Reasoning distance concept added
parent
469b8b6f8f
commit
6ec06b5223
@ -65,8 +65,8 @@ failure mode of the component or sub-system}}}
\abstract{
The certification process of safety critical products for European and
other international standards often involve environmental stress,
endurance and EMC testing. Theoretical, or 'static testing',
is often also required to highlight modifications that must be made to
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
is often also required. In general this will reveal modifications that must be made to
improve the product safety, or identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of safety critical systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
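Review bot: subject-verb agreement on the first line of the abstract: "The certification process ... often involve" should read "often involves". Since this hunk rewrites the same sentence, the new expansion "Electro Magnetic Compatibility (EMC)" should also use the conventional spelling; suggest `other international standards often involves environmental stress,` and `endurance and Electromagnetic Compatibility (EMC) testing. Theoretical, or 'static testing',`.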
@ -158,7 +158,7 @@ via self checking statistical mitigation.
\paragraph{Top Down approach} The top down technique FTA, introduces the possibility of missing base component
level failure modes~\cite{faa}[Ch.9]. Also one FTA treee is drawn for each top level
event, leading to repreated work, with limitied ability for cross checking.
event, leading to repreated work, with limitied ability for cross checking/model validation.
\paragraph{State Explosion problem}
The bottom -up techniques all suffer from a problem of state explosion.
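Review bot: the rewritten line keeps three typos from the line it replaces ("treee", "repreated", "limitied"); suggest `event, leading to repeated work, with limited ability for cross checking/model validation.` together with `level failure modes~\cite[Ch.9]{faa}. Also one FTA tree is drawn for each top level`, because `\cite{faa}[Ch.9]` places the chapter outside the citation as literal text (the optional argument of \cite goes before the key). In the following paragraph "bottom -up" has a stray space and should be "bottom-up".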
@ -187,11 +187,22 @@ To look in detail at a half of a million test cases is obviously impractical.
% current methodologies are used to establish criteria for an improved methodology.
\paragraph{Reasoning distance - complexity and reachability}
Tracing a component level failure up to a top level event, without rigour involving state explosion, involves
working heuistically. A base component failure will typically
be concepually removed by several stages from a top level event.
The reasoning distance can be determined by the number of components
Tracing a component level failure up to a top level event, without the rigour accompanying state explosion, involves
working heuristically. A base component failure will typically
be conceptually removed by several stages from a top level event.
The `reasoning~distance' $R_D$ can be calculated by summing the number of components
involved, multiplied by the number of failure modes in each component,
that must interact to reach the top level event.
Where $C$ represents the set of components in a failure mode causation chain,
$c$ represents a component and
the function $fn$ returns the number of failure modes for a given component, equation
\ref{eqn:complexity}, returns a value representing the complexity
from the base component failure to the SYSTEM level event.
\begin{equation}
R_D = \sum_{i=1}^{|C|} {fn(c)} %\; where \; c \in C
\label{eqn:complexity}
\end{equation}
% could have a chapter on this.
% take a circuit or system and follow all the interactions
% to the components that cause the system level event.
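Review bot: the index in the new equation \ref{eqn:complexity} does not match its summand: the sum runs over $i$ from $1$ to $|C|$ but adds $fn(c)$, so $i$ is unused and $c$ is unbound. Suggest `R_D = \sum_{c \in C} fn(c)` (or `\sum_{i=1}^{|C|} fn(c_i)` with $c_i$ defined as the $i$-th component of the chain), which is what the commented-out `where c \in C` was reaching for. The prose should then agree with it: "summing the number of components involved, multiplied by the number of failure modes in each component" describes a product, whereas the equation is a plain sum of $fn(c)$ over the chain, that is the total number of failure modes across the components that must interact to reach the top level event. Minor: `fn` in math mode typesets as $f$ times $n$; `\mathit{fn}` or a single-letter function name would be cleaner.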
@ -202,21 +213,24 @@ SYSTEM level failure mode.
It could be possible to identify one top level event asssociated with
a {\bcfm} and not investigate other possibilities.
\section{Requirements for a new static faiilure mode Analysis methodology}
\section{Requirements for a new static failure mode Analysis methodology}
A new methodology must ensure that it represents all component failure modes and it therefore should be bottom-up,
starting with individual component failure modes.
In order to control the state explosion problem, the process must be modular
and deal with small groups of components.
and deal with small groups of components. The design process follows this
rationale, sub-systems are build to perform often basic functions from base components.
We can term these small groups {\fgs}.
Components should be broken
down into small functional groups to enable the examination of the effect of a
Components should be collected
into small functional groups to enable the examination of the effect of a
component failure mode on the other components in the group.
The functional group can now be considered as `derived component' with a known set
Once we have the failure modes, or symptoms of failure of a {\fg}
it can now be considered as `derived component' with a known set
of failure symptoms. We can use this `derived component' to build higher level
functional groups.
This helps with the reasoning distance problem,
because we can trace failure modes back through complex interactions and have a structure to
base our reasoning on, at each stage.
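Review bot: in the added line "sub-systems are build to perform often basic functions from base components", "build" should be "built", and the sentence is a comma splice; suggest `rationale: sub-systems are built from base components to perform, often basic, functions.` Further down, the new line "it can now be considered as `derived component'" needs an article ("as a `derived component'"). The unchanged context line "asssociated" carries a typo, and the corrected section title still mixes case ("failure mode Analysis methodology"); since that heading line is being touched, `\section{Requirements for a new static failure mode analysis methodology}` would be consistent with the rest of the document.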