diff --git a/submission_thesis/CH8_Conclusion/copy.tex b/submission_thesis/CH8_Conclusion/copy.tex index bb2472f..ee046d0 100644 --- a/submission_thesis/CH8_Conclusion/copy.tex +++ b/submission_thesis/CH8_Conclusion/copy.tex @@ -104,11 +104,11 @@ These are presented below. \fmmdgloss \fmeagloss An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing an FMMD hierarchy -we can map system level failures back to {\bc} {\fms} (or combinations thereof). +system level failures can be mapped back to {\bc} {\fms} (or combinations thereof). % -Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}). +Because these mappings can be determined reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}) can be produced. % -With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures. +With the addition of {\bc} {\fm} statistics~\cite{mil1991} reliability predictions for system level failures can be provided. % The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs} taken from MIL1991 %~\cite{mil1991}, @@ -116,7 +116,7 @@ in section~\ref{sec:bcstats}. % With an FMMD failure mode model a top down perspective is possible. % -We could for instance take each system level failure and produce a causation tree for it, tracing back +Each system level failure can have a causation tree produced for it, tracing back to all {\bc} {\fms}. % This is very closely related to the structure of FTA (top down) failure causation graphs. @@ -139,15 +139,17 @@ FMMD, as a bottom up methodology can use component failure mode statistical data into its hierarchical model. %By way of example, the Pt100 analysis %example %from section~\{sec:pt100} has been used to demonstrate this. -Because we can use an FMMD model to generate an FMEA report, with additional {\bc} failure mode statistics -we can %therefore -use FMMD to produce an FMEDA report. +Because an FMMD model can be used to generate an FMEA report, +with additional {\bc} failure mode statistics +an FMEDA report can be produced. +%we can %therefore +%use FMMD to produce an FMEDA report. \paragraph{Pt100 Example: Single Failures and statistical data.} %Mean Time to Failure} \frategloss From an earlier example, the model for the failure mode behaviour of the Pt100 circuit, -we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure. +{\bc} {\fm} statistics are added to determine the probability of symptoms of failure. % The DOD electronic reliability of components document MIL-HDBK-217F~\cite{mil1991} gives formulae for calculating @@ -256,7 +258,7 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0. % \frategloss -Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), +Using the RIAC finding the following table (table \ref{tab:stat_single}) can be created, showing the FIT values for all single failure modes. %\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} \fmmdglossFIT @@ -292,10 +294,13 @@ about $\approx 360$ years per circuit. % A probabilistic tree can now be drawn, with a FIT value for the Pt100 circuit and FIT values for all the component fault modes from which it was calculated. -We can see from this that the most likely fault is the thermistor going OPEN. +% +From this it can be seen that the most likely fault is the thermistor going OPEN. +% This circuit is around 10 times more likely to fail in this way than in any other. -Were we to need a more reliable temperature sensor, this would probably -be the fault~mode we would scrutinise first. +% +If a more reliable temperature sensor was required, this would probably +be the fault~mode scrutinised first. % \frategloss % @@ -313,8 +318,8 @@ conditions. % % \paragraph{Pt100 Example: Double Failures and statistical data} -Because we can perform double simultaneous failure analysis under FMMD -we can also apply failure rate statistics to double failures. +Because double simultaneous failure analysis can be performed under FMMD +failure rate statistics to double failures can also be determined. % \frategloss % @@ -325,14 +330,14 @@ we can also apply failure rate statistics to double failures. %% statistical impacts of failures. %% % -If we consider the failure modes to be statistically independent we can calculate +Considering the failure modes to be statistically independent the FIT values for all the combinations -failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2}. +failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2} can be calculated. % The failure mode of most concern, the undetectable {\textbf{FLOATING}} condition, requires that resistors $R_1$ and $R_2$ both fail. % -We can multiply the MTTF probabilities for these types of resistor failing and find the MTTF for both failing. +Multiplying the MTTF probabilities for these types of resistor failing gives the MTTF for both failing. % The FIT value of 12.42 corresponds to $12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. @@ -341,19 +346,23 @@ This is an astronomically small MTTF, and so small that it would probably fall below a threshold to sensibly consider. % However, it is very interesting from a failure analysis perspective, -because here we have found a fault that we cannot detect (at least at this -level in the FMMD hierarchy). +because an undetectable fault (at least at this +level in the FMMD hierarchy) has been revealed. % -This means that should we wish to cope with -this fault, we need to engineer a new way of detecting this -condition, perhaps in higher levels of the system/FMMD hierarchy. +This means that should it be required to cope with +this fault, a new way of detecting this +condition must be engineered, perhaps in higher levels of the system/FMMD hierarchy. % \paragraph{MTTF statistics and FMMD hierarchies.} +% In a large FMMD model, system/top level failures can be traced -down to {\bc} {\fms}. To determine the MTTF probability -for a system level failure, we add the MTTF statistics for all its possible causes. -Thus even for large FMMD models we can calculate accurate -statistics for electronic sourced failures. +down to {\bc} {\fms}. +% +To determine the MTTF probability +for a system level failure, the MTTF statistics are added for all its possible causes. +% +Thus even for large FMMD models accurate +statistics for electronic sourced failures can be calculated. % %\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}} % @@ -366,8 +375,10 @@ statistics for electronic sourced failures. % Fault Tree Analysis (FTA)~\cite{ftahistory} is a top down methodology that draws a fault tree---or top down fault causation diagram---for each given top-level -failure. With an FMMD model, we can trace all the causes of system failures -down to the base component level. +failure. +% +With an FMMD model, all the causes of system failures +down can be traced to the base component level. % This would be enough to create a fault causation tree, but FTA introduces concepts of operational and environmental states, and inhibit gates. @@ -380,8 +391,8 @@ The FTA perspective is that some safety can be built in by preventing certain things happening (inhibit gates), and by considering different behaviour due to environmental or operational states~\cite{nucfta,nasafta}. % -If we require FMMD to produce full FTA diagrams, we need to add these -attributes to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally +If FMMD is required to produce full FTA diagrams, these +attributes must be added to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally useful in guiding diagnostic analysis.}. % \fmmdglossINHIBIT @@ -424,35 +435,40 @@ This is rather like a logical guard criterion. For instance in the gas burner st states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied. In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED. \fmmdglossFTA -We now look at the nature of these three attributes and decide how they should fit into the UML +The nature of these three attributes is examined and decisions are made as how they should fit into the UML model for FMMD developed in section~\ref{sec:fmmd_uml}. \paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges, levels of electrical interference, high voltage contamination on supply lines, radiation levels etc. +% Environmental influences will affect specific components in specific ways\footnote{A good example of a part affected by environmental conditions, in this case temperature, is the opto-isolator~\cite{tlp181} which typically starts having performance problems at {60 \oc} and above. Most electrical components are robust to temperature variations and would not normally require special environmental attributes.}. Environmental analysis is thus applicable to components. +% Environmental influences, such as over-stress due to voltage can be eliminated by down-rating components as discussed in section~\ref{sec:determine_fms}. -With given environmental constraints, we can therefore eliminate some failure modes from the model. +% +With given environmental constraints, it is therefore possible to eliminate some failure modes from the model. \fmmdglossFTA \paragraph{Operational states.} % -Within the field of safety critical engineering, we often encounter -elements that include test or self-test facilities. +Within the field of safety critical engineering, +elements are often encountered that include test or self-test facilities. +% +Degraded performance +(such as only performing certain functions in an emergency) and lockout/emergency conditions +are also common conditions that are considered. % -We also encounter degraded performance -(such as only performing certain functions in an emergency) and lockout/emergency conditions. These can be broadly termed operational states. %, and apply to the %functional groups. % -We need to determine which UML class is most appropriate to hold a relationship -to operational states. +The UML class is most appropriate to hold a relationship +to operational states must be chosen. % Consider for instance an electrical circuit that has a TEST line. When the TEST line is activated, it supplies a test signal @@ -463,7 +479,7 @@ It seems more appropriate to apply the operational states to {\fgs} which % %Functional groupings by definition implement functionality, or purpose. -On this basis we associate operational states with {\fgs}. +On this basis operational states are associated with {\fgs}. %therefore are the best objects to model %operational states.% with. @@ -482,7 +498,7 @@ a failure mode. This inhibit class can be triggered on a combination of environmental or failure modes. % -In the UML diagram, we therefore link this with +In the UML diagram, this is therefore, linked with both environmental conditions and failure modes. % % @@ -522,12 +538,12 @@ can reveal previously undetected system failure modes. % This is because the analyst is forced to deal with all component failure modes when applying the FMMD process, and -all failure modes of the resultant {\dcs} as we progress up a hierarchy. +all failure modes of the resultant {\dcs} as the hierarchy is built. % FMMD requires that all failure modes of components in a {\fg} are resolved to a symptom in the resulting {\dc}. % -Because we can enforce a `complete' analysis, FMMD can find failure modes which were missed by + As `complete' analysis can be enforced, FMMD can find failure modes which were missed by other FMEA processes; meaning that the FMMD process can expose un-handled failure modes. %come to light. @@ -535,7 +551,7 @@ failure modes. % \paragraph{Retrospective failure mode analysis and software.} % -We can apply retrospective FMMD to electronic and software hybrid systems as well. + Retrospective FMMD can be applied to electronic and software hybrid systems. %as well. % The electronic components {\fms} are established in the literature~\cite{fmd91,mil1991,en298,en230}. % @@ -551,7 +567,7 @@ which parts of the FMEA analysis to re-visit. % For instance, which components in the system should -we check against this newly discovered failure mode? +newly discovered failure mode be checked against? % This is linked to the concepts behind the need for failure mode coverage against all components in the system, that provoked discussions @@ -582,10 +598,10 @@ Finding these could be automated in a software tool that can traverse the failur % By treating hardware interfaces to software as {\dcs}, we automatically have a list of the failure modes % of the electronics. %% -With the contracts in place for the software functions, we can then integrate them into the FMMD model. +With the contracts in place for the software functions, they can be integrated into the FMMD model. % FMMD models both software and hardware; -we can thus verify that all +thus it can be verified that all failure modes from the electronics module have been dealt with by the controlling software. % @@ -598,15 +614,15 @@ This again can be flagged using an automated tool. % of the electronics. % By performing FMMD on a software electronic hybrid system, -we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface. +design deficiencies are revealed in both the software, the electronics and the software/electronics interface. %in the hardware/software interface. % \fmmdglossFMEDA \fmmdgloss FMEDA does not handle software ---or---the software/hardware interface. It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures). -In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise -the safe failure fraction (SFF). +In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, +the safe failure fraction (SFF) is raised. % % % @@ -615,6 +631,7 @@ the safe failure fraction (SFF). %Opportunity for formal definitions and perhaps an interface or process for achieving it.... The act of applying failure mode effects analysis, is commonly performed from an `engineering' oriented cause and effect perspective. +% This is the realm of the objective. % The executive decisions about deploying systems are in the domain of management and politics. @@ -638,26 +655,39 @@ leak of radioactive material into the environment. % For the objective failure mode determined by FMEA, that of leakage of coolant, -we would not reasonably expect this to go unchecked and unresolved for an extended period and cause such a critical failure. +it would not be reasonable to expect this to go unchecked and unresolved for an extended period and cause such a critical failure. % -The criticality level of that accident was therefore subjective. It was not known how the operators +The criticality level of that accident was therefore subjective. +% +It was not known how the operators would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis. \paragraph{Further Work: Objective and Subjective Reasoning in FMEA.} % -We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined system level failure -we often are next required to determine its level of criticality, or how serious the risk posed would be. +Criticality prediction can be said to be in the domain of subjective reasoning. +% +With an objectively defined system level failure +it is often required to next determine its level of criticality, or how serious the risk posed would be. % Two methodologies have started to consider this aspect, FMECA~\cite{fmeca} with its criticality and probability factors, and FMEDA~\cite{en61508,fmeda} with its classification of dangerous and safe failures. \fmmdglossFMEDA \fmmdglossFMECA % -It is the author's opinion that more work is required to clarify this area. The scope of FMMD is the objective level only. +It is the author's opinion that more work is required to clarify this area. +% Accurate models of objective failure modes, are seen by the author to be a pre-requisite for subjective assessment. % +The scope of FMMD is the objective level only, +but offers significant benefits in terms of accuracy and work savings. +% +It also offers integrated modelling of software and hardware. +% +Its failure mode model can also be used to assist in producing traditional FMEA formats. +% +% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %\today%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%