diff --git a/fmmd_concept/System_safety_2011/submission.tex b/fmmd_concept/System_safety_2011/submission.tex index 615005a..add52b9 100644 --- a/fmmd_concept/System_safety_2011/submission.tex +++ b/fmmd_concept/System_safety_2011/submission.tex @@ -65,8 +65,8 @@ failure mode of the component or sub-system}}} \abstract{ The certification process of safety critical products for European and other international standards often involve environmental stress, -endurance and EMC testing. Theoretical, or 'static testing', -is often also required to highlight modifications that must be made to +endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', +is often also required. In general this will reveal modifications that must be made to improve the product safety, or identify theoretical weaknesses in the design. This paper proposes a new theoretical methodology for creating failure mode models of safety critical systems. It has a common notation for mechanical, electronic and software domains and is modular and hierarchical. @@ -158,7 +158,7 @@ via self checking statistical mitigation. \paragraph{Top Down approach} The top down technique FTA, introduces the possibility of missing base component level failure modes~\cite{faa}[Ch.9]. Also one FTA treee is drawn for each top level -event, leading to repreated work, with limitied ability for cross checking. +event, leading to repreated work, with limitied ability for cross checking/model validation. \paragraph{State Explosion problem} The bottom -up techniques all suffer from a problem of state explosion. 
@@ -187,11 +187,22 @@ To look in detail at a half of a million test cases is obviously impractical. % current methodologies are used to establish criteria for an improved methodology. \paragraph{Reasoning distance - complexity and reachability} -Tracing a component level failure up to a top level event, without rigour involving state explosion, involves -working heuistically. A base component failure will typically -be concepually removed by several stages from a top level event. -The reasoning distance can be determined by the number of components +Tracing a component level failure up to a top level event, without the rigour accompanying state explosion, involves +working heuristically. A base component failure will typically +be conceptually removed by several stages from a top level event. +The `reasoning~distance' $R_D$ can be calculated by summing the number of components +involved, multiplied by the number of failure modes in each component, that must interact to reach the top level event. +Where $C$ represents the set of components in a failure mode causation chain, +$c$ represents a component and +the function $fn$ returns the number of failure modes for a given component, equation +\ref{eqn:complexity}, returns a value representing the complexity +from the base component failure to the SYSTEM level event. +\begin{equation} +R_D = \sum_{i=1}^{|C|} {fn(c)} %\; where \; c \in C +\label{eqn:complexity} +\end{equation} + % could have a chapter on this. % take a circuit or system and follow all the interactions % to the components that cause the system level event. 
@@ -202,21 +213,24 @@ SYSTEM level failure mode. It could be possible to identify one top level event asssociated with a {\bcfm} and not investigate other possibilities. -\section{Requirements for a new static faiilure mode Analysis methodology} +\section{Requirements for a new static failure mode Analysis methodology} A new methodology must ensure that it represents all component failure modes and it therefore should be bottom-up, starting with individual component failure modes. In order to control the state explosion problem, the process must be modular -and deal with small groups of components. +and deal with small groups of components. The design process follows this +rationale, sub-systems are build to perform often basic functions from base components. +We can term these small groups {\fgs}. - -Components should be broken -down into small functional groups to enable the examination of the effect of a +Components should be collected +into small functional groups to enable the examination of the effect of a component failure mode on the other components in the group. -The functional group can now be considered as `derived component' with a known set +Once we have the failure modes, or symptoms of failure of a {\fg} +it can now be considered as `derived component' with a known set of failure symptoms. We can use this `derived component' to build higher level functional groups. + This helps with the reasoning distance problem, because we can trace failure modes back through complex interactions and have a structure to base our reasoning on, at each stage.
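Review bot: In the abstract hunk (@@ -65,8 +65,8 @@), the expansion "Electro Magnetic Compatibility (EMC)" should be "Electromagnetic Compatibility (EMC)", the conventional single-word form; while touching these lines, also fix the subject-verb agreement in the unchanged context ("The certification process ... often involve" should be "often involves") and replace the straight quotes in 'static testing' with LaTeX quotes, `static testing', so the apostrophes typeset correctly. The new sentence "In general this will reveal modifications that must be made" has an ambiguous "this"; suggest "Static testing in general reveals modifications that must be made ...".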
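Review bot: The modified line in the FTA hunk (@@ -158,7 +158,7 @@) keeps three typos that this edit had the chance to fix: "treee" should be "tree", "repreated" should be "repeated" and "limitied" should be "limited"; the line would read "event, leading to repeated work, with limited ability for cross checking/model validation." The unchanged context "bottom -up" should also be "bottom-up".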
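Review bot: The new equation in the reasoning-distance hunk (@@ -187,11 +187,22 @@) is inconsistent with its own prose: the summation index $i$ runs from 1 to $|C|$ but the summand $fn(c)$ never uses $i$, leaving $c$ unbound (the commented-out "where c in C" shows the intent). Either write $R_D = \sum_{c \in C} \mathrm{fn}(c)$ or index the components as $c_i$ and sum $\mathrm{fn}(c_i)$; $fn$ should be set as \mathrm{fn} or \operatorname{fn} so it is not typeset as the product $f \cdot n$. The accompanying text also says the distance is "the number of components involved, multiplied by the number of failure modes in each component", which describes a product, whereas the equation is a plain sum of failure-mode counts over the chain; align the sentence with the equation (e.g. "summing, over the components in the causation chain, the number of failure modes of each component").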
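Review bot: In the requirements hunk (@@ -202,21 +213,24 @@), the added sentence "sub-systems are build to perform often basic functions from base components" should read "sub-systems are built, often to perform basic functions, from base components", and the preceding comma splice ("The design process follows this rationale, sub-systems ...") needs a colon or full stop. The new macros {\fgs} and {\fg} are not defined in this diff; confirm they exist in the preamble, otherwise the build breaks. In "Once we have the failure modes, or symptoms of failure of a {\fg} it can now be considered as `derived component'", add a comma before "it", drop the redundant "now", and insert the article: "it can be considered a `derived component'". The unchanged context line "asssociated" should be "associated".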