WE removal
This commit is contained in:
parent
7e53e0c05d
commit
a476926969
@ -104,11 +104,11 @@ These are presented below.
|
||||
\fmmdgloss
|
||||
\fmeagloss
|
||||
An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing an FMMD hierarchy
|
||||
we can map system level failures back to {\bc} {\fms} (or combinations thereof).
|
||||
system level failures can be mapped back to {\bc} {\fms} (or combinations thereof).
|
||||
%
|
||||
Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}).
|
||||
Because these mappings can be determined reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}) can be produced.
|
||||
%
|
||||
With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures.
|
||||
With the addition of {\bc} {\fm} statistics~\cite{mil1991} reliability predictions for system level failures can be provided.
|
||||
%
|
||||
The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs}
|
||||
taken from MIL1991 %~\cite{mil1991},
|
||||
@ -116,7 +116,7 @@ in section~\ref{sec:bcstats}.
|
||||
%
|
||||
With an FMMD failure mode model a top down perspective is possible.
|
||||
%
|
||||
We could for instance take each system level failure and produce a causation tree for it, tracing back
|
||||
Each system level failure can have a causation tree produced for it, tracing back
|
||||
to all {\bc} {\fms}.
|
||||
%
|
||||
This is very closely related to the structure of FTA (top down) failure causation graphs.
|
||||
@ -139,15 +139,17 @@ FMMD, as a bottom up methodology can use component failure mode statistical data
|
||||
into its hierarchical model.
|
||||
%By way of example, the Pt100 analysis %example
|
||||
%from section~\{sec:pt100} has been used to demonstrate this.
|
||||
Because we can use an FMMD model to generate an FMEA report, with additional {\bc} failure mode statistics
|
||||
we can %therefore
|
||||
use FMMD to produce an FMEDA report.
|
||||
Because an FMMD model can be used to generate an FMEA report,
|
||||
with additional {\bc} failure mode statistics
|
||||
an FMEDA report can be produced.
|
||||
%we can %therefore
|
||||
%use FMMD to produce an FMEDA report.
|
||||
|
||||
|
||||
\paragraph{Pt100 Example: Single Failures and statistical data.} %Mean Time to Failure}
|
||||
\frategloss
|
||||
From an earlier example, the model for the failure mode behaviour of the Pt100 circuit,
|
||||
we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure.
|
||||
{\bc} {\fm} statistics are added to determine the probability of symptoms of failure.
|
||||
%
|
||||
The DOD electronic reliability of components
|
||||
document MIL-HDBK-217F~\cite{mil1991} gives formulae for calculating
|
||||
@ -256,7 +258,7 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
|
||||
Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0.
|
||||
%
|
||||
\frategloss
|
||||
Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
|
||||
Using the RIAC finding the following table (table \ref{tab:stat_single}) can be created,
|
||||
showing the FIT values for all single failure modes.
|
||||
%\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
|
||||
\fmmdglossFIT
|
||||
@ -292,10 +294,13 @@ about $\approx 360$ years per circuit.
|
||||
%
|
||||
A probabilistic tree can now be drawn, with a FIT value for the Pt100
|
||||
circuit and FIT values for all the component fault modes from which it was calculated.
|
||||
We can see from this that the most likely fault is the thermistor going OPEN.
|
||||
%
|
||||
From this it can be seen that the most likely fault is the thermistor going OPEN.
|
||||
%
|
||||
This circuit is around 10 times more likely to fail in this way than in any other.
|
||||
Were we to need a more reliable temperature sensor, this would probably
|
||||
be the fault~mode we would scrutinise first.
|
||||
%
|
||||
If a more reliable temperature sensor was required, this would probably
|
||||
be the fault~mode scrutinised first.
|
||||
%
|
||||
\frategloss
|
||||
%
|
||||
@ -313,8 +318,8 @@ conditions.
|
||||
%
|
||||
%
|
||||
\paragraph{Pt100 Example: Double Failures and statistical data}
|
||||
Because we can perform double simultaneous failure analysis under FMMD
|
||||
we can also apply failure rate statistics to double failures.
|
||||
Because double simultaneous failure analysis can be performed under FMMD
|
||||
failure rate statistics to double failures can also be determined.
|
||||
%
|
||||
\frategloss
|
||||
%
|
||||
@ -325,14 +330,14 @@ we can also apply failure rate statistics to double failures.
|
||||
%% statistical impacts of failures.
|
||||
%%
|
||||
%
|
||||
If we consider the failure modes to be statistically independent we can calculate
|
||||
Considering the failure modes to be statistically independent
|
||||
the FIT values for all the combinations
|
||||
failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2}.
|
||||
failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2} can be calculated.
|
||||
%
|
||||
The failure mode of most concern, the undetectable {\textbf{FLOATING}} condition,
|
||||
requires that resistors $R_1$ and $R_2$ both fail.
|
||||
%
|
||||
We can multiply the MTTF probabilities for these types of resistor failing and find the MTTF for both failing.
|
||||
Multiplying the MTTF probabilities for these types of resistor failing gives the MTTF for both failing.
|
||||
%
|
||||
The FIT value of 12.42 corresponds to
|
||||
$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $.
|
||||
@ -341,19 +346,23 @@ This is an astronomically small MTTF, and so small that it would
|
||||
probably fall below a threshold to sensibly consider.
|
||||
%
|
||||
However, it is very interesting from a failure analysis perspective,
|
||||
because here we have found a fault that we cannot detect (at least at this
|
||||
level in the FMMD hierarchy).
|
||||
because an undetectable fault (at least at this
|
||||
level in the FMMD hierarchy) has been revealed.
|
||||
%
|
||||
This means that should we wish to cope with
|
||||
this fault, we need to engineer a new way of detecting this
|
||||
condition, perhaps in higher levels of the system/FMMD hierarchy.
|
||||
This means that should it be required to cope with
|
||||
this fault, a new way of detecting this
|
||||
condition must be engineered, perhaps in higher levels of the system/FMMD hierarchy.
|
||||
%
|
||||
\paragraph{MTTF statistics and FMMD hierarchies.}
|
||||
%
|
||||
In a large FMMD model, system/top level failures can be traced
|
||||
down to {\bc} {\fms}. To determine the MTTF probability
|
||||
for a system level failure, we add the MTTF statistics for all its possible causes.
|
||||
Thus even for large FMMD models we can calculate accurate
|
||||
statistics for electronic sourced failures.
|
||||
down to {\bc} {\fms}.
|
||||
%
|
||||
To determine the MTTF probability
|
||||
for a system level failure, the MTTF statistics are added for all its possible causes.
|
||||
%
|
||||
Thus even for large FMMD models accurate
|
||||
statistics for electronic sourced failures can be calculated.
|
||||
%
|
||||
%\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
|
||||
%
|
||||
@ -366,8 +375,10 @@ statistics for electronic sourced failures.
|
||||
%
|
||||
Fault Tree Analysis (FTA)~\cite{ftahistory} is a top down methodology that
|
||||
draws a fault tree---or top down fault causation diagram---for each given top-level
|
||||
failure. With an FMMD model, we can trace all the causes of system failures
|
||||
down to the base component level.
|
||||
failure.
|
||||
%
|
||||
With an FMMD model, all the causes of system failures
|
||||
down can be traced to the base component level.
|
||||
%
|
||||
This would be enough to create a fault causation tree, but FTA introduces
|
||||
concepts of operational and environmental states, and inhibit gates.
|
||||
@ -380,8 +391,8 @@ The FTA perspective is that some safety can be built in
|
||||
by preventing certain things happening (inhibit gates), and by considering
|
||||
different behaviour due to environmental or operational states~\cite{nucfta,nasafta}.
|
||||
%
|
||||
If we require FMMD to produce full FTA diagrams, we need to add these
|
||||
attributes to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally
|
||||
If FMMD is required to produce full FTA diagrams, these
|
||||
attributes must be added to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally
|
||||
useful in guiding diagnostic analysis.}.
|
||||
%
|
||||
\fmmdglossINHIBIT
|
||||
@ -424,35 +435,40 @@ This is rather like a logical guard criterion. For instance in the gas burner st
|
||||
states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
|
||||
In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
|
||||
\fmmdglossFTA
|
||||
We now look at the nature of these three attributes and decide how they should fit into the UML
|
||||
The nature of these three attributes is examined and decisions are made as how they should fit into the UML
|
||||
model for FMMD developed in section~\ref{sec:fmmd_uml}.
|
||||
|
||||
\paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
|
||||
levels of electrical interference, high voltage contamination on supply
|
||||
lines, radiation levels etc.
|
||||
%
|
||||
Environmental influences will affect specific components in specific ways\footnote{A good example of a part
|
||||
affected by environmental conditions, in this case temperature, is the opto-isolator~\cite{tlp181}
|
||||
which typically starts having performance problems at {60 \oc} and above.
|
||||
Most electrical components are robust to temperature variations and
|
||||
would not normally require special environmental attributes.}.
|
||||
Environmental analysis is thus applicable to components.
|
||||
%
|
||||
Environmental influences, such as over-stress due to voltage
|
||||
can be eliminated by down-rating components as discussed in section~\ref{sec:determine_fms}.
|
||||
With given environmental constraints, we can therefore eliminate some failure modes from the model.
|
||||
%
|
||||
With given environmental constraints, it is therefore possible to eliminate some failure modes from the model.
|
||||
\fmmdglossFTA
|
||||
|
||||
\paragraph{Operational states.}
|
||||
%
|
||||
Within the field of safety critical engineering, we often encounter
|
||||
elements that include test or self-test facilities.
|
||||
Within the field of safety critical engineering,
|
||||
elements are often encountered that include test or self-test facilities.
|
||||
%
|
||||
Degraded performance
|
||||
(such as only performing certain functions in an emergency) and lockout/emergency conditions
|
||||
are also common conditions that are considered.
|
||||
%
|
||||
We also encounter degraded performance
|
||||
(such as only performing certain functions in an emergency) and lockout/emergency conditions.
|
||||
These can be broadly termed operational states. %, and apply to the
|
||||
%functional groups.
|
||||
%
|
||||
We need to determine which UML class is most appropriate to hold a relationship
|
||||
to operational states.
|
||||
The UML class is most appropriate to hold a relationship
|
||||
to operational states must be chosen.
|
||||
%
|
||||
Consider for instance an electrical circuit that has a TEST line.
|
||||
When the TEST line is activated, it supplies a test signal
|
||||
@ -463,7 +479,7 @@ It seems more appropriate to apply the operational states to {\fgs}
|
||||
which %
|
||||
%Functional groupings
|
||||
by definition implement functionality, or purpose.
|
||||
On this basis we associate operational states with {\fgs}.
|
||||
On this basis operational states are associated with {\fgs}.
|
||||
%therefore are the best objects to model
|
||||
%operational states.% with.
|
||||
|
||||
@ -482,7 +498,7 @@ a failure mode.
|
||||
This inhibit class can be triggered
|
||||
on a combination of environmental or failure modes.
|
||||
%
|
||||
In the UML diagram, we therefore link this with
|
||||
In the UML diagram, this is therefore, linked with
|
||||
both environmental conditions and failure modes.
|
||||
%
|
||||
%
|
||||
@ -522,12 +538,12 @@ can reveal previously undetected system failure modes.
|
||||
%
|
||||
This is because the analyst
|
||||
is forced to deal with all component failure modes when applying the FMMD process, and
|
||||
all failure modes of the resultant {\dcs} as we progress up a hierarchy.
|
||||
all failure modes of the resultant {\dcs} as the hierarchy is built.
|
||||
%
|
||||
FMMD requires that all failure modes of components in a {\fg} are resolved to
|
||||
a symptom in the resulting {\dc}.
|
||||
%
|
||||
Because we can enforce a `complete' analysis, FMMD can find failure modes which were missed by
|
||||
As `complete' analysis can be enforced, FMMD can find failure modes which were missed by
|
||||
other FMEA processes; meaning that the FMMD process can expose un-handled
|
||||
failure modes.
|
||||
%come to light.
|
||||
@ -535,7 +551,7 @@ failure modes.
|
||||
%
|
||||
\paragraph{Retrospective failure mode analysis and software.}
|
||||
%
|
||||
We can apply retrospective FMMD to electronic and software hybrid systems as well.
|
||||
Retrospective FMMD can be applied to electronic and software hybrid systems. %as well.
|
||||
%
|
||||
The electronic components {\fms} are established in the literature~\cite{fmd91,mil1991,en298,en230}.
|
||||
%
|
||||
@ -551,7 +567,7 @@ which parts of the FMEA analysis to
|
||||
re-visit.
|
||||
%
|
||||
For instance, which components in the system should
|
||||
we check against this newly discovered failure mode?
|
||||
newly discovered failure mode be checked against?
|
||||
%
|
||||
This is linked to the concepts behind
|
||||
the need for failure mode coverage against all components in the system, that provoked discussions
|
||||
@ -582,10 +598,10 @@ Finding these could be automated in a software tool that can traverse the failur
|
||||
% By treating hardware interfaces to software as {\dcs}, we automatically have a list of the failure modes
|
||||
% of the electronics.
|
||||
%%
|
||||
With the contracts in place for the software functions, we can then integrate them into the FMMD model.
|
||||
With the contracts in place for the software functions, they can be integrated into the FMMD model.
|
||||
%
|
||||
FMMD models both software and hardware;
|
||||
we can thus verify that all
|
||||
thus it can be verified that all
|
||||
failure modes from the electronics module have been dealt
|
||||
with by the controlling software.
|
||||
%
|
||||
@ -598,15 +614,15 @@ This again can be flagged using an automated tool.
|
||||
% of the electronics.
|
||||
%
|
||||
By performing FMMD on a software electronic hybrid system,
|
||||
we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface.
|
||||
design deficiencies are revealed in both the software, the electronics and the software/electronics interface.
|
||||
%in the hardware/software interface.
|
||||
%
|
||||
\fmmdglossFMEDA
|
||||
\fmmdgloss
|
||||
FMEDA does not handle software ---or---the software/hardware interface.
|
||||
It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures).
|
||||
In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise
|
||||
the safe failure fraction (SFF).
|
||||
In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them,
|
||||
the safe failure fraction (SFF) is raised.
|
||||
%
|
||||
%
|
||||
%
|
||||
@ -615,6 +631,7 @@ the safe failure fraction (SFF).
|
||||
%Opportunity for formal definitions and perhaps an interface or process for achieving it....
|
||||
The act of applying failure mode effects analysis, is commonly performed from
|
||||
an `engineering' oriented cause and effect perspective.
|
||||
%
|
||||
This is the realm of the objective.
|
||||
%
|
||||
The executive decisions about deploying systems are in the domain of management and politics.
|
||||
@ -638,26 +655,39 @@ leak of radioactive material into the environment.
|
||||
%
|
||||
For the objective failure mode determined by
|
||||
FMEA, that of leakage of coolant,
|
||||
we would not reasonably expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
|
||||
it would not be reasonable to expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
|
||||
%
|
||||
The criticality level of that accident was therefore subjective. It was not known how the operators
|
||||
The criticality level of that accident was therefore subjective.
|
||||
%
|
||||
It was not known how the operators
|
||||
would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis.
|
||||
|
||||
|
||||
\paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
|
||||
%
|
||||
We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined system level failure
|
||||
we often are next required to determine its level of criticality, or how serious the risk posed would be.
|
||||
Criticality prediction can be said to be in the domain of subjective reasoning.
|
||||
%
|
||||
With an objectively defined system level failure
|
||||
it is often required to next determine its level of criticality, or how serious the risk posed would be.
|
||||
%
|
||||
Two methodologies have started to consider this aspect, FMECA~\cite{fmeca} with its criticality and probability factors, and
|
||||
FMEDA~\cite{en61508,fmeda} with its classification of dangerous and safe failures.
|
||||
\fmmdglossFMEDA
|
||||
\fmmdglossFMECA
|
||||
%
|
||||
It is the author's opinion that more work is required to clarify this area. The scope of FMMD is the objective level only.
|
||||
It is the author's opinion that more work is required to clarify this area.
|
||||
%
|
||||
Accurate models of objective failure modes, are seen by the author to be a pre-requisite
|
||||
for subjective assessment.
|
||||
%
|
||||
The scope of FMMD is the objective level only,
|
||||
but offers significant benefits in terms of accuracy and work savings.
|
||||
%
|
||||
It also offers integrated modelling of software and hardware.
|
||||
%
|
||||
Its failure mode model can also be used to assist in producing traditional FMEA formats.
|
||||
%
|
||||
%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%\today%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
Loading…
Reference in New Issue
Block a user