lunchtime edit

This commit is contained in:
Robin Clark 2011-02-10 15:11:26 +00:00
parent e15c2ef6d5
commit 8bd0e5291a
5 changed files with 75 additions and 145 deletions


@ -5,32 +5,57 @@
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
\begin{abstract} \begin{abstract}
This paper describes
a methodology to analyse
safety critical designs from a failure mode perspective.
This paper concentrates on the hierarchical model: the analysis
phases (symtom abstraction) and {\fgs} are dealt with
in \cite{symptom_ex}.
The (Failure Mode Modular De-Composition) FMMD methodology provides This paper describes an incremental and modular approach to traditional FMEA
a rigorous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes. design analysis.
Using symptom extraction, and taking {\fgs} of components, a fault behaviour
hierarchy is built, forming a fault model tree. %a methodology to analyse
From the fault model trees, %safety critical designs from a failure mode perspective.
%This paper concentrates on the hierarchical model: the analysis
%phases (symtom abstraction) and {\fgs} are dealt with
%in \cite{symptom_ex}.
This methodology, Failure Mode Modular De-Composition (FMMD) provides
a rigorous method for creating a failure mode model of
a SYSTEM from the bottom up starting with {\bc} level failure modes.
The FMMD process in outline is that,
components are collected into functional groups, which are analysed from a failure mode perspective,
and then a failure mode behaviour for each particular {\fg} is determined.
From this failure mode behaviour we can now treat the {\fg}
as a component or `black~box', with a known set of failure modes.
We can thus create a new component, a {\dc}, that we can use in place
of the functional group in our design.
%
By collecting {\dcs} into {\fgs} and analysing these into higher level {\dcs} a
hierarchy is naturally formed. This hierarchy is termed an `FMMD failure mode tree'.
From the FMMD failure mode trees,
modular re-usable sections of safety critical systems, modular re-usable sections of safety critical systems,
and accurate, statistical estimation for fault frequency can be derived automatically. %and accurate, statistical estimation for fault frequency can be derived/
It provides the means to trace the causes of dangerous detected and dangerous undetected faults. can be extracted automatically.
It provides the means to produce Minimal cut-sets, FTA diagrams and FMEDA models, from Thus FMMD supports re-use of analysed design sections.
The failure mode relationships, when traced, are of the form of
a directed acyclic graph. SYSTEM or top level failure modes
can be traced back to the base components that can cause them.
This means that components that may cause more than one SYSTEM failure
are handled naturally by the FMMD methodology.
FMMD provides the means to trace the causes of dangerous detected and dangerous undetected faults.
FMMD provides the means to produce cut-sets, minimal cut-sets, FTA diagrams, FMECA and FMEDA models, from
a data model built by the FMMD methodology. a data model built by the FMMD methodology.
It has a common notation spanning mechanical, electrical and software failures, It has been designed for small safety critical embedded
and incorporating them into system models. It has been designed for small safety critical embedded
systems, but because of its modular and hierarchical nature, can be used to model larger systems. systems, but because of its modular and hierarchical nature, can be used to model larger systems.
It is intended to be used to formally prove systems to meet EN and UL standards, including and not limited to FMMD was originally designed to aid formal proof for industrial burner systems, to meet EN and UL standards, including and not limited to
EN298, EN61508, EN12067, EN230, UL1998. EN298, EN61508, EN12067, EN230, UL1998.
FMMD has a common notation spanning mechanical, electrical and software domians.
Thus complete failure mode models can be produced for electro mechanical systems controlled
by a micro-processor.
\end{abstract} \end{abstract}
} }
{ {
This chapter describes the Failure Mode Modular De-Composition (FMMD) This \chappap describes the Failure Mode Modular De-Composition (FMMD)
methodology to analyse methodology to analyse
safety critical designs from a failure mode perspective, with emphasis on building a hierarchical model, in an incremental and modular fashion. safety critical designs from a failure mode perspective, with emphasis on building a hierarchical model, in an incremental and modular fashion.
%Failure Mode Modular De-Composition (FMMD) %Failure Mode Modular De-Composition (FMMD)
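Review bot: typo in the last added abstract sentence, `software domians` should be `software domains`, and the standards sentence reads `including and not limited to`, which should be `including but not limited to` (the same wording survives in the chapter branch below, so fix both). Two smaller points in the new text: `This methodology, Failure Mode Modular De-Composition (FMMD) provides` needs a comma after `(FMMD)`, and `modular re-usable sections of safety critical systems, can be extracted automatically` now has a stray comma before `can` because the statistical-estimation clause that followed it has been commented out. Commenting out `%in \cite{symptom_ex}.` also removes the only citation the paper branch had for the symptom abstraction step; if that reference is still wanted in the paper, put it back in the body text rather than in the abstract.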
@ -46,7 +71,7 @@ It provides the means to produce Minimal cut-sets, FTA diagrams and FMEDA models
a data model built by the FMMD methodology. a data model built by the FMMD methodology.
It has a common notation spanning mechanical, electrical and software failures, It has a common notation spanning mechanical, electrical and software failures,
and can integrate all three into the same system models. It has been designed for small safety critical embedded and can integrate all three into the same system models. It has been designed for small safety critical embedded
systems, but because of its modular and hierarchical nature, can be used to model larger systems. systems~\cite{Clark200519}, but because of its modular and hierarchical nature, can be used to model larger systems.
It is intended to be used to formally prove systems to meet EN and UL standards, including and not limited to It is intended to be used to formally prove systems to meet EN and UL standards, including and not limited to
EN298, EN61508, EN12067, EN230, UL1998. EN298, EN61508, EN12067, EN230, UL1998.
} }
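Review bot: the two branches of this `\ifthenelse{\boolean{paper}}` now disagree about scope: the paper branch says FMMD `was originally designed to aid formal proof for industrial burner systems`, while this chapter branch keeps `It is intended to be used to formally prove systems to meet EN and UL standards`; pick one wording, otherwise the chapter and the paper state different things about whether the standards list is the original motivation or the current intent. Adding `\cite{Clark200519}` only in this branch is right (an abstract should not carry citations), but make sure the paper build still cites the 2005 paper somewhere in its body. `including and not limited to` should read `including but not limited to` here as well.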
@ -60,7 +85,7 @@ EN298, EN61508, EN12067, EN230, UL1998.
The purpose of the FMMD methodology is to apply formal techniques to The purpose of the FMMD methodology is to apply formal techniques to
the assessment of safety critical designs, aiding in identifying detected and undetectable faults the assessment of safety critical designs, aiding in identifying detected and undetectable faults
\footnote{Undetectable faults are faults which may occur but are not self~detected, or are impossible to detect by the system.}. \footnote{Undetectable faults are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
Formal methods are just beginning to be specified in some safety standards.\footnote{Formal methods Formal methods are beginning to be specified in some safety standards.\footnote{Formal methods
such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but
apply only to software currently. Semi formal methods such as FMEDA are recomended for electronics.} However, some standards are now implying the handling of apply only to software currently. Semi formal methods such as FMEDA are recomended for electronics.} However, some standards are now implying the handling of
simultaneous faults which complicates the scenario based approvals that are simultaneous faults which complicates the scenario based approvals that are
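Review bot: since this sentence is being reworded, also fix `recomended` in the footnote on the following context line (`Semi formal methods such as FMEDA are recomended for electronics`), and hyphenate `Semi-formal`. `some standards are now implying the handling of simultaneous faults` is vague: if a standard actually requires double-fault coverage, say `require` and name it (the bib entry added in this commit tags EN298 with `double-fault`); `implying` reads as the author's inference rather than a requirement.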
@ -155,7 +180,7 @@ together to form functional groups and create new {\dcs}
at a higher abstraction level. at a higher abstraction level.
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
Reference the symptom abstraction paper here %Reference the symptom abstraction paper here
} }
{ {
This analysis and symptom collection process is described in detail in the Symptom Extraction chapter (see section \ref{symptomex}). This analysis and symptom collection process is described in detail in the Symptom Extraction chapter (see section \ref{symptomex}).
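Review bot: commenting out `Reference the symptom abstraction paper here` leaves the paper branch of this `\ifthenelse` as an empty group, so the paper build now says nothing about where the analysis and symptom collection process is described, while the chapter build points at `\ref{symptomex}`. Replace the placeholder with a real reference rather than nothing; the abstract text removed in the first hunk used `\cite{symptom_ex}` for exactly this, e.g. `This analysis and symptom collection process is described in detail in \cite{symptom_ex}.`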
@ -615,8 +640,9 @@ This is commonly referred to as a multi-channel safety critical system.
Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two). Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two).
The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD) The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD)
can detect and switch control within on processor instruction. Should a hardware error can detect and switch control within on processor instruction. Should a hardware error
be detected,\footnote{Or in a test plant environment, more likely someone coming along and `borrowing' a cpu board from be detected,%\footnote{Or in a test plant environment, more likely someone coming along and `borrowing' a cpu board from
your working exchange} the processor will switch to the redundant side without breaking any telephone calls %your working exchange}
the processor will switch to the redundant side without breaking any telephone calls
or any being set up. An alarm will be raised to inform that this has happened, but the performance impact to or any being set up. An alarm will be raised to inform that this has happened, but the performance impact to
the 1oo2 system, is a one micro-processor instruction delay to the entire process. the 1oo2 system, is a one micro-processor instruction delay to the entire process.
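Review bot: the way the footnote is commented out deletes the space after the comma: `be detected,%\footnote{...` comments out the rest of that line including its line break, and the next line is entirely a comment, so LaTeX sets `be detected,the processor` with no space between. Put a space before the `%` (`be detected, %\footnote{`) or move the commented footnote onto its own lines. While here, the context line `can detect and switch control within on processor instruction` should read `within one processor instruction` (the same claim appears correctly as `a one micro-processor instruction delay` two lines later).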


@ -9,6 +9,8 @@
\newboolean{paper} \newboolean{paper}
\setboolean{paper}{true} % boolvar=true or false \setboolean{paper}{true} % boolvar=true or false
\newcommand{\chappap}{paper}
\input{../style} \input{../style}
\begin{document} \begin{document}
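Review bot: `\chappap` is now a second switch that has to be kept in agreement with `\setboolean{paper}{true}` by hand, and the chapter driver in this same commit defines the same macro as `\newcommand{\chappap}{chapter}`, so any build that pulls in both preambles stops with `Command \chappap already defined`. If the chapter driver also sets the `paper` boolean, define the macro once from it in the shared style file (which is input after the boolean here): `\ifthenelse{\boolean{paper}}{\newcommand{\chappap}{paper}}{\newcommand{\chappap}{chapter}}`, so flipping `paper` changes both; otherwise at least use `\providecommand` so the two drivers cannot collide.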


@ -4,6 +4,28 @@
% $Id: mybib.bib,v 1.3 2009/11/28 20:05:52 robin Exp $ % $Id: mybib.bib,v 1.3 2009/11/28 20:05:52 robin Exp $
@article{Clark200519,
title = "Failure Mode Modular De-Composition Using Spider Diagrams",
journal = "Electronic Notes in Theoretical Computer Science",
volume = "134",
number = "",
pages = "19 - 31",
year = "2005",
note = "Proceedings of the First International Workshop on Euler Diagrams (Euler 2004)",
issn = "1571-0661",
doi = "DOI: 10.1016/j.entcs.2005.02.018",
url = "http://www.sciencedirect.com/science/article/B75H1-4G6XT71-3/2/0e3a47df2ec15bfba9f85feae81786e3",
author = "R.P. Clark",
keywords = "Failsafe",
keywords = "EN298",
keywords = "gas-safety",
keywords = "burner",
keywords = "control",
keywords = "fault",
keywords = "double-fault",
keywords = "single-fault",
keywords = "fault-tolerance"
}
@ARTICLE{ftahistory, @ARTICLE{ftahistory,
AUTHOR = "Clifton Ericsson", AUTHOR = "Clifton Ericsson",
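Review bot: BibTeX does not accept repeated fields, so the nine `keywords =` lines in the new `Clark200519` entry produce `Warning--I'm ignoring Clark200519's extra "keywords" field` for all but the first; either join them into one field (`keywords = "Failsafe, EN298, gas-safety, burner, control, fault, double-fault, single-fault, fault-tolerance",`) or drop them, since nothing in the reference style prints keywords. Also `doi = "DOI: 10.1016/j.entcs.2005.02.018"` should hold the bare identifier `10.1016/j.entcs.2005.02.018` (styles and hyperref add the `doi:` prefix themselves, and the prefixed form breaks DOI links), and the empty `number = ""` can go.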

style.tex

@ -1,37 +1,4 @@
% %
%============= Definition of {asyoulikeit} page style ======================*
%
% Jonathan Burch This is the terse form - expanded, formatted,
% 20-Jan-1989 commented version in TEX$LATEX:ASYOULIKEIT.FULL
%%
%\catcode`\@=11\def\ps@asyoulikeit{\def\@oddhead{\hbox{}\lp@innerhead
%\lp@headfill\lp@middlehead\lp@headfill\lp@outerhead}\def\@evenhead
%{\hbox{}\lp@outerhead\lp@headfill\lp@middlehead\lp@headfill\lp@innerhead}
%\def\@oddfoot{\hbox{}\lp@innerfoot\lp@footfill\lp@middlefoot\lp@footfill
%\lp@outerfoot}\def\@evenfoot{\hbox{}\lp@outerfoot\lp@footfill\lp@middlefoot
%\lp@footfill\lp@innerfoot}\def\sectionmark##1{}\def\subsectionmark##1{}}
%\def\lp@innerhead{}\def\lp@middlehead{}\def\lp@outerhead{}\def\lp@innerfoot{}
%\def\lp@middlefoot{ {\thepage} }\def\lp@outerfoot{}\def\lp@headfill{\hfil}
%\def\lp@footfill{\hfil}\newcommand{\lp@linefill}{\leaders\hrule height 0.55ex
%depth -0.5ex\hfill}\newcommand{\innerhead}[1]{\def\lp@innerhead{#1}}
%\newcommand{\middlehead}[1]{\def\lp@middlehead{#1}}\newcommand{\outerhead}[1]
%{\def\lp@outerhead{#1}}\newcommand{\innerfoot}[1]{\def\lp@innerfoot{#1}}
%\newcommand{\middlefoot}[1]{\def\lp@middlefoot{#1}}\newcommand{\outerfoot}[1]
%{\def\lp@outerfoot{#1}}\newcommand{\lineheadfill}{\def\lp@headfill
%{\lp@linefill}}\newcommand{\linefootfill}{\def\lp@footfill{\lp@linefill}}
%\newcommand{\blankheadfill}{\def\lp@headfill{\hfill}}\newcommand
%{\blankfootfill}{\def\lp@footfill{\hfill}}\newcommand{\documentnumber}[1]
%{\def\lp@docno{#1}\outerhead{\lp@docno}}\def\lp@docno{}\def\@maketitlet
%{\newpage\null\vskip -14ex\hbox{}\hfill\lp@docno\vskip 13ex\begin{center}
%{\LARGE\@title\par}\vskip 1.5em{\large\lineskip .5em\begin{tabular}[t]{c}
%\@author\end{tabular}\par}\vskip 1em{\large\@date}\end{center}\par\vskip 3em}
%\def\abstract{\if@twocolumn\section*{Abstract}\else\small\begin{center}
%{\bf Abstract\vspace{-.5em}\vspace{0pt}}\end{center}\quotation\fi}\def
%\endabstract{\if@twocolumn\else\endquotation\fi}\ps@asyoulikeit\catcode`\@=12
%%
%=========== End of {asyoulikeit} page style definition ====================*
\DeclareSymbolFont{AMSb}{U}{msb}{m}{n}
\DeclareMathSymbol{\N}{\mathbin}{AMSb}{"4E} \DeclareMathSymbol{\N}{\mathbin}{AMSb}{"4E}
\DeclareMathSymbol{\Z}{\mathbin}{AMSb}{"5A} \DeclareMathSymbol{\Z}{\mathbin}{AMSb}{"5A}
\DeclareMathSymbol{\R}{\mathbin}{AMSb}{"52} \DeclareMathSymbol{\R}{\mathbin}{AMSb}{"52}
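Review bot: this hunk removes `\DeclareSymbolFont{AMSb}{U}{msb}{m}{n}` but keeps the three `\DeclareMathSymbol{...}{AMSb}{...}` lines that depend on it, so unless `amsfonts`/`amssymb` (which declare `AMSb` themselves) is loaded before this point, the build stops with `LaTeX Error: Symbol font `AMSb' not defined`. Either keep the declaration, or, since this file already uses `{\mathbb C}` and `{\mathbb Q}` for `\Complex` and `\Rational` further down, load `amssymb` at the top and define `\N`, `\Z`, `\R` the same way (`\newcommand{\N}{{\mathbb N}}` etc.); that also removes the odd `\mathbin` class, since blackboard-bold letters are ordinary symbols, not binary operators.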
@ -48,24 +15,6 @@
\setlength{\textwidth}{160mm} \setlength{\textheight}{220mm} \setlength{\textwidth}{160mm} \setlength{\textheight}{220mm}
\setlength{\oddsidemargin}{0mm} \setlength{\evensidemargin}{0mm} \setlength{\oddsidemargin}{0mm} \setlength{\evensidemargin}{0mm}
% %
% Local definitions
% -----------------
%\newcommand{\eg}{{\it e.g.}}
%\newcommand{\etc}{{\it etc.}}
%\newcommand{\ie}{{\it i.e.}}
%\newcommand{\qv}{{\it q.v.}}
%\newcommand{\viz}{{\it viz.}}
%\newcommand{\degs}[1]{$#1^\circ$} % Degrees symbol
%\newcommand{\mins}[1]{$#1^{\scriptsize\prime}$} % Minutes symbol
%\newcommand{\secs}[1]{$#1^{\scriptsize\prime\prime}$} % Seconds symbol
%\newcommand{\key}[1]{\fbox{\sc#1}} % Box for keys
%\newcommand{\?}{\_\hspace{0.115em}} % Proper spacing for
% % underscore
%\newcommand{\rev}{PA5}
%\newcommand{\etcdoc}{ HR222975 }
%\newcommand{\wlc}{{Water~Level~Controller~Unit}}
%\newcommand{\ft}{{\em 4 $\rightarrow$ 20mA } }
%\newcommand{\tds}{TDS Daughterboard}
\newcommand{\oc}{\ensuremath{^{o}{C}}} \newcommand{\oc}{\ensuremath{^{o}{C}}}
\newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}} \newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}}
\newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}} \newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}}
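Review bot: the deleted `%\newcommand{\degs}[1]{$#1^\circ$}` had the degree sign right, while the surviving `\newcommand{\oc}{\ensuremath{^{o}{C}}}` sets a superscript letter `o` instead of a degree symbol; change it to `\ensuremath{^{\circ}\mathrm{C}}` while this block is being cleaned up. The removed commented definitions (`\wlc`, `\ft`, `\tds`, `\key`, ...) are dead code and safe to drop.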
@ -90,64 +39,6 @@ failure mode of the component or sub-system}}}
\newcommand{\frategloss}{\glossary{name={failure rate}, description={The number of failure within a population (of size N), divided by N over a given time interval}}} \newcommand{\frategloss}{\glossary{name={failure rate}, description={The number of failure within a population (of size N), divided by N over a given time interval}}}
\newcommand{\pecgloss}{\glossary{name={PEC},description={A Programmable Electronic controller, will typically consist of sensors and actuators interfaced electronically, with some firmware/software component in overall control}}} \newcommand{\pecgloss}{\glossary{name={PEC},description={A Programmable Electronic controller, will typically consist of sensors and actuators interfaced electronically, with some firmware/software component in overall control}}}
%----- Display example text (#1) in typewriter font
%\newcommand{\example}[1]{\\ \smallskip\hspace{1in}{\tt #1}\hfil\\
% \smallskip\noindent}
%
%----- Enclose text (#2) in ruled box of given thickness (#1)
%\def\boxit#1#2{\vbox{\hrule height #1pt\hbox{\vrule width #1pt\hskip 5pt
% \vbox{\vskip 5pt #2 \vskip 5pt}\hskip 5pt
% \vrule width #1pt}\hrule height #1pt}}
%
%----- Display boxed warning text (#1)
%\def\warning#1{\bigskip
% \setbox1=\vbox{\tolerance=5000\parfillskip=0pt
% \hsize=3in\noindent#1}
% \centerline{\boxit{1.0}{\box1}}
% \bigskip}
%----- Definitions to aid display of help text
% (modelled on \item and \itemitem)
%\def\helpindent#1{\setbox2=\hbox to\parindent{{\it #1}\hfil}
% \indent\llap{\box2}\ignorespaces}
%\def\helpitem{\parindent=70pt\par\hang\helpindent}
%\def\helpitemitem{\parindent=70pt\par\indent \parindent=80pt
%\hangindent2\parindent \helpindent}
%
%----- Tables and footnotes to tables
%
%\newcommand{\spacerA}{\rule{0mm}{4mm}}
%\newcommand{\spacerB}{\rule[-2mm]{0mm}{5mm}}
%\footnotesep=5mm
%\renewcommand{\footnoterule}{{\small Notes:}}
%% Robin 01AUG2008
%%
%\newcounter{examplec}
%\newcounter{definitionc}
%\newcounter{summaryc}
%\@addtoreset{examplec}{chapter}\renewcommand\theexamplec{\thechapter.arabic{examplec}}
%\@addtoreset{definitionc}{chapter}
%\@addtoreset{summaryc}{chapter}
%\renewcommand\examplec{\arabic{examplec}}
%\newenvironment{example}
%{
% \stepcounter{examplec} \vspace{10pt} \normalfont\bfseries Example:\normalfont\[{\arabic{chapter}.\arabic{examplec}}\]
% \normalfont \begin{quote}}{\end{quote}\par}
%\newenvironment{definition}
%\newenvironment{example}
%{
% \stepcounter{examplec} \vspace{10pt} \normalfont\bfseries Example:\normalfont\[{\arabic{chapter}.\arabic{examplec}}\]
% \normalfont \begin{quote}}{\end{quote}\par}
\usepackage{amsthm} \usepackage{amsthm}
\newtheorem{example}{Example:} \newtheorem{example}{Example:}
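Review bot: `\newtheorem{example}{Example:}` prints the theorem name before the number, so examples render as `Example: 1.`; drop the colon (`\newtheorem{example}{Example}`). The commented-out environments being deleted numbered examples per chapter via `\@addtoreset{examplec}{chapter}`, whereas the amsthm replacement numbers them globally; `\newtheorem{example}{Example}[chapter]` would restore that only in the chapter build, because the article class used for the paper has no `chapter` counter, so if per-chapter numbering matters it needs the same `\ifthenelse{\boolean{paper}}` guard used elsewhere in this commit. `\usepackage{amsthm}` living in an `\input` file is fine as long as every driver inputs it before `\begin{document}`, as paper.tex does.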
@ -167,16 +58,3 @@ failure mode of the component or sub-system}}}
\newcommand{\Complex} {{\mathbb C}} \newcommand{\Complex} {{\mathbb C}}
\newcommand{\Rational} {{\mathbb Q}} \newcommand{\Rational} {{\mathbb Q}}
% %
%\newenvironment{example}
%{ \stepcounter{examplec} \vspace{10pt} \normalfont\bfseries Example:(\arabic{chapter}.\arabic{examplec})
% \normalfont \begin{quote}}{\end{quote}\par}
%
%\newenvironment{definition}
%{ \stepcounter{definitionc} \vspace{10pt} \normalfont\bfseries Definition:(\arabic{chapter}.\arabic{definitionc})
% \normalfont \begin{quote}}{\end{quote}\par}
%
%\newenvironment{summary}
%{ \vspace{10pt} \normalfont\bfseries Summary:
% \normalfont \begin{quote}}{\end{quote}\par}
%
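Review bot: with these commented `definition` and `summary` environments removed, `example` is the only one of the three defined anywhere (via amsthm above); grep the body for `\begin{definition}` and `\begin{summary}` before merging, since either would fail with `Environment definition undefined`, and if they are in use add `\newtheorem{definition}{Definition}` and a `summary` environment next to the `example` declaration rather than leaving them as dead comments.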


@ -26,6 +26,8 @@
\fancyhf{} \fancyhf{}
\cfoot{Page \thepage} \cfoot{Page \thepage}
\newcommand{\chappap}{chapter}
\input{titlepage/titlepage} \input{titlepage/titlepage}
\clearpage \clearpage