From b2edbec6785b7b1fe902735527c0287e41faa56e Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sun, 17 Feb 2013 14:07:17 +0000 Subject: [PATCH] Sunday edit, Chapter 3, criticism of FMEA leading to wish list. --- submission_thesis/CH3_FMEA_criticism/Makefile | 2 +- submission_thesis/CH3_FMEA_criticism/copy.tex | 135 ++++++++++++++++-- .../CH3_FMEA_criticism/distcon.dia | Bin 0 -> 3436 bytes 3 files changed, 125 insertions(+), 12 deletions(-) create mode 100644 submission_thesis/CH3_FMEA_criticism/distcon.dia diff --git a/submission_thesis/CH3_FMEA_criticism/Makefile b/submission_thesis/CH3_FMEA_criticism/Makefile index 5743eec..cdaf773 100644 --- a/submission_thesis/CH3_FMEA_criticism/Makefile +++ b/submission_thesis/CH3_FMEA_criticism/Makefile @@ -3,7 +3,7 @@ # # Place all .dia files here as .png targets # -DIA = +DIA = distcon.png doc: $(DIA) diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 478e72e..c1b5ea5 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex @@ -1,9 +1,10 @@ \label{sec:chap3} \section{Historical Origins of FMEA} + \subsection{FMEA designed for simple electro-mechanical systems} FMEA traces it roots to the 1940s when it was used to identify the most costly -failures arising from car mass-production~\cite{pfmea}. +failures arising from car mass-production~\cite{bfmea}. It was later modified slightly to include severity of the top level failure (FMECA~\cite{fmeca}). In the 1980s FMEA was extended again (FMEDA~\cite{fmeda}) to provide statistics for predicting failure rates. 
@@ -31,11 +32,119 @@ This problem is compounded by the fact that traditional FMEA cannot integrate so \section{Reasoning Distance used to measure Comparison Complexity} +Traditional FMEA cannot ensure that each failure mode of all its +components are checked against any other components in the system which +it may affect, due to state explosion. +FMEA is therefore performed using heuristics to decide +which components to check the effect of a component failure mode on. +We could term the number of checks made for each failure mode +on aspects of the system to be the reasoning distance. +Were we to compare the reasoning distance with the theoretical maximum, the sum of all failure +modes in a system, multiplied by the number of components in it, we could arrive at a comparison complexity figure. +This figure would mean we could compare the maximum number of checks (i.e. rigorous analysis) +with the number actually performed. + +\section{software and FMEA} + +Traditional FMEA deals only with electrical and mechanical components, i.e. it does not have provision for software. +Modern control systems nearly always have a significant software/firmware element, +and not being able to model software with current FMEA methodologies +is a cause for criticism~\cite{safeware}[Ch.12]. Similar difficulties in integrating mechanical and electronic/software +failure models are discussed in ~\cite{SMR:SMR580}. -\section{FMEA - General Criticism} +\paragraph{Current work on Software FMEA} -\subsection{FMEA - General Criticism} +SFMEA usually does not seek to integrate +hardware and software models, but to perform +FMEA on the software in isolation~\cite{procsfmea}. +% +Work has been performed using databases +to track the relationships between variables +and system failure modes~\cite{procsfmeadb}, to %work has been performed to +introduce automation into the FMEA process~\cite{appswfmea} and to provide code analysis +automation~\cite{modelsfmea}. 
Although the SFMEA and hardware FMEAs are performed separately, +some schools of thought aim for Fault Tree Analysis (FTA)~\cite{nasafta,nucfta} (top down - deductive) +and FMEA (bottom-up inductive) +to be performed on the same system to provide insight into the +software hardware/interface~\cite{embedsfmea}. +% +Although this +would give a better picture of the failure mode behaviour, it +is by no means a rigorous approach to tracing errors that may occur in hardware +through to the top (and therefore ultimately controlling) layer of software. + + +\subsection{The rise of the smart instrument} +%% AWE --- Atomic Weapons Establishment have this problem.... +A smart instrument is defined as one that uses a micro-processor and software +in conjunction with its sensing electronics, rather than +analogue electronics only. +% +It is termed `smart' because it has some software, or intelligence incorporated into it. +% +An AVO-8 multi-meter circa 1970, uses only analogue electronics, and we can determine +using FMEA how component failures within it could affect readings. +% +A modern multi-meter will have a small dedicated micro-processor and sensing electronics, all on the same chip, +with firmware to read the user controls, and display results on an LCD. +% +For quality control, many safety critical processes require regular inspections +and measurements of physical characteristics of materials and machinery. +% +For highly critical systems i.e. the nuclear industry, the instruments used to perform these measurements, must be analysed for +FMEA, to ensure that failure modes within the instrument cannot lead to invalid measurements. +% +Most modern instruments now use highly integrated electronics coupled to micro-controllers, which read and filter the measurements, +and interface to an LCD readout. +% +For the highly critical systems, that means they cannot use traditional FMEA to validate +the design of instruments. 
+% +While noting that being more modern, these instruments are likely to be more reliable and +accurate than the analogue instruments in use some twenty years ago but this cannot be validated +to a high level of reliability by traditional FMEA. + +\subsection{Distributed real time systems} + +Distributed real time systems are control systems where +smart sensors communicate over a communications bus to +a master controller. +% +Most modern cars follow this pattern and use CANbus~\cite{canspec,can}. +% +For instance, the throttle pedal will be linked to a sensor to determine how +far the pedal is pressed. This sensor will be read by a micro-controller, and passed, via CANbus, to the Engine Control Unit (ECU) +which will use that information (along with information from other sensors) to adjust the power required from the engine. +In terms of FMEA, see figure~\ref{fig:distcon}, our reasoning path spans four interface layers of electronics to software. +Traditional FMEA does not cater for the software hardware interface, and here we have the addition complications +%with the additional complications +of the communications protocol used to transmit data, and the failure mode characteristics +of the communications physical layer. + +(figure~\ref{fig:distcon} +The failure reasoning paths for a typical section of a distributed real time system, mean that traditional FMEA +is almost impossible to perform. +% +The base component failure mode to system failure paradigm is utterly anachronistic in the distributed real time system environment. 
+ + +\begin{figure}[h] + \centering + \includegraphics[width=400pt]{./CH3_FMEA_criticism/distcon.png} + % distcon.png: 1622x656 pixel, 72dpi, 57.22x23.14 cm, bb=0 0 1622 656 + \caption{Distributed Control System FMEA reasoning path for a single failure.} + \label{fig:distcon} +\end{figure} + + + + + + +\section{FMEA ---- general criticism --- conclusion} + +%\subsection{FMEA - General Criticism} \begin{itemize} \item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's. @@ -43,26 +152,30 @@ This problem is compounded by the fact that traditional FMEA cannot integrate so \item State explosion - impossible to perform rigorously \item Difficult to re-use previous analysis work \item Very Difficult to model simultaneous failures. - + \item Software and hardware models are separate. + \item Distributed real time systemsare very difficult to meaningfully analyse with FMEA. \end{itemize} +FMEA is no longer fit for purpose! % -\subsection{FMEA - Better Methodology - Wish List} +%\subsection{FMEA - Better Methodology - Wish List} \subsection{FMEA - Better Methodology - Wish List} +We now form a wish list, stating the features that we would want +in an improved FMEA methodology, \begin{itemize} - - \item State explosion - \item Rigorous (total coverage) - \item Reasoning Traceable - \item Re-useable - \item Simultaneous failures + \item No state explosion making analysis impractical, + \item Rigorous (total failure coverage within {\fgs} all interacting component and failure modes checked), + \item Reasoning Traceable in system models, + \item Re-useable i.e. it should be possible to re-use analysis performed previously, + \item It must be possible to analyse simultaneous/multiple failures, + \item Modular --- i.e. usable in a distributed system. % \item \end{itemize} 
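Review bot: the new item `\item Distributed real time systemsare very difficult to meaningfully analyse with FMEA.` is missing a space (`systems are`), and in the same hunk `\cite{safeware}[Ch.12]` puts the chapter reference outside the citation command, so `[Ch.12]` is typeset as literal text; it should be `\cite[Ch.12]{safeware}`. The dangling line `(figure~\ref{fig:distcon}` before `The failure reasoning paths for a typical section ...` has no closing parenthesis and no sentence around it; either fold it into the following sentence or drop it, since `see figure~\ref{fig:distcon}` already appears a few lines earlier in the same paragraph. Smaller points: `here we have the addition complications` should read `the additional complications` (the commented-out line beneath it already has that wording); `\section{software and FMEA}` should be capitalised like the neighbouring section titles; `\section{FMEA ---- general criticism --- conclusion}` uses four hyphens, which LaTeX sets as an em-dash followed by a stray hyphen; and `FMEA is no longer fit for purpose!` reads as a slogan rather than a conclusion supported by the preceding list, so a measured sentence (FMEA does not scale to software-rich, distributed systems) would sit better in a thesis.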
diff --git a/submission_thesis/CH3_FMEA_criticism/distcon.dia b/submission_thesis/CH3_FMEA_criticism/distcon.dia new file mode 100644 index 0000000000000000000000000000000000000000..ba7ef6387f1a20cf868e4bb81c891807dfb966af GIT binary patch literal 3436
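Review bot: `DIA = distcon.png` in the Makefile hunk makes `doc: $(DIA)` depend on a file that this commit does not add, and the rule that builds a `.png` from the `distcon.dia` added here is not in the hunk; confirm a pattern rule such as `%.png: %.dia` exists further down the Makefile, otherwise `make doc` stops with no rule to make the target. It is also worth deciding whether the generated `distcon.png` should be ignored by git rather than committed, since the `.dia` source is what is versioned.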
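Review bot: the first copy.tex hunk changes the citation key in `failures arising from car mass-production~\cite{bfmea}` from `pfmea` to `bfmea`, but the bibliography is not part of this patch; confirm that `bfmea` is defined and that `pfmea` is not still cited elsewhere, otherwise BibTeX reports an undefined citation and a `[?]` appears in the text. The unchanged context line `FMEA traces it roots to the 1940s` carries a typo (`its roots`) that could be fixed while this paragraph is being edited.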