WE removal

2013-09-11 16:30:32 +01:00 · 2013-09-11 16:30:32 +01:00 · a476926969
commit a476926969
parent 7e53e0c05d
1 changed files with 84 additions and 54 deletions
--- a/submission_thesis/CH8_Conclusion/copy.tex
+++ b/submission_thesis/CH8_Conclusion/copy.tex
@ -104,11 +104,11 @@ These are presented below.
 \fmmdgloss
 \fmeagloss
 An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing an FMMD hierarchy
-we can map system level failures back to {\bc} {\fms} (or combinations thereof).
+system level failures can be mapped back to {\bc} {\fms} (or combinations thereof).
 %
-Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}).
+Because these mappings  can be determined reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}) can be produced.
 %
-With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures.
+With the addition of {\bc} {\fm} statistics~\cite{mil1991} reliability predictions for system level failures can be provided.
 %
 The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs}
 taken from MIL1991 %~\cite{mil1991}, 
@ -116,7 +116,7 @@ in section~\ref{sec:bcstats}.
 %
 With an FMMD failure mode model a top down perspective is possible.
 %
-We could for instance take each system level failure and produce a causation tree for it, tracing back
+Each system level failure can have a causation tree produced for it, tracing back
 to all {\bc} {\fms}.
 %
 This is very closely related to the structure of FTA (top down) failure causation graphs.
@ -139,15 +139,17 @@ FMMD, as a bottom up methodology can use component failure mode statistical data
 into its hierarchical model.
 %By way of example, the Pt100 analysis %example 
 %from section~\{sec:pt100} has been used to demonstrate this.
-Because we can use an FMMD model to generate an FMEA report, with additional {\bc} failure mode statistics
+Because an FMMD model can be used to generate an FMEA report, 
-we can %therefore 
+with additional {\bc} failure mode statistics
-use FMMD to produce an FMEDA report.
+an FMEDA report can be produced.
 %we can %therefore 
 %use FMMD to produce an FMEDA report.
 \paragraph{Pt100 Example: Single Failures and statistical data.} %Mean Time to Failure}
 \frategloss
 From an earlier example, the model for the failure mode behaviour of the Pt100 circuit,
-we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure.
+{\bc} {\fm} statistics are added to  determine the probability of symptoms of failure.
 %
 The DOD electronic reliability of components
 document  MIL-HDBK-217F~\cite{mil1991} gives formulae for calculating
@ -256,7 +258,7 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
 Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0.
 %
 \frategloss
-Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
+Using the RIAC finding the following table (table \ref{tab:stat_single}) can be created,
 showing the FIT values for all single failure modes.
 %\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
 \fmmdglossFIT
@ -292,10 +294,13 @@ about $\approx 360$ years per circuit.
 %
 A probabilistic tree can now be drawn, with a FIT value for the Pt100
 circuit and FIT values for all the component fault modes from which  it was calculated.
-We can see from this that  the most likely fault is the thermistor going OPEN.
+%
 From this it can be seen that  the most likely fault is the thermistor going OPEN.
 %
 This circuit is around 10 times more likely to fail in this way than in any other.
-Were we to need a more reliable temperature sensor, this would probably 
+%
-be the fault~mode we would scrutinise first.
+If  a more reliable temperature sensor was required, this would probably 
 be the fault~mode   scrutinised first.
 %
 \frategloss
 %
@ -313,8 +318,8 @@ conditions.
 %
 %
 \paragraph{Pt100 Example: Double Failures and statistical data}
-Because we can perform double simultaneous failure analysis under FMMD
+Because double simultaneous failure analysis can be performed under FMMD
-we can also apply failure rate statistics to double failures.
+failure rate statistics to double failures can also be determined.
 %
 \frategloss
 % 
@ -325,14 +330,14 @@ we can also apply failure rate statistics to double failures.
 %% statistical impacts of failures.
 %%
 %
-If we consider the failure modes to be statistically independent we can calculate
+Considering the failure modes to be statistically independent  
 the FIT values for all the combinations 
-failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2}. 
+failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2} can be calculated. 
 %
 The failure mode of most concern, the undetectable {\textbf{FLOATING}} condition,
 requires that resistors $R_1$ and $R_2$ both fail.
 %
-We can multiply the MTTF probabilities for these types of resistor failing and find the MTTF for both failing.
+Multiplying the MTTF probabilities for these types of resistor failing gives the MTTF for both failing.
 %
 The FIT value of 12.42 corresponds to
 $12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $.
@ -341,19 +346,23 @@ This is an astronomically small MTTF, and so small that it would
 probably fall below a threshold to sensibly consider.
 %
 However, it is very interesting from a failure analysis perspective,
-because here we have found a fault that we cannot detect (at least at this
+because an undetectable fault  (at least at this
-level in the FMMD hierarchy). 
+level in the FMMD hierarchy) has been revealed. 
 %
-This means that should we wish to cope with
+This means that should it be required to cope with
-this fault, we need to engineer a new way of detecting this
+this fault, a new way of detecting this
-condition, perhaps in higher levels of the system/FMMD hierarchy.
+condition must be engineered, perhaps in higher levels of the system/FMMD hierarchy.
 %
 \paragraph{MTTF statistics and FMMD hierarchies.}
 %
 In a large FMMD model, system/top level failures can be traced
-down to {\bc} {\fms}. To determine the MTTF probability
+down to {\bc} {\fms}. 
-for a system level failure, we add the MTTF statistics for all its possible causes.
+%
-Thus even for large FMMD models we can calculate accurate
+To determine the MTTF probability
-statistics for electronic sourced failures.
+for a system level failure,   the MTTF statistics are added for all its possible causes.
 %
 Thus even for large FMMD models accurate
 statistics for electronic sourced failures can be calculated.
 %
 %\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
 %
@ -366,8 +375,10 @@ statistics for electronic sourced failures.
 %
 Fault Tree Analysis (FTA)~\cite{ftahistory} is a top down methodology that
 draws a fault tree---or top down fault causation diagram---for each given top-level
-failure. With an FMMD model, we can trace all the causes of system failures
+failure. 
-down to the base component level.
+%
 With an FMMD model, all the causes of system failures
 down can be traced to the base component level.
 %
 This would be enough to create a fault causation tree, but FTA introduces 
 concepts of operational and environmental states, and inhibit gates.
@ -380,8 +391,8 @@ The FTA perspective is that some safety can be built in
 by preventing certain things happening (inhibit gates), and by considering 
 different behaviour due to environmental or operational states~\cite{nucfta,nasafta}.
 %
-If we require FMMD to produce full FTA diagrams, we need to add these 
+If FMMD is required to produce full FTA diagrams, these 
-attributes to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally 
+attributes must be added to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally 
 useful in guiding diagnostic analysis.}.
 %
 \fmmdglossINHIBIT
@ -424,35 +435,40 @@ This is rather like a logical guard criterion. For instance in the gas burner st
 states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
 In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
 \fmmdglossFTA
-We now look at the nature of these three attributes and decide how they should fit into the UML
+The nature of these three attributes is examined and decisions are made as how they should fit into the UML
 model for FMMD developed in section~\ref{sec:fmmd_uml}.
 \paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
 levels of electrical interference, high voltage contamination on supply
 lines, radiation levels etc.
 %
 Environmental influences will affect specific components in specific ways\footnote{A good example of a part 
 affected by environmental conditions, in this case temperature, is the opto-isolator~\cite{tlp181}
 which  typically starts having performance problems at {60 \oc} and above. 
 Most electrical components are robust to temperature variations and 
 would not normally require special environmental attributes.}.
 Environmental analysis is thus applicable to components.
 %
 Environmental influences, such as over-stress due to voltage
 can be eliminated by down-rating components as discussed in section~\ref{sec:determine_fms}.
-With given environmental constraints, we can therefore eliminate some failure modes from the model.
+%
 With given environmental constraints, it is therefore possible to eliminate some failure modes from the model.
 \fmmdglossFTA
 \paragraph{Operational states.}
 %
-Within the field of safety critical engineering, we often encounter 
+Within the field of safety critical engineering, 
-elements that include test or self-test facilities. 
+elements are often encountered that include test or self-test facilities. 
 %
 Degraded performance
 (such as only performing certain functions in an emergency) and lockout/emergency conditions
 are also common conditions that are considered.
 %
 We also encounter degraded performance
 (such as only performing certain functions in an emergency) and lockout/emergency conditions.
 These can be broadly termed operational states. %, and apply to the 
 %functional groups.
 %
-We need to determine which UML class is most appropriate to hold a relationship
+The UML class is most appropriate to hold a relationship
-to operational states.
+to operational states must be chosen.
 %
 Consider for instance an electrical circuit that has a TEST line.
 When the TEST line is activated, it supplies a test signal
@ -463,7 +479,7 @@ It seems more appropriate to apply the operational states to {\fgs}
 which %
 %Functional groupings 
 by definition implement functionality, or purpose.
-On this basis we associate operational states with {\fgs}.
+On this basis operational states are associated with {\fgs}.
 %therefore are the best objects to model
 %operational states.% with.
@ -482,7 +498,7 @@ a failure mode.
 This inhibit class can be triggered
 on a combination of environmental or failure modes.
 %
-In the UML diagram, we therefore link this with 
+In the UML diagram, this is therefore, linked  with 
 both environmental conditions and failure modes.
 %
 %
@ -522,12 +538,12 @@ can reveal previously undetected system failure modes.
 %
 This is because the analyst 
 is  forced to deal with all component failure modes when applying the FMMD process, and
-all failure modes of the resultant {\dcs} as we progress up a hierarchy.
+all failure modes of the resultant {\dcs} as the hierarchy is built.
 %
 FMMD requires that all failure modes of components in a {\fg} are resolved to
 a symptom in the resulting {\dc}.
 %
-Because we can enforce a `complete' analysis, FMMD can find failure modes which were missed by
+ As `complete' analysis can be enforced, FMMD can find failure modes which were missed by
 other FMEA processes; meaning that the  FMMD process can expose un-handled 
 failure modes.
 %come to light.
@ -535,7 +551,7 @@ failure modes.
 %
 \paragraph{Retrospective failure mode analysis and software.}
 %
-We can apply retrospective FMMD to electronic and software hybrid systems as well.
+ Retrospective FMMD can be applied to electronic and software hybrid systems. %as well.
 %
 The electronic components {\fms} are established in the literature~\cite{fmd91,mil1991,en298,en230}.
 %
@ -551,7 +567,7 @@ which parts of the FMEA analysis to
 re-visit. 
 %
 For instance, which components in the system should 
-we check against this newly discovered failure mode?
+newly discovered failure mode be checked against?
 %
 This is linked to the concepts behind
 the need for failure mode coverage against all components in the system, that provoked discussions
@ -582,10 +598,10 @@ Finding these could be automated in a software tool that can traverse the failur
 % By treating hardware interfaces to software as {\dcs}, we automatically have a list of the failure modes
 % of the electronics.
 %%
-With the contracts in place for the software functions, we can then integrate them into the FMMD model.
+With the contracts in place for the software functions, they can be integrated into the FMMD model.
 %
 FMMD models both software and hardware;
-we can thus verify that all
+thus it can be verified that all
 failure modes from the electronics module have been dealt
 with by the controlling software. 
 %
@ -598,15 +614,15 @@ This again can be flagged using an automated tool.
 % of the electronics.
 %
 By performing FMMD on a software electronic hybrid system,
-we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface.
+design deficiencies are revealed in both the software, the electronics and the software/electronics interface.
 %in the hardware/software interface.
 %
 \fmmdglossFMEDA
 \fmmdgloss
 FMEDA does not handle software ---or---the software/hardware interface.
 It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures).
-In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise 
+In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them,  
-the safe failure fraction (SFF).
+the safe failure fraction (SFF) is raised.
 %
 %
 %
@ -615,6 +631,7 @@ the safe failure fraction (SFF).
 %Opportunity for formal definitions and perhaps an interface or process for achieving it....
 The act of applying failure mode effects analysis, is commonly performed from
 an `engineering' oriented cause and effect perspective. 
 %
 This is the realm of the objective.
 %
 The executive decisions about deploying systems are in the domain of management and politics.
@ -638,26 +655,39 @@ leak of radioactive material into the environment.
 %
 For the objective failure mode determined by
 FMEA, that of leakage of coolant,
-we would not reasonably expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
+it would not be reasonable to expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
 %
-The criticality level of that accident was therefore subjective. It was not known how the operators
+The criticality level of that accident was therefore subjective. 
 %
 It was not known how the operators
 would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis.
 \paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
 %
-We could term the criticality prediction to be in the domain of subjective reasoning. With an objectively defined  system level failure
+Criticality prediction can be said to be in the domain of subjective reasoning. 
-we often are next required to determine its level of criticality, or how serious the risk posed would be.
+%
 With an objectively defined  system level failure
 it is often required to next determine its level of criticality, or how serious the risk posed would be.
 %
 Two methodologies have started to consider this aspect, FMECA~\cite{fmeca} with its criticality and probability factors, and 
 FMEDA~\cite{en61508,fmeda} with its classification of dangerous and safe failures.
 \fmmdglossFMEDA
 \fmmdglossFMECA
 %
-It is the author's opinion that more work is required to clarify this area. The scope of FMMD is the objective level only.
+It is the author's opinion that more work is required to clarify this area. 
 %
 Accurate models of objective failure modes, are seen by the author to be a pre-requisite
 for subjective assessment.
 %
 The scope of FMMD is the objective level only,
 but offers significant benefits in terms of accuracy and work savings.
 %
 It also offers integrated modelling of software and hardware.
 %
 Its failure mode model can also be used to assist in producing traditional FMEA formats.
 %
 %
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %\today%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%