robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of dev:/home/robin/git/thesis

Browse Source
This commit is contained in:
Robin Clark 2012-09-08 13:57:03 +01:00
commit 7b0e42703d
1 changed files with 89 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
submission_thesis/CH4_FMMD/copy.tex
View File

@ -54,100 +54,53 @@
This chapter
starts with %starts with %an overview of current failure modelling techniques, and then
a worked example to introduce % using
the new methodology,
a new methodology,
Failure Mode Modular De-composition (FMMD).
This is followed by a discussion on the design of the FMMD methodology and then a
This is followed by a discussion on the design of FMMD and then a
%an ontological
description using UML class models.
description and re-factoring process using UML class models.
% This chapter defines the FMMD process and related concepts and calculations.
FMMD is in essence modularised FMEA. Rather than taking each component failure mode
FMMD is in essence a modularised variant of traditional FMEA~\cite{sccs}[pp.34-38].
%
Rather than taking each component failure mode
and extrapolating top level or system failure symptoms from it,
small groups of components are collected into {\fgs} and analysed.
%and then {\dcs} are used to represent the {\fgs}.
We analyse the {\fgs} in order to determine its the failure mode behaviour.
We analyse each {\fg} in order to determine its failure mode behaviour.
%of the {\fg}.
With the failure mode behaviour we can obtain a set of failure modes
for the {\fg}. We can then create a new theoretical component to represent the {\fg}.
for the {\fg}.
%
Or in other words we determine how the {\fg}, as an entity can fail.
%
We can then create a new theoretical component to represent the {\fg}.
%
We call this a {\dc}.
This {\dc} may be used as though it were a component, and has a set of failure modes.
We then use {\dcs} to then build further {\fgs} until a hierarchy of {\fgs}
%
This {\dc} has a set of failure modes: we can thus treat it as a `higher~level' component.
%
Because a {\dc} has a set of failure modes we can use it in higher level {\fgs}
which in turn produce higher level {\dcs}.
%
We can then use these {\dcs} to build further {\fgs} until a hierarchy of {\fgs}
and {\dcs} has been built, converging to a final {\dc}
at the top of the hierarchy. The final {\dcs} failure modes
at the top of the hierarchy.
%
The failure modes of the final or top {\dc}
are the failure modes of the system under investigation.
%
Or in other words we take the traditional FMEA~\cite{sccs}[pp.34-38] process, and modularise it from the bottom-up.
Or in other words we take the traditional FMEA process, and modularise it from the bottom-up.
%We break down each stage of reasoning
%into small manageable groups, and use the failure mode behaviour from them to create {\dcs}
%to build higher level groups.
In this way we can incrementally analyse an entire system.
In this way we can incrementally analyse an entire system. %, with documented reasoning stages.
% %This has advantages of concentrating
% %effort in where modules interact,
%A notation is then described to index and classify objects created in FMMD hierarchical models.
% \subsection{Overview of current failure mode modelling techniques}
%
% We briefly analyse four current methodologies.
% Comprehensive overviews of these methodologies may be found
% in ~\cite{safeware,sccs,nasafta,nucfta,bfmea}.
%
% \paragraph{Fault Tree Analysis (FTA).}
% FTA~\cite{nasafta,nucfta} is a top down methodology in which a hierarchical diagram is drawn for
% each undesirable top level failure/event, presenting the conditions that must arise to cause
% the event.
% %
% It is suitable for large complicated systems with few undesirable top
% level failures and focuses on those events considered most important or most catastrophic.
% %
% Effects of duplication/redundancy of safety systems can be readily assessed.
% It uses notations that are readily understood by engineers
% (logic symbols borrowed from digital electronics and a fault hierarchy).
% However, it cannot guarantee to model all base component failures
% or be used to determine system level errors other than those modelled.
% %
% Each FTA diagram models one top level event.
% This creates duplication of modelled elements,
% and it is difficult to cross check between diagrams. It has limited
% support for environmental and operational states.
%
%
% \paragraph{Fault Mode Effects Analysis (FMEA)} is used principally to determine system reliability.
% It is bottom-up and starts with component failure modes, which
% lead to top level failure/events.
% Each top level failure is assessed by its cost to repair (or perceived criticality) and its estimated frequency. %, using a
% %failure mode ratio.
% A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated.
% It is easy to identify single component failure to system failure mappings
% and an estimate of product reliability can be calculated.
% %This can be viewed as a prioritised `to~fix' list.
% %
% It cannot focus on complex
% component interactions that cause system failure modes or determine potential
% problems from simultaneous failures. It does not consider changing environmental
% or operational states in sub-systems or components. It cannot model
% self-checking safety elements or other in-built safety features or
% analyse how particular components may fail.
%
%
% \paragraph{Failure Mode Effects Criticality Analysis (FMECA)} is a refinement of FMEA, using
% extra variables: the probability of a component failure mode occurring,
% the probability that this will cause a given top level failure, and the perceived
% criticality. It gives better estimations of product reliability/safety and the
% occurrence of particular system failure modes than FMEA but has similar deficiencies.
%
%
% \paragraph{Failure Modes, Effects and Diagnostic Analysis (FMEDA)} is a refinement of
% FMEA and FMECA and in addition models self-checking safety elements. It assigns two
% attributes to component failure modes: detectable/undetectable and safe/dangerous.
% Statistical measures about the system can be made and used to classify a
% safety integrity level. It allows designs with in-built safety features to be assessed.
% Otherwise, it has similar deficiencies to FMEA.
% However, it has limited support
% for environmental and operational states in sub-systems or components,
% via self checking statistical mitigation. FMEDA is the methodology associated with
% the safety integrity standard EN61508~\cite{en61508}.
%
% \subsection{Summary of Deficiencies in Current Methods}
%
% \paragraph{Top Down approach: FTA} The top down technique FTA, introduces the possibility of missing base component
@ -470,15 +423,13 @@ In this way we can incrementally analyse an entire system.
\section{Worked Example: Non-Inverting Amplifier}
%% here bring in sys safety papaer from 2011
%% here bring in sys safety paper from 2011
%%
%% GARK BEGIN
To demonstrate the principles of FMMD, we use it to analyse a
commonly used circuit, a non-inverting amplifier built from an op amp~\cite{aoe}[p.234] and two resistors, a circuit schematic for this is shown in figure \ref{fig:noninvamp}.
commonly used circuit, a non-inverting amplifier built from an op amp~\cite{aoe}[p.234] and
two resistors, a circuit schematic for this is shown in figure \ref{fig:noninvamp}.
%
\begin{figure}[h+]
\centering
@ -490,20 +441,24 @@ commonly used circuit, a non-inverting amplifier built from an op amp~\cite{aoe}
\end{figure}
%
The function of the resistors in this circuit is to set the amplifier gain.
They operate as a potential divider, the resistors act as a potential divider --- assuming the op-amp has high impedance ---
and program the inverting input on the op-amp
The resistors act as a potential divider---assuming the op-amp has high impedance---and
program the inverting input on the op-amp
to balance them against the positive input, giving the voltage gain ($G_v$)
defined by $ G_v = 1 + \frac{R2}{R1} $ at the output.
\paragraph{Potential Divider.}
\paragraph{Analysing the failure modes of the Potential Divider.}
\label{subsec:potdiv}
As the resistors work to provide a specific function, that of a potential divider,
As the resistors work to provide a clearly defined function, that of a potential divider,
we can treat them as a collection of components with a specific functionality---which can be termed a `{\fg}'.
This {\fg} has two members, $R1$ and $R2$.
Taken as an entity the potential divider can be viewed as a {\dc}.
%
The potential divider circuit can be considered as a component
that provides the function of splitting two voltages into three,
the third voltage being a ratio defined by the values of the resistors.
%Taken as an entity the potential divider can be viewed as a {\dc}.
That is to say we can treat the potential divider, comprised of two resistors
to act as a component.
to act as a {\dc}.
%
Using the EN298 specification for resistor failure~\cite{en298}[App.A],
we can assign failure modes of $OPEN$ and $SHORT$ to the resistors individually (assignment of failure modes
@ -533,22 +488,24 @@ We represent a resistor and its failure modes as a directed acyclic graph (DAG)
Thus $R1$ has failure modes $\{R1_{OPEN}, R1_{SHORT}\}$ and $R2$ has failure modes $\{R2_{OPEN}, R2_{SHORT}\}$.
%
We look at each of these base component failure modes,
and determine how they affect the operation of the potential divider.
and determine how they affect the operation of the potential~divider.
%Each failure mode scenario we look at will be given a test case number,
%which is represented on the diagram, with an asterisk marking
%which failure modes is modelling (see figure \ref{fig:fg1a}).
%
Each resistor failure mode is a potential {\fc} in the potential~divider.
%%For this example we look at single failure modes only.
For each failure mode in our {\fg} `potential~divider',
we can assign a %{\fc}
For each failure mode in our {\fg} potential~divider
we can assign a {\fc}
number (see table \ref{tbl:pdfmea}).
%
Each {\fc} is analysed to determine the symptom of failure in
the potential dividers' operation. For instance
the potential~dividers' operation. For instance
if resistor $R_1$ were to become open, then the potential~divider would not be grounded and the
voltage output from it would float high (+ve).
This would mean the symptom of the failed potential divider would be voltage high output.
This would mean the symptom of the failed potential~divider would be voltage high output.
%
The failure symptom of a high potential divider output is termed `HighPD', and
The failure symptom of a high potential~divider output is termed `HighPD', and
for it outputting a low voltage `LowPD'. % Andrew asked for this to be defined before the table. ...
%We can now consider the {\fg}
%as a component in its own right, and its symptoms as its failure modes.
@ -625,8 +582,8 @@ This is represented in the DAG in figure \ref{fig:fg1adag}.
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-1.0) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-3.0) {$PD_{LOW}$};
\node[symptom] (PDHIGH) at (\layersep*2,-1.0) {HighPD};
\node[symptom] (PDLOW) at (\layersep*2,-3.0) {LowPD};
\path (R1OPEN) edge (PDHIGH);
\path (R2SHORT) edge (PDHIGH);
@ -642,14 +599,14 @@ This is represented in the DAG in figure \ref{fig:fg1adag}.
We can now create % formulate
a `derived component' to represent this potential divider:
a {\dc} to represent this potential divider:
we name this \textbf{PD}.
This {\dc} will have two failure modes.
We use the symbol $\derivec$ to represent the process of taking the analysed
{\fg} and creating from it a {\dc}.
The creation of the {\dc} \textbf{PD} is represented as a
hierarchy diagram in figure~\ref{fig:dc1}.
We represent the {\dc} \textbf{PD}, as a DAG in figure \ref{fig:dc1dag}.
This {\dc} will have two failure modes, $HighPD$ and $LowPD$.
% HTR 05SEP2012 We use the symbol $\derivec$ to represent the process of taking the analysed
% HTR 05SEP2012 {\fg} and creating from it a {\dc}.
% HTR 05SEP2012 The creation of the {\dc} \textbf{PD} is represented as a
% HTR 05SEP2012 hierarchy diagram in figure~\ref{fig:dc1}.
% HTR 05SEP2012 We represent the {\dc} \textbf{PD}, as a DAG in figure \ref{fig:dc1dag}.
%We could represent it algebraically thus: $ \derivec(PotDiv) =
@ -823,8 +780,8 @@ as {\fcs} in table~\ref{tbl:ampfmea1}.
% \node[component, pin=left:Input \#\y] (I-\name) at (0,-\y) {};
\node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
\node[component] (R1) at (0,-6) {$R_1$};
\node[component] (R2) at (0,-7.6) {$R_2$};
\node[component] (R1) at (0,-7) {$R_1$};
\node[component] (R2) at (0,-8.6) {$R_2$};
%\node[component] (C-3) at (0,-5) {$C^0_3$};
%\node[component] (K-4) at (0,-8) {$K^0_4$};
@ -841,11 +798,11 @@ as {\fcs} in table~\ref{tbl:ampfmea1}.
\node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{SHORT}$};
\node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{OPEN}$};
\node[failure] (R1SHORT) at (\layersep,-5.6) {$R1_{SHORT}$};
\node[failure] (R1OPEN) at (\layersep,-7.4) {$R1_{OPEN}$};
\node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{SHORT}$};
\node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{OPEN}$};
\node[failure] (R2SHORT) at (\layersep,-9.0) {$R2_{SHORT}$};
\node[failure] (R2OPEN) at (\layersep,-11.0) {$R2_{OPEN}$};
@ -869,8 +826,8 @@ as {\fcs} in table~\ref{tbl:ampfmea1}.
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
\node[symptom] (PDHIGH) at (\layersep*2,-7) {HighPD};
\node[symptom] (PDLOW) at (\layersep*2,-8.6) {LowPD};
@ -934,30 +891,30 @@ as {\fcs} in table~\ref{tbl:ampfmea1}.
%in hand (say milli-volt signal amplification).
For this amplifier configuration we have three {\dc} failure modes; {\em AMP\_High, AMP\_Low, LowPass}. % see figure~\ref{fig:fgampb}.
This model now has two stages of analysis hierarchy,
as represented in figure~\ref{fig:dc2}.
% HTR 05SEP2012 This model now has two stages of analysis hierarchy, as represented in figure~\ref{fig:dc2}.
From the analysis in table \ref{tbl:ampfmea1} we can create the {\dc} {\em NONINVAMP}, which
represents the failure mode behaviour of the non-inverting amplifier.
\begin{figure}[h]
\centering
\includegraphics[width=225pt]{./CH4_FMMD/dc2.png}
% dc2.png: 635x778 pixel, 72dpi, 22.40x27.45 cm, bb=0 0 635 778
\caption{Hierarchy representing the two stage FMMD analysis
(i.e. two `$\derivec$' processes taking {\fgs} and creating {\dcs}) for the non-inverting amplifier}
\label{fig:dc2}
\end{figure}
% HTR 05SEP2012 \begin{figure}[h]
% HTR 05SEP2012 % HTR 05SEP2012 \centering
% HTR 05SEP2012 \includegraphics[width=225pt]{./CH4_FMMD/dc2.png}
% HTR 05SEP2012 % dc2.png: 635x778 pixel, 72dpi, 22.40x27.45 cm, bb=0 0 635 778
% HTR 05SEP2012 \caption{Hierarchy representing the two stage FMMD analysis
% HTR 05SEP2012 (i.e. two `$\derivec$' processes taking {\fgs} and creating {\dcs}) for the non-inverting amplifier}
% HTR 05SEP2012 \label{fig:dc2}
% HTR 05SEP2012 \end{figure}
We can also represent the hierarchy as an Euler diagram, where the curves
We can represent the hierarchy as an Euler diagram, where the curves
define the components and {\dcs} used to form the INVAMP model, see figure~\ref{fig:eulerfmmd}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt]{./CH4_FMMD/eulerfmmd.png}
% eulerfmmd.png: 413x207 pixel, 72dpi, 14.57x7.30 cm, bb=0 0 413 207
\caption{FMMD analysis of the INVAMP represented as an Euler diagram, showing the relationships between base and derived components.}
\caption{FMMD analysis of the INVAMP represented as an Euler diagram, showing how
the components have been grouped into {\fgs} and then used as {\dcs} to build the analysis hierarchy.}
\label{fig:eulerfmmd}
\end{figure}
@ -970,7 +927,9 @@ down to the base component failure modes, %leaves of the tree (the leaves being
and thus determine all possible causes for
the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier {\dc} {\em INVAMP}.
Knowing all possible causes for a top level event/failure~mode
is extremely useful. Were the top level event to be classified as catastrophic for instance,
is extremely useful.
%
Were a particular top level event to be classified as catastrophic for instance,
we could use this information
to strengthen components that could cause that particular top level event/failure.
%
@ -1498,10 +1457,10 @@ The UML meta model above (see figure~\ref{fig:cfg}) describes a hierarchical str
This is because, as {\dcs} inherit the properties of
components, {\dcs} may be used to form {\fgs}.
%
Consider the hierarchy from the example in figure~\ref{fig:dc2}.
Consider the hierarchy from the example in figure~\ref{fig:eulerfmmd}. % ~\ref{fig:dc2}.
The lowest level in this hierarchy are the {\bcs}, the resistors and the op-amp.
%
The resistors are collected into a {\fg}, and the ${PD}$ derived component created from its analysis, is shown above the {\fg}.
The resistors are collected into a {\fg}, and the ${PD}$ derived component created from its analysis, is shown enclosing R1 and R2. % above the {\fg}.
%
As this derived component inherits the properties of a component, we may use
it in {\fg} higher in the hierarchy.
@ -1511,9 +1470,14 @@ with the op-amp.
%
This {\fg} is now analysed and a {\dc} created to
represent the failure mode behaviour of the {\em INVAMP}.
An analysis report is generated for each {\fg} to {\dc}
process\footnote{By having an analysis report report for each analysis stage, i.e. {fg} to {\dc},
we increase the tracability in the reasoning applied to to the FMEA process.}.
%
An analysis report is generated as part of the {\fg} to {\dc}
process. %\footnote
{By having an analysis report report for each analysis stage, i.e. {\fg} to {\dc},
we add traceability to the reasoning applied to to the FMEA process.}
%
Traditional FMEA has one large reasoning stage, that of component failure mode
directly to system level failure.
%
We may now use the {\em INVAMP} {\dc} in even higher level {\fgs}.