larger surface area

Robin Clark 2011-06-27 10:36:18 +01:00
parent 246e2eea20
commit 9c62a90548


@ -13,8 +13,8 @@
\newcommand{\fc}{\em fault scenario} \newcommand{\fc}{\em fault scenario}
\newcommand{\fcs}{\em fault scenarios} \newcommand{\fcs}{\em fault scenarios}
\date{} \date{}
\renewcommand{\encodingdefault}{T1} %\renewcommand{\encodingdefault}{T1}
\renewcommand{\rmdefault}{tnr} %\renewcommand{\rmdefault}{tnr}
%\newboolean{paper} %\newboolean{paper}
%\setboolean{paper}{true} % boolvar=true or false %\setboolean{paper}{true} % boolvar=true or false
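Review bot: commenting out `\renewcommand{\encodingdefault}{T1}` and `\renewcommand{\rmdefault}{tnr}` switches the body font back to Computer Modern in OT1 encoding, which on its own changes line breaking and page count and also loses correct hyphenation of words containing accented characters; if this commit is only about the larger text area, keep the font lines as they were, and if the font change is intended, delete the two lines instead of leaving them commented out (the `%\newboolean{paper}` / `%\setboolean{paper}{true}` pair directly below shows how this dead code accumulates).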
@ -50,6 +50,15 @@ failure mode of the component or sub-system}}}
\newboolean{dag} \newboolean{dag}
\setboolean{dag}{true} % boolvar=true or false : draw analysis using directed acylic graphs \setboolean{dag}{true} % boolvar=true or false : draw analysis using directed acylic graphs
\setlength{\topmargin}{0in}
\setlength{\headheight}{0in}
\setlength{\headsep}{0in}
\setlength{\textheight}{22cm}
\setlength{\textwidth}{18cm}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
\setlength{\parindent}{0.0in}
\setlength{\parskip}{6pt}
\begin{document} \begin{document}
%\pagestyle{fancy} %\pagestyle{fancy}
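Review bot: the new `\setlength{\textwidth}{18cm}` together with `\setlength{\oddsidemargin}{0in}` leaves almost no right margin on A4: LaTeX adds a fixed 1in offset to `\oddsidemargin`, so the text block runs from 2.54cm to 20.54cm on a 21cm wide page, and even on letter paper the right margin is about 1cm. Either reduce `\textwidth` or give `\oddsidemargin` and `\evensidemargin` a negative value (e.g. `-0.5in`) so the block is centred; `\usepackage[a4paper,margin=1.5cm]{geometry}` would state the intent in one line and do the arithmetic. Also `\setlength{\headheight}{0in}` and `\setlength{\headsep}{0in}` will make `fancyhdr` complain about an insufficient `\headheight` if the commented `\pagestyle{fancy}` just below is ever re-enabled.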
@ -75,7 +84,7 @@ failure mode of the component or sub-system}}}
\paragraph{Keywords:} static failure mode modelling safety-critical \paragraph{Keywords:} static failure mode modelling safety-critical
%\small %\small
\abstract{ \em { \abstract{ \em
The certification process of safety critical products for European and The certification process of safety critical products for European and
other international standards often demand environmental stress, other international standards often demand environmental stress,
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
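Review bot: dropping the inner `{` is correct brace hygiene, but `\abstract{ \em ...}` remains fragile: in the standard `article` class `abstract` is an environment, and calling `\abstract` directly runs only its begin code, so the `quotation` it opens is never closed by `\endabstract`, and `\em` now applies to the whole argument with nothing to reset it. Unless the class in use defines `\abstract` as a one-argument command, write `\begin{abstract}\em ... \end{abstract}` (or `\begin{abstract}\itshape ... \end{abstract}`).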
@ -85,7 +94,7 @@ This paper proposes a new theoretical methodology for creating failure mode mode
systems. systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical. It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
The method provide advantages in rigour and efficiency when compared to current methodologies. The method provide advantages in rigour and efficiency when compared to current methodologies.
}
} }
\section{Introduction} \section{Introduction}
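Review bot: the removed `}` is the partner of the brace dropped from `\abstract{ \em {` in the previous hunk, so the groups stay balanced; while in this area, the context line `The method provide advantages in rigour and efficiency` should read `The method provides advantages`.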
@ -102,14 +111,13 @@ Finally the desirable criteria list is presented as a check box table alongside
the four current methodologies. the four current methodologies.
} }
\paragraph{Current methodologies} %\paragraph{Current methodologies}
We briefly analyse four current methodologies. We briefly analyse four current methodologies.
Comprehensive overviews of these methodologies maybe found Comprehensive overviews of these methodologies maybe found
in ~\cite{safeware,sccs}. in ~\cite{safeware,sccs}.
\paragraph{Fault Tree Analysis (FTA)} \paragraph{Fault Tree Analysis (FTA)}
FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for
each undesirable top level failure/event, presenting the conditions that must arise to cause each undesirable top level failure/event, presenting the conditions that must arise to cause
the event. the event.
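Review bot: commenting out `\paragraph{Current methodologies}` leaves `We briefly analyse four current methodologies.` running straight on from the preceding block with no heading, so the transition into the FTA/FMEA/FMECA survey is lost; if the heading went to save vertical space, keep it and trim the `\paragraph` spacing instead. The next context lines also need `maybe found` changed to `may be found`, and `in ~\cite{safeware,sccs}` has a space before the tie; write `in~\cite{safeware,sccs}`.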
@ -148,7 +156,7 @@ analyse how particular components may fail.
\paragraph{Failure Mode Effects Criticality Analysis (FMECA)} is a refinement of FMEA, using \paragraph{Failure Mode Effects Criticality Analysis (FMECA)} is a refinement of FMEA, using
three extra variables: the probability of a component failure mode occurring, extra variables: the probability of a component failure mode occurring,
the probability that this will cause a given top level failure, and the perceived the probability that this will cause a given top level failure, and the perceived
critically. It gives better estimations of product reliability/safety and the critically. It gives better estimations of product reliability/safety and the
occurrence of particular system failure modes than FMEA but has similar deficiencies. occurrence of particular system failure modes than FMEA but has similar deficiencies.
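Review bot: removing `three` from `three extra variables` does not help, because the sentence still enumerates exactly three items (the probability of the failure mode, the probability that it causes the given top level failure, and the criticality); keep the count, and in the same hunk fix `the perceived critically` to `the perceived criticality`.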
@ -239,7 +247,7 @@ To look in detail at half a million fault~scenarios is obviously impractical.
\section{Desireable Criteria.} \section{Desireable Criteria.}
From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology. From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology.
{ \small { %\small
\label{criteria} \label{criteria}
\begin{enumerate} \begin{enumerate}
%\begin{itemize} %\begin{itemize}
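Review bot: with `\small` commented out, `{ %\small` leaves a group whose only content is a comment and whose closing `}` sits somewhere after the `enumerate`; if `\small` is not coming back, remove both braces together, since a lone `{` followed by a comment is easy to break in a later edit. The context heading `\section{Desireable Criteria.}` should be `Desirable Criteria` (and section titles normally carry no full stop).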
@ -612,10 +620,10 @@ This is represented in the DAG in figure \ref{fig:fg1adag}.
\node[component] (R2) at (0,-1.9) {$R_2$}; \node[component] (R2) at (0,-1.9) {$R_2$};
\node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$}; \node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-1.2) {$R1_{Op}$}; \node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.5) {$R2_{Sh}$}; \node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.8) {$R2_{Op}$}; \node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$};
\path (R1) edge (R1SHORT); \path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN); \path (R1) edge (R1OPEN);
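Review bot: moving `R1OPEN`, `R2SHORT` and `R2OPEN` up by 0.1 while `R1SHORT` stays at `-0` changes the vertical gaps from 1.2, 1.3, 1.3 to 1.1, 1.3, 1.3, so the column is still unevenly spaced; derive the y coordinates from one step (`-1.3*1`, `-1.3*2`, `-1.3*3`) or place the nodes with `below of=` so the `node distance=\layersep` already set on the `tikzpicture` controls the spacing and a later adjustment is a single edit.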
@ -838,7 +846,7 @@ and this is represented in table \ref{ampfmea}.
%\clearpage %\clearpage
{\footnotesize {\footnotesize
\begin{table}[ht] \begin{table}[h]
\caption{Non Inverting Amplifier: Failure Mode Effects Analysis: Single Faults} % title of Table \caption{Non Inverting Amplifier: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|c|c|l||} \begin{tabular}{||l|c|c|l||}
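Review bot: `\begin{table}[h]` is not a tighter placement than `[ht]`: LaTeX rewrites a lone `h` to `ht` and emits the warning `'h' float specifier changed to 'ht'`, so this change only adds noise to the log. Revert to `[ht]`, or use `[H]` from the `float` package if the table genuinely must stay at this point in the text.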
@ -880,7 +888,7 @@ For this amplifier configuration we have three failure modes, $AMPHigh, AMPLow,
\ifthenelse {\boolean{pld}} \ifthenelse {\boolean{pld}}
{ {
We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}). We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}).
\begin{figure}[h+] \begin{figure}[h]
\centering \centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/noninvampa.png} \includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/noninvampa.png}
% noninvampa.jpg: 436x720 pixel, 72dpi, 15.38x25.40 cm, bb=0 0 436 720 % noninvampa.jpg: 436x720 pixel, 72dpi, 15.38x25.40 cm, bb=0 0 436 720
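Review bot: replacing `[h+]` is a real fix, since `+` is not a float specifier and produces `LaTeX Error: Unknown float option '+'`; the replacement `[h]` is still rewritten to `[ht]` with a warning, so `[ht]` (or `[H]` with the `float` package) is the honest spelling. The context line `figure ~\ref{fig:noninvampa}` also has a space before the tie; write `figure~\ref{fig:noninvampa}`.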
@ -891,82 +899,9 @@ We can now derive a `component' to represent this amplifier configuration (see f
{ {
} }
% \ifthenelse {\boolean{dag}}
% {
%
% %% text for figure below
%
% The non-inverting amplifier can be drawn as a DAG using the
% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}).
% Note that the potential divider, $PD$, is treated as a component with a set of failure modes,
% and its error sources and analysis have been hidden in this diagram.
% $PD$ is considered to be a {\dc}.
%
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (OPAMP) at (0,-4) {$OPAMP$};
% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup};
% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown};
% \node[failure] (OPAMPNP) at (\layersep,-4) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew};
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
%
% \node[component] (PD) at (0,-9) {$PD$};
% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$};
% \path (PD) edge (PDHIGH);
% \path (PD) edge (PDLOW);
%
% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$};
%
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
%
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
% \end{tikzpicture}
% % End of code
% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag0}
% \end{figure}
% }
% {
% }
%failure mode contours).
%\clearpage
%\clearpage
%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)}
\ifthenelse {\boolean{pld}}
{
We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}.
With the information structured in this way, we can trace the high level failure mode symptoms
back to their potential causes.
}
{
}
\ifthenelse {\boolean{dag}} \ifthenelse {\boolean{dag}}
{ {
We can now expand the $PD$ {\dc} and now have a full FMMD failure %mode We can now expand the $PD$ {\dc} and have a full FMMD failure %mode
model model
drawn as a DAG, which we can use to traverse to determine the possible causes to drawn as a DAG, which we can use to traverse to determine the possible causes to
the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier. the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier.
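Review bot: relocating the fully commented-out `fig:noninvdag0` DAG (about sixty lines, plus the duplicated `%\clearpage` and `%\paragraph{...}` comments) and the `pld` conditional to a later point keeps dead LaTeX in the file; the block is recoverable from history, so delete it and reduce this hunk to the one wording change (`and now have` to `and have`). If the `pld` branch is kept, its sentence `We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}` will now sit after the figure it introduces and should be reworded to refer back rather than forward.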
@ -1006,15 +941,15 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi
% \path[yshift=0.5cm] % \path[yshift=0.5cm]
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up}; \node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.3) {l-dn}; \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.6) {noop}; \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.9) {lowslew}; \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.2) {$R1_{Sh}$}; \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.5) {$R1_{Op}$}; \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.8) {$R2_{Sh}$}; \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.1) {$R2_{Op}$}; \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
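Review bot: the same spacing problem as in the `fig:fg1adag` picture: `OPAMPLU` stays at `-0` while the other seven failure nodes move up by 0.1, so the first gap becomes 1.2 and the remaining gaps stay 1.3; express the column as a single step size (or use `below of=` with `node distance=\layersep`) so the gaps remain uniform.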
@ -1098,6 +1033,80 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi
\label{fig:noninvdag1} \label{fig:noninvdag1}
\end{figure} \end{figure}
% \ifthenelse {\boolean{dag}}
% {
%
% %% text for figure below
%
% The non-inverting amplifier can be drawn as a DAG using the
% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}).
% Note that the potential divider, $PD$, is treated as a component with a set of failure modes,
% and its error sources and analysis have been hidden in this diagram.
% $PD$ is considered to be a {\dc}.
%
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (OPAMP) at (0,-4) {$OPAMP$};
% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup};
% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown};
% \node[failure] (OPAMPNP) at (\layersep,-4) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew};
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
%
% \node[component] (PD) at (0,-9) {$PD$};
% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$};
% \path (PD) edge (PDHIGH);
% \path (PD) edge (PDLOW);
%
% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$};
%
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
%
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
% \end{tikzpicture}
% % End of code
% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag0}
% \end{figure}
% }
% {
% }
%failure mode contours).
%\clearpage
%\clearpage
%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)}
\ifthenelse {\boolean{pld}}
{
We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}.
With the information structured in this way, we can trace the high level failure mode symptoms
back to their potential causes.
}
{
}
%\paragraph{Worked example. Effect on State explosion.} %\paragraph{Worked example. Effect on State explosion.}
The potential divider {\dc} reduced the number of failures to consider from four to two. The potential divider {\dc} reduced the number of failures to consider from four to two.
The op-amp and potential divider modelled together, reduced the number of The op-amp and potential divider modelled together, reduced the number of
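Review bot: the relocated `pld` block places `We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}` immediately after `\end{figure}` for `fig:noninvdag1`, so a reader who has just looked at the figure is told it is coming; the `dag` branch above the figure already introduces it, so this sentence is redundant there and should go with the rest of the commented-out block rather than being carried along. `%\clearpage` appears twice in a row in the moved text as well.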
@ -1121,18 +1130,21 @@ One can then use use {\dcs} in more complex circuits where the advantages of FMM
We evaluate the FMMD method using the criteria in section \ref{fmmdreq}. We evaluate the FMMD method using the criteria in section \ref{fmmdreq}.
Table \ref{tbl:comparison} compares the current methodologies and FMMD using these criteria. Table \ref{tbl:comparison} compares the current methodologies and FMMD using these criteria.
{ \small { %\small
\begin{itemize} \begin{itemize}
\item{State Explosion is reduced,} \item{State Explosion is reduced,}
%State Explosion is reduced,
because small collections of components are dealt with in functional groups because small collections of components are dealt with in functional groups
to produce derived components which are used in an hierarchical manner. to produce derived components which are used in an hierarchical manner.
\item{All component failure modes must be considered in the model.} \item{All component failure modes must be considered in the model.}
%All component failure modes must be considered in the model.
Since the proposed methodology is bottom-up. Since the proposed methodology is bottom-up.
This means that we can ensure/check that all component failure modes are handled. This means that we can ensure/check that all component failure modes are handled.
\item{ It should be straight forward to integrate mechanical, electronic and software models,} \item{ It should be straight forward to integrate mechanical, electronic and software models,}
%It should be straight forward to integrate mechanical, electronic and software models,
because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model. because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model.
%We can describe a mechanical, electrical or software component in terms of its failure modes. %We can describe a mechanical, electrical or software component in terms of its failure modes.
% %
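Review bot: commenting out `\small` again leaves a `{` whose only content is a comment (the same pattern as in the criteria section); remove the brace pair together if `\small` is gone for good. The commented copies of each item title (`%State Explosion is reduced,` and so on) are dead text and can be dropped. Wording in the context lines worth fixing while here: `Since the proposed methodology is bottom-up. This means that we can ensure/check` is a sentence fragment (`Because the methodology is bottom-up, we can check that every component failure mode is handled.`), `an hierarchical manner` should be `a hierarchical manner`, and `straight forward` should be `straightforward`.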
@ -1141,19 +1153,21 @@ we can model and analyse integrated electromechanical systems, controlled by com
using a common notation. using a common notation.
\item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.} \item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
%It should be re-usable, in that commonly used modules can be re-used in other designs/projects.
The hierarchical nature, taking {\fg}s and deriving components from them, means that The hierarchical nature, taking {\fg}s and deriving components from them, means that
commonly used {\dcs} can be re-used in a design% (for instance self checking digital inputs) commonly used {\dcs} can be re-used in a design% (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used. or even in other projects where the same {\dc} is used.
\item{ It should have a formal basis, data should be available to produce mathematical proofs \item{ It should have a formal basis, data should be available to produce mathematical proofs
for its results} for its results}
Because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs} %It should have a formal basis, data should be available to produce mathematical proofs
%for its results
because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}
system level failure modes are traceable back down the fault tree to system level failure modes are traceable back down the fault tree to
component level failure modes. component level failure modes.
% %
This allows causation trees \cite{sccs} or, minimal cut sets~\cite{nasafta}[Ch.1p3] This allows cut sets~\cite{nasafta}[Ch.1p3]
to be determined by traversing the DAG from top level events down to their causes. to be determined by traversing the DAG from top level events down to their causes.
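Review bot: `This allows cut sets~\cite{nasafta}[Ch.1p3]` drops both the `causation trees \cite{sccs}` reference and the qualifier `minimal`; the fault tree concept the NASA handbook defines is the minimal cut set, and bare `cut sets` is a weaker claim, so keep `minimal cut sets` unless the looser term is really intended. `\cite{nasafta}[Ch.1p3]` also prints `[Ch.1p3]` literally after the citation; the chapter/page note belongs in the optional argument, `\cite[Ch.~1, p.~3]{nasafta}`. Lowercasing `because` so the item body continues its title reads correctly, but the clause `because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}` then needs a comma before `system level failure modes are traceable`.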
@ -1176,6 +1190,7 @@ to be determined by traversing the DAG from top level events down to their cause
% %
\item{ Multiple failure modes (conjunction) may be modelled from the base component level up.} \item{ Multiple failure modes (conjunction) may be modelled from the base component level up.}
%Multiple failure modes (conjunction) may be modelled from the base component level up.
By breaking the problem of failure mode analysis into small stages By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced. all failure modes within a system are reduced.