diff --git a/submission_thesis/CH8_Conclusion/copy.tex b/submission_thesis/CH8_Conclusion/copy.tex index 50d5689..3dc95fe 100644 --- a/submission_thesis/CH8_Conclusion/copy.tex +++ b/submission_thesis/CH8_Conclusion/copy.tex @@ -2,7 +2,7 @@ In this study we have examined the processes and state of the art of the four main FMEA variants. % -We have exposed shortcomings in these methodologies; which can be summed up as an inability to +We have exposed shortcomings in these methodologies, which can be summed up as an inability to model hybrid software and hardware systems in a satisfactory manner, a problem with state explosion and difficulty of re-use of analysis because there is no support for modularity. % @@ -13,7 +13,7 @@ A modularised FMEA---Failure Mode Modular De-composition (FMMD)---was proposed. This modularised version was supported by the work already established in the {\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}. % -A selection of electronic examples were analysed using FMMD +A selection of electronic examples was analysed using FMMD which deliberately introduced varying circuit topologies with conventional and circular signal paths and mixed digital and analogue designs. @@ -26,10 +26,10 @@ that is to say that for all but trivial cases, the number of manual analysis operations to perform was reduced. % -Not only this but the analysis naturally provided modules which could be re-used, +Not only this, but the analysis naturally provided modules which could be re-used, re-used not only in the circuit under analysis but potentially in different and future projects as well. -Traditional FMEA methods have been applied to software, but analysis has always be separate from +Traditional FMEA methods have been applied to software, but analysis has always to be separate from the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach. % Using established concepts from contract programming~\cite{dbcbe} we extended FMMD to analyse software, @@ -250,7 +250,7 @@ we can also apply failure rate statistics to double failures. %% % If we consider the failure modes to be statistically independent we can calculate -the FIT values for all the combinations failures in the the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}. +the FIT values for all the combinations failures in the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}. % The failure mode of concern, the undetectable {\textbf{FLOATING}} condition requires that resistors $R_1$ and $R_2$ fail. @@ -295,8 +295,8 @@ If we require FMMD to produce full FTA diagrams, we need to add these attributes \paragraph{Environment, operational states and inhibit gates: additions to the UML model.} -FTA%~\cite{nasafta,nucfta} -models environmental, operational state and inhibit gates, and these can be incorporated into +FTA, in addition to using symbols borrowed from digital logic introduces threee new symbols to +model environmental, operational state and inhibit gates; we discuss here how these can be incorporated into the FMMD model. A system will be expected to perform in a given environment. @@ -320,7 +320,7 @@ Operational states and environmental conditions can %must be factored into the UML model. % We may encounter a condition where we would want to inhibit some action of the system. -This is rather like a logical guard criterion. For instance in the gas burner standard EN298 +This is rather like a logical guard criterion. For instance in the gas burner standard EN298 it states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied. In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED. @@ -416,7 +416,7 @@ a symptom in the resulting {\dc}. % FMMD can find failure modes that are not dealt with as a symptom, i.e. were ignored -or forgotten. This means that FMMD will route out un-handled +or forgotten. This means that the FMMD process will expose un-handled failure modes. %come to light. % @@ -438,7 +438,7 @@ With the contracts in place for the software, we can then integrate them into th % FMMD models both software and hardware; we can thus verify that all -failure modes from the electronics module, have been dealt +failure modes from the electronics module have been dealt by the controlling software. % If not they are an un-handled error condition relating to the software hardware interface. @@ -448,7 +448,7 @@ If not they are an un-handled error condition relating to the software hardware % of the electronics. % By performing FMMD on a software electronic hybrid system, -we thus reveal design deficiencies inboth the software and the software/electronics interface. +we thus reveal design deficiencies in both the software and the software/electronics interface. %in the hardware/software interface. FMEDA does not handle software ---or---the software hardware interface. It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures). @@ -477,21 +477,21 @@ is examined in section~\ref{sec:fta}. \section{Objective and Subjective Reasoning stages} %Opportunity for formal definitions and perhaps an interface or process for achieving it.... -The act of applying failure mode effects analysis, is in terms of cause and effect viewed from +The act of applying failure mode effects analysis, in terms of cause and effect is viewed from and engineering perspective. This is the realm of the objective. The executive decisions about deploying systems are in the domain of management and politics. % -The dangers, or potential negative effects of a safety critical system depend not only on the system its self, -but on the environment they are used in +The dangers, or potential negative effects of a safety critical system depend not only on the system itself, +but on the environment in which they are used and other human factors such as the training level of operatives, psychological and logical factors in -the Human Machine Interface~(HMI) and the environment the equipment is used in~\cite{stranks2007human}. +the Human Machine Interface~(HMI)~\cite{stranks2007human}. % \paragraph{Objective and Subjective Reasoning in FMEA: Three Mile Island nuclear accident example.} -An example of objective and subjective factors can be derived from the accident report on the 1979 3-mile island +An example of objective and subjective factors can be derived from the accident report on the 1979 Three Mile Island nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open. This condition causes an objectively derived failure mode, temporary loss of coolant due to a stuck valve. % -This, if recognised correctly by the operators would have lead to +This, if recognised correctly by the operators, would have lead to a short reactor shut-down and then a maintenance procedure to replace the valve. % @@ -509,18 +509,18 @@ would have reacted, and deficiencies in the HMI were not a factor in the failure \paragraph{Further Work: Objective and Subjective Reasoning in FMEA.} % -We could term the criticality prediction to be in the domain of subjective reasoning. With the system level failure -we have to determine its level of criticality, or how serious the risk posed is. +We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined system level failure +we have to determine its level of criticality, or how serious the risk posed would be. % Two methodologies have started to consider this aspect, FMECA with its criticality and probability factors, and EN61508 with its classification of dangerous and safe failures. % -It is the authors opinion that more work is required to clarify this area. FMMD stops at the objective level. +It is the author's opinion that more work is required to clarify this area. FMMD stops at the objective level. \section{Conclusion} -It is the authors belfief that the practise of FMEA would be imporoved by taking a modular approach -and that it is necessary that software and hardware should be included n the same failure mode models. +It is the authors belief that the practise of FMEA would be improved by taking a modular approach +and that it is necessary that software and hardware should be included in the same failure mode models. % The proposed methodology, FMMD, provides the means to do this, and it is the authors hope that this or a variant thereof is taken up and used to improve system safety. \ No newline at end of file