diff --git a/fmmd_concept/fmmd_concept.tex b/fmmd_concept/fmmd_concept.tex index 9292187..051f339 100644 --- a/fmmd_concept/fmmd_concept.tex +++ b/fmmd_concept/fmmd_concept.tex @@ -75,13 +75,14 @@ There are four methodologies in common use for failure mode modelling. These are FTA, FMEA, FMECA and FMEDA (a form of statistical assessment). -These methodologies date from the 1940's onwards and have several draw backs and +These methodologies date from the 1940's onwards, and were designed for +different application areas and reasons; all have draw backs and advantages that are discussed in the next section. %In short %FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods %lack precision in predicting failure modes at the SYSTEM level. - +\paragraph{FMMD outline.} The Failure Mode Modular De-composition (FMMD) aims to address the weaknesses in these methodoligies and to add @@ -90,12 +91,15 @@ failure mode scenarios, and to allow modular re-use of analysis. %FMMD is an incremental bottom up FMEA process. +%% TERRIBLE PARAGRAPH The FMMD -methodology presented here provides a more detailed and analytical -modelling system which will create a more complete and detailed hierarchical failure mode model from which +methodology provides a detailed, hierarchical, incremental and analytical +modelling system which will create a failure mode model from which the data models from FTA, FMEA, FMECA and FMEDA (the statistical approach) can be -derived if required. An FMMD model is therefore a super set of all these models. -It also applies rigorous checking in all the analysis stages +derived if required. +An FMMD model is effectively a super set of all the four traditional models. +It also focuses on component interaction within the model. +In addition it applies rigorous checking in all the analysis stages ensuring that all component failure modes must be considered in the model. % 
@@ -109,21 +113,22 @@ paper { chapter } -presents the design considerations that determined +presents the design considerations that motivated and provided the specification for the FMMD methodology. -It first briefly reviews the four traditional +% +It first reviews the four traditional static failure mode analysis methodologies and lists their known weaknesses. A wish list is then drawn up addressing these weaknesses and adding some extra requirements. Using this wish list the philosophy for the new methodology is built up. % -FMMD works by working from the bottom up, taking small groups +FMMD works from the bottom up, taking small groups of components, {\fgs}, and then analysing how they can fail. This analysis is performed using FMEA from a micro rather than a macro perspective. Thus instead of looking at component failure modes and determining how they {\em may} cause a failure at SYSTEM level, we are looking at how -they {\em will} affect the {\fg}. +they {\em will} affect the components local {\fg}. When we know the failure modes of a {\fg} we can treat it as a `black box' or {\dc}. With {\dc}s we can build {\fgs} at higher levels of analysis, until we have a complete 
@@ -149,24 +154,36 @@ are held in a computer program, we can determine if the model is complete \subsection{General Comments on bottom-up and top down approaches} -\paragraph{A general defeciency in top-down systems analysis} +\paragraph{A general defeciency in top-down systems analysis.} With a top down approach the investigator has to determine -a set of undesirable outcomes or accidents. +a set of undesirable outcomes or `accidents'. As most accidents are unexpected and the causes unforseen \cite{safeware} it is fair to say that a top down approach is not guaranteed to predict all possible undesirable outcomes. It also can miss known component failure modes, by -simply not de-composing down to the base component failure mode level of detail. +simply not de-composing down to the base component failure level of detail. \paragraph{A general problem with bottom-up} With the bottom up techniques we have all the known component failure modes and the freedom to determine how each of these may affect the SYSTEM. -We do have a real prolem though in determining how -the failure mode of one component will affect another working component -to cause an undesirable state. Because of the number of components -our one failure mode may interact with is large, -we cannot consider them all and human judgement is used to -decide which interactions are important. +% +A problem with this is that a component typically +interacts in a complex way with several other functionally +adjacent components +% +To take a component failure mode and then attempt to tie that +to a SYSTEM level outcome is very difficult. +% +The difficulty lies in +% +%Because of +the number of components +our one failure mode may interact with is large. +% +We cannot consider all the components in the SYSTEM +when looking at a single failure mode, +and human judgement must be used to +decide which interactions could be important. 
Let N be the number of components in our system, and K be the average number of component failure modes (ways in which the component can fail). The total number of base component failure modes @@ -197,12 +214,13 @@ the equation reads $(N-2) \times (N-1) \times N \times K \times E$. The bottom-up methodologies FMEA, FMECA and FMEDA take single failure modes and link them to SYSTEM level failure modes. Because of the astronomical number of possible interactions, -some valid ones are in danger of being missed, we can term this analysis a `leap of faith' from the -component failure mode to the SYSTEM level. +some valid ones are in danger of being missed, we can term this analysis as a `leap~of~faith' +(i.e. leaping from from the +component failure mode to the SYSTEM level). -\paragraph{Ideal static failure mode methodology} +\paragraph{Ideal static failure mode methodology.} An ideal static failure mode methodology would build a failure mode model from which the traditional four models could be derived. It would address the short-comings in the other methodologies, and 
@@ -331,14 +349,11 @@ The following gives an outline of the procedure. he Statistical Analysis method is used from two perspectives, Probability of Failure on Demand (PFD), and Probability of Failure in continuous Operation, Failure in Time (FIT). -\paragraph{Failure in Time (FIT)}. - -Continuous operation is measured in failures per billion ($10^9$) hours of operation. +\paragraph{Failure in Time (FIT).} Continuous operation is measured in failures per billion ($10^9$) hours of operation. For a continuously running nuclear powerstation we would be interested in its operational FIT values. -\paragraph{Probability of Failure on Demand (PFD)}. -For instance with the anti-lock system on a automobile braking +\paragraph{Probability of Failure on Demand (PFD).} For instance with the anti-lock system on a automobile braking system, we would be interested in PFD. That is to say the ratio of it failing to succeeding on demand. @@ -474,7 +489,7 @@ model can be implemented on a spreadsheet, where each component has a calculated risk, a fault detection time (if any), an estimated risk importance and other factors such as de-rating and environmental stress. With one component failure mode per row, -all the statistical factors for SIL rating can be produced. +all the statistical factors for SIL rating can be produced\footnote{A SIL rating will apply to an installed plant, i.e. A complete SYSTEM. SIL ratings for individual components or sub-systems are meaningless, and the nearest equivalent would be the FIT/PFD and SFF and diagnostic coverage figures}. 
@@ -602,7 +617,7 @@ this methodology must start at the bottom, with base component failure modes. In this way automated checking can be applied to all component failure modes to ensure none have been inadvertently excluded from the process. -\paragraph{Problem with functional group hierarchy} +\paragraph{Problem with functional group hierarchy.} A hierarchy of functional grouping, leading to a system model still leaves us with the problem of the number of component failure modes. The base components will typically have several failure modes each.
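Review bot: In the @@ -75 hunk the added line "all have draw backs and advantages" keeps the typo "draw backs" (one word, "drawbacks"), and "1940's" should be "1940s". While this paragraph is being touched, the unchanged "methodoligies" two lines below the new `\paragraph{FMMD outline.}` heading is also misspelled ("methodologies"). Suggest: "These methodologies date from the 1940s onwards, and were designed for different application areas and reasons; all have drawbacks and advantages that are discussed in the next section."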
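Review bot: The @@ -90 hunk commits a `%% TERRIBLE PARAGRAPH` marker, which is a private note rather than documentation; either resolve it in this change or use the file's usual todo convention so it does not survive into the final text. In the rewritten paragraph, "super set" should be "superset", "all the four traditional models" reads better as "all four traditional models", and the new sentence "It also focuses on component interaction within the model." is vague: state which interaction is meant (failure-mode interaction between components of a functional group, as the later paragraphs describe) so it does not read as filler.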
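Review bot: In the @@ -109 hunk, "they {\em will} affect the components local {\fg}" needs a possessive: "the component's local {\fg}". The rewritten opening "design considerations that motivated and provided the specification for the FMMD methodology" coordinates two verbs that take different objects; suggest "design considerations that motivated the FMMD methodology and provided its specification". The change from "works by working from the bottom up" to "works from the bottom up" is a clear improvement.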
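Review bot: The @@ -149 hunk leaves two sentences broken. "A problem with this is that a component typically interacts in a complex way with several other functionally adjacent components" has no terminating period before the following `%` line, and "The difficulty lies in % %Because of the number of components our one failure mode may interact with is large." does not parse once the comment lines are stripped ("The difficulty lies in the number of components ... is large."). Suggest: "The difficulty lies in the number of components that a single failure mode may interact with." The heading edit adds a period but keeps the misspelling "defeciency" ("deficiency"), the sibling heading `\paragraph{A general problem with bottom-up}` is left without the trailing period this change introduces elsewhere, and the unchanged context "unforseen" should be "unforeseen".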
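Review bot: In the @@ -197 hunk, "leaping from from the component failure mode" duplicates "from". "term this analysis as a `leap~of~faith'" is also non-idiomatic; the original "term this analysis a" was correct, so only the parenthetical gloss needed adding. The sentence as a whole is a comma splice ("...some valid ones are in danger of being missed, we can term..."); splitting it fixes both: "...in danger of being missed. We can therefore term this analysis a `leap~of~faith' (i.e. leaping from the component failure mode to the SYSTEM level)."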
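Review bot: Moving the period inside `\paragraph{Failure in Time (FIT).}` and `\paragraph{Probability of Failure on Demand (PFD).}` in the @@ -331 hunk is correct; the old `}.` left a stray period after the run-in heading. The context lines of the same hunk still carry "he Statistical Analysis method" (dropped "T") and "a automobile" ("an automobile"), which are worth fixing while here.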
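Review bot: The footnote added in the @@ -474 hunk has no terminating period and capitalises "A" after "i.e." mid-sentence ("i.e. a complete SYSTEM"). The claim that SIL ratings for individual components or sub-systems are "meaningless" is asserted without support; either cite the standard the chapter relies on or soften the wording. "SFF" appears here for the first time in the visible text and should be expanded on first use if it is not defined earlier in the file.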