has already jumped the gun of the basic component failure mode mapped to
Thus modern electronics has already jumped the gun of the base component failure mode mapped to
a system failure paradigm.
The automotive industry, because of mass production, must make products that are very safe but are
under financial pressure to keep their products affordable.
The automotive industry, because of mass production, must make products that are very safe but
financial pressure keeps their products affordable.
%
This leads to specialist firms producing modules, such as automatic braking systems,
that are assembled to make a automobile.
@ -452,6 +464,8 @@ Performing failure analysis using the basic component single failure modes to
system failure mapping, would be very difficult: this would require expert knowledge
of the design behaviour and component types used in each module.
%
\paragraph{Automotive SIL (ASIL) --- modularisation of FMEDA}
%
The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as Automotive SIL (ASIL)~\cite{Kafka20122}.
%
Because of the modular approach forced on automotive designers
@ -461,6 +475,7 @@ This allows automotive designers to use pre-certified modules in their designs
and applies broad statistical guidelines to achieving particular safety levels by
use of redundancy and automated diagnostics etc.
%
\paragraph{Indenture levels --- modularisation of FMECA}
The US military standard for FMECA~\cite{fmeca}, describes a very broad modularity regime, that
it terms `indenture' levels. Indenture levels are arranged from the top down
and identify finer and finer grained modules. For instance, an aircraft
@ -468,12 +483,14 @@ may be the first indenture level, and the next may be an identifiable module suc
an altitude radar: within that finer grained modules may be identified until
the base components are listed. Note that this is a top down approach and
this can introduce errors into the reliability calculations~\cite{MILSTD1629short}.
%
\paragraph{Modularisation in Software}
%
It is interesting to compare the development of FMEA methodologies with software.
Software expanded in complexity faster than electronics,
and to cope with this software languages developed modularity (function call trees, classes and finally distributed processing mechanisms).
FMEA has had, by necessity, started to start to include some modular features, but none yet
%
FMEA has, by necessity, started to include some modular features but none yet
have defined mechanisms for ensuring that all failure modes
from a module must be considered in the analysis of the module(s)
that incorporate it.
@ -492,17 +509,18 @@ a software call tree where the highest indenture levels would be its leaf functi
%
There is no equivalent of the software `class'.
%
In the real world however there is, consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...}
modules connected by an industrial data bus~\cite{canspec, caninauto}.
In the real world however there are.
Off the shelf sensors can be purchased which communicate using standard protocols~\cite{Pfeiffer:2003:ENC:1199616}. % consider CANOpen standard sensors, these are%~\footnote{CANopen sensors...}
%modules connected by an industrial data bus.
%
These not only typically have electrical and mechanical
components, they have a firmware and communication bus aspects.
components, they have a firmware and communication bus aspects~\cite{canspec, caninauto}.
%
These type of modules combine hardware, electronics, software, communications
and distributed programming.
%
Current FMEA techniques struggle with software alone, and also, fail to integrate the analysis of hardware and software
systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa, sfmeainterface }.
systems~\cite{sfmea, embedsfmea, modelsfmea, sfmeaa}. %, sfmeainterface }.
%
@ -583,7 +601,7 @@ A summary of deficiencies in current FMEA methodologies is listed below:
%\item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's,
\item State explosion - %impossible
very difficult/time consuming to perform FMEA exhaustively, %rigorously
\item Difficult to re-use previous analysis work,
\item Difficult to re-use previous analysis work~\cite{rudov2009language},
\item Very difficult to model simultaneous/multiple failures,
\item Software and hardware models are separate (if the software is modelled at all) meaning the software interface may not be correctly modelled,
%\item reasoning distance -- component failure to system level symptom process is undefined in regard
@ -609,9 +627,9 @@ in an improved FMEA methodology,
\item avoid state explosion (i.e. XFMEA is impractical by hand~\cite{cbds}),
\item encourage exhaustive checking within each modular, %(total failure coverage within {\fgs} all interacting component and failure modes checked),
\item traceable reasoning inherent in system failure models,% to aid repeatability and checking,
\item re-usable i.e. it should be possible to re-use analysis~\cite{rudov2009language},
\item re-usable i.e. it should be possible to re-use analysis,
\item possibility to analyse simultaneous/multiple failures,
\item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}),
%\item one to one mapping from {\bc} {\fms} to system level failures (see section~\ref{sec:onetoone}),
\item modular --- i.e. usable in a distributed system.
% \item
\end{itemize}
@ -620,24 +638,135 @@ in an improved FMEA methodology,
\section{Proposed Methodology: Failure Mode Modular De-composition (FMMD)}
\section{The proposed Methodology}
\label{fmmdproc}
In essence, this methodology beginning with low level modules (or {\fgs})
which are analysed and assigned a failure mode behaviour.
They are then considered as higher level components with
their own failure mode behaviour. These higher level components
are then collected to form {\fgs} and so on until a hierarchy is built
representing the entire system.
\paragraph{A more-complete Failure Mode Model}
% Any new static failure mode methodology must ensure that it
% represents all component failure modes and it therefore should be bottom-up,
% starting with individual component failure modes.
To ensure all component failure modes are modelled, the new methodology must be bottom-up.
%
%This seems essential to satisfy criterion 2.
%The proposed methodology is therefore a bottom-up process
A {\em {\fg}}, is defined as a small collection of components
that interact to provide
a function or task within a system.
%
Starting with base~components small {\fgs} are chosen and each component failure mode considered in the
context of the {\fg}.
%
%% GARK
%
The component failures are termed {\em{\fcs}}. %`test~cases'.
For each {\fc}
there will be a corresponding resultant failure, or `symptom', from the perspective of the {\fg}.
%
% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
%
%From the perspective of the {\fg} failures of components will be symptoms.
It is conjectured that many symptoms will be common. That is to say
that component failures will often cause the same symptoms of failure
from the perspective of a {\fg}.
%
%
A common symptom collection stage is now applied. Here common symptoms are collected
from the results of the {\fcs}.
%Because it is possible to model combinations of failures, criterion 6 is satisfied.
%
With a collection of the {\fg} failure symptoms, we can create a {\em{\dc}}.
The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
%This satisfies criterion 4, as we can now treat {\dcs} as pre-analysed
%modules available for re-use.
%
%
By using {\dcs} in higher level functional groups, a hierarchy can be built representing
the failure mode behaviour of a system. Because the hierarchy maintains information
linking the symptoms to component failure modes (via {\fcs}).
Reasoning connections from base component failures to top level failures can now be made
by tracing cause and effect though the hierarchy of modules.
%The traceability should satisfy criterion 5.
An advantage of performing FMEA in this modular way, is that the
{\fgs} are small in terms of the numbers of components. This means the $O(N^2)$ effect
of the reasoning distance is greatly reduced for the overall project.
This addresses the state explosion problem of XFMEA.
It also means that modules are re-usable (analogous to software classes).
%
%
A practical example of a hardware FMEA performed both traditionally and using FMMD may be found in~\cite{syssafe2011}
and examples of `reasoning~distance' efficiency savings can be found in~\cite{clark}[Ch.7].
%
\paragraph{Integrating software into the FMMD model}
%
%With modular FMEA i.e. FMMD %(FMMD)
%the concepts of failure~modes
%of components, {\fgs} and symptoms of failure have been defined. % for a functional group.
%
A programmatic function has similar attributes to an FMMD {\fg}. % with these concepts. %a {\fg} as defined by the FMMD process.
%
An FMMD {\fg} is placed into a hierarchy, likewise
a software function is typically placed into the hierarchy of its call-tree.
%
A software function calls other functions and uses data sources %via hardware interaction
which could be viewed as its `components':
it has outputs, i.e. it can perform actions on data or hardware.
%which will be used by other functions that may call it.
%
It is shown below that a software function can be mapped to an FMMD {\fg}: its failure modes
are the failure modes of the software components %(other functions
it calls %)
and/or the hardware from which it reads values.
Its outputs are the data it changes, or the hardware actions it performs.
%%
%% Talk about how software specification will often say how hardware
%% will react and how to interpret readings---but they do not
%% always cover the failure modes of the hardware being interfaced too.
%
When a
software function has been analysed---using failure conditions of its inputs as a source of failure modes---its symptoms of failure
can be defined (i.e. how functions that call it will see its failure mode behaviour).
%
%
FMMD is applied to software functions by viewing functions in terms of their failure mode behaviour.
%
That is to say, using FMMD, software functions are treated like {\fgs} of electronic components.
%
%
As software already fits into a hierarchy, there one less analysis decision to make when compared
to analysing electronics.
%
For electrical and mechanical systems, although the original system designers
concepts of modularity and sub-systems in design may provide guidance,
applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy.
%
%
%
%
%%
%
%
%
%
%%
%
%
%
%
In order to obtain a more complete failure mode model of
a hybrid electronic/software system we need to analyse
the hardware, the software, the hardware the software runs on (i.e. the software's medium),
and the software/hardware interface.
%
HFMEA is a well established technique and needs no further description in this paper.
%
\section{Example for analysis} % : How can we apply FMEA}
%