larger surface area

This commit is contained in:
Robin Clark 2011-06-27 10:36:18 +01:00
parent 246e2eea20
commit 9c62a90548

@ -13,8 +13,8 @@
\newcommand{\fc}{\em fault scenario}
\newcommand{\fcs}{\em fault scenarios}
\date{}
\renewcommand{\encodingdefault}{T1}
\renewcommand{\rmdefault}{tnr}
%\renewcommand{\encodingdefault}{T1}
%\renewcommand{\rmdefault}{tnr}
%\newboolean{paper}
%\setboolean{paper}{true} % boolvar=true or false
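Review bot: commenting out `\renewcommand{\encodingdefault}{T1}` and `\renewcommand{\rmdefault}{tnr}` rather than deleting them leaves two dead lines directly above the existing `%\newboolean{paper}` / `%\setboolean{paper}{true}` remnants; since the preamble already uses `\newboolean`/`\setboolean` to switch behaviour (`dag`, `pld`), gate the font selection behind a boolean or remove the lines outright, and expect the switch from `tnr` back to the default Computer Modern to change line breaks and pagination throughout.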
@ -50,6 +50,15 @@ failure mode of the component or sub-system}}}
\newboolean{dag}
\setboolean{dag}{true} % boolvar=true or false : draw analysis using directed acylic graphs
\setlength{\topmargin}{0in}
\setlength{\headheight}{0in}
\setlength{\headsep}{0in}
\setlength{\textheight}{22cm}
\setlength{\textwidth}{18cm}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
\setlength{\parindent}{0.0in}
\setlength{\parskip}{6pt}
\begin{document}
%\pagestyle{fancy}
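Review bot: `\setlength{\textwidth}{18cm}` together with `\setlength{\oddsidemargin}{0in}` overruns an A4 page: LaTeX places the text block at 1in (2.54cm) plus `\oddsidemargin` from the left edge, so 2.54cm + 18cm = 20.54cm leaves under 0.5cm of right margin on a 21cm wide A4 sheet (about 1cm on US letter), and the margins are asymmetric either way. Setting `\headheight` and `\headsep` to `0in` also means that re-enabling the `%\pagestyle{fancy}` line below would trigger fancyhdr's "headheight is too small" warning. `\usepackage[a4paper,margin=1.5cm]{geometry}` expresses the intended layout in one line and computes these lengths consistently.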
@ -75,7 +84,7 @@ failure mode of the component or sub-system}}}
\paragraph{Keywords:} static failure mode modelling safety-critical
%\small
\abstract{ \em {
\abstract{ \em
The certification process of safety critical products for European and
other international standards often demand environmental stress,
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
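Review bot: dropping the inner `{` after `\em` in `\abstract{ \em` only balances if the matching `}` is removed as well, which happens in the next hunk, so the two hunks must be applied together or the document fails with an unmatched brace. With the group gone, `\em` now runs to the end of the `\abstract{...}` argument, which is the intended scope, but `\itshape` would be clearer than the toggling `\em`. While here, the context line "The certification process ... often demand" should read "often demands".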
@ -85,7 +94,7 @@ This paper proposes a new theoretical methodology for creating failure mode mode
systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
The method provide advantages in rigour and efficiency when compared to current methodologies.
}
}
\section{Introduction}
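Review bot: this is the matching closing-brace removal for the `\abstract{ \em` change in the previous hunk; the two cannot be reviewed or reverted independently, so a squash into one commit would be cleaner. In the unchanged context, "The method provide advantages" should read "The method provides advantages".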
@ -102,14 +111,13 @@ Finally the desirable criteria list is presented as a check box table alongside
the four current methodologies.
}
\paragraph{Current methodologies}
%\paragraph{Current methodologies}
We briefly analyse four current methodologies.
Comprehensive overviews of these methodologies maybe found
in ~\cite{safeware,sccs}.
\paragraph{Fault Tree Analysis (FTA)}
FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for
each undesirable top level failure/event, presenting the conditions that must arise to cause
the event.
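Review bot: commenting out `\paragraph{Current methodologies}` leaves "We briefly analyse four current methodologies." as an unheaded paragraph immediately after the `}` that closes the preceding block, and since the following `\paragraph{Fault Tree Analysis (FTA)}` keeps its heading the section now reads as a list whose introduction has lost its label. In the context lines, "maybe found" should be "may be found", and `in ~\cite{safeware,sccs}` puts an ordinary space before the tie, producing a double space; write `in~\cite{safeware,sccs}`.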
@ -148,7 +156,7 @@ analyse how particular components may fail.
\paragraph{Failure Mode Effects Criticality Analysis (FMECA)} is a refinement of FMEA, using
three extra variables: the probability of a component failure mode occurring,
extra variables: the probability of a component failure mode occurring,
the probability that this will cause a given top level failure, and the perceived
critically. It gives better estimations of product reliability/safety and the
occurrence of particular system failure modes than FMEA but has similar deficiencies.
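Review bot: the sentence still enumerates exactly three variables (probability of occurrence, probability of causing the top-level failure, perceived criticality), so removing "three" loses a useful signpost for no gain. The context line "the perceived critically" is a typo for "the perceived criticality".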
@ -239,7 +247,7 @@ To look in detail at half a million fault~scenarios is obviously impractical.
\section{Desireable Criteria.}
From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology.
{ \small
{ %\small
\label{criteria}
\begin{enumerate}
%\begin{itemize}
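Review bot: `{ %\small` keeps the group braces but disables the size switch, leaving an empty group that only exists to hold `\label{criteria}` and the `enumerate`; if `\small` is not coming back, drop the braces too. The section heading in the context line, `\section{Desireable Criteria.}`, misspells "Desirable" and carries a trailing full stop that no other `\section` title on this page has.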
@ -612,10 +620,10 @@ This is represented in the DAG in figure \ref{fig:fg1adag}.
\node[component] (R2) at (0,-1.9) {$R_2$};
\node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-1.2) {$R1_{Op}$};
\node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.5) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.8) {$R2_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$};
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
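Review bot: shifting the `\node[failure]` y-coordinates by 0.1 makes the vertical spacing uneven: `R1SHORT` at 0 and `R1OPEN` at -1.1 are 1.1 apart, while `R1OPEN`/`R2SHORT` (-1.1/-2.4) and `R2SHORT`/`R2OPEN` (-2.4/-3.7) stay 1.3 apart, and with `minimum size=30pt` (about 1.06cm) circles the first pair now almost touch. Placing the nodes with `below=of` and a single `node distance`, or a `\foreach` over a fixed step, keeps them uniform without hand-editing each coordinate. The labels also mix `$R_2$` with `$R1_{Sh}$`; `$R_{1,Sh}$` or `$R1_{Sh}$` throughout would be consistent.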
@ -838,7 +846,7 @@ and this is represented in table \ref{ampfmea}.
%\clearpage
{\footnotesize
\begin{table}[ht]
\begin{table}[h]
\caption{Non Inverting Amplifier: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l||}
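Review bot: `\begin{table}[h]` on its own has no effect: LaTeX silently upgrades a lone `h` to `ht` and logs "`h' float specifier changed to `ht'", so this is equivalent to the `[ht]` being replaced. If the table must stay with the surrounding text, use `[h!]` or `[H]` from the `float` package; otherwise leave `[ht]`.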
@ -880,7 +888,7 @@ For this amplifier configuration we have three failure modes, $AMPHigh, AMPLow,
\ifthenelse {\boolean{pld}}
{
We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}).
\begin{figure}[h+]
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/noninvampa.png}
% noninvampa.jpg: 436x720 pixel, 72dpi, 15.38x25.40 cm, bb=0 0 436 720
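Review bot: replacing `\begin{figure}[h+]` is a genuine fix, since `+` is not a valid float specifier and errors at compile time, but the replacement `[h]` alone is again upgraded to `ht` with a warning (see the table hunk above); pick `[h!]`, `[H]` or `[ht]` deliberately. In the context lines, "(see figure ~\ref{fig:noninvampa})" has a space before the tie and should be `figure~\ref{...}`, and the comment names `noninvampa.jpg` while the `\includegraphics` loads `noninvampa.png`.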
@ -891,82 +899,9 @@ We can now derive a `component' to represent this amplifier configuration (see f
{
}
% \ifthenelse {\boolean{dag}}
% {
%
% %% text for figure below
%
% The non-inverting amplifier can be drawn as a DAG using the
% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}).
% Note that the potential divider, $PD$, is treated as a component with a set of failure modes,
% and its error sources and analysis have been hidden in this diagram.
% $PD$ is considered to be a {\dc}.
%
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (OPAMP) at (0,-4) {$OPAMP$};
% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup};
% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown};
% \node[failure] (OPAMPNP) at (\layersep,-4) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew};
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
%
% \node[component] (PD) at (0,-9) {$PD$};
% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$};
% \path (PD) edge (PDHIGH);
% \path (PD) edge (PDLOW);
%
% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$};
%
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
%
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
% \end{tikzpicture}
% % End of code
% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag0}
% \end{figure}
% }
% {
% }
%failure mode contours).
%\clearpage
%\clearpage
%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)}
\ifthenelse {\boolean{pld}}
{
We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}.
With the information structured in this way, we can trace the high level failure mode symptoms
back to their potential causes.
}
{
}
\ifthenelse {\boolean{dag}}
{
We can now expand the $PD$ {\dc} and now have a full FMMD failure %mode
We can now expand the $PD$ {\dc} and have a full FMMD failure %mode
model
drawn as a DAG, which we can use to traverse to determine the possible causes to
the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier.
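Review bot: the wording fix from "and now have a full FMMD failure model" to "and have a full FMMD failure model" is correct (the sentence already opens with "We can now"). The other 70-odd lines removed here are the `%`-commented `fig:noninvdag0` tikz block plus the `\ifthenelse{\boolean{pld}}` paragraph, and the same text is re-inserted verbatim in a later hunk; relocating commented-out code carries no value for the reader and doubles the diff, so if the old DAG figure is not coming back, delete it and rely on the repository history.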
@ -1006,15 +941,15 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi
% \path[yshift=0.5cm]
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.3) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.6) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.9) {lowslew};
\node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.2) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.5) {$R1_{Op}$};
\node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.8) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.1) {$R2_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
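Review bot: after this shift the failure nodes sit at 0, -1.2, -2.5, -3.8, -5.1, -6.4, -7.7, -9.0, so the `OPAMPLU`/`OPAMPLD` gap is 1.2 while every other gap is 1.3; the drift comes from editing absolute coordinates by hand. A chain of `below=of` placements with `node distance=1.3cm`, or a `\foreach \i/\name in {...}` that computes `-1.3*\i`, gives uniform spacing and makes the next adjustment a one-number change.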
@ -1098,6 +1033,80 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi
\label{fig:noninvdag1}
\end{figure}
% \ifthenelse {\boolean{dag}}
% {
%
% %% text for figure below
%
% The non-inverting amplifier can be drawn as a DAG using the
% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}).
% Note that the potential divider, $PD$, is treated as a component with a set of failure modes,
% and its error sources and analysis have been hidden in this diagram.
% $PD$ is considered to be a {\dc}.
%
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (OPAMP) at (0,-4) {$OPAMP$};
% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup};
% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown};
% \node[failure] (OPAMPNP) at (\layersep,-4) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew};
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
%
% \node[component] (PD) at (0,-9) {$PD$};
% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$};
% \path (PD) edge (PDHIGH);
% \path (PD) edge (PDLOW);
%
% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$};
%
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
%
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
% \end{tikzpicture}
% % End of code
% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag0}
% \end{figure}
% }
% {
% }
%failure mode contours).
%\clearpage
%\clearpage
%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)}
\ifthenelse {\boolean{pld}}
{
We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}.
With the information structured in this way, we can trace the high level failure mode symptoms
back to their potential causes.
}
{
}
%\paragraph{Worked example. Effect on State explosion.}
The potential divider {\dc} reduced the number of failures to consider from four to two.
The op-amp and potential divider modelled together, reduced the number of
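Review bot: the block re-inserted here after `\end{figure}` of `fig:noninvdag1` is the dead `%`-commented `fig:noninvdag0` figure and the `\ifthenelse{\boolean{pld}}` paragraph removed above; besides duplicating 70 lines of commented code, the move places the sentence "We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}" after the figure it introduces, and the following "The potential divider {\dc} reduced ..." paragraph has lost its heading now that `%\paragraph{Worked example. Effect on State explosion.}` is commented out. Prefer deleting the commented tikz and keeping the introductory paragraph ahead of the figure.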
@ -1121,18 +1130,21 @@ One can then use use {\dcs} in more complex circuits where the advantages of FMM
We evaluate the FMMD method using the criteria in section \ref{fmmdreq}.
Table \ref{tbl:comparison} compares the current methodologies and FMMD using these criteria.
{ \small
{ %\small
\begin{itemize}
\item{State Explosion is reduced,}
%State Explosion is reduced,
because small collections of components are dealt with in functional groups
to produce derived components which are used in an hierarchical manner.
\item{All component failure modes must be considered in the model.}
%All component failure modes must be considered in the model.
Since the proposed methodology is bottom-up.
This means that we can ensure/check that all component failure modes are handled.
\item{ It should be straight forward to integrate mechanical, electronic and software models,}
%It should be straight forward to integrate mechanical, electronic and software models,
because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model.
%We can describe a mechanical, electrical or software component in terms of its failure modes.
%
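Review bot: the three added `%State Explosion is reduced,` / `%All component failure modes ...` / `%It should be straight forward ...` lines repeat the `\item{...}` text immediately above them verbatim and should not be committed; if the intent is to be able to switch between bulleted and running text, a boolean as used for `dag` and `pld` avoids keeping two copies in sync. In the context text, "in an hierarchical manner" should be "in a hierarchical manner", "straight forward" should be "straightforward", and "Since the proposed methodology is bottom-up." is a fragment that belongs with the next sentence: "Since the proposed methodology is bottom-up, we can ensure that all component failure modes are handled."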
@ -1141,19 +1153,21 @@ we can model and analyse integrated electromechanical systems, controlled by com
using a common notation.
\item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
%It should be re-usable, in that commonly used modules can be re-used in other designs/projects.
The hierarchical nature, taking {\fg}s and deriving components from them, means that
commonly used {\dcs} can be re-used in a design% (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used.
\item{ It should have a formal basis, data should be available to produce mathematical proofs
for its results}
Because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}
%It should have a formal basis, data should be available to produce mathematical proofs
%for its results
because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs}
system level failure modes are traceable back down the fault tree to
component level failure modes.
%
This allows causation trees \cite{sccs} or, minimal cut sets~\cite{nasafta}[Ch.1p3]
This allows cut sets~\cite{nasafta}[Ch.1p3]
to be determined by traversing the DAG from top level events down to their causes.
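Review bot: `\cite{nasafta}[Ch.1p3]` puts the locator after the key, so "[Ch.1p3]" is typeset literally as text following the citation; the optional argument of `\cite` precedes the key, as in `\cite[Ch.~1, p.~3]{nasafta}`. Lower-casing "Because" so the sentence continues from the `\item` is right, but the result "for its results because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs} system level failure modes are traceable" needs a comma after `{\dcs}` and a terminating full stop on the `\item` text. Dropping "causation trees \cite{sccs}" is safe for the bibliography only because `sccs` is still cited in the Current methodologies paragraph; the same two `%`-duplicated item lines as the previous hunk should also go.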
@ -1176,6 +1190,7 @@ to be determined by traversing the DAG from top level events down to their cause
%
\item{ Multiple failure modes (conjunction) may be modelled from the base component level up.}
%Multiple failure modes (conjunction) may be modelled from the base component level up.
By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced.
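Review bot: the added `%Multiple failure modes (conjunction) may be modelled from the base component level up.` line is another verbatim commented copy of the `\item` above it and should be dropped along with the others; committing dead duplicates makes later edits to the item text diverge from the comment.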