after proof read by JMC

This commit is contained in:
Robin Clark 2010-10-25 19:35:59 +01:00
parent 9e0a4a0e48
commit 70ed6fdfe9


@ -7,8 +7,9 @@
\abstract{ \abstract{
This paper proposes a methodology for This paper proposes a methodology for
creating failure mode models of safety critical systems, which creating failure mode models of safety critical systems, which
has a common and integrateable notation have a common notation
for mechanical, electronic and software domains. for mechanical, electronic and software domains and apply an
incremental and rigorous approach.
%% What I have done %% What I have done
%% %%
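Review bot: Subject-verb agreement breaks in the rewritten abstract (the three new lines replacing `has a common and integrateable notation`): the relative clause attaches to `methodology`, which is singular, so it should read `which has a common notation for mechanical, electronic and software domains and applies an incremental and rigorous approach`. If the intended antecedent is `failure mode models`, restructure the sentence so that is unambiguous rather than leaving the plural verbs.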
@ -19,24 +20,25 @@ a wish list for a more ideal methodology.
%% What I have found %% What I have found
%% %%
From the wishlist and considering some constraints determined from From the wish list and considering some constraints determined from
the evaluation of the four established methodologies, a new the evaluation of the four established methodologies, a new
methodology is developed. The has been named Failure Mode Modular De-Composition (FMMD). methodology is developed. The has been named Failure Mode Modular De-Composition (FMMD).
%% Sell it %% Sell it
%% %%
In addition, FMMD to addressing the traditional weaknesses of In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Faliue Mode Effects Criticallity Analysis (FMECA) Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Faliue Mode Effects Criticallity Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}. as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and The proposed methodology is bottom-up and
modular, meaning that the results of analysed components amy be re-used in other projects.} modular, meaning that the results of analysed components may be re-used in other projects.}
} }
{ {
This chapter proposes a methodology for This chapter proposes a methodology for
creating failure mode models of safety critical systems, which creating failure mode models of safety critical systems, which
has a common and integrateable notation have a common notation
for mechanical, electronic and software domains. for mechanical, electronic and software domains and apply an
incremental and rigorous approach.
%% What I have done %% What I have done
%% %%
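Review bot: Two typos survive the proofread on both sides of this hunk: `The has been named Failure Mode Modular De-Composition (FMMD).` should be `This has been named ...` (or `The methodology has been named ...`), and `Faliue Mode Effects Criticallity Analysis (FMECA)` should be `Failure Mode Effects Criticality Analysis (FMECA)`. The chapter variant of the abstract that begins at the end of the hunk repeats the `methodology ... which have a common notation ... and apply` agreement problem from the first hunk and needs the same singular verbs.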
@ -47,29 +49,30 @@ a wish list for a more ideal methodology.
%% What I have found %% What I have found
%% %%
From the wishlist and considering some constraints determined from From the wish list and considering some constraints determined from
the evaluation of the four established methodologies, a new the evaluation of the four established methodologies, a new
methodology is developed. The has been named Failure Mode Modular De-Composition (FMMD). methodology is developed. The has been named Failure Mode Modular De-Composition (FMMD).
%% Sell it %% Sell it
%% %%
In addition, FMMD to addressing the traditional weaknesses of In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Faliue Mode Effects Criticallity Analysis (FMECA) Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Faliue Mode Effects Criticallity Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}. as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and The proposed methodology is bottom-up and
modular, meaning that the results of analysed components amy be re-used in other projects. modular, meaning that the results of analysed components may be re-used in other projects.
} }
\section{Current Static Failure mode Methodologies} \section{Current Static Failure Mode Methodologies}
There are four methodologies in common use for failure mode modelling. There are four methodologies in common use for failure mode modelling.
These are FTA, FMEA, FMECA These are FTA, FMEA, FMECA
and FMEDA (a form of statistical analysis). and FMEDA (a form of statistical analysis).
These methodologies date from the 1940's onwards and have several draw backs. These methodologies date from the 1940's onwards and have several draw backs and
advantages that are discussed in the next section.
%In short %In short
%FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods %FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods
%lack precision in predicting failure modes at the SYSTEM level. %lack precision in predicting failure modes at the SYSTEM level.
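Review bot: The `The has been named` and `Faliue Mode Effects Criticallity Analysis` typos recur in this copy of the text and need the same correction as in the abstract. In the new sentence `These methodologies date from the 1940's onwards and have several draw backs and advantages that are discussed in the next section.`, `1940's` should be `1940s` (plural, not possessive) and `draw backs` should be `drawbacks`; the added `and advantages` also promises a discussion of advantages, so check that the following section covers them and not only the weakness lists.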
@ -84,10 +87,10 @@ of analysis.
The FMMD The FMMD
methodology presented here provides a more detailed and analytical methodology presented here provides a more detailed and analytical
modelling system which will create a more complete and detail hierarchical failure mode model from which modelling system which will create a more complete and detailed hierarchical failure mode model from which
the data models from FTA, FMEA, FMECA and FMEDA (the statistical approach) can be the data models from FTA, FMEA, FMECA and FMEDA (the statistical approach) can be
derived if required. derived if required. An FMMD model is therefore a super set of all these models.
It also applies rigorous checking in the analysis stages It also applies rigorous checking in all the analysis stages
ensuring that all component failure modes must be considered in the model. ensuring that all component failure modes must be considered in the model.
% %
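Review bot: `An FMMD model is therefore a super set of all these models.` should read `superset`, and `therefore` presents as a conclusion something the preceding sentence only claims (`can be derived if required`); either keep the derivation claim on its own or point to where the derivation is demonstrated. Also `modelling system which will create a more complete and detailed hierarchical failure mode model` reads better as `that creates`, and `ensuring that all component failure modes must be considered in the model` should drop `must` (`ensuring that all component failure modes are considered`).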
@ -104,17 +107,17 @@ chapter
presents the design considerations that determined presents the design considerations that determined
the FMMD methodology. the FMMD methodology.
FMMD is an incremental bottom up FMEA process. FMMD is an incremental bottom up FMEA process.
It first beiefly reviews the four traditional It first briefly reviews the four traditional
static failure mode analysis methodologies and static failure mode analysis methodologies and
lists their known weaknesses. A wish list is then drawn up lists their known weaknesses. A wish list is then drawn up
addressing these weaknesses and adding some extra requirements. addressing these weaknesses and adding some extra requirements.
Using this wish list the phiosophy for the new methodology Using this wish list the philosophy for the new methodology
is built up. is built up.
% %
FMMD works by working from the bottom up, taking small groups FMMD works by working from the bottom up, taking small groups
of components, {\fgs}, and then analysing how they can fail. of components, {\fgs}, and then analysing how they can fail.
This analysis is performed using FMEA from a micro rather than a macro perspective. This analysis is performed using FMEA from a micro rather than a macro perspective.
Thus instead of looking at a component failure modes, and determining how Thus instead of looking at component failure modes and determining how
they {\em may} cause a failure at SYSTEM level, we are looking at how they {\em may} cause a failure at SYSTEM level, we are looking at how
they {\em will} affect the {\fg}. they {\em will} affect the {\fg}.
When we know the failure modes of a {\fg} we can treat it as a `black box' When we know the failure modes of a {\fg} we can treat it as a `black box'
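Review bot: `FMMD works by working from the bottom up` is tautological; `FMMD works from the bottom up` says the same thing. Hyphenation is also inconsistent within the hunk: `an incremental bottom up FMEA process` uses the adjectival form unhyphenated while the document elsewhere writes `top~down` and `bottom-up`; settle on `bottom-up` when it modifies a noun.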
@ -146,7 +149,7 @@ The four methodologies in current use are discussed briefly below.
\subsection { FTA } \subsection { FTA }
This, like all top~down methodologies introduces the very serious problem This, like all top~down methodologies introduces the very serious problem
of missing component failure modes \cite{faa}[Ch.9] of missing component failure modes \cite{faa}[Ch.9].
%, or modelling at %, or modelling at
%a too high level of failure mode abstraction. %a too high level of failure mode abstraction.
FTA was invented for use on the minuteman nuclear defence missile FTA was invented for use on the minuteman nuclear defence missile
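Review bot: The citation `\cite{faa}[Ch.9]` has the optional argument on the wrong side, so `[Ch.9]` is typeset as literal text after the citation mark; the standard form is `\cite[Ch.~9]{faa}`. The sentence `This, like all top~down methodologies introduces the very serious problem` also needs a comma after `methodologies` to close the parenthetical, and `minuteman` is a proper name (`Minuteman`).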
@ -165,7 +168,7 @@ system level outcomes.
\subsubsection{ FTA weaknesses } \subsubsection{ FTA weaknesses }
\begin{itemize} \begin{itemize}
\item Possibility to miss component failure modes \item Possibility to miss component failure modes
\item Possibility to miss environemtal affects. \item Possibility to miss environmetal affects.
\item No possibility to model base component level double failure modes. \item No possibility to model base component level double failure modes.
\end{itemize} \end{itemize}
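Review bot: The correction to `\item Possibility to miss environemtal affects.` is incomplete: the new side reads `environmetal`, the word is `environmental`, and the noun wanted is `effects` (`affects` is the verb). The same item in the later weaknesses list gets the spelling right but keeps `affects`, so fix both.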
@ -177,11 +180,11 @@ The investigation will typically point to a particular failure
of a component. of a component.
The methodology is now applied to find the significance of the failure. The methodology is now applied to find the significance of the failure.
Its is based on a simple equation where $S$ ranks the severity (or cost \cite{fmea}) of the identified SYSTEM failure, Its is based on a simple equation where $S$ ranks the severity (or cost \cite{fmea}) of the identified SYSTEM failure,
$O$ its occurrance, and $D$ giving the failures detectability. Mulipliying these $O$ its occurrance, and $D$ giving the failures detectability. Muliplying these
together, together,
gives a risk probability number, i.e. $RPN = S \times O \times D$. gives a risk probability number (RPN), given by $RPN = S \times O \times D$.
This gives in effect This gives in effect
a prioritised todo list, with higher the $RPN$ values being the most urgent. a prioritised `todo list', with higher the $RPN$ values being the most urgent.
\subsubsection{ FMEA weaknesses } \subsubsection{ FMEA weaknesses }
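Review bot: Several errors remain in the RPN paragraph on the new side: `Its is based on a simple equation` should be `It is based`, `occurrance` should be `occurrence`, `Muliplying` should be `Multiplying`, `the failures detectability` needs an apostrophe (`the failure's detectability`), and `with higher the $RPN$ values being the most urgent` should be `with the higher $RPN$ values being the most urgent`. In FMEA usage RPN expands to Risk Priority Number rather than `risk probability number`; the paragraph's own description supports that, since $S$, $O$ and $D$ are ranks and the product yields a prioritised list, not a probability.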
@ -204,11 +207,11 @@ It can do this using probability \footnote{for a given component failure mode th
probability that the component failure mode will cause a given SYSTEM failure}. probability that the component failure mode will cause a given SYSTEM failure}.
% %
This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea}, This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea},
as often the component failure mode can't be proven to cause a SYSTEM level failure, but as often the component failure mode cannot be proven to cause a SYSTEM level failure, but
assigned a probability $\beta$ fator by the design engineer. assigned a probability $\beta$ fator by the design engineer.
%Also, it can miss combinations of failure modes that will cause SYSTEM level errors. %Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
% %
The results, as with FMEA are an $RPN$ number determing the significance of the SYSTEM fault. The results, as with FMEA are an $RPN$ number determining the significance of the SYSTEM fault.
%%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA). %%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA).
%%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or %%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or
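Review bot: `assigned a probability $\beta$ fator by the design engineer` still has `fator` for `factor` on both sides, and the clause after `but` lacks a verb (`but is assigned a probability $\beta$ factor`). `The results, as with FMEA are an $RPN$ number determining the significance of the SYSTEM fault.` needs the closing comma after `FMEA`.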
@ -222,21 +225,33 @@ The results, as with FMEA are an $RPN$ number determing the significance of the
\subsubsection{ FMEA weaknesses } \subsubsection{ FMEA weaknesses }
\begin{itemize} \begin{itemize}
\item Possibility to miss the effects of failure modes at SYSTEM level. \item Possibility to miss the effects of failure modes at SYSTEM level.
\item Possibility to miss environemtal affects. \item Possibility to miss environmental affects.
\item No possibility to model base component level double failure modes. \item No possibility to model base component level double failure modes.
\end{itemize} \end{itemize}
\subsection { FMEDA or Statistical Analyis } \subsection { FMEDA or Statistical Analyis }
Failure Modes, Effects, and Diagnostic Analysis (FMEDA).
This is a process that takes all the components in a system, This is a process that takes all the components in a system,
and from the failure modes of those components and from the failure modes of those components, the investigating engineer
tnote{for a given component failure mode there will be a $\beta$ value, the must tie them to possible SYSTEM level events/failure modes.
probability that the component failure mode will cause a given SYSTEM failure}.
calculates a risk factor for each. % Often a given component failure mode there will be a $\beta$ value, the
The risk factors of all the component failure modes are summed and % probability that the component failure mode will cause a given SYSTEM failure.
\paragraph{Risk Mitigation}
The component may be mitigated by a vatriety of factors
\begin{itemize}
\item Automatic checking
\item Down rating
\item Coverage of self checking
\end{itemize}
Ultimately this tequnique calculates a risk factor for each component.
The risk factors of all the components are summed and
give a value for the `safety level' for the equipment in a given environment. give a value for the `safety level' for the equipment in a given environment.
%%-he FMEDA technique considers %%-he FMEDA technique considers
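Review bot: The heading `\subsubsection{ FMEA weaknesses }` at the top of this hunk sits inside the FMECA section and duplicates the FMEA weaknesses heading earlier in the patch; it should be `FMECA weaknesses`. In the FMEDA text: `Statistical Analyis` in the `\subsection` title should be `Analysis` (both sides); the new line `Failure Modes, Effects, and Diagnostic Analysis (FMEDA).` is a sentence fragment and should be folded into the sentence that follows it; `The component may be mitigated by a vatriety of factors` should say what is mitigated (the risk from a component failure mode, not the component), spell `variety`, and end with a colon before the list; and `this tequnique calculates` should be `technique`. Commenting out the old-side `tnote{...}` fragment is the right call, since it was a broken `\footnote`.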
@ -257,7 +272,7 @@ model can be implemented on a spreadsheet, where each component
has a calculated risk, a fault detection time (if any), an estimated risk importance has a calculated risk, a fault detection time (if any), an estimated risk importance
and other factors such as de-rating and environmental stress. and other factors such as de-rating and environmental stress.
This can be calculated, with one component failure mode per row, on a spreadsheet This can be calculated, with one component failure mode per row, on a spreadsheet
and these are all summed to give the final assement figure. and these are all summed to give the final assessment figure.
\paragraph{Two statistical perspectives} \paragraph{Two statistical perspectives}
The Statistical Analysis method is used from two perspectives, The Statistical Analysis method is used from two perspectives,
@ -270,16 +285,24 @@ we would be interested in its 24/7 operation FIT values.
This suffers from the same problems of This suffers from the same problems of
lack of determinability prediction accuracy, as FMEA above. lack of determinability prediction accuracy, as FMEA above.
We have to decide how particular components failing will impact ot the SYSTEM or top level. %
This involves a `leap of faith'. For instance a resistor failing in a sensor cirrcuit We have to decide how particular components failing will impact on the SYSTEM or top level.
may be part of a critical montioring function. This involves a `leap of faith'. For instance, a resistor failing in a sensor circuit
may be part of a critical monitioring function.
The analyst is now put in a position The analyst is now put in a position
where he must assign a critical failure possibility to it. There is no analysis where he must assign a critical failure possibility to it.
of how that resistor would/could affect that circuit, but because of the circuitry %
it is part of critical section it is linked to a critical system level fault. There is no analysis
of how that resistor would/could affect that circuit, but because the circuitry
it is part of critical section it will be linked to a critical system level fault.
%
A $\beta$ factor, the hueristically defined probability A $\beta$ factor, the hueristically defined probability
of the failure causign the system fault may of the failure causign the system fault may be applied.
There is no cause and effect analysis for the failure modes. Unintended side %
But because there is no detailed analysis of the failure mode behaviour
of the component, traceable to the SYSTEM level, it becomnes more
guess work than science.
With FMEDA, there is no rigorous cause and effect analysis for the failure modes. Unintended side
effects that lead to failure can be missed. effects that lead to failure can be missed.
By this we may have the MTTF of some critical component failure By this we may have the MTTF of some critical component failure
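Review bot: Spelling is still wrong on the new side of this hunk: `monitioring` (monitoring), `hueristically` (heuristically), `causign` (causing) and `becomnes` (becomes). The rebuilt sentence `but because the circuitry / it is part of critical section it will be linked to a critical system level fault` is missing a verb and an article; read `but because the circuitry it is part of is a critical section, it will be linked ...`. `MTTF` appears here for the first time without expansion (mean time to failure).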
@ -290,7 +313,7 @@ This leads to having components within a SYSTEM partitioned into different
safety level zones \cite{en61508}. This is a vague way of determining safety level zones \cite{en61508}. This is a vague way of determining
safety. safety.
The Statistical Analyis methodology is the core philosophy The Statistical Analysis methodology is the core philosophy
of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}. of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
@ -312,8 +335,8 @@ of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
\item It should have a formal basis, that is to say, it should be able to produce mathematical proofs \item It should have a formal basis, that is to say, it should be able to produce mathematical proofs
for its results. for its results.
\item It should be capable of producing reliability and danger evaluation statistics. \item It should be capable of producing reliability and danger evaluation statistics.
\item It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one). \item It should be easy to use, Ideally using a graphical syntax (as oppossed to a formal mathematical one).
\item From the top down the failure mode model should follow a logical de-composition of the functionality \item From the top down, the failure mode model should follow a logical de-composition of the functionality
to smaller and smaller functional modules \cite{maikowski}. to smaller and smaller functional modules \cite{maikowski}.
\item Multiple failure modes may be modelled from the base component level up. \item Multiple failure modes may be modelled from the base component level up.
\end{itemize} \end{itemize}
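Review bot: In `\item It should be easy to use, Ideally using a graphical syntax (as oppossed to a formal mathematical one).`, `Ideally` should be lower case mid-sentence and `oppossed` should be `opposed`. The same wish-list item is repeated verbatim as a `\subsubsection` title later in the patch, where the new side lower-cases `ideally` but keeps `oppossed`; fix both so the list item and the title stay identical.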
@ -327,9 +350,11 @@ the methodology will have to work from the bottom-up
and start with the component failure modes. and start with the component failure modes.
% %
\paragraph{Natural Fault Finding is top down} \paragraph{Natural Fault Finding is top down}
The traditional fault finding, or natual fault finding The traditional fault finding, or natural fault finding
is to work form the top down. On encountering a is to work from the top down.
fault the symptom is first klnow at the top or %
On encountering a
fault, the symptom is first know at the top or
SYSTEM level. By de-composing the functionality of the faulty system and testing SYSTEM level. By de-composing the functionality of the faulty system and testing
we can further de-compose the system until we find the we can further de-compose the system until we find the
faulty base level component. faulty base level component.
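Review bot: `fault, the symptom is first know at the top or SYSTEM level` should be `first known`; the proofread fixed `klnow` only halfway. The rest of the hunk (`natural`, `from the top down`, the `%` break before `On encountering a`) is fine.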
@ -342,7 +367,7 @@ further into the way the system works and is built.
What is required here is to mimic this top-down de-composition What is required here is to mimic this top-down de-composition
with a bottom up technique. with a bottom up technique.
By taking components that form {\fg}s form the nottom up By taking components that form {\fg}s from the bottom up
and then taking those to form higher level and then taking those to form higher level
{\fg}s we can mimic the analysis process from the bottom up. {\fg}s we can mimic the analysis process from the bottom up.
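Review bot: `with a bottom up technique` sits two lines after `this top-down de-composition`; hyphenate the adjectival use (`bottom-up technique`) for consistency with `top-down` in the same paragraph. The `from the bottom up` fix on the `{\fg}s` line is correct as it stands, since there the phrase is adverbial.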
@ -350,8 +375,9 @@ and then taking those to form higher level
A hierarchy of functional grouping, leading to a system model A hierarchy of functional grouping, leading to a system model
still leaves us with the problem of the number of component failure modes. still leaves us with the problem of the number of component failure modes.
The base components will typically have several failure modes each. The base components will typically have several failure modes each.
Given a typical ebedded system may have hundreds of components %
this menas that we have to tie base component failure modes Given a typical embedded system may have hundreds of components
This means that we have to tie base component failure modes
to SYSTEM level errors. This is the `possibility to miss failure mode effects to SYSTEM level errors. This is the `possibility to miss failure mode effects
at SYSTEM level' critism of the FTA, FMEDA and FMECA methodologies. at SYSTEM level' critism of the FTA, FMEDA and FMECA methodologies.
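Review bot: The new split `Given a typical embedded system may have hundreds of components` / `This means that we have to tie base component failure modes` leaves the first line without a main clause or terminating punctuation; join them with a comma (`... hundreds of components, this means that ...`) or make the first line a complete sentence. `critism` should be `criticism`. The attribution `the FTA, FMEDA and FMECA methodologies` does not match the weakness lists earlier in the patch: `Possibility to miss the effects of failure modes at SYSTEM level` appears under a `FMEA weaknesses` heading, while the FTA list names missing component failure modes instead, so check which methodologies this criticism is meant to cover.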
@ -360,29 +386,37 @@ at SYSTEM level' critism of the FTA, FMEDA and FMECA methodologies.
The next problem is how to we build a failure mode model The next problem is how to we build a failure mode model
that converges to a finite set of SYSTEM level failure modes. that converges to a finite set of SYSTEM level failure modes.
% %
What would be better would be to analyse the failure mode behaviour in each It would be better would be to analyse the failure mode behaviour in each
functional group, and determine the ways in which it, rather than its functional group, and determine the ways in which it, rather than its
components can fail. components, can fail.
\paragraph{Component failures and {\fg} failure symptoms} \paragraph{Component failures and {\fg} failure symptoms}
In other words we want to find out what the symptoms of the failures in the {\fg}s In other words we want to find out what the symptoms of the failures in the {\fg}s
are. are.
The number of symptoms of failure should be equal to or The number of symptoms of failure should be equal to or
less than the number of compoinent failure modes, simply because less than the number of component failure modes, simply because
often there are several potential causes of failure symptoms. often there are several potential causes of failure symptoms.
When we have this we can treat the {\fg} as a component in its own right, %
with a simplified and reduced set of failure symptoms. When we have the the symptoms, we can start thinking of the {\fg} as a component in its own right.
We create a new {\dc}, where its failure modes %with a simplified and reduced set of failure symptoms.
%
We can now create a new {\dc}, where its failure modes
are the failure symptoms of the {\fg}. are the failure symptoms of the {\fg}.
In this way as we build the hierarchy, we naturally abstract the In this way as we build the hierarchy, we naturally abstract the
failure mode behaviour, but can check that all failure modes in failure mode behaviour, but can check that all failure modes in
the hierarchy have been considered and tied to causing symptoms. the hierarchy have been considered and tied to causing symptoms.
\paragraph{incremental stages and {\dcs}}
\paragraph{Incremental Stages and {\dcs}}.
We can use incremental stages to build the hierarchy. We can use incremental stages to build the hierarchy.
we can take small {\fg}s of components, where the {\fg} We can take small {\fg}s of components, where the {\fg}
is a small set of components that perform a simple is a small set of components that perform a simple
task. task.
%
This should be small enough to be able to consider all the failure This should be small enough to be able to consider all the failure
modes of its components. modes of its components.
%
We can consider these failure modes from the perspective We can consider these failure modes from the perspective
of the {\fg}. In other words, for each component failure mode in the {\fg}, of the {\fg}. In other words, for each component failure mode in the {\fg},
we create a `test case' and decide how each failure affects the functional group. we create a `test case' and decide how each failure affects the functional group.
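Review bot: The edit to `It would be better would be to analyse the failure mode behaviour in each` introduces a doubled `would be`; use `It would be better to analyse ...`. Elsewhere in the hunk, `how to we build a failure mode model` (both sides) should be `how do we build`, `When we have the the symptoms` has a doubled `the`, and `\paragraph{Incremental Stages and {\dcs}}.` has a stray full stop after the closing brace that will be typeset as a lone period at the start of the paragraph body. That title also uses title case while `\paragraph{Component failures and {\fg} failure symptoms}` in the same hunk uses sentence case; pick one.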
@ -390,16 +424,22 @@ we create a `test case' and decide how each failure affects the functional group
With the results from the test cases we will now have the ways in which the With the results from the test cases we will now have the ways in which the
{\fg} can fail. {\fg} can fail.
% %
We can now treat the {\fg} as a component, or rather a {\dc}. %
We can refine this further, by grouping the common symptoms, or results that We can refine this further, by grouping the common symptoms, or results that
are the same failure w.r.t. the {\fg}. are the same failure w.r.t. the {\fg}.
% %
We can now create a {\dc} and assign these common symptoms We can now treat the {\fg} as a component, and call it a {\dc}, in other words, a sub-system with a known set of failure modes.
%
We can now create a new{\dc} and assign it these common symptoms
as its failure modes. as its failure modes.
% %
This {\dc} can be used to build higher level This {\dc} can be used to build higher level
{\fg}s, and naturally a hierarchy is being formed, which is {\fg}s, and this will naturally form a hierarchy.
a failure mode behaviour model. This hierarchy can be extended until it encompasses
an entire system. It can be considered complete when
all failure modes from all components are handled
and connectable to a SYSTEM level failure mode.
\paragraph{Directed Acyclic Graph}. This will naturally form a DAG \paragraph{Directed Acyclic Graph}. This will naturally form a DAG
meaning that for all SYSTEM failure modes, we will be able to trace meaning that for all SYSTEM failure modes, we will be able to trace
back through the DAG to possible component failure mode causes. back through the DAG to possible component failure mode causes.
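Review bot: `We can now create a new{\dc} and assign it these common symptoms` is missing the space before `{\dc}`, so the macro expansion runs into `new`. The reordered paragraph now states twice that the functional group becomes a derived component (`treat the {\fg} as a component, and call it a {\dc}, in other words, a sub-system with a known set of failure modes.` followed two lines later by `create a new {\dc} and assign it these common symptoms as its failure modes`); keep one and merge the symptom assignment into it. `\paragraph{Directed Acyclic Graph}. This will naturally form a DAG` carries the same stray full stop after the `\paragraph` argument as the previous hunk.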
@ -420,18 +460,24 @@ there are generally only a handful of SYSTEM level failure modes.
FMMD builds {\fg}s of components from the bottom-up. FMMD builds {\fg}s of components from the bottom-up.
Thus the {\fg}s are minimal collections of components Thus the {\fg}s are minimal collections of components
that work together to perform a simple function. that work together to perform a simple function.
%
We can perform a failure mode effects analysis on each of the component failure We can perform a failure mode effects analysis on each of the component failure
modes within the {\fg}. We can thus ensure that all component failure modes modes within the {\fg}. We can thus ensure that all component failure modes
are covered. We can then treat the {\fg} as a `black box' or component in its own right. are covered.
We can now look at how the {\fg} can fail. Many of the component failure modes will %
We can then treat the {\fg} as a `black box' or component in its own right.
We can now look at how the {\fg} can fail.
%
Many of the component failure modes will
cause the same failure symptoms in the {fg} failure behaviour. cause the same failure symptoms in the {fg} failure behaviour.
We can collect these failures as common symptoms. We can collect these failures as common symptoms.
When we have out set of symptoms, we can now create %
When we have our set of symptoms, we can now create
a {\dc}. The {\dc} will have as its set of failures a {\dc}. The {\dc} will have as its set of failures
modes, the collected symptoms of the {\fg}. modes, the collected symptoms of the {\fg}.
%
Because we can now have a {\dcs} we can use these to form Because we can now have {\dcs} we can use these to form
new {\fg}s and we can build a hierarchical model of the system failure modes. new {\fg}s and we can build a hierarchical `failure~mode' model of the SYSTEM.
%%- Need diagram of hierarchy %%- Need diagram of hierarchy
%%- %%-
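Review bot: `cause the same failure symptoms in the {fg} failure behaviour.` is missing the backslash in `{fg}` on both sides; LaTeX will typeset the literal letters `fg` instead of expanding the `\fg` macro. The rest of the hunk is sound: the split into shorter sentences separated by `%` lines reads well, `our set of symptoms` fixes the typo, and `hierarchical `failure~mode' model of the SYSTEM` matches the SYSTEM capitalisation used elsewhere.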
@ -451,56 +497,65 @@ This ensures that all component failure modes are handled.
\subsubsection{ It should be easy to integrate mechanical, electronic and software models.} \subsubsection{ It should be easy to integrate mechanical, electronic and software models.}
Each functional components failure modes are considered. Because of this Because component failure modes are considered, we have a generic enitity to model.
the failure modes of a mechanical, electrical or software system can be modelled We can describe a mecanical, electrical or software component in terms of its failure modes.
%
Because of this
we can model and analyse integrated electro mechanical systems, controlled by computers,
using a common notation. using a common notation.
\subsubsection{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.} \subsubsection{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
The hierarchical nature, taking {\fg}s and deriving components from them, means that The hierarchical nature, taking {\fg}s and deriving components from them, means that
commonly used {\dcs} can be re-used in a design (for instance self checking digital inputs) commonly used {\dcs} can be re-used in a design (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used. or even in other projects where the same {\dc} is used.
\subsubsection{ It should have a formal basis, that is to say, it should be able to produce mathematical proofs \subsubsection{ It should have a formal basis, that is to say, it should be able to produce mathematical proofs
for its results} for its results}
Because the failure mode mode of a SYSTEM is a hierarchy of {\fg}s and derived components Because the failure mode of a SYSTEM is a hierarchy of {\fg}s and derived components
SYSTEM level failure modes are traceable back down the tree to SYSTEM level failure modes are traceable back down the tree to
component level failure modes. This proivides causation trees \cite{sccs} or, minimal cut sets component level failure modes. This provides causation trees \cite{sccs} or, minimal cut sets
\footnote{Here minimal cut sets represent combinations of component failure modes that can result in s SYSTEM level failure.} \footnote{Here minimal cut sets represent combinations of component failure modes that can result in s SYSTEM level failure.}
for all SYSTEM failure modes. for all SYSTEM failure modes.
\subsubsection{ It should be capable of producing reliability and danger evaluation statistics.} \subsubsection{ It should be capable of producing reliability and danger evaluation statistics.}
The Minimal cuts sets for the SYSTEM level failures, can have computed MTTF The Minimal cuts sets for the SYSTEM level failures can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}. and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.
\subsubsection{ It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one).} \subsubsection{ It should be easy to use, ideally using a graphical syntax (as oppossed to a formal mathematical one).}
A modified form of constraint diagram (an extension of Euler diagrams) has been developed to support the FMMD methodology. A modified form of constraint diagram (an extension of Euler diagrams) has been developed to support the FMMD methodology.
This uses Euler circles to represent failure modes, and spiders to collect symptoms, to This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
advance a {\fg} to a {\dc}. advance a {\fg} to a {\dc}.
\subsubsection{ From the top down the failure mode model should follow a logical de-composition of the functionality \subsubsection{ From the top down the failure mode model should follow a logical de-composition of the functionality
to smaller and smaller functional modules \cite{maikowski}.} to smaller and smaller functional modules \cite{maikowski}.}
The bottom-up approach fulfills the logical de-composition requirement, because the {\fg}s The bottom-up approach fulfils the logical de-composition requirement, because the {\fg}s
are built from components performing a given task. are built from components performing a given task.
\subsubsection{ Multiple failure modes may be modelled from the base component level up} \subsubsection{ Multiple failure modes may be modelled from the base component level up}
By breaking the problem of failure mode analysis into small stages By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are greatly by an exponential order. all failure modes within a system are reduced by an exponential order.
\subsection{Advantages of FMMD Methodology} \subsection{Advantages of FMMD Methodology}
\begin{itemize} \begin{itemize}
\item It can be checked, automatically that, all component failure modes have been considered in the model. \item It can be checked automatically that all component failure modes have been considered in the model.
\item Because we are modelling with failure modes the {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components. \item Because we are modelling with failure modes the {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components.
\item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects. \item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects.
\item It will have a formal basis, that is to say, it is able to produce mathematical proofs \item It will have a formal basis, that is to say, it is able to produce mathematical proofs
for its results (MTTF and the cause trees for SYSTEM level faults). for its results (MTTF and the cause trees for SYSTEM level faults).
\item Overall reliability and danger evaluation statistics can be computed. By knowing all causation trees \item Overall reliability and danger evaluation statistics can be computed.
By knowing all causation trees,
the statistical probabilities (from base component data) for all causes can be simply added. the statistical probabilities (from base component data) for all causes can be simply added.
\item A graphical representation based on Euler diagrams is used. \item A graphical representation based on Euler diagrams is used.
\item From the top down the failure mode model will follow a logical de-composition of the functionality; by \item From the top down the failure mode model will follow a logical de-composition of the functionality; by
chosing {\fg}s and working bottom-up the hierarchy this happens as a natural consequence. chosing {\fg}s and working bottom-up this hierarchical trait will occur as a natural consequence.
\item Undetectable or unhandled failure modes will be specifically flagged. \item Undetectable or unhandled failure modes will be specifically flagged.
\item It is possible to model multiple failure modes. \item It is possible to model multiple failure modes.
\end{itemize} \end{itemize}
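Review bot: Spelling errors remain across this hunk: `enitity` (entity), `mecanical` (mechanical), `oppossed` in the `\subsubsection` title (opposed), `chosing` (choosing), `s SYSTEM level failure` in the minimal cut set footnote (a SYSTEM level failure) and `Minimal cuts sets` (minimal cut sets). `\cite {mil1991}` has a stray space before the brace; it compiles but is inconsistent with the other citations. The claim `the problems associated with the cross products of all failure modes within a system are reduced by an exponential order` is vague as written: state what is reduced (the number of failure mode combinations that must be examined) and the basis for the exponential bound, or cite it. The new opening `Because component failure modes are considered, we have a generic enitity to model.` states the integration argument more directly than the old text, but would be stronger as `Because we model components by their failure modes, the entity modelled is generic`, which makes explicit why the notation carries across mechanical, electrical and software domains.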
@ -510,5 +565,5 @@ chosing {\fg}s and working bottom-up the hierarchy this happens as a natural con
This paper provides the backgroud for the need for a new methodology for This paper provides the backgroud for the need for a new methodology for
static analysis that can span the mechanical electrical and software domains static analysis that can span the mechanical electrical and software domains
using a common notation. using a common notation.
\vspace{30pt} \vspace{60pt}
\today \today
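Review bot: `This paper provides the backgroud for the need for a new methodology` still has `backgroud` (background), and `the mechanical electrical and software domains` needs commas (`mechanical, electrical and software domains`). The `\vspace{30pt}` to `\vspace{60pt}` change before `\today` is a layout tweak only and needs no further comment.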