From a010647f64a08d1729434b884494c0b09e331115 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sun, 18 Aug 2013 08:39:44 +0100 Subject: [PATCH] JMC PR --- submission_thesis/CH2_FMEA/copy.tex | 23 ++++++++++--------- submission_thesis/CH3_FMEA_criticism/copy.tex | 16 ++++++------- .../CH6_Software_Examples/software.tex | 2 +- submission_thesis/CH7_Evaluation/copy.tex | 8 +++---- 4 files changed, 25 insertions(+), 24 deletions(-) diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex index f6a073b..8dcd198 100644 --- a/submission_thesis/CH2_FMEA/copy.tex +++ b/submission_thesis/CH2_FMEA/copy.tex @@ -114,7 +114,7 @@ The next stage is analysis, that is reasoning applied to the system in the event a given failure mode. % To perform this we need to know how a failure -mode, considering its effect on other components in the system +mode, considering its effect on other components in the system, will translate to a system level symptom/failure. % The result of FMEA is to determine system level failures, @@ -666,12 +666,13 @@ In this section we examine some fundamental concepts and underlying philosophies \paragraph{Failure modes of a component and mutual exclusivity.} It is desirable that the failure modes for a component are mutually exclusive, were a component able to fail in several ways at the same time, this would complicate analysis. +% It would mean having to consider combinations of internal component failures as separate failure modes. This concept is discussed in sections~\ref{ch4:mutex} and~\ref{ch7:mutex}. % -In general failure modes -for simple components are mutually exclusive +In general, failure modes +for simple components are mutually exclusive, but large and complex components (such as integrated circuits), especially where they contain separate modules, could have non mutually exclusive failure modes and these need special handling, see section~\ref{ch7:indfm}. 
@@ -697,7 +698,7 @@ in the direction of the signal, echoing diagnostic/fault~finding methods~\cite{garrett, maikowski}. % loebowski}. % When fault finding, we generally follow the signal path checking for correct behaviour -along it: when we find something out of place we zoom in and measure +along it: when we find something out of place, we zoom in and measure the circuit behaviour until we find a faulty component or module~\cite{garrett}. % With this style of fault finding, because it is based on experiment, @@ -734,12 +735,12 @@ Too much and the task becomes impossible due to time/labour constraints. Too little and the analysis could become meaningless, because it could miss potential system failures. % -For a more complete analysis we should perhaps examine each component {\fm} along the complete signal path, +For a more complete analysis, we should perhaps examine each component {\fm} along the complete signal path, forwards and backwards from the placement of the component exhibiting the {\fm} under investigation. % Also, whether following the effects through the signal path {\em only} is acceptable, and instead -would looking at its effect on all other components in the system be necessary. +would looking at its effect on all other components in the system be necessary? %is a matter for debate. % In practise, a compromise is made between the amount of time/money that can be spent 
@@ -896,7 +897,7 @@ will be used for describing the observability of failure modes in this document. \glossary{name={observability}, description={The property of a system failure in relation to a particular component failure mode, where it can be determined whether the readings/actions associated     with it are valid, or the by-product of a failure. If we cannot determine that there is a fault present, the system level failure is said to be unobservable.}} -\paragraph{Impracticality of Field Data for modern systems.} +\paragraph{Impracticality of Field Data for Modern Systems.} Modern electronic components, are generally very reliable, and the systems built from them are thus very reliable too. Reliable field data on failures will, therefore, be sparse. @@ -911,7 +912,7 @@ However, we can use FMEA (more specifically the FMEDA variant, see section~\ref{ working from known component failure rates, to obtain statistical estimates of the equipment reliability. -\paragraph{Forward and backward searches.} +\paragraph{Forward and Backward Searches.} A forward search starts with possible failure causes and uses logic and reasoning to determine system level outcomes. 
@@ -1054,8 +1055,8 @@ is given in section~\ref{sec:resistortolerance}. \begin{itemize} \item \textbf{PFMEA - Production} Emphasis on cost reduction and product improvement; \item \textbf{FMECA - Criticality} Emphasis on minimising the effect of critical systems failing; % Military/Space - \item \textbf{FMEDA - Statistical safety} Statistical analysis giving Safety Integrity Levels; - \item \textbf{DFMEA - Design or static/theoretical} Approval of safety critical systems using FMEA and single or double failure prevention;% EN298/EN230/UL1998 + \item \textbf{FMEDA - Statistical Safety} Statistical analysis giving Safety Integrity Levels; + \item \textbf{DFMEA - Design or Static/Theoretical} Approval of safety critical systems using FMEA and single or double failure prevention;% EN298/EN230/UL1998 \item \textbf{SFMEA - Software FMEA --- only used in highly critical systems at present} \end{itemize} @@ -1346,7 +1347,7 @@ apparent loophole is closed in the 2010 edition of the standard. \subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with hardware architectures and software techniques. -The overall the aim of SIL is to classify the safety of a system, +The overall aim of SIL is to classify the safety of a system, by statistically determining how frequently it can fail dangerously. diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 6d1bd29..ba8a437 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex 
@@ -48,7 +48,7 @@ one failure can influence the programmatic behaviour and decisions made complicating the analysis of additional failures. % Dual failure analysis is required by some recent European standards~\cite{en298,en230} -and with increasing demands on safety we are likely to see more multiple failure +and with increasing demands on safety, we are likely to see more multiple failure FMEA requirements. Other problems such as the inability to easily re-use, and validate/audit (through @@ -134,12 +134,12 @@ components are checked against any other components in the system which it may affect, due to state explosion. % FMEA is therefore performed using heuristics % at best -to decide -which components to check the effect of a component failure mode on. +to decide on +which components to check the effect of a component failure mode. % on. %We could term the number of checks made for each failure mode %on aspects of the system to be the reasoning distance. % -Typically FMEA will performed by following the signal path +Typically FMEA will be performed by following the signal path of the component failure mode to its system level effect, echoing fault finding reasoning. % @@ -162,7 +162,7 @@ for small groups of components that work together to provide a well defined func We could term such a group a `{\fg}'. Potentially here we have a way of de-composing the problem and reducing the $O(N^2)$ state explosion effect associated with XFMEA. An order $N^2$ could be seen as desirable in an automated process such as a search algorithm, but here -its is a time consuming manual process which demands experienced and highly qualified personnel. +it is a time consuming manual process which demands experienced and highly qualified personnel. It is therefore desirable to reduce this order further. 
@@ -293,7 +293,7 @@ of the communications physical layer. %(figure~\ref{fig:distcon} The failure reasoning paths for a distributed real time system, with its multiple passes of the hardware/software -interface mean traditional FMEA, for these systems, +interface, mean traditional FMEA, for these systems, is impossible to perform. % The base component failure mode to system failure paradigm is @@ -332,7 +332,7 @@ Traditional forms of FMEA are no longer % fit for purpose! of meaningful use for modern systems incorporating programmatic elements. They were designed to analyse simple electro-mechanical systems and even the commonplace large integrated analogue circuits (that are physically small), are -getting to complicated for meaningful analysis using FMEA. +getting too complicated for meaningful analysis using FMEA. % % % \section{Conclusions on current FMEA Methodologies} @@ -432,7 +432,7 @@ getting to complicated for meaningful analysis using FMEA. % \subsection{FMEA Criticism: Conclusions.} -FMEA is a useful tool for basic safety --- it provides statistics on safety where field data impractical --- +FMEA is a useful tool for basic safety --- it provides statistics on safety where field data is impractical --- and is good with single failure modes linked to top level events. FMEA has become part of the safety critical and safety certification industries. % diff --git a/submission_thesis/CH6_Software_Examples/software.tex b/submission_thesis/CH6_Software_Examples/software.tex index 1f8e28a..aa0eb31 100644 --- a/submission_thesis/CH6_Software_Examples/software.tex +++ b/submission_thesis/CH6_Software_Examples/software.tex 
@@ -1174,7 +1174,7 @@ underlying cause from one of its components has been included in each analysis s involving software. This is because software introduces the possibility of anything going wrong! The common causes for software failing are: \begin{itemize} - \item Value/RAM corruption typically from interrupt contention problems or accidental over writing~\cite{swseatbelt}, + \item Value/RAM corruption typically from interrupt contention problems~\cite{concurrency_c_tool} or accidental over writing~\cite{swseatbelt}, but can be from external sources such as radiation changing bits/values at runtime~\cite{5963919, 5488118}; \item Address bus errors leading to program errors (program sequence); \item ROM memory failures; diff --git a/submission_thesis/CH7_Evaluation/copy.tex b/submission_thesis/CH7_Evaluation/copy.tex index be3acf1..978f9ae 100644 --- a/submission_thesis/CH7_Evaluation/copy.tex +++ b/submission_thesis/CH7_Evaluation/copy.tex @@ -210,7 +210,7 @@ An FMMD hierarchy consists of many {\fgs} which are subsets of $G$. % FMMD analysis creates a hierarchy $\hh$ of {\fgs}. % where $\hh \subset \mathcal{FG}$. % -We can define individual {\fgs} using $FG^{\alpha}_{i}$ with an index, +We can define individual {\fgs} using $FG^{\alpha}_{i}$ with an index $i$ for identification and a superscript for the $\alpha$~level (see section~\ref{sec:alpha}). % %--- @@ -233,7 +233,7 @@ with the potential divider and the operational amplifier has an $\alpha$ level o An FMMD hierarchy will have reducing numbers of {\fgs} as we progress up the hierarchy. -In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to +In order to calculate its comparison~complexity, we need to apply equation~\ref{eqn:CC} to all {\fgs} on each level. We can define an FMMD hierarchy as a set of {\fgs}, $\hh$. % We define a helper function $g$ with a domain of the level $Level$ in an FMMD hierarchy $\hh$, and a 
@@ -354,7 +354,7 @@ to compare the number of checks to make from an FMMD hierarchy to {\XFMEA}. % While real-world analysis models have variable numbers of failure modes per component type and -different numbers of components in their {\fgs} +different numbers of components in their {\fgs}, a fixed model provides indicative estimates of complexity performance. %applied to %all components in a system. @@ -1299,7 +1299,7 @@ the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$ see figure \re % For the purpose of example let us consider $\{ B_2, B_3 \}$ to be intrinsically mutually exclusive, but $B_1$ to be independent. -This means the we have the possibility of two new combinations +This means that we have the possibility of two new combinations $ B_1 \cap B_2$ and $ B_1 \cap B_3$. We can represent these as shaded sections of figure \ref{fig:combco2}.
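Review bot: In the CH2_FMEA/copy.tex hunk at @@ -666, the unchanged opening sentence still carries a comma splice ("...are mutually exclusive, were a component able to fail in several ways at the same time, this would complicate analysis."); since this hunk is already touching punctuation in that paragraph, split it with a semicolon or full stop after "mutually exclusive". The added line "could have non mutually exclusive failure modes" also reads better hyphenated as "non-mutually-exclusive failure modes".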
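Review bot: In the CH2_FMEA/copy.tex hunk at @@ -734, changing the full stop to a question mark does not make the sentence grammatical: "Also, whether following the effects through the signal path {\em only} is acceptable, and instead would looking at its effect on all other components in the system be necessary?" has no main clause. Suggest "Also, it is debatable whether following the effects through the signal path {\em only} is acceptable, or whether its effect on all other components in the system would need to be examined." The trailing context line "In practise, a compromise is made" should read "In practice" (noun form).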
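Review bot: In the CH2_FMEA/copy.tex hunk at @@ -896, the context line immediately after the retitled paragraph has a stray comma separating subject from verb: "Modern electronic components, are generally very reliable". Drop the comma while this heading is being edited.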
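Review bot: In the CH2_FMEA/copy.tex hunk at @@ -1054, the capitalisation change leaves the list inconsistent: the last item "\item \textbf{SFMEA - Software FMEA --- only used in highly critical systems at present}" puts the description inside \textbf, uses "---" where the other items use "-" plus a plain-text description, and lacks the terminating ";" the other items carry. Suggest "\item \textbf{SFMEA - Software} Only used in highly critical systems at present." so the five items share one form.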
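Review bot: In the CH2_FMEA/copy.tex hunk at @@ -1346, the context line "To achieve SIL levels, diagnostic coverage and SFF levels are prescribed" is redundant, since SIL already expands to Safety Integrity Level; "To achieve a given SIL, diagnostic coverage and SFF levels are prescribed" is tighter. The "The overall aim of SIL" fix on the changed line is correct.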
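Review bot: In the CH3_FMEA_criticism/copy.tex hunk at @@ -134, the rewritten pair "to decide on / which components to check the effect of a component failure mode. % on." is still awkward: "decide on which components to check the effect of" leaves "the effect of" dangling. Suggest "to decide which components to check for the effect of a given component failure mode." and delete the leftover "% on." comment rather than parking the moved word in it.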
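Review bot: In the CH3_FMEA_criticism/copy.tex hunk at @@ -162, the corrected line "it is a time consuming manual process which demands experienced and highly qualified personnel." should hyphenate the compound modifier: "time-consuming". The "its is" to "it is" fix is right.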
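Review bot: In the CH3_FMEA_criticism/copy.tex hunk at @@ -332, the "to complicated" to "too complicated" fix is correct, but the preceding context line "even the commonplace large integrated analogue circuits (that are physically small), are" has a stray comma before "are" that separates subject and verb; remove it in the same hunk.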
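Review bot: In the CH6_Software_Examples/software.tex hunk at @@ -1174, the added "\cite{concurrency_c_tool}" introduces a new citation key, but the change set lists only four .tex files and no bibliography file; if "concurrency_c_tool" is not already in the .bib this will produce an undefined-citation warning and a "[?]" in the PDF, so either confirm the key exists or add the entry in this PR. On the same line, "accidental over writing" should be "accidental overwriting".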
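Review bot: In the CH7_Evaluation/copy.tex hunk at @@ -1299, the context lines use "figure \ref{fig:combco2}" and "see figure \re..." with an ordinary space, whereas the rest of this diff consistently writes "section~\ref{...}"; use "figure~\ref{fig:combco2}" so LaTeX cannot break the line between "figure" and its number. The "This means that we have" fix is fine.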