diff --git a/mybib.bib b/mybib.bib
index 5a7cf32..a1d9e58 100644
--- a/mybib.bib
+++ b/mybib.bib
@@ -1,7 +1,7 @@
-@BOOK{dmfnt,
- AUTHOR = "mixedsignaldsp",
- TITLE = "Mixed Signal and DSP Design Techniques ISBN 0750676116"
+@BOOK{mixedsignaldsp,
+ AUTHOR = "Walt Kestler",
+ TITLE = "Mixed Signal and DSP Design Techniques ISBN 0750676116",
 PUBLISHER = "Newnes/Analog Devices",
 YEAR = "2003"
 }
diff --git a/presentations/System_safety_2012/fmmd_software_pres.tex b/presentations/System_safety_2012/fmmd_software_pres.tex
index 4f3ed15..0fdf06f 100644
--- a/presentations/System_safety_2012/fmmd_software_pres.tex
+++ b/presentations/System_safety_2012/fmmd_software_pres.tex
@@ -117,6 +117,7 @@ For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry.
 \begin{frame}
+% \frametitle{FMEA Example: Milli-volt reader}
 \begin{figure}
 \centering
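Review bot: Renaming the citation key from `dmfnt` to `mixedsignaldsp` silently breaks every `\cite{dmfnt}` in the .tex sources unless those are updated in the same commit, and no such change is visible here; please grep the sources for the old key before merging. The ISBN belongs in its own field rather than inside the title, so the entry should read `TITLE = "Mixed Signal and DSP Design Techniques",` followed by `ISBN = "0750676116",`. The author surname `Kestler` looks like a typo for Kester, which is how this Analog Devices author is normally cited; verify against the book's title page. The added trailing comma after TITLE is correct and was the original syntax error.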
@@ -129,80 +130,14 @@ For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry. \pause \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING \pause \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading \end{itemize} -\end{frame} - - - -\begin{frame} -Note here that we have had to look at the failure~mode -in relation to the entire circuit. \pause -We have used intuition to determine the probable -effect of this failure mode. \pause -We have not examined this failure mode -against every other component in the system. \pause -Perhaps we should.... this would be a more rigorous and complete -approach in looking for system failures. - -\end{frame} - -\subsection{Rigorous FMEA - State Explosion} -\begin{frame} - \frametitle{Rigorous Single Failure FMEA} -Consider the analysis -where we look at all the failure modes in a system, and then -see how they can affect all other components within it. -\end{frame} - - - \begin{frame} -\frametitle{Rigorous Single Failure FMEA} -We need to look at a large number of failure scenarios -to do this completely (all failure modes against all components). -This is represented in the equation below. %~\ref{eqn:fmea_state_exp}, -where $N$ is the total number of components in the system, and -$f$ is the number of failure modes per component. - - -\begin{equation} - \label{eqn:fmea_single} - N.(N-1).f % \\ - %(N^2 - N).f -\end{equation} -\end{frame} - - -\begin{frame} -\frametitle{Rigorous Single Failure FMEA} -This would mean an order of $N^2$ number of checks to perform -to undertake a `rigorous~FMEA'. Even small systems have typically -100 components, and they typically have 3 or more failure modes each. -$100*99*3=29,700$. 
+% \end{frame} -\begin{frame} - \frametitle{Rigorous Double Failure FMEA} -For looking at potential double failure scenarios (two components -failing within a given time frame) and the order becomes -$N^3$. \pause -\begin{equation} - \label{eqn:fmea_double} - N.(N-1).(N-2).f % \\ - %(N^2 - N).f -\end{equation} - \pause -$100*99*98*3=2,910,600$. -\pause -.\\ - -The European Gas burner standard (EN298:2003), demands the checking of -double failure scenarios (for burner lock-out scenarios). - -\end{frame} \begin{frame} \frametitle{Four main Variants of FMEA} 
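Review bot: The added line `% \end{frame}` leaves the milli-volt reader frame opened in the preceding hunk (at old line 117, outside this hunk) without a closing `\end{frame}`, so the following context line `\begin{frame}` for "Four main Variants of FMEA" is opened inside it. Beamer does not support nested frames, so this will most likely fail to compile, or at best run the two slides together. If the intent was only to drop the frames that follow, the line should be restored to `\end{frame}`; if the intent was to drop the milli-volt reader slide too, its `\begin{frame}` in the earlier hunk must be commented out in the same way.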
@@ -216,380 +151,6 @@ double failure scenarios (for burner lock-out scenarios). - -\subsection{PFMEA - Production FMEA : 1940's to present} - -\begin{frame} - \frametitle{PFMEA} -Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of -cost, problems to be addressed in product production.\pause - -It focuses on known problems, determines the -frequency they occur and their cost to fix.\pause -This is multiplied together and called an RPN -number.\pause -Fixing problems with the highest RPN number -will return most cost benefit.\pause - -\end{frame} - - -\begin{frame} -% benign example of PFMEA in CARS - make something up. -\frametitle{PFMEA Example} - -{ -\begin{table}[ht] -\caption{FMEA Calculations} % title of Table -%\centering % used for centering table -\begin{tabular}{|| l | l | c | c | l ||} \hline - \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline - relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline - relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline -% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ -% ruptured f.tank & & & & \\ \hline - - -\hline -\end{tabular} -\end{table} -} - -%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle. -%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million. -%COSTS -%Sales: 11 million cars, 1.5 million light trucks. -%Unit Cost: $11 per car, $11 per truck. -%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million. 
- - - - -\end{frame} - - - -%\subsection{Production FMEA : Example Ford Pinto : 1975} -\begin{frame} - \frametitle{PFMEA Example: Ford Pinto: 1975} - -\begin{figure}[h] - \centering - \includegraphics[width=200pt]{./ad_ford_pinto_mpg_red_3_1975.jpg} - % ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700 - \caption{Ford Pinto Advert} - \label{fig:fordpintoad} -\end{figure} - -\end{frame} - - - \begin{frame} - \frametitle{PFMEA Example: Ford Pinto: 1975} - -\begin{figure}[h] - \centering - \includegraphics[width=200pt]{./burntoutpinto.png} - % burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250 - \caption{Burnt Out Pinto} - \label{fig:burntoutpinto} -\end{figure} - - -\end{frame} - - -\begin{frame} - \frametitle{PFMEA Example: Ford Pinto: 1975} - { -\begin{table}[ht] -\caption{FMEA Calculations} % title of Table -%\centering % used for centering table -\begin{tabular}{|| l | l | c | c | l ||} \hline - \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline - relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline - relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline - rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ - ruptured f.tank & & & allow & \\ \hline - - rear end crash & $1$ & $11$ & recall & 11.0 \\ - ruptured f.tank & & & fix tank & \\ \hline - -\hline -\end{tabular} -\end{table} -} - - - http://www.youtube.com/watch?v=rcNeorjXMrE - -\end{frame} - - - - -\subsection{FMECA - Failure Modes Effects and Criticality Analysis} - - - -\begin{frame} -\frametitle{ FMECA - Failure Modes Effects and Criticallity Analysis} -\begin{figure} - \centering - %\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg} - \includegraphics[width=100pt]{./A10_thunderbolt.jpg} - % military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 
184 - \caption{A10 Thunderbolt} - \label{fig:f16missile} -\end{figure} -Emphasis on determining criticality of failure. -Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures). -\end{frame} - - -\begin{frame} -\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} -Very similar to PFMEA, but instead of cost, a criticality or -seriousness factor is ascribed to putative top level incidents.\pause -FMECA has three probability factors for component failures.\pause - -\textbf{FMECA ${\lambda}_{p}$ value.} -This is the overall failure rate of a base component. -This will typically be the failure rate per million ($10^6$) or -billion ($10^9$) hours of operation.\pause reference MIL1991. \pause - -\textbf{FMECA $\alpha$ value.} -The failure mode probability, usually denoted by $\alpha$ is the probability of -a particular failure~mode occurring within a component. \pause reference FMD-91. -%, should it fail. -%A component with N failure modes will thus have -%have an $\alpha$ value associated with each of those modes. -%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one. -\end{frame} - -\begin{frame} -\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} -\textbf{FMECA $\beta$ value.} -The second probability factor $\beta$, is the probability that the failure mode -will cause a given system failure.\pause -This corresponds to `Bayesian' probability, given a particular -component failure mode, the probability of a given system level failure. -\pause -\textbf{FMECA `t' Value}\pause -The time that a system will be operating for, or the working life time of the product is -represented by the variable $t$. -%for probability of failure on demand studies, -%this can be the number of operating cycles or demands expected. 
-\pause -\textbf{Severity `s' value} -A weighting factor to indicate the seriousness of the putative system level error. -%Typical classifications are as follows:~\cite{fmd91} -\pause -\begin{equation} - C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s} -\end{equation} -\pause -Highest $C_m$ values would be at the top of a `to~do' list -for a project manager. -\end{frame} - - - -\subsection{FMEDA - Failure Modes Effects and Diagnostic Analysis} - - - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -\begin{figure} - \centering - \includegraphics[width=200pt]{./SIL.png} - % SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286 - \caption{SIL requirements} -\end{figure} - -\end{frame} - - - - - -\begin{frame} - -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} - -\begin{itemize} - \pause \item \textbf{Statistical Safety} \pause Safety Integrity Level (SIL) standards (EN61508/IOC5108). - \pause \item \textbf{Diagnostics} \pause Diagnostic or self checking elements modelled - \pause \item \textbf{Complete Failure Mode Coverage} \pause All failure modes of all components must be in the model - \pause \item \textbf{Guidelines} \pause To system architectures and development processes -\end{itemize} - -% FMEDA is the methodology behind statistical (safety integrity level) -% type standards (EN61508/IOC5108). \pause -% It provides a statistical overall level of safety -% and allows diagnostic mitigation for self checking etc. \pause -% It provides guidelines for the design and architecture -% of computer/software systems for the four levels of -% safety Integrity. -% %For Hardware -% \pause -% FMEDA does force the user to consider all components in a system -% by requiring that a MTTF value is assigned for each failure~mode; \pause -% the MTTF may be statistically mitigated (improved) -% if it can be shown that self-checking will detect failure modes. 
- -\end{frame} - - - - - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -\textbf{Failure Mode Classifications in FMEDA.} - \begin{itemize} - \pause \item \textbf{Safe or Dangerous} \pause Failure modes are classified SAFE or DANGEROUS - \pause \item \textbf{Detectable failure modes} \pause Failure modes are given the attribute DETECTABLE or UNDETECTABLE - \pause \item \textbf{Four attributes to Failure Modes} \pause All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) - \pause \item \textbf{Four statistical properties of a system} \pause \\ -$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$ -\end{itemize} - -% Failure modes are classified as Safe or Dangerous according -% to the putative system level failure they will cause. \pause -% The Failure modes are also classified as Detected or -% Undetected. -% This gives us four level failure mode classifications: -% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU), -% and the probabilistic failure rate of each classification -% is represented by lambda variables -% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). -\end{frame} -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -\textbf{Diagnostic Coverage.} -The diagnostic coverage is simply the ratio -of the dangerous detected probabilities -against the probability of all dangerous failures, -and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents -the percentage of dangerous detected base component failure modes, and -$\Sigma\lambda_D$ the total number of dangerous base component failure modes. 
- -$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$ -\end{frame} - - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of -safe detected base component failure modes, -and $\Sigma\lambda_S$ the total number of safe base component failure modes, -is given as - -$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$ -\end{frame} - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -\textbf{Safe Failure Fraction.} -A key concept in FMEDA is Safe Failure Fraction (SFF). -This is the ratio of safe and dangerous detected failures -against all safe and dangerous failure probabilities. -Again this is usually expressed as a percentage. - -$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$ -\pause -SFF determines how proportionately fail-safe a system is, not how reliable it is ! \pause -Weakness in this philosophy; \pause adding extra safe failures (even unused ones) improves the SFF. - -\end{frame} - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with -hardware architectures and software techniques. \pause -The overall the aim of SIL is classify the safety of a system, -by statistically determining how frequently it can fail dangerously. 
- - -\end{frame} - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -{ -\begin{table}[ht] -\caption{FMEA Calculations} % title of Table -%\centering % used for centering table -\begin{tabular}{|| l | l | c | c | l ||} \hline - \textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\ - & Prob of failing on demand & Prob of failure per hour \\ \hline \hline - 4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline - 3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline - 2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline - 1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline - -\hline -\end{tabular} -\end{table} -} -Table adapted from EN61508-1:2001 [7.6.2.9 p33] -\end{frame} - -\begin{frame} -\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} -FMEDA is a modern extension of FMEA, in that it will allow for -self checking features, and provides detailed recommendations for computer/software architecture. \pause -It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest). - -%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is -%part of product approval for many regulated products in the EU and the USA... - -\end{frame} - - - - -\subsection{FMEA used for Safety Critical Approvals} - -\begin{frame} -\frametitle{DESIGN FMEA (DFMEA): Safety Critical Approvals FMEA} -\begin{figure}[h] - \centering - \includegraphics[width=100pt,keepaspectratio=true]{./tech_meeting.png} - % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 - \caption{FMEA Meeting} - \label{fig:tech_meeting} -\end{figure} -Static FMEA, Design FMEA, Approvals FMEA \pause - -Experts from Approval House and Equipment Manufacturer -discuss selected component failure modes -judged to be in critical sections of the product. 
- - - -\end{frame} - -\begin{frame} -\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA} - -\begin{figure}[h] - \centering - \includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png} - % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 - \caption{FMEA Meeting} - \label{fig:tech_meeting} -\end{figure} - -\begin{itemize} - \pause \item Impossible to look at all component failures let alone apply FMEA rigorously. - \pause \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented. - \pause \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented. -\end{itemize} - -\end{frame} - \subsection{FMEA - General Criticism} \begin{frame} \frametitle{FMEA - General Criticism} 
@@ -1648,8 +1209,459 @@ Questions ? +\begin{frame} +Addendum --- Types of FMEA. +\end{frame} + +\subsection{PFMEA - Production FMEA : 1940's to present} + +\begin{frame} + \frametitle{PFMEA} +Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of +cost, problems to be addressed in product production.\pause + +It focuses on known problems, determines the +frequency they occur and their cost to fix.\pause +This is multiplied together and called an RPN +number.\pause +Fixing problems with the highest RPN number +will return most cost benefit.\pause + +\end{frame} + + +\begin{frame} +% benign example of PFMEA in CARS - make something up. +\frametitle{PFMEA Example} + +{ +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline +% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ +% ruptured f.tank & & & & \\ \hline + + +\hline +\end{tabular} +\end{table} +} + +%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle. +%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million. +%COSTS +%Sales: 11 million cars, 1.5 million light trucks. +%Unit Cost: $11 per car, $11 per truck. +%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million. 
+ + + + +\end{frame} + + + +%\subsection{Production FMEA : Example Ford Pinto : 1975} +\begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./ad_ford_pinto_mpg_red_3_1975.jpg} + % ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700 + \caption{Ford Pinto Advert} + \label{fig:fordpintoad} +\end{figure} + +\end{frame} + + + \begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./burntoutpinto.png} + % burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250 + \caption{Burnt Out Pinto} + \label{fig:burntoutpinto} +\end{figure} + + +\end{frame} + + +\begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + { +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline + rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ + ruptured f.tank & & & allow & \\ \hline + + rear end crash & $1$ & $11$ & recall & 11.0 \\ + ruptured f.tank & & & fix tank & \\ \hline + +\hline +\end{tabular} +\end{table} +} + + + http://www.youtube.com/watch?v=rcNeorjXMrE + +\end{frame} +\subsection{FMECA - Failure Modes Effects and Criticality Analysis} + + + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticallity Analysis} +\begin{figure} + \centering + %\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg} + \includegraphics[width=100pt]{./A10_thunderbolt.jpg} + % military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 184 + 
\caption{A10 Thunderbolt} + \label{fig:f16missile} +\end{figure} +Emphasis on determining criticality of failure. +Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures). +\end{frame} + + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} +Very similar to PFMEA, but instead of cost, a criticality or +seriousness factor is ascribed to putative top level incidents.\pause +FMECA has three probability factors for component failures.\pause + +\textbf{FMECA ${\lambda}_{p}$ value.} +This is the overall failure rate of a base component. +This will typically be the failure rate per million ($10^6$) or +billion ($10^9$) hours of operation.\pause reference MIL1991. \pause + +\textbf{FMECA $\alpha$ value.} +The failure mode probability, usually denoted by $\alpha$ is the probability of +a particular failure~mode occurring within a component. \pause reference FMD-91. +%, should it fail. +%A component with N failure modes will thus have +%have an $\alpha$ value associated with each of those modes. +%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one. +\end{frame} + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} +\textbf{FMECA $\beta$ value.} +The second probability factor $\beta$, is the probability that the failure mode +will cause a given system failure.\pause +This corresponds to `Bayesian' probability, given a particular +component failure mode, the probability of a given system level failure. +\pause +\textbf{FMECA `t' Value}\pause +The time that a system will be operating for, or the working life time of the product is +represented by the variable $t$. +%for probability of failure on demand studies, +%this can be the number of operating cycles or demands expected. +\pause +\textbf{Severity `s' value} +A weighting factor to indicate the seriousness of the putative system level error. 
+%Typical classifications are as follows:~\cite{fmd91} +\pause +\begin{equation} + C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s} +\end{equation} +\pause +Highest $C_m$ values would be at the top of a `to~do' list +for a project manager. +\end{frame} + + + +\subsection{FMEDA - Failure Modes Effects and Diagnostic Analysis} + + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\begin{figure} + \centering + \includegraphics[width=200pt]{./SIL.png} + % SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286 + \caption{SIL requirements} +\end{figure} + +\end{frame} + + + + + +\begin{frame} + +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} + +\begin{itemize} + \pause \item \textbf{Statistical Safety} \pause Safety Integrity Level (SIL) standards (EN61508/IOC5108). + \pause \item \textbf{Diagnostics} \pause Diagnostic or self checking elements modelled + \pause \item \textbf{Complete Failure Mode Coverage} \pause All failure modes of all components must be in the model + \pause \item \textbf{Guidelines} \pause To system architectures and development processes +\end{itemize} + +% FMEDA is the methodology behind statistical (safety integrity level) +% type standards (EN61508/IOC5108). \pause +% It provides a statistical overall level of safety +% and allows diagnostic mitigation for self checking etc. \pause +% It provides guidelines for the design and architecture +% of computer/software systems for the four levels of +% safety Integrity. +% %For Hardware +% \pause +% FMEDA does force the user to consider all components in a system +% by requiring that a MTTF value is assigned for each failure~mode; \pause +% the MTTF may be statistically mitigated (improved) +% if it can be shown that self-checking will detect failure modes. 
+ +\end{frame} + + + + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Failure Mode Classifications in FMEDA.} + \begin{itemize} + \pause \item \textbf{Safe or Dangerous} \pause Failure modes are classified SAFE or DANGEROUS + \pause \item \textbf{Detectable failure modes} \pause Failure modes are given the attribute DETECTABLE or UNDETECTABLE + \pause \item \textbf{Four attributes to Failure Modes} \pause All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) + \pause \item \textbf{Four statistical properties of a system} \pause \\ +$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$ +\end{itemize} + +% Failure modes are classified as Safe or Dangerous according +% to the putative system level failure they will cause. \pause +% The Failure modes are also classified as Detected or +% Undetected. +% This gives us four level failure mode classifications: +% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU), +% and the probabilistic failure rate of each classification +% is represented by lambda variables +% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). +\end{frame} +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Diagnostic Coverage.} +The diagnostic coverage is simply the ratio +of the dangerous detected probabilities +against the probability of all dangerous failures, +and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents +the percentage of dangerous detected base component failure modes, and +$\Sigma\lambda_D$ the total number of dangerous base component failure modes. 
+ +$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$ +\end{frame} + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of +safe detected base component failure modes, +and $\Sigma\lambda_S$ the total number of safe base component failure modes, +is given as + +$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$ +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Safe Failure Fraction.} +A key concept in FMEDA is Safe Failure Fraction (SFF). +This is the ratio of safe and dangerous detected failures +against all safe and dangerous failure probabilities. +Again this is usually expressed as a percentage. + +$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$ +\pause +SFF determines how proportionately fail-safe a system is, not how reliable it is ! \pause +Weakness in this philosophy; \pause adding extra safe failures (even unused ones) improves the SFF. + +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with +hardware architectures and software techniques. \pause +The overall the aim of SIL is classify the safety of a system, +by statistically determining how frequently it can fail dangerously. 
+ + +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +{ +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\ + & Prob of failing on demand & Prob of failure per hour \\ \hline \hline + 4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline + 3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline + 2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline + 1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline + +\hline +\end{tabular} +\end{table} +} +Table adapted from EN61508-1:2001 [7.6.2.9 p33] +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +FMEDA is a modern extension of FMEA, in that it will allow for +self checking features, and provides detailed recommendations for computer/software architecture. \pause +It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest). + +%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is +%part of product approval for many regulated products in the EU and the USA... + +\end{frame} + + + + +\subsection{FMEA used for Safety Critical Approvals} + +\begin{frame} +\frametitle{DESIGN FMEA (DFMEA): Safety Critical Approvals FMEA} +\begin{figure}[h] + \centering + \includegraphics[width=100pt,keepaspectratio=true]{./tech_meeting.png} + % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 + \caption{FMEA Meeting} + \label{fig:tech_meeting} +\end{figure} +Static FMEA, Design FMEA, Approvals FMEA \pause + +Experts from Approval House and Equipment Manufacturer +discuss selected component failure modes +judged to be in critical sections of the product. 
+ + + +\end{frame} + +\begin{frame} +\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA} + +\begin{figure}[h] + \centering + \includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png} + % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 + \caption{FMEA Meeting} + \label{fig:tech_meeting} +\end{figure} + +\begin{itemize} + \pause \item Impossible to look at all component failures let alone apply FMEA rigorously. + \pause \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented. + \pause \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented. +\end{itemize} + +\end{frame} + + + + + +\begin{frame} +Addendum --- reasoning distance +\end{frame} + + +\begin{frame} +Note here that we have had to look at the failure~mode +in relation to the entire circuit. \pause +We have used intuition to determine the probable +effect of this failure mode. \pause +We have not examined this failure mode +against every other component in the system. \pause +Perhaps we should.... this would be a more rigorous and complete +approach in looking for system failures. + +\end{frame} + +\subsection{Rigorous FMEA - State Explosion} +\begin{frame} + \frametitle{Rigorous Single Failure FMEA} +Consider the analysis +where we look at all the failure modes in a system, and then +see how they can affect all other components within it. +\end{frame} + + + \begin{frame} +\frametitle{Rigorous Single Failure FMEA} +We need to look at a large number of failure scenarios +to do this completely (all failure modes against all components). +This is represented in the equation below. %~\ref{eqn:fmea_state_exp}, +where $N$ is the total number of components in the system, and +$f$ is the number of failure modes per component. 
+ + +\begin{equation} + \label{eqn:fmea_single} + N.(N-1).f % \\ + %(N^2 - N).f +\end{equation} +\end{frame} + + +\begin{frame} +\frametitle{Rigorous Single Failure FMEA} +This would mean an order of $N^2$ number of checks to perform +to undertake a `rigorous~FMEA'. Even small systems have typically +100 components, and they typically have 3 or more failure modes each. +$100*99*3=29,700$. +\pause +The European Gas burner standard (EN298:2003), demands the checking of +double failure scenarios (for burner lock-out scenarios). +\end{frame} + + + + +\begin{frame} + \frametitle{Rigorous Double Failure FMEA} +For looking at potential double failure scenarios (two components +failing within a given time frame) and the order becomes +$N^3$. \pause + +\begin{equation} + \label{eqn:fmea_double} + N.(N-1).(N-2).f % \\ + %(N^2 - N).f +\end{equation} + \pause +$100*99*98*3=2,910,600$. +\pause + +.\\ +\end{frame} \end{document} diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index b9f21cd..80cbd61 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -772,7 +772,7 @@ We can represent these failure modes on a DAG (see figure~\ref{fig:op1dag}). %} %\clearpage %\paragraph{Modelling the OP amp with the potential divider.} -We now bring the op-amp and the {\dc} {\em PD} together to % andrew heavily critised this sentence but it made sense to Chris and I +The op-amp and the {\dc} {\em PD} now % andrew heavily critised this sentence but it made sense to Chris and I form a {\fg} to model the failure mode behaviour of the non-inverting amplifier. % %We have the failure modes of the {\dc} for the potential divider, 
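Review bot: The two consecutive "DESIGN FMEA" frames in this hunk both carry `\label{fig:tech_meeting}`, which gives a "Label multiply defined" warning and makes any `\ref` to it resolve to whichever comes last; rename the second one (for instance to a constructed `fig:tech_meeting_b`) or drop the labels if nothing references them, and note that `\label{fig:f16missile}` now sits under a caption reading "A10 Thunderbolt". The re-added displays use plain-TeX `$$ ... $$` with a multi-letter identifier set in math italic; write them as `\[ \text{Diagnostic Coverage} = \Sigma\lambda_{DD} / \Sigma\lambda_D \]` (likewise for `SF` and `SFF`), and use `\times` rather than `*` in `$1*10^{-5}$` and `$100*99*3=29,700$`. In the rearranged "Rigorous Single Failure FMEA" frame the EN298:2003 sentence about double-failure checking now appears before the double-failure frame that introduces the concept, which reads out of order. The stray `.\\` immediately before the final `\end{frame}` produces an underfull hbox and should be removed. Only the end of this hunk is shown on this line; the frames named above are earlier in the same hunk.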
@@ -963,7 +963,7 @@ as {\fcs} in table~\ref{tbl:ampfmea1}. % For this amplifier configuration we have three {\dc} failure modes; {\em AMP\_High, AMP\_Low, LowPass}. % see figure~\ref{fig:fgampb}. % HTR 05SEP2012 -This model now has two stages of analysis, as represented in figure~\ref{fig:dc2}. +This model now has two stages of analysis, as represented in figure~\ref{fig:eulerfmmd}. % From the analysis in table \ref{tbl:ampfmea1} we can create the {\dc} {\em NONINVAMP}, which represents the failure mode behaviour of the non-inverting amplifier. @@ -1461,7 +1461,7 @@ This is dealt with in detail using an algorithmic description, in appendix \ref{ % %, and in this case it would have a set of failure modes. % %Looking at the {\fg} in this way is seeing it as a {\dc}. -In terms of our UML model, the symptom abstraction process takes a {\fg} +In terms of our UML model (see figure~\ref{fig:cfg}), the symptom abstraction process takes a {\fg} and creates a new {\dc} from it. %To do this it first creates %a new set of failure modes, representing the fault behaviour 
@@ -1493,13 +1493,14 @@ Each {\fg} will have one analysis report associated with it. The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one to one relationship with a derived~component. % % -The symbol $\derivec$ is used to indicate the analysis process that takes a -functional group and converts it into a new component. -\begin{definition} -With $\mathcal{\FG}$ representing the set of all functional groups (over all possible components), -and $\mathcal{{\DC}}$ the set of all derived components, -we express the analysis process $\derivec$ as $$ \derivec : \mathcal{\FG} \rightarrow \mathcal{{\DC}} .$$ -\end{definition} +%%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE ---- J.HOWSE +% The symbol $\derivec$ is used to indicate the analysis process that takes a +% functional group and converts it into a new component. +% \begin{definition} +% With $\mathcal{\FG}$ representing the set of all functional groups (over all possible components), +% and $\mathcal{{\DC}}$ the set of all derived components, +% we express the analysis process $\derivec$ as $$ \derivec : \mathcal{\FG} \rightarrow \mathcal{{\DC}} .$$ +% \end{definition} \begin{figure}[h] \centering @@ -1563,7 +1564,7 @@ in quality systems~\cite{iso9001}. Having analysis reports increases the traceability---or documented paper trail---aiding understanding and maintainability for failure mode models. % -Also a detailed cause and effect model is useful creating diagnostic schemas~\cite{dbamafta}. +Also a detailed cause and effect model is useful for creating diagnostic schemas~\cite{dbamafta}. diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 3ca3d5b..fb9020d 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex 
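Review bot: Commenting out the `definition` environment in the `@@ -1493` hunk removes the only visible introduction of the symbol `$\derivec$`; if later text in the chapter still uses `\derivec` (not visible here), readers now meet it undefined, so the block should be moved to wherever the `%%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE` marker intends rather than left as dead source. If the definition is reinstated, replace the plain-TeX `$$ ... $$` display with `\[ \derivec \colon \mathcal{\FG} \to \mathcal{{\DC}} . \]` (or `equation*`), since `$$` gives wrong vertical spacing under amsmath and `\colon` spaces the map correctly. The `definition` environment itself is not declared in this hunk, so its `\newtheorem` is assumed to exist elsewhere.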
@@ -1985,7 +1985,7 @@ It is level converted to an analogue signal (i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage) and fed into the summing integrator completing the negative feedback loop. % -This implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730]. +In essence this implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730]. \subsection{FMMD analysis of \sd } diff --git a/submission_thesis/CH5_Examples/eulersdfinal.dia b/submission_thesis/CH5_Examples/eulersdfinal.dia new file mode 100644 index 0000000..abc0d86 Binary files /dev/null and b/submission_thesis/CH5_Examples/eulersdfinal.dia differ
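Review bot: The new line keeps the page range outside the citation, `~\cite{ehb}[pp.729-730]`, so `[pp.729-730]` is typeset as literal text after the citation marker rather than as part of it; the pages belong in the optional argument with an en-dash and a non-breaking space, `In essence this implements an over-sampling analogue to digital converter~\cite[pp.~729--730]{ehb}.`. Whether natbib or biblatex is loaded is not visible here, but the optional-argument form works with the standard `\cite` as well.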