diff --git a/presentations/System_safety_2012/Makefile b/presentations/System_safety_2012/Makefile new file mode 100644 index 0000000..8abfb65 --- /dev/null +++ b/presentations/System_safety_2012/Makefile @@ -0,0 +1,13 @@ + +DIAPNG= three_tree.png component.png fmmd_env_op_uml.png fmmd_exm_h.png master_uml.png mvampcircuit.png mvamp.png n_inv_dc.png pd.png pd_euler2.png pd_euler.png + +%.png:%.dia + dia -t png $< + +all: $(DIAPNG) + pdflatex fmmd_software_pres + acroread fmmd_software_pres.pdf || evince fmmd_software_pres.pdf + + +bib: + bibtex fmmd_software_pres diff --git a/presentations/System_safety_2012/component.dia b/presentations/System_safety_2012/component.dia new file mode 100644 index 0000000..4ff7001 Binary files /dev/null and b/presentations/System_safety_2012/component.dia differ diff --git a/presentations/System_safety_2012/fmmd_env_op_uml.dia b/presentations/System_safety_2012/fmmd_env_op_uml.dia new file mode 100644 index 0000000..6225a05 Binary files /dev/null and b/presentations/System_safety_2012/fmmd_env_op_uml.dia differ diff --git a/presentations/System_safety_2012/fmmd_exm_h.dia b/presentations/System_safety_2012/fmmd_exm_h.dia new file mode 100644 index 0000000..708b789 Binary files /dev/null and b/presentations/System_safety_2012/fmmd_exm_h.dia differ diff --git a/presentations/System_safety_2012/fmmd_software_pres.tex b/presentations/System_safety_2012/fmmd_software_pres.tex new file mode 100644 index 0000000..42f3773 --- /dev/null +++ b/presentations/System_safety_2012/fmmd_software_pres.tex 
@@ -0,0 +1,1045 @@ +\documentclass{beamer} +%\documentclass[handout]{beamer} +\title[Failure Mode Effects Analysis]{Failure Mode Effects Analysis\\A critical view} +\usetheme{Warsaw} +\usepackage[latin1]{inputenc} +\author{Robin Clark -- Energy Technology Control Ltd} +\institute{Brighton University} +\setbeamertemplate{footline}[page number] + + +\newcommand{\fg}{\em functional~group} +\newcommand{\fgs}{\em functional~groups} +\newcommand{\dc}{\em derived~component} +\newcommand{\dcs}{\em derived~components} +\newcommand{\bc}{\em base~component} +\newcommand{\bcs}{\em base~components} +\newcommand{\irl}{in~real~life} + +\begin{document} + +\section{F.M.E.A.} +\begin{frame} +\frametitle{FMEA} +%\tableofcontents[currentsection] +\end{frame} + + + +\begin{frame} +\frametitle{FMEA} +This talk introduces Failure Mode Effects Analysis, and the different ways it is applied. +These techniques are discussed, and then +a refinement is proposed, which is essentially a modularisation of the FMEA process. +% + +\begin{itemize} + \pause \item Failure + \pause \item Mode + \pause \item Effects + \pause \item Analysis +\end{itemize} + +\end{frame} + +% % \begin{itemize} +% \item Failure +% \item Mode +% \item Effects +% \item Analysis +% \end{itemize} + + +\subsection{FMEA basic concept} + +\begin{frame} +\begin{itemize} + \pause \item \textbf{F - Failures of given component} Consider a component in a system + \pause \item \textbf{M - Failure Mode} Look at one of the ways in which it can fail (i.e. 
determine a component `failure~mode') + \pause \item \textbf{E - Effects} Determine the effects this failure mode will cause to the system we are examining + \pause \item \textbf{A - Analysis} Analyse how much impact this symptom will have on the environment/people/the system itsself +\end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{ FMEA Example: Milli-volt reader} +Example: Let us consider a system, in this case a milli-volt reader, consisting +of instrumentation amplifiers connected to a micro-processor +that reports its readings via RS-232. +\begin{figure} + \centering + \includegraphics[width=175pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} + + +\end{frame} + + +\begin{frame} + \frametitle{FMEA Example: Milli-volt reader} +Let us perform an FMEA and consider how one of its resistors failing could affect +it. +For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry. +\begin{figure} + \centering + \includegraphics[width=175pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} + +\end{frame} + + + + +\begin{frame} + \frametitle{FMEA Example: Milli-volt reader} +\begin{figure} + \centering + \includegraphics[width=80pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} +\begin{itemize} + \pause \item \textbf{F - Failures of given component} The resistor (R1) could fail by going OPEN or SHORT (EN298 definition). + \pause \item \textbf{M - Failure Mode} Consider the component failure mode SHORT + \pause \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING + \pause \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading +\end{itemize} +\end{frame} + + + +\begin{frame} +Note here that we have had to look at the failure~mode +in relation to the entire circuit. 
\pause +We have used intuition to determine the probable +effect of this failure mode. \pause +We have not examined this failure mode +against every other component in the system. \pause +Perhaps we should.... this would be a more rigorous and complete +approach in looking for system failures. + +\end{frame} + +\subsection{Rigorous FMEA - State Explosion} +\begin{frame} + \frametitle{Rigorous Single Failure FMEA} +Consider the analysis +where we look at all the failure modes in a system, and then +see how they can affect all other components within it. +\end{frame} + + + \begin{frame} +\frametitle{Rigorous Single Failure FMEA} +We need to look at a large number of failure scenarios +to do this completely (all failure modes against all components). +This is represented in the equation below. %~\ref{eqn:fmea_state_exp}, +where $N$ is the total number of components in the system, and +$f$ is the number of failure modes per component. + + +\begin{equation} + \label{eqn:fmea_single} + N.(N-1).f % \\ + %(N^2 - N).f +\end{equation} +\end{frame} + + +\begin{frame} +\frametitle{Rigorous Single Failure FMEA} +This would mean an order of $N^2$ number of checks to perform +to undertake a `rigorous~FMEA'. Even small systems have typically +100 components, and they typically have 3 or more failure modes each. +$100*99*3=29,700$. +\end{frame} + + + + +\begin{frame} + \frametitle{Rigorous Double Failure FMEA} +For looking at potential double failure scenarios (two components +failing within a given time frame) and the order becomes +$N^3$. \pause + +\begin{equation} + \label{eqn:fmea_double} + N.(N-1).(N-2).f % \\ + %(N^2 - N).f +\end{equation} + \pause +$100*99*98*3=2,910,600$. +\pause + +.\\ + +The European Gas burner standard (EN298:2003), demands the checking of +double failure scenarios (for burner lock-out scenarios). 
+ +\end{frame} + +\begin{frame} +\frametitle{Four main Variants of FMEA} + \begin{itemize} + \pause \item \textbf{PFMEA - Production} \pause Car Manufacture etc + \pause \item \textbf{FMECA - Criticallity} \pause Military/Space + \pause \item \textbf{FMEDA - Statistical safety} \pause EN61508/IOC1508 \pause Safety Integrity Levels + \pause \item \textbf{DFMEA - Design or static/theoretical} \pause EN298/EN230/UL1998 +\end{itemize} +\end{frame} + + + + +\section{PFMEA - Production FMEA : 1940's to present} + +\begin{frame} + \frametitle{PFMEA} +Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of +cost, problems to be addressed in product production.\pause + +It focuses on known problems, determines the +frequency they occur and their cost to fix.\pause +This is multiplied together and called an RPN +number.\pause +Fixing problems with the highest RPN number +will return most cost benefit.\pause + +\end{frame} + + +\begin{frame} +% benign example of PFMEA in CARS - make something up. +\frametitle{PFMEA Example} + +{ +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline +% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ +% ruptured f.tank & & & & \\ \hline + + +\hline +\end{tabular} +\end{table} +} + +%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle. +%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million. +%COSTS +%Sales: 11 million cars, 1.5 million light trucks. +%Unit Cost: $11 per car, $11 per truck. 
+%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million. + + + + +\end{frame} + + + +%\subsection{Production FMEA : Example Ford Pinto : 1975} +\begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./ad_ford_pinto_mpg_red_3_1975.jpg} + % ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700 + \caption{Ford Pinto Advert} + \label{fig:fordpintoad} +\end{figure} + +\end{frame} + + + \begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./burntoutpinto.png} + % burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250 + \caption{Burnt Out Pinto} + \label{fig:burntoutpinto} +\end{figure} + + +\end{frame} + + +\begin{frame} + \frametitle{PFMEA Example: Ford Pinto: 1975} + { +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline + rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ + ruptured f.tank & & & allow & \\ \hline + + rear end crash & $1$ & $11$ & recall & 11.0 \\ + ruptured f.tank & & & fix tank & \\ \hline + +\hline +\end{tabular} +\end{table} +} + + + http://www.youtube.com/watch?v=rcNeorjXMrE + +\end{frame} + + + + +\section{FMECA - Failure Modes Effects and Criticality Analysis} + + + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticallity Analysis} +\begin{figure} + \centering + %\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg} + \includegraphics[width=100pt]{./A10_thunderbolt.jpg} + % 
military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 184 + \caption{A10 Thunderbolt} + \label{fig:f16missile} +\end{figure} +Emphasis on determining criticality of failure. +Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures). +\end{frame} + + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} +Very similar to PFMEA, but instead of cost, a criticality or +seriousness factor is ascribed to putative top level incidents.\pause +FMECA has three probability factors for component failures.\pause + +\textbf{FMECA ${\lambda}_{p}$ value.} +This is the overall failure rate of a base component. +This will typically be the failure rate per million ($10^6$) or +billion ($10^9$) hours of operation.\pause reference MIL1991. \pause + +\textbf{FMECA $\alpha$ value.} +The failure mode probability, usually denoted by $\alpha$ is the probability of +a particular failure~mode occurring within a component. \pause reference FMD-91. +%, should it fail. +%A component with N failure modes will thus have +%have an $\alpha$ value associated with each of those modes. +%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one. +\end{frame} + +\begin{frame} +\frametitle{ FMECA - Failure Modes Effects and Criticality Analysis} +\textbf{FMECA $\beta$ value.} +The second probability factor $\beta$, is the probability that the failure mode +will cause a given system failure.\pause +This corresponds to `Bayesian' probability, given a particular +component failure mode, the probability of a given system level failure. +\pause +\textbf{FMECA `t' Value}\pause +The time that a system will be operating for, or the working life time of the product is +represented by the variable $t$. +%for probability of failure on demand studies, +%this can be the number of operating cycles or demands expected. 
+\pause +\textbf{Severity `s' value} +A weighting factor to indicate the seriousness of the putative system level error. +%Typical classifications are as follows:~\cite{fmd91} +\pause +\begin{equation} + C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s} +\end{equation} +\pause +Highest $C_m$ values would be at the top of a `to~do' list +for a project manager. +\end{frame} + + + +\section{FMEDA - Failure Modes Effects and Diagnostic Analysis} + + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\begin{figure} + \centering + \includegraphics[width=200pt]{./SIL.png} + % SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286 + \caption{SIL requirements} +\end{figure} + +\end{frame} + + + + + +\begin{frame} + +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} + +\begin{itemize} + \pause \item \textbf{Statistical Safety} \pause Safety Integrity Level (SIL) standards (EN61508/IOC5108). + \pause \item \textbf{Diagnostics} \pause Diagnostic or self checking elements modelled + \pause \item \textbf{Complete Failure Mode Coverage} \pause All failure modes of all components must be in the model + \pause \item \textbf{Guidelines} \pause To system architectures and development processes +\end{itemize} + +% FMEDA is the methodology behind statistical (safety integrity level) +% type standards (EN61508/IOC5108). \pause +% It provides a statistical overall level of safety +% and allows diagnostic mitigation for self checking etc. \pause +% It provides guidelines for the design and architecture +% of computer/software systems for the four levels of +% safety Integrity. +% %For Hardware +% \pause +% FMEDA does force the user to consider all components in a system +% by requiring that a MTTF value is assigned for each failure~mode; \pause +% the MTTF may be statistically mitigated (improved) +% if it can be shown that self-checking will detect failure modes. 
+ +\end{frame} + + + + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Failure Mode Classifications in FMEDA.} + \begin{itemize} + \pause \item \textbf{Safe or Dangerous} \pause Failure modes are classified SAFE or DANGEROUS + \pause \item \textbf{Detectable failure modes} \pause Failure modes are given the attribute DETECTABLE or UNDETECTABLE + \pause \item \textbf{Four attributes to Failure Modes} \pause All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) + \pause \item \textbf{Four statistical properties of a system} \pause \\ +$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$ +\end{itemize} + +% Failure modes are classified as Safe or Dangerous according +% to the putative system level failure they will cause. \pause +% The Failure modes are also classified as Detected or +% Undetected. +% This gives us four level failure mode classifications: +% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU), +% and the probabilistic failure rate of each classification +% is represented by lambda variables +% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). +\end{frame} +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Diagnostic Coverage.} +The diagnostic coverage is simply the ratio +of the dangerous detected probabilities +against the probability of all dangerous failures, +and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents +the percentage of dangerous detected base component failure modes, and +$\Sigma\lambda_D$ the total number of dangerous base component failure modes. 
+ +$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$ +\end{frame} + + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of +safe detected base component failure modes, +and $\Sigma\lambda_S$ the total number of safe base component failure modes, +is given as + +$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$ +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Safe Failure Fraction.} +A key concept in FMEDA is Safe Failure Fraction (SFF). +This is the ratio of safe and dangerous detected failures +against all safe and dangerous failure probabilities. +Again this is usually expressed as a percentage. + +$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$ +\pause +SFF determines how proportionately fail-safe a system is, not how reliable it is ! \pause +Weakness in this philosophy; \pause adding extra safe failures (even unused ones) improves the SFF. + +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with +hardware architectures and software techniques. \pause +The overall the aim of SIL is classify the safety of a system, +by statistically determining how frequently it can fail dangerously. 
+ + +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +{ +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\ + & Prob of failing on demand & Prob of failure per hour \\ \hline \hline + 4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline + 3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline + 2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline + 1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline + +\hline +\end{tabular} +\end{table} +} +Table adapted from EN61508-1:2001 [7.6.2.9 p33] +\end{frame} + +\begin{frame} +\frametitle{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +FMEDA is a modern extension of FMEA, in that it will allow for +self checking features, and provides detailed recommendations for computer/software architecture. \pause +It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest). + +%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is +%part of product approval for many regulated products in the EU and the USA... + +\end{frame} + + + + +\section{FMEA used for Safety Critical Approvals} + +\begin{frame} +\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA} +\begin{figure}[h] + \centering + \includegraphics[width=100pt,keepaspectratio=true]{./tech_meeting.png} + % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 + \caption{FMEA Meeting} + \label{fig:tech_meeting} +\end{figure} +Static FMEA, Design FMEA, Approvals FMEA \pause + +Experts from Approval House and Equipment Manufacturer +discuss selected component failure modes +judged to be in critical sections of the product. 
+ + + +\end{frame} + +\begin{frame} +\frametitle{DESIGN FMEA: Safety Critical Approvals FMEA} + +\begin{figure}[h] + \centering + \includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png} + % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 + \caption{FMEA Meeting} + \label{fig:tech_meeting} +\end{figure} + +\begin{itemize} + \pause \item Impossible to look at all component failures let alone apply FMEA rigorously. + \pause \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented. + \pause \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented. +\end{itemize} + +\end{frame} + +\section{FMEA - General Criticism} +\begin{frame} +\frametitle{FMEA - General Criticism} + +\begin{itemize} + \pause \item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's. + \pause \item Reasoning Distance - component failure to system level symptom + \pause \item State explosion - impossible to perform rigorously + \pause \item Difficult to re-use previous analysis work + \pause \item Very Difficult to model simultaneous failures. 
+ +\end{itemize} + +% + +\end{frame} + + +\subsection{FMEA - Better Methodology - Wish List} + +\begin{frame} +\frametitle{FMEA - Better Metodology - Wish List} + +\begin{itemize} + + \pause \item State explosion + \pause \item Rigorous (total coverage) + \pause \item Reasoning Traceable + \pause \item Re-useable + \pause \item Simultaneous failures + %\pause \item +\end{itemize} + +%FMEDA is a modern extension of FMEA, in that it will allow for +%self checking features, and provides detailed recommendations for computer/software architecture, +%but + +\end{frame} +\section{Failure Mode Modular De-Composition} +\begin{frame} + \frametitle{FMMD - Failure Mode Modular De-Composition} +% Consider the FMEA type methodologies +% where we look at all the failure modes in a system, and then +% see how they can affect all other components within it, +% to determine its system level symptom or failure mode. +% We need to look at a large number of failure scenarios +% to do this completely (all failure modes against all components). +% This is represented in equation~\ref{eqn:fmea_state_exp}, +% where $N$ is the total number of components in the system, and +% $f$ is the number of failure modes per component. +% +% \begin{equation} +% \label{eqn:fmea_state_exp} +% N.(N-1).f % \\ +% %(N^2 - N).f +% \end{equation} + +\begin{itemize} + + \pause \item Analysis occurs in small stages, within {\fgs} + \pause \item Each {\fg} is analysed until we have a set of its symptoms of failure. + \pause \item A {\dc} is created with its failure modes being the symptoms from the {\fg} + \pause \item We can now use {\dcs} as higher level components + \pause \item We can build a failure model hierarchy in this way + %\pause \item +\end{itemize} + +% The FMMD methodology breaks the analysis down into small stages, +% by making the analyst choose {\fgs} of components, to which FMEA is applied. +% When analysed, a set of symptoms of failure for the {\fg} is used to create a derived~component. 
\pause +% The derived components failure modes, are the symptoms of the {\fg} +% from which it was derived. \pause +% We can use derived components to form `higher~level' {\fgs}. +% This creates an analysis hierarchy. +\end{frame} + + +\subsection{FMMD Outline of Methodology} +\begin{frame} +\frametitle{FMMD - Outline of Methodology} +\begin{itemize} + \pause \item Select `{\fgs}' of components ( groups that perform a well defined function). + \pause \item Using the failure modes of the components create failure scenarios. + \pause \item Analyse each failure scenario of the {\fg}. + \pause \item Collect Symptoms. + \pause \item Create a '{\dc}', where its failure modes are the symptoms of the {\fg} from which it was derived. + \pause \item The {\dc} is now available to be used in higher level {\fgs}. + %\pause \item We can represent this process as a function which converts a {\fg} into a {\dc} and use the symbol $ \bowtie $ to represet it. + \pause $ \bowtie ( FunctionalGroup ) \rightarrow {DerivedComponent} $ + %\item could use AMALG instead here $ \amalg $ +\end{itemize} +\end{frame} + + + +\subsection{FMMD - Example - Milli Volt Amplifier} +\begin{frame} +\frametitle{FMMD - Example - Milli Volt Amplifier} +\begin{figure} + \centering + \includegraphics[width=100pt]{./mvampcircuit.png} + % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 +\end{figure} + +We return to the milli-volt amplifier as an example to analyse. +\pause +We can begin by looking for functional groups.\pause +The resistors perform a fairly common function in electronics, that of the potential divider. +So our first functional group is $\{ R1, R2 \}$.\pause +We can now take the failure modes for the resistors (OPEN and SHORT EN298) and see what effect each of these failures will have on the {\fg} (the potential divider). 
+ +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Resistor and failure modes} +Resistor and its failure modes represented as a directed graph. + +\begin{figure} + \centering + \includegraphics[width=200pt]{./resistor_failure_graph.png} + % resistor_failure_graph.png: 391x279 pixel, 93dpi, 10.68x7.62 cm, bb=0 0 303 216 + \label{fig:resasfm} +\end{figure} + +\end{frame} + + +\subsubsection{Potential Divider} +\begin{frame} +\frametitle{FMMD - Example - Failure mode analysis of Potential Divider} + + +\begin{table} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ +\textbf{ / test case } & & \textbf{ } & & \textbf{ } \\ + \hline + FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ \hline + FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline + FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline + FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline +\hline +\end{tabular} +\end{table} + +\begin{figure} + \centering + \includegraphics[width=100pt,keepaspectratio=true]{./pd.png} + % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 +\end{figure} +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} +\begin{figure} + \centering + \includegraphics[width=175pt]{./pd_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} +\begin{figure} + \centering + \includegraphics[width=200pt]{./pd_dc_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} + +We can now use this pre-analysed potential divider `derived~component' +in a higher level design. 
+ +\begin{figure} + \centering + \includegraphics[width=100pt]{./pd_dc_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + +\subsection{Non Inverting OP-AMP} + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics{./mvampcircuit.png} + % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 +\end{figure} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=300pt]{./non_inv_amp_fmea.png} + % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369 +\end{figure} + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +% \begin{figure} +% \centering +% \includegraphics[width=200pt]{./opamp_failures_as_graph.png} // op amp failure modes +% % opamp_failures_as_graph.png: 329x440 pixel, 93dpi, 8.99x12.02 cm, bb=0 0 255 341 +% \end{figure} +\begin{figure} + \centering + \includegraphics[width=150pt]{./fg_opamp_pd_as_graph.png} + % fg_opamp_pd_as_graph.png: 750x826 pixel, 93dpi, 20.49x22.56 cm, bb=0 0 581 640 +\end{figure} +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=150pt]{./n_inv_dc.png} + % n_inv_dc.png: 296x326 pixel, 72dpi, 10.44x11.50 cm, bb=0 0 296 326 +\end{figure} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=200pt]{./fmmd_exm_h.png} + % fmmd_exm_h.png: 376x241 pixel, 72dpi, 13.26x8.50 cm, bb=0 0 376 241 +\end{figure} + + +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +%We can view the functional groups in FMMD as forming a hierarchy. 
+%If +% For the sake of example we consider each functional group to +% be three components, the figure below shows +% how the levels work and converge to a top or system level. +\begin{figure} + \centering + \includegraphics[width=300pt]{./three_tree.png} + % three_tree.png: 780x226 pixel, 72dpi, 27.52x7.97 cm, bb=0 0 780 226 + \caption{Functional Group Tree example} + \label{fig:three_tree} +\end{figure} +\pause +For the sake of example we consider each functional group to +be three components, the figure below shows +how the levels work and converge to a top or system level. +\end{frame} + + \begin{frame} + \frametitle{FMMD - Failure Mode Modular De-Composition} +The fact FMMD analyses small groups of components at a time, and organises them +into a hierarchy +addresses the state explosion problem. \pause + +For FMEA where we check every component failure mode rigorously +against all the other components (we could call this \textbf{RFMEA}) +Where $N$ is the number of components, we can determine the order +of complexity $ O(N^2) $ thus. +% % +\begin{equation} + \label{eqn:fmea_single2} + N.(N-1).f +\end{equation} +% +% %\end{frame} + \end{frame} + + + +\begin{frame} +\frametitle{FMMD - comparing number of checks RFMEA $\ldots$ FMMD} + +If we consider $c$ to be the number of components in a {\fg}, $f$ is the number of failure modes per component, and +$L$ to be the number of levels in the hierarchy of FMMD analysis. + + +We can represent the number of failure scenarios to check in an FMMD hierarchy +with equation~\ref{eqn:anscen}. +\pause +\begin{equation} + \label{eqn:anscen} + \sum_{n=0}^{L} {c}^{n}.c.f.(c-1) +\end{equation} + + +\end{frame} + + + +% So for a very simple analysis with three components forming a functional group where +% each component has three failure modes, we have only one level (zero'th). +% So to check every failure modes against the other components in the functional group +% requires 18 checks. 
+% +% \begin{equation} +% \label{eqn:anscen2} +% \sum_{n=0}^{0} {3}^{0}.3.3.(3-1) = 18 +% \end{equation} +% \clearpage +% +% +% +% In other words, we have three components in our functional group, +% and nine failure modes to consider. +% So taking each failure mode and looking at how that could affect the functional group, +% we must compare each failure mode against the two other components (the `$c-1$' term). +% +% For the one `zero' level FMMD case we are doing the same thing as FMEA type analysis +% (but on a very simple small sub-system). +% We are looking at how each failure~mode can effect the system/top level. +% We can use equation~\ref{eqn:fmea_state_exp44} to represent +% the number of checks to rigorously perform FMEA, where $N$ is the total +% number of components in the system, and $f$ is the number of failures per component. + + +% +% Where $N=3$ and $f=3$ we can see that the number of checks for this simple functional +% group is the same for equation~\ref{eqn:fmea_state_exp22} +% and equation~\ref{eqn:anscen}. +% \clearpage + +%\section{Example}/bowtie +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +To see the effects of reducing `state~explosion' we can use an example. +% with fixed numbers +%for components in a functional group, and failure modes per component. +Let us take a system with 3 levels of FMMD analysis, +with three components per functional group and three failure modes per component, + and apply these formulae. +Having 4 levels (in addition to the top zeroth level) +will require 81 base level components. 
+ +$$ +%\begin{equation} + \label{eqn:fmea_state_exp22} + 81.(81-1).3 = 19440 % \\ + %(N^2 - N).f +%\end{equation} +$$ + +$$ +%\begin{equation} + % \label{eqn:anscen} + \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 +%\end{equation} +$$ +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} + + + +\begin{itemize} + \pause \item Thus for FMMD we needed to examine 720 failure~modes against functionally adjacent components, and for traditional FMEA +type analysis methods, the number rises to 19440. + \pause \item 19440 `checks' is not practical + \pause \item 720 checks is quite alot, but... + \pause \item Modules in FMMD can be re-used... +\end{itemize} +% In practical example followed through, no more than 9 components have ever been required for a functional +% group and the largest known number of failure modes has been 6. +% If we take these numbers and double them (18 components per functional group +% and 12 failure modes per component) and apply the formulas for a 4 level analysis +% (i.e. + +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} + +To determine all possible double simultaneous failures for rigorous FMEA + the order $O(N^3)$. + + +\begin{equation} + \label{eqn:fmea_state_exp2} + N.(N-1).(N-2).f % \\ + %(N^2 - N).f +\end{equation} + +Or express in terms of the level + +\begin{equation} + \label{eqn:fmea_state_exp2} + c^{L+1}.(c^{L+1}-1).(c^{L+1}-2).f % \\ + %(N^2 - N).f +\end{equation} + +\pause +The FMMD case (equation~\ref{eqn:anscen2}), is cubic within the functional groups only, +not all the components in the system. 
+\begin{equation} + \label{eqn:anscen2} + \sum_{n=0}^{L} {c}^{n}.c.f.(c-1).(c-2) +\end{equation} +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Traceability} +Because each reasoning stage contains associations ($FailureMode \rightarrow Symptom$) +we can trace the `reasoning' from base level component failure mode to top level/system +failure, by traversing the tree/hierarchy. This is in effect providing a `framework' of the reasoning. + + +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Re-usability} +Electronic Systems use commonly re-used functional groups (such as potential~dividers, amplifier configurations etc) +Once a derived component is determined, it can generally be used in other projects. + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Total coverage} +With FMMD we can ensure that all component failure modes +have been represented as a symptom in the derived components created from them. +We can thus apply automated checking to ensure that no +failure modes, from base or derived components have been +missed in an analysis. +\end{frame} + + + +\subsection{conclusion} +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Conclusion: FMMD} + +\begin{itemize} + \pause \item Addresses State Explosion + \pause \item Addresses total coverage of all components and their failure modes + \pause \item Provides traceable reasoning + \pause \item derived components are re-use-able +\end{itemize} +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Questions?} +\end{frame} + +\end{document} diff --git a/presentations/System_safety_2012/master_uml.dia b/presentations/System_safety_2012/master_uml.dia new file mode 100644 index 0000000..6775a97 Binary files /dev/null and b/presentations/System_safety_2012/master_uml.dia differ 
diff --git a/presentations/System_safety_2012/mvamp.dia b/presentations/System_safety_2012/mvamp.dia new file mode 100644 index 0000000..f6168b9 Binary files /dev/null and b/presentations/System_safety_2012/mvamp.dia differ diff --git a/presentations/System_safety_2012/mvampcircuit.dia b/presentations/System_safety_2012/mvampcircuit.dia new file mode 100644 index 0000000..a0d4ad1 Binary files /dev/null and b/presentations/System_safety_2012/mvampcircuit.dia differ diff --git a/presentations/System_safety_2012/n_inv_dc.dia b/presentations/System_safety_2012/n_inv_dc.dia new file mode 100644 index 0000000..98aaf02 Binary files /dev/null and b/presentations/System_safety_2012/n_inv_dc.dia differ diff --git a/presentations/System_safety_2012/pd.dia b/presentations/System_safety_2012/pd.dia new file mode 100644 index 0000000..1f18d93 Binary files /dev/null and b/presentations/System_safety_2012/pd.dia differ diff --git a/presentations/System_safety_2012/pd_euler.dia b/presentations/System_safety_2012/pd_euler.dia new file mode 100644 index 0000000..8cec333 Binary files /dev/null and b/presentations/System_safety_2012/pd_euler.dia differ diff --git a/presentations/System_safety_2012/pd_euler2.dia b/presentations/System_safety_2012/pd_euler2.dia new file mode 100644 index 0000000..2521b47 Binary files /dev/null and b/presentations/System_safety_2012/pd_euler2.dia differ diff --git a/presentations/System_safety_2012/three_tree.dia b/presentations/System_safety_2012/three_tree.dia new file mode 100644 index 0000000..ce105bd Binary files /dev/null and b/presentations/System_safety_2012/three_tree.dia differ
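Review bot: in fmmd_software_pres.tex the label eqn:fmea_state_exp2 is defined twice in the double-failure frame, first on the N.(N-1).(N-2).f equation and again on the c^{L+1}.(c^{L+1}-1).(c^{L+1}-2).f equation; LaTeX will warn about a multiply-defined label and any \ref{eqn:fmea_state_exp2} resolves to whichever definition comes last, so give the second equation its own label (for example eqn:fmea_state_exp2_levels). In the worked-example frame the prose says "Let us take a system with 3 levels of FMMD analysis" and two sentences later "Having 4 levels (in addition to the top zeroth level) will require 81 base level components"; since the sum runs n=0 to 3 and 81 = 3^4, these should be reconciled to one statement (four levels counting the zeroth, i.e. L=3) so the text matches the formulae that follow. The \label{eqn:fmea_state_exp22} in that frame sits inside a $$ ... $$ display, which is unnumbered, so the label carries no equation number and a \ref to it (as in the commented-out text above) would print the section number instead; use a numbered equation environment or drop the label. Minor: "720 checks is quite alot" should read "quite a lot", and the three_tree frame says "the figure below shows" although the figure environment is placed above that sentence (the same sentence also survives as a commented copy just before the figure and can be deleted).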