diff --git a/fmmd_concept/System_safety_2011/submission.tex b/fmmd_concept/System_safety_2011/submission.tex index 4482ab1..f4bb04a 100644 --- a/fmmd_concept/System_safety_2011/submission.tex +++ b/fmmd_concept/System_safety_2011/submission.tex @@ -13,8 +13,8 @@ \newcommand{\fc}{\em fault scenario} \newcommand{\fcs}{\em fault scenarios} \date{} -\renewcommand{\encodingdefault}{T1} -\renewcommand{\rmdefault}{tnr} +%\renewcommand{\encodingdefault}{T1} +%\renewcommand{\rmdefault}{tnr} %\newboolean{paper} %\setboolean{paper}{true} % boolvar=true or false @@ -50,6 +50,15 @@ failure mode of the component or sub-system}}} \newboolean{dag} \setboolean{dag}{true} % boolvar=true or false : draw analysis using directed acylic graphs +\setlength{\topmargin}{0in} +\setlength{\headheight}{0in} +\setlength{\headsep}{0in} +\setlength{\textheight}{22cm} +\setlength{\textwidth}{18cm} +\setlength{\oddsidemargin}{0in} +\setlength{\evensidemargin}{0in} +\setlength{\parindent}{0.0in} +\setlength{\parskip}{6pt} \begin{document} %\pagestyle{fancy} @@ -75,7 +84,7 @@ failure mode of the component or sub-system}}} \paragraph{Keywords:} static failure mode modelling safety-critical %\small -\abstract{ \em { +\abstract{ \em The certification process of safety critical products for European and other international standards often demand environmental stress, endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', @@ -85,7 +94,7 @@ This paper proposes a new theoretical methodology for creating failure mode mode systems. It has a common notation for mechanical, electronic and software domains and is modular and hierarchical. The method provide advantages in rigour and efficiency when compared to current methodologies. -} + } \section{Introduction} 
@@ -102,14 +111,13 @@ Finally the desirable criteria list is presented as a check box table alongside the four current methodologies. } -\paragraph{Current methodologies} +%\paragraph{Current methodologies} We briefly analyse four current methodologies. Comprehensive overviews of these methodologies maybe found in ~\cite{safeware,sccs}. \paragraph{Fault Tree Analysis (FTA)} - FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for each undesirable top level failure/event, presenting the conditions that must arise to cause the event. @@ -148,7 +156,7 @@ analyse how particular components may fail. \paragraph{Failure Mode Effects Criticality Analysis (FMECA)} is a refinement of FMEA, using -three extra variables: the probability of a component failure mode occurring, +extra variables: the probability of a component failure mode occurring, the probability that this will cause a given top level failure, and the perceived critically. It gives better estimations of product reliability/safety and the occurrence of particular system failure modes than FMEA but has similar deficiencies. @@ -239,7 +247,7 @@ To look in detail at half a million fault~scenarios is obviously impractical. \section{Desireable Criteria.} From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology. -{ \small +{ %\small \label{criteria} \begin{enumerate} %\begin{itemize} 
@@ -612,10 +620,10 @@ This is represented in the DAG in figure \ref{fig:fg1adag}. \node[component] (R2) at (0,-1.9) {$R_2$}; \node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$}; - \node[failure] (R1OPEN) at (\layersep,-1.2) {$R1_{Op}$}; + \node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$}; - \node[failure] (R2SHORT) at (\layersep,-2.5) {$R2_{Sh}$}; - \node[failure] (R2OPEN) at (\layersep,-3.8) {$R2_{Op}$}; + \node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$}; + \node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$}; \path (R1) edge (R1SHORT); \path (R1) edge (R1OPEN); @@ -838,7 +846,7 @@ and this is represented in table \ref{ampfmea}. %\clearpage {\footnotesize -\begin{table}[ht] +\begin{table}[h] \caption{Non Inverting Amplifier: Failure Mode Effects Analysis: Single Faults} % title of Table \centering % used for centering table \begin{tabular}{||l|c|c|l||} @@ -880,7 +888,7 @@ For this amplifier configuration we have three failure modes, $AMPHigh, AMPLow, \ifthenelse {\boolean{pld}} { We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}). -\begin{figure}[h+] +\begin{figure}[h] \centering \includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/noninvampa.png} % noninvampa.jpg: 436x720 pixel, 72dpi, 15.38x25.40 cm, bb=0 0 436 720 
@@ -891,82 +899,9 @@ We can now derive a `component' to represent this amplifier configuration (see f { } - -% \ifthenelse {\boolean{dag}} -% { -% -% %% text for figure below -% -% The non-inverting amplifier can be drawn as a DAG using the -% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}). -% Note that the potential divider, $PD$, is treated as a component with a set of failure modes, -% and its error sources and analysis have been hidden in this diagram. -% $PD$ is considered to be a {\dc}. -% -% \begin{figure} -% \centering -% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep] -% \tikzstyle{every pin edge}=[<-,shorten <=1pt] -% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt] -% \tikzstyle{component}=[fmmde, fill=green!50]; -% \tikzstyle{failure}=[fmmde, fill=red!50]; -% \tikzstyle{symptom}=[fmmde, fill=blue!50]; -% \tikzstyle{annot} = [text width=4em, text centered] -% -% \node[component] (OPAMP) at (0,-4) {$OPAMP$}; -% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup}; -% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown}; -% \node[failure] (OPAMPNP) at (\layersep,-4) {noop}; -% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew}; -% \path (OPAMP) edge (OPAMPLU); -% \path (OPAMP) edge (OPAMPLD); -% \path (OPAMP) edge (OPAMPNP); -% \path (OPAMP) edge (OPAMPLS); -% -% -% \node[component] (PD) at (0,-9) {$PD$}; -% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$}; -% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$}; -% \path (PD) edge (PDHIGH); -% \path (PD) edge (PDLOW); -% -% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$}; -% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$}; -% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$}; -% -% \path (PDLOW) edge (AMPHIGH); -% \path (OPAMPLU) edge (AMPHIGH); -% -% \path (PDHIGH) edge (AMPLOW); -% \path (OPAMPNP) edge (AMPLOW); -% \path (OPAMPLD) edge (AMPLOW); -% \path (OPAMPLS) edge (AMPLP); -% 
\end{tikzpicture} -% % End of code -% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit} -% \label{fig:noninvdag0} -% \end{figure} -% } -% { -% } - - -%failure mode contours). -%\clearpage -%\clearpage -%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)} -\ifthenelse {\boolean{pld}} -{ -We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}. -With the information structured in this way, we can trace the high level failure mode symptoms -back to their potential causes. -} -{ -} - \ifthenelse {\boolean{dag}} { -We can now expand the $PD$ {\dc} and now have a full FMMD failure %mode +We can now expand the $PD$ {\dc} and have a full FMMD failure %mode model drawn as a DAG, which we can use to traverse to determine the possible causes to the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier. @@ -1006,15 +941,15 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi % \path[yshift=0.5cm] \node[failure] (OPAMPLU) at (\layersep,-0) {l-up}; - \node[failure] (OPAMPLD) at (\layersep,-1.3) {l-dn}; - \node[failure] (OPAMPNP) at (\layersep,-2.6) {noop}; - \node[failure] (OPAMPLS) at (\layersep,-3.9) {lowslew}; + \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn}; + \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop}; + \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew}; - \node[failure] (R1SHORT) at (\layersep,-5.2) {$R1_{Sh}$}; - \node[failure] (R1OPEN) at (\layersep,-6.5) {$R1_{Op}$}; + \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$}; + \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$}; - \node[failure] (R2SHORT) at (\layersep,-7.8) {$R2_{Sh}$}; - \node[failure] (R2OPEN) at (\layersep,-9.1) {$R2_{Op}$}; + \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$}; + \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$}; 
@@ -1098,6 +1033,80 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi \label{fig:noninvdag1} \end{figure} + +% \ifthenelse {\boolean{dag}} +% { +% +% %% text for figure below +% +% The non-inverting amplifier can be drawn as a DAG using the +% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}). +% Note that the potential divider, $PD$, is treated as a component with a set of failure modes, +% and its error sources and analysis have been hidden in this diagram. +% $PD$ is considered to be a {\dc}. +% +% \begin{figure} +% \centering +% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep] +% \tikzstyle{every pin edge}=[<-,shorten <=1pt] +% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt] +% \tikzstyle{component}=[fmmde, fill=green!50]; +% \tikzstyle{failure}=[fmmde, fill=red!50]; +% \tikzstyle{symptom}=[fmmde, fill=blue!50]; +% \tikzstyle{annot} = [text width=4em, text centered] +% +% \node[component] (OPAMP) at (0,-4) {$OPAMP$}; +% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup}; +% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown}; +% \node[failure] (OPAMPNP) at (\layersep,-4) {noop}; +% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew}; +% \path (OPAMP) edge (OPAMPLU); +% \path (OPAMP) edge (OPAMPLD); +% \path (OPAMP) edge (OPAMPNP); +% \path (OPAMP) edge (OPAMPLS); +% +% +% \node[component] (PD) at (0,-9) {$PD$}; +% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$}; +% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$}; +% \path (PD) edge (PDHIGH); +% \path (PD) edge (PDLOW); +% +% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$}; +% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$}; +% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$}; +% +% \path (PDLOW) edge (AMPHIGH); +% \path (OPAMPLU) edge (AMPHIGH); +% +% \path (PDHIGH) edge (AMPLOW); +% \path (OPAMPNP) edge (AMPLOW); +% \path (OPAMPLD) edge (AMPLOW); +% \path 
(OPAMPLS) edge (AMPLP); +% \end{tikzpicture} +% % End of code +% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit} +% \label{fig:noninvdag0} +% \end{figure} +% } +% { +% } + + +%failure mode contours). +%\clearpage +%\clearpage +%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)} +\ifthenelse {\boolean{pld}} +{ +We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}. +With the information structured in this way, we can trace the high level failure mode symptoms +back to their potential causes. +} +{ +} + + %\paragraph{Worked example. Effect on State explosion.} The potential divider {\dc} reduced the number of failures to consider from four to two. The op-amp and potential divider modelled together, reduced the number of 
@@ -1121,18 +1130,21 @@ One can then use use {\dcs} in more complex circuits where the advantages of FMM We evaluate the FMMD method using the criteria in section \ref{fmmdreq}. Table \ref{tbl:comparison} compares the current methodologies and FMMD using these criteria. -{ \small +{ %\small \begin{itemize} \item{State Explosion is reduced,} +%State Explosion is reduced, because small collections of components are dealt with in functional groups to produce derived components which are used in an hierarchical manner. \item{All component failure modes must be considered in the model.} +%All component failure modes must be considered in the model. Since the proposed methodology is bottom-up. This means that we can ensure/check that all component failure modes are handled. \item{ It should be straight forward to integrate mechanical, electronic and software models,} +%It should be straight forward to integrate mechanical, electronic and software models, because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model. %We can describe a mechanical, electrical or software component in terms of its failure modes. % 
@@ -1141,19 +1153,21 @@ we can model and analyse integrated electromechanical systems, controlled by com using a common notation. \item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.} +%It should be re-usable, in that commonly used modules can be re-used in other designs/projects. The hierarchical nature, taking {\fg}s and deriving components from them, means that commonly used {\dcs} can be re-used in a design% (for instance self checking digital inputs) or even in other projects where the same {\dc} is used. - \item{ It should have a formal basis, data should be available to produce mathematical proofs for its results} -Because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs} +%It should have a formal basis, data should be available to produce mathematical proofs +%for its results +because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs} system level failure modes are traceable back down the fault tree to component level failure modes. % -This allows causation trees \cite{sccs} or, minimal cut sets~\cite{nasafta}[Ch.1p3] +This allows cut sets~\cite{nasafta}[Ch.1p3] to be determined by traversing the DAG from top level events down to their causes. @@ -1176,6 +1190,7 @@ to be determined by traversing the DAG from top level events down to their cause % \item{ Multiple failure modes (conjunction) may be modelled from the base component level up.} +%Multiple failure modes (conjunction) may be modelled from the base component level up. By breaking the problem of failure mode analysis into small stages and building a hierarchy, the problems associated with the cross products of all failure modes within a system are reduced.
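Review bot: in hunk `@@ -13,8 +13,8 @@`, commenting out `\renewcommand{\encodingdefault}{T1}` and `\renewcommand{\rmdefault}{tnr}` changes the font encoding and family for the whole paper, so the line breaks and page fill seen when checking the layout hunks in this patch depend on this being the final choice. If Times is wanted (the `tnr` family needs its own .fd files installed, which is the usual reason it gets dropped), `\usepackage[T1]{fontenc}` and `\usepackage{mathptmx}` in the preamble give the same result portably; if Computer Modern is acceptable, delete the two lines rather than leaving them commented out.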
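Review bot: in hunk `@@ -50,6 +50,15 @@`, `\setlength{\textwidth}{18cm}` together with `\oddsidemargin` and `\evensidemargin` at 0in leaves almost no right margin: LaTeX adds a fixed 1in (2.54cm) to both side margins, so the text block runs from 2.54cm to 20.54cm on a 21cm wide A4 page. Either reduce `\textwidth`, set the side margins negative so the block is centred, or replace the nine `\setlength` lines with `\usepackage[a4paper,margin=1.5cm]{geometry}` and stop hand-tuning. `\setlength{\headheight}{0in}` will also produce `fancyhdr` "headheight is too small" warnings if the `%\pagestyle{fancy}` line just below is ever re-enabled. These values should be checked against the venue's author template rather than set by eye.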
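Review bot: in hunk `@@ -75,7 +84,7 @@`, the brace fix is correct (the original `\abstract{ \em {` opened two groups and the trailing `}` closed one), and `\em` directly inside the argument is fine since the argument is itself a group. One thing to confirm: with the standard `article` class `\abstract` is the begin half of the `abstract` environment, so `\abstract{...}` would start the environment and never end it; this form is only safe if the venue's class defines `\abstract` as a one-argument command, otherwise `\begin{abstract} ... \end{abstract}` is needed. While in this sentence, the context line's `'static testing'` should use LaTeX quotes (``static testing'') and "Electro Magnetic Compatibility" is normally written "Electromagnetic Compatibility".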
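Review bot: in hunk `@@ -102,14 +111,13 @@`, the unchanged context line "Comprehensive overviews of these methodologies maybe found in ~\cite{safeware,sccs}" has two problems worth fixing while this paragraph is being edited: "maybe" should be "may be", and the space before `~\cite` yields a normal space followed by a non-breaking space, so it should read `in~\cite{safeware,sccs}`. With `\paragraph{Current methodologies}` commented out, "We briefly analyse four current methodologies" now follows the previous block with no heading at all; if the heading was removed to save space, a `\noindent` or a sentence that names the subsection would keep the transition readable.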
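Review bot: in hunk `@@ -148,7 +156,7 @@`, dropping "three" is harmless because the sentence still enumerates exactly three quantities, but the unchanged context line ends with "the perceived critically", which should be "the perceived criticality" (the C in FMECA). Suggest fixing it in the same hunk since the sentence is already being touched.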
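Review bot: in hunk `@@ -239,7 +247,7 @@`, the context line `\section{Desireable Criteria.}` has a typo: "Desirable", and a trailing full stop inside a section title is unusual for this style of paper. The `{ %\small` change itself keeps the surrounding group balanced, which is the right way to disable the size switch without re-indenting the list.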
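Review bot: in hunk `@@ -838,7 +846,7 @@`, changing `\begin{table}[ht]` to `\begin{table}[h]` is a no-op with a new warning: LaTeX silently rewrites a bare `h` specifier to `ht` ("`h' float specifier changed to `ht'"). If the intent is to force the single-fault FMEA table to stay with its text, load `\usepackage{float}` and use `[H]`; otherwise keep `[ht]`.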
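Review bot: in hunk `@@ -880,7 +888,7 @@`, replacing `\begin{figure}[h+]` is right, since `+` is not a float placement option and produces "Unknown float option `+'" at compile time. The replacement `[h]` on its own is rewritten by LaTeX to `[ht]`, with a warning, so the figure is not actually pinned; use `[ht]`, or `[H]` from the `float` package if it must appear exactly here.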
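Review bot: in hunk `@@ -891,82 +899,9 @@`, roughly seventy lines of a fully commented-out TikZ figure (`fig:noninvdag0`) are removed here only to be re-inserted verbatim by the hunk at `-1098`. Commented-out source has no effect on the PDF and git keeps the history, so the cleaner patch deletes the block outright instead of moving it; that also shrinks the diff to the two real edits in this region. The wording change from "and now have a full FMMD failure model" to "and have a full FMMD failure model" is a good fix.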
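Review bot: in hunk `@@ -1098,6 +1033,80 @@`, the `pld` paragraph "We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}" is placed after `\end{figure}` of the very figure it introduces, so in a build with `pld` set true it reads as an introduction to something the reader has already seen. Either move this paragraph back above the `\ifthenelse{\boolean{dag}}` block or reword it to refer backwards, e.g. "Figure~\ref{fig:noninvdag1} represents the FMMD analysis as a directed graph; with the information structured in this way ...". The inserted block also separates the figure from the "%\paragraph{Worked example. Effect on State explosion.}" discussion that previously followed it directly.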
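Review bot: in hunk `@@ -1121,18 +1130,21 @@`, the `%State Explosion is reduced,`, `%All component failure modes ...` and `%It should be straight forward ...` lines duplicate the `\item` text immediately above them as comments and have no effect on the output; they will drift out of sync the first time an item is edited, so drop them. The unchanged context contains a sentence fragment worth fixing while here: "Since the proposed methodology is bottom-up. This means that we can ensure/check that ..." should be one sentence, e.g. "Since the proposed methodology is bottom-up, we can check that all component failure modes are handled."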
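Review bot: in hunk `@@ -1141,19 +1153,21 @@`, the rewritten line `This allows cut sets~\cite{nasafta}[Ch.1p3]` puts the optional argument after the mandatory one, so `[Ch.1p3]` is typeset as literal text after the citation; the form is `\cite[Ch.~1, p.~3]{nasafta}`. Lower-casing `Because` to `because` directly after the item's closing brace is consistent with the other items, but those end with a comma inside the braces (`{State Explosion is reduced,}`), so this one should read `proofs for its results,}` to match. Dropping "minimal" is defensible: a top-down traversal of the DAG yields cut sets, and minimality needs a further reduction step, which the paragraph does not describe.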