robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Robin Clark 2013-05-29 18:39:32 +01:00
parent fc039d280b
commit a30e9e6855
1 changed files with 22 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
submission_thesis/CH8_Conclusion/copy.tex
View File

@ -2,7 +2,7 @@
In this study we have examined the processes and state of the art of the four main FMEA variants. In this study we have examined the processes and state of the art of the four main FMEA variants.
% %
We have exposed shortcomings in these methodologies; which can be summed up as an inability to We have exposed shortcomings in these methodologies, which can be summed up as an inability to
model hybrid software and hardware systems in a satisfactory manner, a problem with state explosion model hybrid software and hardware systems in a satisfactory manner, a problem with state explosion
and difficulty of re-use of analysis because there is no support for modularity. and difficulty of re-use of analysis because there is no support for modularity.
% %
@ -13,7 +13,7 @@ A modularised FMEA---Failure Mode Modular De-composition (FMMD)---was proposed.
This modularised version was supported by the work already established in the This modularised version was supported by the work already established in the
{\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}. {\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}.
% %
A selection of electronic examples were analysed using FMMD A selection of electronic examples was analysed using FMMD
which deliberately introduced varying circuit which deliberately introduced varying circuit
topologies with conventional and circular signal paths topologies with conventional and circular signal paths
and mixed digital and analogue designs. and mixed digital and analogue designs.
@ -26,10 +26,10 @@ that is to say that for all but trivial cases,
the number of manual analysis operations to perform the number of manual analysis operations to perform
was reduced. was reduced.
% %
Not only this but the analysis naturally provided modules which could be re-used, Not only this, but the analysis naturally provided modules which could be re-used,
re-used not only in the circuit under analysis but potentially in different and future projects as well. re-used not only in the circuit under analysis but potentially in different and future projects as well.
Traditional FMEA methods have been applied to software, but analysis has always be separate from Traditional FMEA methods have been applied to software, but analysis has always to be separate from
the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach. the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach.
% %
Using established concepts from contract programming~\cite{dbcbe} we extended FMMD to analyse software, Using established concepts from contract programming~\cite{dbcbe} we extended FMMD to analyse software,
@ -250,7 +250,7 @@ we can also apply failure rate statistics to double failures.
%% %%
% %
If we consider the failure modes to be statistically independent we can calculate If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the combinations failures in the the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}. the FIT values for all the combinations failures in the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}.
% %
The failure mode of concern, the undetectable {\textbf{FLOATING}} condition The failure mode of concern, the undetectable {\textbf{FLOATING}} condition
requires that resistors $R_1$ and $R_2$ fail. requires that resistors $R_1$ and $R_2$ fail.
@ -295,8 +295,8 @@ If we require FMMD to produce full FTA diagrams, we need to add these attributes
\paragraph{Environment, operational states and inhibit gates: additions to the UML model.} \paragraph{Environment, operational states and inhibit gates: additions to the UML model.}
FTA%~\cite{nasafta,nucfta} FTA, in addition to using symbols borrowed from digital logic introduces threee new symbols to
models environmental, operational state and inhibit gates, and these can be incorporated into model environmental, operational state and inhibit gates; we discuss here how these can be incorporated into
the FMMD model. the FMMD model.
A system will be expected to perform in a given environment. A system will be expected to perform in a given environment.
@ -320,7 +320,7 @@ Operational states and environmental conditions can %must
be factored into the UML model. be factored into the UML model.
% %
We may encounter a condition where we would want to inhibit some action of the system. We may encounter a condition where we would want to inhibit some action of the system.
This is rather like a logical guard criterion. For instance in the gas burner standard EN298 This is rather like a logical guard criterion. For instance in the gas burner standard EN298 it
states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied. states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED. In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
@ -416,7 +416,7 @@ a symptom in the resulting {\dc}.
% %
FMMD can find failure modes that are not FMMD can find failure modes that are not
dealt with as a symptom, i.e. were ignored dealt with as a symptom, i.e. were ignored
or forgotten. This means that FMMD will route out un-handled or forgotten. This means that the FMMD process will expose un-handled
failure modes. failure modes.
%come to light. %come to light.
% %
@ -438,7 +438,7 @@ With the contracts in place for the software, we can then integrate them into th
% %
FMMD models both software and hardware; FMMD models both software and hardware;
we can thus verify that all we can thus verify that all
failure modes from the electronics module, have been dealt failure modes from the electronics module have been dealt
by the controlling software. by the controlling software.
% %
If not they are an un-handled error condition relating to the software hardware interface. If not they are an un-handled error condition relating to the software hardware interface.
@ -448,7 +448,7 @@ If not they are an un-handled error condition relating to the software hardware
% of the electronics. % of the electronics.
% %
By performing FMMD on a software electronic hybrid system, By performing FMMD on a software electronic hybrid system,
we thus reveal design deficiencies inboth the software and the software/electronics interface. we thus reveal design deficiencies in both the software and the software/electronics interface.
%in the hardware/software interface. %in the hardware/software interface.
FMEDA does not handle software ---or---the software hardware interface. FMEDA does not handle software ---or---the software hardware interface.
It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures). It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures).
@ -477,21 +477,21 @@ is examined in section~\ref{sec:fta}.
\section{Objective and Subjective Reasoning stages} \section{Objective and Subjective Reasoning stages}
%Opportunity for formal definitions and perhaps an interface or process for achieving it.... %Opportunity for formal definitions and perhaps an interface or process for achieving it....
The act of applying failure mode effects analysis, is in terms of cause and effect viewed from The act of applying failure mode effects analysis, in terms of cause and effect is viewed from
and engineering perspective. This is the realm of the objective. and engineering perspective. This is the realm of the objective.
The executive decisions about deploying systems are in the domain of management and politics. The executive decisions about deploying systems are in the domain of management and politics.
% %
The dangers, or potential negative effects of a safety critical system depend not only on the system its self, The dangers, or potential negative effects of a safety critical system depend not only on the system itself,
but on the environment they are used in but on the environment in which they are used
and other human factors such as the training level of operatives, psychological and logical factors in and other human factors such as the training level of operatives, psychological and logical factors in
the Human Machine Interface~(HMI) and the environment the equipment is used in~\cite{stranks2007human}. the Human Machine Interface~(HMI)~\cite{stranks2007human}.
% %
\paragraph{Objective and Subjective Reasoning in FMEA: Three Mile Island nuclear accident example.} \paragraph{Objective and Subjective Reasoning in FMEA: Three Mile Island nuclear accident example.}
An example of objective and subjective factors can be derived from the accident report on the 1979 3-mile island An example of objective and subjective factors can be derived from the accident report on the 1979 Three Mile Island
nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open. nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open.
This condition causes an objectively derived failure mode, temporary loss of coolant due to a stuck valve. This condition causes an objectively derived failure mode, temporary loss of coolant due to a stuck valve.
% %
This, if recognised correctly by the operators would have lead to This, if recognised correctly by the operators, would have lead to
a short reactor shut-down and then a short reactor shut-down and then
a maintenance procedure to replace the valve. a maintenance procedure to replace the valve.
% %
@ -509,18 +509,18 @@ would have reacted, and deficiencies in the HMI were not a factor in the failure
\paragraph{Further Work: Objective and Subjective Reasoning in FMEA.} \paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
% %
We could term the criticality prediction to be in the domain of subjective reasoning. With the system level failure We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined system level failure
we have to determine its level of criticality, or how serious the risk posed is. we have to determine its level of criticality, or how serious the risk posed would be.
% %
Two methodologies have started to consider this aspect, FMECA with its criticality and probability factors, and Two methodologies have started to consider this aspect, FMECA with its criticality and probability factors, and
EN61508 with its classification of dangerous and safe failures. EN61508 with its classification of dangerous and safe failures.
% %
It is the authors opinion that more work is required to clarify this area. FMMD stops at the objective level. It is the author's opinion that more work is required to clarify this area. FMMD stops at the objective level.
\section{Conclusion} \section{Conclusion}
It is the authors belfief that the practise of FMEA would be imporoved by taking a modular approach It is the authors belief that the practise of FMEA would be improved by taking a modular approach
and that it is necessary that software and hardware should be included n the same failure mode models. and that it is necessary that software and hardware should be included in the same failure mode models.
% %
The proposed methodology, FMMD, provides the means to do this, and it is the authors hope that this The proposed methodology, FMMD, provides the means to do this, and it is the authors hope that this
or a variant thereof is taken up and used to improve system safety. or a variant thereof is taken up and used to improve system safety.