robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Robin Clark 2013-05-29 18:39:32 +01:00
parent fc039d280b
commit a30e9e6855
1 changed files with 22 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
submission_thesis/CH8_Conclusion/copy.tex
View File

@ -2,7 +2,7 @@
In this study we have examined the processes and state of the art of the four main FMEA variants.
%
We have exposed shortcomings in these methodologies; which can be summed up as an inability to
We have exposed shortcomings in these methodologies, which can be summed up as an inability to
model hybrid software and hardware systems in a satisfactory manner, a problem with state explosion
and difficulty of re-use of analysis because there is no support for modularity.
%
@ -13,7 +13,7 @@ A modularised FMEA---Failure Mode Modular De-composition (FMMD)---was proposed.
This modularised version was supported by the work already established in the
{\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}.
%
A selection of electronic examples were analysed using FMMD
A selection of electronic examples was analysed using FMMD
which deliberately introduced varying circuit
topologies with conventional and circular signal paths
and mixed digital and analogue designs.
@ -26,10 +26,10 @@ that is to say that for all but trivial cases,
the number of manual analysis operations to perform
was reduced.
%
Not only this but the analysis naturally provided modules which could be re-used,
Not only this, but the analysis naturally provided modules which could be re-used,
re-used not only in the circuit under analysis but potentially in different and future projects as well.
Traditional FMEA methods have been applied to software, but analysis has always be separate from
Traditional FMEA methods have been applied to software, but analysis has always to be separate from
the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach.
%
Using established concepts from contract programming~\cite{dbcbe} we extended FMMD to analyse software,
@ -250,7 +250,7 @@ we can also apply failure rate statistics to double failures.
%%
%
If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the combinations failures in the the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}.
the FIT values for all the combinations failures in the electronic examples chapter~\ref{sec:chap5} table~\ref{tab:ptfmea2}.
%
The failure mode of concern, the undetectable {\textbf{FLOATING}} condition
requires that resistors $R_1$ and $R_2$ fail.
@ -295,8 +295,8 @@ If we require FMMD to produce full FTA diagrams, we need to add these attributes
\paragraph{Environment, operational states and inhibit gates: additions to the UML model.}
FTA%~\cite{nasafta,nucfta}
models environmental, operational state and inhibit gates, and these can be incorporated into
FTA, in addition to using symbols borrowed from digital logic introduces threee new symbols to
model environmental, operational state and inhibit gates; we discuss here how these can be incorporated into
the FMMD model.
A system will be expected to perform in a given environment.
@ -320,7 +320,7 @@ Operational states and environmental conditions can %must
be factored into the UML model.
%
We may encounter a condition where we would want to inhibit some action of the system.
This is rather like a logical guard criterion. For instance in the gas burner standard EN298
This is rather like a logical guard criterion. For instance in the gas burner standard EN298 it
states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
@ -416,7 +416,7 @@ a symptom in the resulting {\dc}.
%
FMMD can find failure modes that are not
dealt with as a symptom, i.e. were ignored
or forgotten. This means that FMMD will route out un-handled
or forgotten. This means that the FMMD process will expose un-handled
failure modes.
%come to light.
%
@ -438,7 +438,7 @@ With the contracts in place for the software, we can then integrate them into th
%
FMMD models both software and hardware;
we can thus verify that all
failure modes from the electronics module, have been dealt
failure modes from the electronics module have been dealt
by the controlling software.
%
If not they are an un-handled error condition relating to the software hardware interface.
@ -477,21 +477,21 @@ is examined in section~\ref{sec:fta}.
\section{Objective and Subjective Reasoning stages}
%Opportunity for formal definitions and perhaps an interface or process for achieving it....
The act of applying failure mode effects analysis, is in terms of cause and effect viewed from
The act of applying failure mode effects analysis, in terms of cause and effect is viewed from
and engineering perspective. This is the realm of the objective.
The executive decisions about deploying systems are in the domain of management and politics.
%
The dangers, or potential negative effects of a safety critical system depend not only on the system its self,
but on the environment they are used in
The dangers, or potential negative effects of a safety critical system depend not only on the system itself,
but on the environment in which they are used
and other human factors such as the training level of operatives, psychological and logical factors in
the Human Machine Interface~(HMI) and the environment the equipment is used in~\cite{stranks2007human}.
the Human Machine Interface~(HMI)~\cite{stranks2007human}.
%
\paragraph{Objective and Subjective Reasoning in FMEA: Three Mile Island nuclear accident example.}
An example of objective and subjective factors can be derived from the accident report on the 1979 3-mile island
An example of objective and subjective factors can be derived from the accident report on the 1979 Three Mile Island
nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open.
This condition causes an objectively derived failure mode, temporary loss of coolant due to a stuck valve.
%
This, if recognised correctly by the operators would have lead to
This, if recognised correctly by the operators, would have lead to
a short reactor shut-down and then
a maintenance procedure to replace the valve.
%
@ -509,18 +509,18 @@ would have reacted, and deficiencies in the HMI were not a factor in the failure
\paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
%
We could term the criticality prediction to be in the domain of subjective reasoning. With the system level failure
we have to determine its level of criticality, or how serious the risk posed is.
We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined system level failure
we have to determine its level of criticality, or how serious the risk posed would be.
%
Two methodologies have started to consider this aspect, FMECA with its criticality and probability factors, and
EN61508 with its classification of dangerous and safe failures.
%
It is the authors opinion that more work is required to clarify this area. FMMD stops at the objective level.
It is the author's opinion that more work is required to clarify this area. FMMD stops at the objective level.
\section{Conclusion}
It is the authors belfief that the practise of FMEA would be imporoved by taking a modular approach
and that it is necessary that software and hardware should be included n the same failure mode models.
It is the authors belief that the practise of FMEA would be improved by taking a modular approach
and that it is necessary that software and hardware should be included in the same failure mode models.
%
The proposed methodology, FMMD, provides the means to do this, and it is the authors hope that this
or a variant thereof is taken up and used to improve system safety.