re-organised the presentation for System safety

2012---and made minor alterations to CH4.
J Howse said CH4 is finished !!!!
Whooooooooooooooopppppppppppppppppppppppeeeeeeeeeeeeeeeeeeee!
This commit is contained in:
Robin Clark 2012-10-13 15:06:42 +01:00
parent d34f74ef07
commit 89222b34b2
5 changed files with 469 additions and 456 deletions

View File

@ -1,7 +1,7 @@
@BOOK{dmfnt, @BOOK{mixedsignaldsp,
AUTHOR = "mixedsignaldsp", AUTHOR = "Walt Kestler",
TITLE = "Mixed Signal and DSP Design Techniques ISBN 0750676116" TITLE = "Mixed Signal and DSP Design Techniques ISBN 0750676116",
PUBLISHER = "Newnes/Analog Devices", PUBLISHER = "Newnes/Analog Devices",
YEAR = "2003" YEAR = "2003"
} }
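Review bot: renaming the BibTeX key from dmfnt to mixedsignaldsp will silently break any \cite{dmfnt} still present in the chapter sources unless those were updated in the same commit; grep the .tex files for the old key before merging. Two smaller points in the same entry: the ISBN is still embedded in the TITLE string rather than in its own ISBN = "0750676116" field, and the author is given as "Walt Kestler"; the Analog Devices editor of this book is Walt Kester, so check the spelling before it propagates into the printed bibliography.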

View File

@ -117,6 +117,7 @@ For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry.
\begin{frame} \begin{frame}
%
\frametitle{FMEA Example: Milli-volt reader} \frametitle{FMEA Example: Milli-volt reader}
\begin{figure} \begin{figure}
\centering \centering
@ -129,80 +130,14 @@ For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry.
\pause \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING \pause \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING
\pause \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading \pause \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading
\end{itemize} \end{itemize}
\end{frame} %
\begin{frame}
Note here that we have had to look at the failure~mode
in relation to the entire circuit. \pause
We have used intuition to determine the probable
effect of this failure mode. \pause
We have not examined this failure mode
against every other component in the system. \pause
Perhaps we should.... this would be a more rigorous and complete
approach in looking for system failures.
\end{frame}
\subsection{Rigorous FMEA - State Explosion}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
Consider the analysis
where we look at all the failure modes in a system, and then
see how they can affect all other components within it.
\end{frame}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
We need to look at a large number of failure scenarios
to do this completely (all failure modes against all components).
This is represented in the equation below. %~\ref{eqn:fmea_state_exp},
where $N$ is the total number of components in the system, and
$f$ is the number of failure modes per component.
\begin{equation}
\label{eqn:fmea_single}
N.(N-1).f % \\
%(N^2 - N).f
\end{equation}
\end{frame}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
This would mean an order of $N^2$ number of checks to perform
to undertake a `rigorous~FMEA'. Even small systems have typically
100 components, and they typically have 3 or more failure modes each.
$100*99*3=29,700$.
\end{frame} \end{frame}
\begin{frame}
\frametitle{Rigorous Double Failure FMEA}
For looking at potential double failure scenarios (two components
failing within a given time frame) and the order becomes
$N^3$. \pause
\begin{equation}
\label{eqn:fmea_double}
N.(N-1).(N-2).f % \\
%(N^2 - N).f
\end{equation}
\pause
$100*99*98*3=2,910,600$.
\pause
.\\
The European Gas burner standard (EN298:2003), demands the checking of
double failure scenarios (for burner lock-out scenarios).
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Four main Variants of FMEA} \frametitle{Four main Variants of FMEA}
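Review bot: the lines removed here include the definitions of \label{eqn:fmea_single} and \label{eqn:fmea_double}, so any \ref to either label from earlier in the talk now resolves forward into material placed after the closing frame, or prints as "??" if that material is not built; check the body for dangling references to these two equations before relying on the move. Also note that the "Note here that we have had to look at the failure~mode" frame is removed from directly after the milli-volt reader example that it comments on ("this failure mode", "the entire circuit"), so wherever it lands it will need a reminder of which example it refers to.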
@ -216,380 +151,6 @@ double failure scenarios (for burner lock-out scenarios).
\subsection{PFMEA - Production FMEA : 1940's to present}
\begin{frame}
\frametitle{PFMEA}
Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of
cost, problems to be addressed in product production.\pause
It focuses on known problems, determines the
frequency they occur and their cost to fix.\pause
This is multiplied together and called an RPN
number.\pause
Fixing problems with the highest RPN number
will return most cost benefit.\pause
\end{frame}
\begin{frame}
% benign example of PFMEA in CARS - make something up.
\frametitle{PFMEA Example}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline
relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline
relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline
% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\
% ruptured f.tank & & & & \\ \hline
\hline
\end{tabular}
\end{table}
}
%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle.
%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million.
%COSTS
%Sales: 11 million cars, 1.5 million light trucks.
%Unit Cost: $11 per car, $11 per truck.
%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million.
\end{frame}
%\subsection{Production FMEA : Example Ford Pinto : 1975}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./ad_ford_pinto_mpg_red_3_1975.jpg}
% ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700
\caption{Ford Pinto Advert}
\label{fig:fordpintoad}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./burntoutpinto.png}
% burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250
\caption{Burnt Out Pinto}
\label{fig:burntoutpinto}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline
relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline
relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline
rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\
ruptured f.tank & & & allow & \\ \hline
rear end crash & $1$ & $11$ & recall & 11.0 \\
ruptured f.tank & & & fix tank & \\ \hline
\hline
\end{tabular}
\end{table}
}
http://www.youtube.com/watch?v=rcNeorjXMrE
\end{frame}
\subsection{FMECA - Failure Modes Effects and Criticality Analysis}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticallity Analysis}
\begin{figure}
\centering
%\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg}
\includegraphics[width=100pt]{./A10_thunderbolt.jpg}
% military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 184
\caption{A10 Thunderbolt}
\label{fig:f16missile}
\end{figure}
Emphasis on determining criticality of failure.
Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures).
\end{frame}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis}
Very similar to PFMEA, but instead of cost, a criticality or
seriousness factor is ascribed to putative top level incidents.\pause
FMECA has three probability factors for component failures.\pause
\textbf{FMECA ${\lambda}_{p}$ value.}
This is the overall failure rate of a base component.
This will typically be the failure rate per million ($10^6$) or
billion ($10^9$) hours of operation.\pause reference MIL1991. \pause
\textbf{FMECA $\alpha$ value.}
The failure mode probability, usually denoted by $\alpha$ is the probability of
a particular failure~mode occurring within a component. \pause reference FMD-91.
%, should it fail.
%A component with N failure modes will thus have
%have an $\alpha$ value associated with each of those modes.
%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one.
\end{frame}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis}
\textbf{FMECA $\beta$ value.}
The second probability factor $\beta$, is the probability that the failure mode
will cause a given system failure.\pause
This corresponds to `Bayesian' probability, given a particular
component failure mode, the probability of a given system level failure.
\pause
\textbf{FMECA `t' Value}\pause
The time that a system will be operating for, or the working life time of the product is
represented by the variable $t$.
%for probability of failure on demand studies,
%this can be the number of operating cycles or demands expected.
\pause
\textbf{Severity `s' value}
A weighting factor to indicate the seriousness of the putative system level error.
%Typical classifications are as follows:~\cite{fmd91}
\pause
\begin{equation}
C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s}
\end{equation}
\pause
Highest $C_m$ values would be at the top of a `to~do' list
for a project manager.
\end{frame}
\subsection{FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{figure}
\centering
\includegraphics[width=200pt]{./SIL.png}
% SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286
\caption{SIL requirements}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{itemize}
\pause \item \textbf{Statistical Safety} \pause Safety Integrity Level (SIL) standards (EN61508/IOC5108).
\pause \item \textbf{Diagnostics} \pause Diagnostic or self checking elements modelled
\pause \item \textbf{Complete Failure Mode Coverage} \pause All failure modes of all components must be in the model
\pause \item \textbf{Guidelines} \pause To system architectures and development processes
\end{itemize}
% FMEDA is the methodology behind statistical (safety integrity level)
% type standards (EN61508/IOC5108). \pause
% It provides a statistical overall level of safety
% and allows diagnostic mitigation for self checking etc. \pause
% It provides guidelines for the design and architecture
% of computer/software systems for the four levels of
% safety Integrity.
% %For Hardware
% \pause
% FMEDA does force the user to consider all components in a system
% by requiring that a MTTF value is assigned for each failure~mode; \pause
% the MTTF may be statistically mitigated (improved)
% if it can be shown that self-checking will detect failure modes.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Failure Mode Classifications in FMEDA.}
\begin{itemize}
\pause \item \textbf{Safe or Dangerous} \pause Failure modes are classified SAFE or DANGEROUS
\pause \item \textbf{Detectable failure modes} \pause Failure modes are given the attribute DETECTABLE or UNDETECTABLE
\pause \item \textbf{Four attributes to Failure Modes} \pause All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU)
\pause \item \textbf{Four statistical properties of a system} \pause \\
$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$
\end{itemize}
% Failure modes are classified as Safe or Dangerous according
% to the putative system level failure they will cause. \pause
% The Failure modes are also classified as Detected or
% Undetected.
% This gives us four level failure mode classifications:
% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU),
% and the probabilistic failure rate of each classification
% is represented by lambda variables
% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$).
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Diagnostic Coverage.}
The diagnostic coverage is simply the ratio
of the dangerous detected probabilities
against the probability of all dangerous failures,
and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents
the percentage of dangerous detected base component failure modes, and
$\Sigma\lambda_D$ the total number of dangerous base component failure modes.
$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of
safe detected base component failure modes,
and $\Sigma\lambda_S$ the total number of safe base component failure modes,
is given as
$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Safe Failure Fraction.}
A key concept in FMEDA is Safe Failure Fraction (SFF).
This is the ratio of safe and dangerous detected failures
against all safe and dangerous failure probabilities.
Again this is usually expressed as a percentage.
$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$
\pause
SFF determines how proportionately fail-safe a system is, not how reliable it is ! \pause
Weakness in this philosophy; \pause adding extra safe failures (even unused ones) improves the SFF.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with
hardware architectures and software techniques. \pause
The overall the aim of SIL is classify the safety of a system,
by statistically determining how frequently it can fail dangerously.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\
& Prob of failing on demand & Prob of failure per hour \\ \hline \hline
4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline
3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline
2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline
1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline
\hline
\end{tabular}
\end{table}
}
Table adapted from EN61508-1:2001 [7.6.2.9 p33]
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
FMEDA is a modern extension of FMEA, in that it will allow for
self checking features, and provides detailed recommendations for computer/software architecture. \pause
It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest).
%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is
%part of product approval for many regulated products in the EU and the USA...
\end{frame}
\subsection{FMEA used for Safety Critical Approvals}
\begin{frame}
\frametitle{DESIGN FMEA (DFMEA): Safety Critical Approvals FMEA}
\begin{figure}[h]
\centering
\includegraphics[width=100pt,keepaspectratio=true]{./tech_meeting.png}
% tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72
\caption{FMEA Meeting}
\label{fig:tech_meeting}
\end{figure}
Static FMEA, Design FMEA, Approvals FMEA \pause
Experts from Approval House and Equipment Manufacturer
discuss selected component failure modes
judged to be in critical sections of the product.
\end{frame}
\begin{frame}
\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA}
\begin{figure}[h]
\centering
\includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png}
% tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72
\caption{FMEA Meeting}
\label{fig:tech_meeting}
\end{figure}
\begin{itemize}
\pause \item Impossible to look at all component failures let alone apply FMEA rigorously.
\pause \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented.
\pause \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented.
\end{itemize}
\end{frame}
\subsection{FMEA - General Criticism} \subsection{FMEA - General Criticism}
\begin{frame} \begin{frame}
\frametitle{FMEA - General Criticism} \frametitle{FMEA - General Criticism}
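Review bot: with the PFMEA, FMECA, FMEDA and Safety Critical Approvals subsections deleted from this position, the "Four main Variants of FMEA" frame kept as context at the top of this hunk now announces four variants that the main talk no longer covers before moving straight to "FMEA - General Criticism". Either cut that frame down to a one-line pointer or state on it that the variants are treated in the addendum, otherwise the audience is promised four sections that never arrive.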
@ -1648,8 +1209,459 @@ Questions ?
\begin{frame}
Addendum --- Types of FMEA.
\end{frame}
\subsection{PFMEA - Production FMEA : 1940's to present}
\begin{frame}
\frametitle{PFMEA}
Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of
cost, problems to be addressed in product production.\pause
It focuses on known problems, determines the
frequency they occur and their cost to fix.\pause
This is multiplied together and called an RPN
number.\pause
Fixing problems with the highest RPN number
will return most cost benefit.\pause
\end{frame}
\begin{frame}
% benign example of PFMEA in CARS - make something up.
\frametitle{PFMEA Example}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline
relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline
relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline
% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\
% ruptured f.tank & & & & \\ \hline
\hline
\end{tabular}
\end{table}
}
%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle.
%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million.
%COSTS
%Sales: 11 million cars, 1.5 million light trucks.
%Unit Cost: $11 per car, $11 per truck.
%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million.
\end{frame}
%\subsection{Production FMEA : Example Ford Pinto : 1975}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./ad_ford_pinto_mpg_red_3_1975.jpg}
% ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700
\caption{Ford Pinto Advert}
\label{fig:fordpintoad}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./burntoutpinto.png}
% burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250
\caption{Burnt Out Pinto}
\label{fig:burntoutpinto}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{PFMEA Example: Ford Pinto: 1975}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline
relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline
relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline
rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\
ruptured f.tank & & & allow & \\ \hline
rear end crash & $1$ & $11$ & recall & 11.0 \\
ruptured f.tank & & & fix tank & \\ \hline
\hline
\end{tabular}
\end{table}
}
http://www.youtube.com/watch?v=rcNeorjXMrE
\end{frame}
\subsection{FMECA - Failure Modes Effects and Criticality Analysis}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticallity Analysis}
\begin{figure}
\centering
%\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg}
\includegraphics[width=100pt]{./A10_thunderbolt.jpg}
% military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 184
\caption{A10 Thunderbolt}
\label{fig:f16missile}
\end{figure}
Emphasis on determining criticality of failure.
Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures).
\end{frame}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis}
Very similar to PFMEA, but instead of cost, a criticality or
seriousness factor is ascribed to putative top level incidents.\pause
FMECA has three probability factors for component failures.\pause
\textbf{FMECA ${\lambda}_{p}$ value.}
This is the overall failure rate of a base component.
This will typically be the failure rate per million ($10^6$) or
billion ($10^9$) hours of operation.\pause reference MIL1991. \pause
\textbf{FMECA $\alpha$ value.}
The failure mode probability, usually denoted by $\alpha$ is the probability of
a particular failure~mode occurring within a component. \pause reference FMD-91.
%, should it fail.
%A component with N failure modes will thus have
%have an $\alpha$ value associated with each of those modes.
%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one.
\end{frame}
\begin{frame}
\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis}
\textbf{FMECA $\beta$ value.}
The second probability factor $\beta$, is the probability that the failure mode
will cause a given system failure.\pause
This corresponds to `Bayesian' probability, given a particular
component failure mode, the probability of a given system level failure.
\pause
\textbf{FMECA `t' Value}\pause
The time that a system will be operating for, or the working life time of the product is
represented by the variable $t$.
%for probability of failure on demand studies,
%this can be the number of operating cycles or demands expected.
\pause
\textbf{Severity `s' value}
A weighting factor to indicate the seriousness of the putative system level error.
%Typical classifications are as follows:~\cite{fmd91}
\pause
\begin{equation}
C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s}
\end{equation}
\pause
Highest $C_m$ values would be at the top of a `to~do' list
for a project manager.
\end{frame}
\subsection{FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{figure}
\centering
\includegraphics[width=200pt]{./SIL.png}
% SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286
\caption{SIL requirements}
\end{figure}
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{itemize}
\pause \item \textbf{Statistical Safety} \pause Safety Integrity Level (SIL) standards (EN61508/IOC5108).
\pause \item \textbf{Diagnostics} \pause Diagnostic or self checking elements modelled
\pause \item \textbf{Complete Failure Mode Coverage} \pause All failure modes of all components must be in the model
\pause \item \textbf{Guidelines} \pause To system architectures and development processes
\end{itemize}
% FMEDA is the methodology behind statistical (safety integrity level)
% type standards (EN61508/IOC5108). \pause
% It provides a statistical overall level of safety
% and allows diagnostic mitigation for self checking etc. \pause
% It provides guidelines for the design and architecture
% of computer/software systems for the four levels of
% safety Integrity.
% %For Hardware
% \pause
% FMEDA does force the user to consider all components in a system
% by requiring that a MTTF value is assigned for each failure~mode; \pause
% the MTTF may be statistically mitigated (improved)
% if it can be shown that self-checking will detect failure modes.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Failure Mode Classifications in FMEDA.}
\begin{itemize}
\pause \item \textbf{Safe or Dangerous} \pause Failure modes are classified SAFE or DANGEROUS
\pause \item \textbf{Detectable failure modes} \pause Failure modes are given the attribute DETECTABLE or UNDETECTABLE
\pause \item \textbf{Four attributes to Failure Modes} \pause All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU)
\pause \item \textbf{Four statistical properties of a system} \pause \\
$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$
\end{itemize}
% Failure modes are classified as Safe or Dangerous according
% to the putative system level failure they will cause. \pause
% The Failure modes are also classified as Detected or
% Undetected.
% This gives us four level failure mode classifications:
% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU),
% and the probabilistic failure rate of each classification
% is represented by lambda variables
% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$).
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Diagnostic Coverage.}
The diagnostic coverage is simply the ratio
of the dangerous detected probabilities
against the probability of all dangerous failures,
and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents
the percentage of dangerous detected base component failure modes, and
$\Sigma\lambda_D$ the total number of dangerous base component failure modes.
$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of
safe detected base component failure modes,
and $\Sigma\lambda_S$ the total number of safe base component failure modes,
is given as
$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\textbf{Safe Failure Fraction.}
A key concept in FMEDA is Safe Failure Fraction (SFF).
This is the ratio of safe and dangerous detected failures
against all safe and dangerous failure probabilities.
Again this is usually expressed as a percentage.
$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$
\pause
SFF determines how proportionately fail-safe a system is, not how reliable it is ! \pause
Weakness in this philosophy; \pause adding extra safe failures (even unused ones) improves the SFF.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with
hardware architectures and software techniques. \pause
The overall the aim of SIL is classify the safety of a system,
by statistically determining how frequently it can fail dangerously.
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
{
\begin{table}[ht]
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\
& Prob of failing on demand & Prob of failure per hour \\ \hline \hline
4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline
3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline
2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline
1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline
\hline
\end{tabular}
\end{table}
}
Table adapted from EN61508-1:2001 [7.6.2.9 p33]
\end{frame}
\begin{frame}
\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
FMEDA is a modern extension of FMEA, in that it will allow for
self checking features, and provides detailed recommendations for computer/software architecture. \pause
It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest).
%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is
%part of product approval for many regulated products in the EU and the USA...
\end{frame}
\subsection{FMEA used for Safety Critical Approvals}
\begin{frame}
\frametitle{DESIGN FMEA (DFMEA): Safety Critical Approvals FMEA}
\begin{figure}[h]
\centering
\includegraphics[width=100pt,keepaspectratio=true]{./tech_meeting.png}
% tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72
\caption{FMEA Meeting}
\label{fig:tech_meeting}
\end{figure}
Static FMEA, Design FMEA, Approvals FMEA \pause
Experts from Approval House and Equipment Manufacturer
discuss selected component failure modes
judged to be in critical sections of the product.
\end{frame}
\begin{frame}
\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA}
\begin{figure}[h]
\centering
\includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png}
% tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72
\caption{FMEA Meeting}
\label{fig:tech_meeting}
\end{figure}
\begin{itemize}
\pause \item Impossible to look at all component failures let alone apply FMEA rigorously.
\pause \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented.
\pause \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented.
\end{itemize}
\end{frame}
\begin{frame}
Addendum --- reasoning distance
\end{frame}
\begin{frame}
Note here that we have had to look at the failure~mode
in relation to the entire circuit. \pause
We have used intuition to determine the probable
effect of this failure mode. \pause
We have not examined this failure mode
against every other component in the system. \pause
Perhaps we should.... this would be a more rigorous and complete
approach in looking for system failures.
\end{frame}
\subsection{Rigorous FMEA - State Explosion}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
Consider the analysis
where we look at all the failure modes in a system, and then
see how they can affect all other components within it.
\end{frame}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
We need to look at a large number of failure scenarios
to do this completely (all failure modes against all components).
This is represented in the equation below. %~\ref{eqn:fmea_state_exp},
where $N$ is the total number of components in the system, and
$f$ is the number of failure modes per component.
\begin{equation}
\label{eqn:fmea_single}
N.(N-1).f % \\
%(N^2 - N).f
\end{equation}
\end{frame}
\begin{frame}
\frametitle{Rigorous Single Failure FMEA}
This would mean an order of $N^2$ number of checks to perform
to undertake a `rigorous~FMEA'. Even small systems have typically
100 components, and they typically have 3 or more failure modes each.
$100*99*3=29,700$.
\pause
The European Gas burner standard (EN298:2003), demands the checking of
double failure scenarios (for burner lock-out scenarios).
\end{frame}
\begin{frame}
\frametitle{Rigorous Double Failure FMEA}
For looking at potential double failure scenarios (two components
failing within a given time frame) and the order becomes
$N^3$. \pause
\begin{equation}
\label{eqn:fmea_double}
N.(N-1).(N-2).f % \\
%(N^2 - N).f
\end{equation}
\pause
$100*99*98*3=2,910,600$.
\pause
.\\
\end{frame}
\end{document} \end{document}
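Review bot: in the re-added "Rigorous Single Failure FMEA" frame the sentence "The European Gas burner standard (EN298:2003), demands the checking of double failure scenarios" now sits on the single-failure slide, one frame before double failures are introduced; it originally closed the "Rigorous Double Failure FMEA" frame and should move back there (the stray ".\\" left at the end of that frame marks where it was). Two further problems travel with the moved block: \label{fig:tech_meeting} is now defined on two consecutive frames, which LaTeX will report as a multiply-defined label, and the SIL table still carries the caption "FMEA Calculations" copied from the PFMEA tables. Minor: "Criticallity" in the first FMECA frametitle, and the FMECA frame states "three probability factors" but then goes on to list lambda_p, alpha, beta, t and s.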

View File

@ -772,7 +772,7 @@ We can represent these failure modes on a DAG (see figure~\ref{fig:op1dag}).
%} %}
%\clearpage %\clearpage
%\paragraph{Modelling the OP amp with the potential divider.} %\paragraph{Modelling the OP amp with the potential divider.}
We now bring the op-amp and the {\dc} {\em PD} together to % andrew heavily critised this sentence but it made sense to Chris and I The op-amp and the {\dc} {\em PD} now % andrew heavily critised this sentence but it made sense to Chris and I
form a {\fg} to model the failure mode behaviour of the non-inverting amplifier. form a {\fg} to model the failure mode behaviour of the non-inverting amplifier.
% %
%We have the failure modes of the {\dc} for the potential divider, %We have the failure modes of the {\dc} for the potential divider,
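Review bot: the rewritten sentence reads fine, but the inline note `% andrew heavily critised this sentence but it made sense to Chris and I` is still carried in the source; once the wording is settled the review comment should be dropped (or, if it is kept, spelled `criticised` and `Chris and me`) so that it does not travel with any published copy of the source.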
@ -963,7 +963,7 @@ as {\fcs} in table~\ref{tbl:ampfmea1}.
% %
For this amplifier configuration we have three {\dc} failure modes; {\em AMP\_High, AMP\_Low, LowPass}. % see figure~\ref{fig:fgampb}. For this amplifier configuration we have three {\dc} failure modes; {\em AMP\_High, AMP\_Low, LowPass}. % see figure~\ref{fig:fgampb}.
% HTR 05SEP2012 % HTR 05SEP2012
This model now has two stages of analysis, as represented in figure~\ref{fig:dc2}. This model now has two stages of analysis, as represented in figure~\ref{fig:eulerfmmd}.
% %
From the analysis in table \ref{tbl:ampfmea1} we can create the {\dc} {\em NONINVAMP}, which From the analysis in table \ref{tbl:ampfmea1} we can create the {\dc} {\em NONINVAMP}, which
represents the failure mode behaviour of the non-inverting amplifier. represents the failure mode behaviour of the non-inverting amplifier.
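Review bot: switching the reference from `fig:dc2` to `fig:eulerfmmd` needs two checks: that the figure carrying `fig:eulerfmmd` actually depicts the two stages of analysis the sentence promises, and that whatever figure still carries `fig:dc2` is referenced from somewhere else, otherwise it is now an orphaned float that LaTeX will still place in the chapter.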
@ -1461,7 +1461,7 @@ This is dealt with in detail using an algorithmic description, in appendix \ref{
% %, and in this case it would have a set of failure modes. % %, and in this case it would have a set of failure modes.
% %Looking at the {\fg} in this way is seeing it as a {\dc}. % %Looking at the {\fg} in this way is seeing it as a {\dc}.
In terms of our UML model, the symptom abstraction process takes a {\fg} In terms of our UML model (see figure~\ref{fig:cfg}), the symptom abstraction process takes a {\fg}
and creates a new {\dc} from it. and creates a new {\dc} from it.
%To do this it first creates %To do this it first creates
%a new set of failure modes, representing the fault behaviour %a new set of failure modes, representing the fault behaviour
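Review bot: the added `(see figure~\ref{fig:cfg})` is the right pointer, but the same figure is cited again as `(in figure \ref{fig:cfg})` at the top of the next hunk without the `~` tie; use `figure~\ref{...}` throughout so the figure number cannot be separated from the word "figure" at a line break.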
@ -1493,13 +1493,14 @@ Each {\fg} will have one analysis report associated with it.
The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one to one relationship with a derived~component. The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one to one relationship with a derived~component.
% %
% %
The symbol $\derivec$ is used to indicate the analysis process that takes a %%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE ---- J.HOWSE
functional group and converts it into a new component. % The symbol $\derivec$ is used to indicate the analysis process that takes a
\begin{definition} % functional group and converts it into a new component.
With $\mathcal{\FG}$ representing the set of all functional groups (over all possible components), % \begin{definition}
and $\mathcal{{\DC}}$ the set of all derived components, % With $\mathcal{\FG}$ representing the set of all functional groups (over all possible components),
we express the analysis process $\derivec$ as $$ \derivec : \mathcal{\FG} \rightarrow \mathcal{{\DC}} .$$ % and $\mathcal{{\DC}}$ the set of all derived components,
\end{definition} % we express the analysis process $\derivec$ as $$ \derivec : \mathcal{\FG} \rightarrow \mathcal{{\DC}} .$$
% \end{definition}
\begin{figure}[h] \begin{figure}[h]
\centering \centering
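Review bot: commenting out the `\begin{definition}` ... `\end{definition}` block removes the only definition of `$\derivec$` shown here while the symbol itself is not removed. If `$\derivec$` is still used elsewhere in the chapter (for instance in the algorithmic description in the appendix referred to at the start of the previous hunk), the definition should be moved to where the symbol is first used, as the `%%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE` note suggests, rather than disabled. Leaving the dead block in the source also invites two copies drifting apart once it is reinstated; delete it or replace it with a one-line comment saying where the definition went.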
@ -1563,7 +1564,7 @@ in quality systems~\cite{iso9001}.
Having analysis reports increases the traceability---or documented paper trail---aiding understanding Having analysis reports increases the traceability---or documented paper trail---aiding understanding
and maintainability for failure mode models. and maintainability for failure mode models.
% %
Also a detailed cause and effect model is useful creating diagnostic schemas~\cite{dbamafta}. Also a detailed cause and effect model is useful for creating diagnostic schemas~\cite{dbamafta}.

View File

@ -1985,7 +1985,7 @@ It is level converted to an analogue signal
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage) (i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
and fed into the summing integrator completing the negative feedback loop. and fed into the summing integrator completing the negative feedback loop.
% %
This implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730]. In essence this implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730].
\subsection{FMMD analysis of \sd } \subsection{FMMD analysis of \sd }
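Review bot: `\cite{ehb}[pp.729-730]` has the arguments the wrong way round: the optional page reference belongs before the key, `\cite[pp.~729--730]{ehb}`, otherwise the brackets are typeset literally after the citation mark; use an en dash (`--`) for the page range while fixing it. The softening to `In essence this implements` is fine.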

Binary file not shown.