From ba06de1a210796a07458cb6eb579dc3c256abf04 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 10 Aug 2013 18:37:24 +0100 Subject: [PATCH] Whole of Saturday really:wq --- submission_thesis/CH2_FMEA/copy.tex | 9 +- submission_thesis/CH5_Examples/copy.tex | 144 ++++++++++-------- .../CH6_Software_Examples/software.tex | 12 +- submission_thesis/CH7_Evaluation/copy.tex | 18 ++- submission_thesis/CH8_Conclusion/copy.tex | 108 ++++++------- 5 files changed, 165 insertions(+), 126 deletions(-) diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex index 2eaccba..75b4003 100644 --- a/submission_thesis/CH2_FMEA/copy.tex +++ b/submission_thesis/CH2_FMEA/copy.tex @@ -1223,7 +1223,12 @@ self checking features on safety, and provides detailed recommendations for comp % % These SIL levels are broadly linked to the concept of an -acceptance of probability of dangerous failures against time, as shown in table~\ref{tbl:sil_levels}. +acceptance of given probabilities of dangerous +failures against time, as shown in table~\ref{tbl:sil_levels}. +% +The philosophy behind this is that is recognised that no system can have a perfect +safety integrity, but risk and criticality can be matched to acceptable, +or realistic levels of risk. % FMEDA is the fundamental methodology of the statistical (safety integrity level) type standards (EN61508/IOC5108). @@ -1250,7 +1255,7 @@ in the plant. This entire loop must be designed to detect and deal with any hazards and have measures in place to reduce their affects. % -In EN61508 terminology, a safety~loop is known as a safety instrumented function (SIF). +In EN61508 terminology, a safety~loop is known as a Safety Instrumented Function (SIF). % % diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index c0c358f..e27837c 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex 
@@ -785,8 +785,9 @@ The second stage of this amplifier, following the signal path, is the amplifier consisting of $R3,R4$ and $IC2$. % This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier. -The first amplifier was grounded and received as input `+V1' (presumably -a positive voltage). +The first amplifier was connected to ground on its minus input +and received as input `+V1' (explicitly +a positive voltage from the schematic). This means the junction of R2 R3 is always +ve. This means the input voltage `+V2' could be lower than this. This means R3 R4 is not a fixed potential divider, with R4 being on the positive side. @@ -952,7 +953,7 @@ The output of this is passed into another Sallen~Key filter. % -- which although %for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective. Thus we can analyse the first Sallen~Key low pass filter and re-use it for the second stage -(avoiding repeat work that would have had to be performed using traditional FMEA). +(avoiding repeat work that would have been performed using traditional FMEA). \begin{figure}[h] @@ -1070,7 +1071,8 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}. \paragraph{Second order Sallen Key Low Pass Filter.} The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3. From a failure mode perspective these are identical. -We can analyse the first one and then re-use these results for the second (see figure~\ref{fig:circuit2002_FIVEPOLE}). +We can analyse the first one (see table~\ref{tbl:sallenkeylp}) and then re-use these +results for the next stage of analysis (see figure~\ref{fig:circuit2002_FIVEPOLE}). \begin{table}[ht] \caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table 
@@ -1289,7 +1291,8 @@ We can now analyse each of these {\fgs} and create failure mode models for them, determine {\dcs}. \subsection{Inverting Amplifier: INVAMP} -This has been analysed in section~\ref{sec:invamp}. +The inverting amplifier was analysed in section~\ref{sec:invamp} and we can therefore simply re-use those results +i.e. the {\dc} $INVAMP$. The inverting amplifier, as a {\dc}, has the following failure modes: $$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS \}. $$ 
@@ -1299,27 +1302,32 @@ $$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS \subsection{Phase shifter: PHS45} -This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ -- -we now need to see how these failure modes would affect the phase shifter. Note that the circuit here +This consists of a resistor and a capacitor. +% +We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ -- +we now need to see how these failure modes would affect the phase shifter. +% +Note that the circuit here is identical to the low pass filter in circuit topology (see section~\ref{sec:lp}), but its intended use is different. +% We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}. +% Our {\fg} for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$ -(FMMD analysis details at section~\ref{detail:PHS45}) - - - -$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$ +(FMMD analysis details in appendix section~\ref{detail:PHS45}), +% +% +$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} . $$ %$$ CC(G_0) = 4 \times 1 = 4 $$ %23SEP2012 \subsection{Non Inverting Buffer: NIBUFF.} - +% The non-inverting buffer {\fg} is comprised of one component, an op-amp. We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group. % GARK We can express the failure modes for the non-inverting buffer ($NIBUFF$) thus: $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$ - +% %Because we obtain the failure modes for $NIBUFF$ from the literature, %its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort. %$$ CC(NIBUFF) = 0 $$ 
@@ -1331,7 +1339,9 @@ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$ We could at this point bring all the {\dcs} together into one large functional group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba}) -or we could try to merge smaller stages. +or we could try to merge in smaller stages, which will have the side-effect of +creating intermediate {\dcs}. +% Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy. @@ -1513,7 +1523,7 @@ $$ %It has %also This more decomposed approach has given us five {\dcs}, building blocks, which could % -be re-used in other projects. +potentially be re-used in other projects. %potentially be re-used for similar circuitry %to analyse in the future. % @@ -1530,7 +1540,7 @@ there will %would be more {\dcs} and this %therefore increases the potential for re-use of pre-analysed {\dcs}. % -A finer grained model---with potentially more hierarchy stages---conveys that +A finer grained model---with potentially more hierarchy stages---also means that %more work, or more reasoning stages have been used in the analysis. % HTR The more we can modularise, the more we decimate the $O(N^2)$ effect @@ -1922,11 +1932,11 @@ industrial applications below 600\oc, due to high accuracy\cite{aoe}. % %This section looks at the most common configuration, the %four wire circuit, and analyses it from an FMEA perspective twice. -FMMD is performed twice on this circuit -firstly considering single faults only +%FMMD is performed twice on this circuit +%firstly considering single faults only %(cardinality constrained powerset of 1) -and secondly, considering the -possibility of double faults. % (cardinality constrained powerset of 2). +%and secondly, considering the +%possibility of double faults. % (cardinality constrained powerset of 2). % % \ifthenelse {\boolean{pld}} % { 
@@ -1975,9 +1985,13 @@ look-up tables or a suitable polynomial expression. The voltage ranges we expect from this three stage potential divider\footnote{Two stages are required for validation, a third stage is used to measure the current flowing through the circuit to obtain accurate temperature readings.} -are shown in figure \ref{fig:Pt100vrange}. Note that there is -an expected range for each reading, for a given temperature span. -Note that the low reading goes down as temperature increases, and the higher reading goes up. +are shown in figure \ref{fig:Pt100vrange}. +% +Note that there is +an expected range for each low and high reading, for a given temperature span. +% +The low reading goes down as temperature increases, and the higher reading goes up. +% For this reason the low reading will be referred to as {\em sense-} and the higher as {\em sense+}. @@ -2114,7 +2128,7 @@ we can calculate the current by reading the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} -As these calculations are performed by ohms law, which is linear, the accuracy of the reading +As these calculations are performed by Ohms law, which is linear, the accuracy of the reading will be determined by the accuracy of $R_2$ and $R_{3}$. %It is reasonable to %take the mean square error of these accuracy figures. 
@@ -2173,38 +2187,38 @@ for any single error (short or opening of any resistor) this bounds check will detect it. - -\paragraph{Consideration of Resistor Tolerance.} -% -\label{sec:ptbounds} -The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not -altered by having to pass any significant current. The current is supplied -by separate wires and the resistance in those are effectively cancelled -out by considering the voltage reading over $R_3$ to be relative. -% -The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. -One or other of the load resistors (the one over which we measure current) should also -be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an -accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. -% -The \ohms{2k2} loading resistors should have a good temperature co-effecient -(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). -% -To calculate the resistance of the Pt100 element % (and thus derive its temperature), -knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. -% -Lets use, for the sake of example, $R_2$ to measure the current. -% -We can calculate the current $I$, by reading -the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, -and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate -the resistance of $R_3$. -% -As Ohms law is linear, the accuracy of the reading -will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to -take the mean square error of these accuracy figures~\cite{probstat}. 
- +% WAS a repeated paragraph +% \paragraph{Consideration of Resistor Tolerance.} +% % +% \label{sec:ptbounds} +% The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not +% altered by having to pass any significant current. The current is supplied +% by separate wires and the resistance in those are effectively cancelled +% out by considering the voltage reading over $R_3$ to be relative. +% % +% The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. +% One or other of the load resistors (the one over which we measure current) should also +% be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an +% accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. +% % +% The \ohms{2k2} loading resistors should have a good temperature co-effecient +% (i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). +% % +% To calculate the resistance of the Pt100 element % (and thus derive its temperature), +% knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. +% % +% Lets use, for the sake of example, $R_2$ to measure the current. +% % +% We can calculate the current $I$, by reading +% the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. +% We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +% and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate +% the resistance of $R_3$. +% % +% As Ohms law is linear, the accuracy of the reading +% will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +% take the mean square error of these accuracy figures~\cite{probstat}. +% \paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} 
@@ -2305,8 +2319,8 @@ read 5V. Both readings are outside the proscribed range. \subsection{Summary of Analysis} -All six test cases have been analysed and the results agree with the hypothesis -put in table~\ref{ptfmea}. +All six test cases have been analysed and the results agree with the FMEA +presented in table~\ref{ptfmea}. %The PLD diagram, can now be used to collect the symptoms. In this case there is a common and easily detected symptom for all these single resistor faults---that of---`voltage~out~of~range'. @@ -2332,7 +2346,7 @@ resistors in this circuit has failed. \subsection{Derived Component with one failure mode.} The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, -{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a +{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The detectability of a fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$ has been developed for safety critical temperature measurement. % 
@@ -2425,13 +2439,17 @@ TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Rang \label{Pt100:bothfloating} This double fault mode produces an interesting symptom. Both sense lines are floating. +% We cannot know what the {\adctw} readings on them will be. % -In practise these would probably float to low values +In practise these would probably float to low or high values but for the purpose of a safety critical analysis, all we can say is that the values are `floating' and `unknown'. -This is an interesting case, because it is, at this stage an undetectable---or unobservable--- -fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}. +% +This is an interesting case, because it is, at this stage an undetectable %---or unobservable--- +fault. +% +Undetectable faults are generally to be avoided in a safety critical environment~\cite{ACS:ACS1297,721666}. %that must be handled. diff --git a/submission_thesis/CH6_Software_Examples/software.tex b/submission_thesis/CH6_Software_Examples/software.tex index f93ef41..1f8e28a 100644 --- a/submission_thesis/CH6_Software_Examples/software.tex +++ b/submission_thesis/CH6_Software_Examples/software.tex 
@@ -183,11 +183,19 @@ and to outputs (where violations can be considered {\fms} in FMMD terminology). For the purpose of example, we chose a simple common safety critical industrial circuit that is nearly always used in conjunction with a programmatic element. +% A common method for delivering a quantitative value in analogue electronics is to supply a current signal to represent the value to be sent~\cite{aoe}[p.934]. % Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale, -and this is referred to as {\ft} signalling which has intrinsic electrical safety advantages. +and this is referred to as {\ft} signalling. +% +Using current instead of voltage to transmit an analogue value +has intrinsic electrical safety advantages mainly due to +current being constant in a circuit (Kirchovs current law). +% +What is sent as current is what will +arrive at the receiving end. % % Because the current in a loop is constant~\cite{aoe}[p.20], % resistance in the wires between the source and receiving end is not an issue @@ -716,7 +724,7 @@ top or system level failure. For this reason applying traditional FMEA to software stretches the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is performed separately from HFMEA~\cite{sfmea,sfmeaa}, additionally even the software/hardware -interfacing is treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea} +interfacing is usually treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea} We now have a {\dc} for a {\ft} input in software. diff --git a/submission_thesis/CH7_Evaluation/copy.tex b/submission_thesis/CH7_Evaluation/copy.tex index 4d19119..ff11147 100644 --- a/submission_thesis/CH7_Evaluation/copy.tex +++ b/submission_thesis/CH7_Evaluation/copy.tex 
@@ -101,7 +101,7 @@ side effects of failure may manifest due to interaction with other components no The temptation with FMEA can be to follow direct lines of failure effect reasoning without considering side effects. %% -To perform FMEA exhaustively % rigorously +To perform FMEA exhaustively, % rigorously we could stipulate that every failure mode must be checked for effects against all the components in the system. % @@ -132,7 +132,7 @@ of components $G$. %system or {\fg}. \label{sec:formal7} % %\paragraph{Considering a system as a group of Components.} -Using the language developed in the previous chapters +Using the language developed in the previous chapters, we consider a system for analysis as a collection %{\fg} of components. We can represent this set of components as $G$, and the number of components in it by @@ -216,7 +216,7 @@ $i$ for identification and a superscript for the $\alpha$~level (see section~\r %--- %o identify the hierarchy. For example the first {\fg} in a hierarchy containing base components only -i.e. at the zero'th level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$. +i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$. % The {\fg} representing the potential divider in section~\ref{subsec:potdiv} has an $\alpha$ level of 0 (as it contains base components). The {\fg} 
@@ -267,8 +267,9 @@ We overload the comparison complexity function $CC$, to obtain the comparison co \end{equation} \subsection{Complexity Comparison Examples} +\label{sec:theoreticalperfmodel} %\pagebreak[4] -We initially work though the amplifier example from chapter~\ref{sec:chap4}, which has two +We initially work through the amplifier example from chapter~\ref{sec:chap4}, which has two stages, the potential divider and then the amplifier. We add the complexities from both these stages to determine how many reasoning paths there were to perform FMMD analysis on the non-inverting amplifier. @@ -292,6 +293,7 @@ we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16. Even with this very trivial example, we begin to see benefits of taking a modular approach to FMEA. \paragraph{Complexity Comparison for a hypothetical 81 component system.} + %Even considering a $example$ A system, $example$, with just 81 components, with these components having 3 failure modes each would, using equation~\ref{eqn:rd2} have a $CC$ of @@ -474,7 +476,7 @@ produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotx Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} we see that the reasoning distance for large numbers of components becomes extremely difficult to achieve -for FMEA. +for traditional FMEA. % It can be seen that the reasoning distance has gone from a polynomial to a logarithmic order. % @@ -503,7 +505,7 @@ compared to the DFT algorithm. %\clearpage -\subsection{Complexity Comparison applied to FMMD electronic circuits analysed in chapter~\ref{sec:chap5}.} +\section{Complexity Comparison applied to FMMD electronic circuits analysed in chapter~\ref{sec:chap5}.} All the FMMD examples in chapters \ref{sec:chap5} and \ref{sec:chap6} showed a marked reduction in comparison 
@@ -1268,7 +1270,7 @@ We could consider the component a composite of two simpler components, and model their interaction to create a derived component (i.e. use FMMD). % -The second way to do this would be to consider the combnations of non-mutually +The second way to do this would be to consider the combinations of non-mutually exclusive {\fms} as new {\fms}: this approach is discussed below. \ifthenelse {\boolean{paper}} @@ -1353,7 +1355,7 @@ The choice of components for {\fgs} is one to be made by the analyst. The guiding principle it to choose components that are functionally adjacent and try to create the smallest groups possible. There are some mistakes that an analyst could make when choosing the members -of functional groups. These are +of functional groups. These are: \begin{itemize} \item Choosing components that are not functionally adjacent --- i.e. components that do not work together to perform a specific function, \item Not including components that may have side effects on the {\fg}, but are not obviously connected. diff --git a/submission_thesis/CH8_Conclusion/copy.tex b/submission_thesis/CH8_Conclusion/copy.tex index e8a741b..a2e9164 100644 --- a/submission_thesis/CH8_Conclusion/copy.tex +++ b/submission_thesis/CH8_Conclusion/copy.tex @@ -10,8 +10,8 @@ The FMECA and FMEDA variants also suffer from embedding subjective and objective % A modularised FMEA---Failure Mode Modular De-composition (FMMD)---had been proposed. % -This modularised version had been supported by the work already established in the -{\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}. +This modularised version had been supported by the work already established by the definition of +{\fms} for {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}. % A selection of electronic examples was analysed using FMMD which deliberately introduced varying circuit 
@@ -33,21 +33,21 @@ Traditional FMEA methods have been applied to software, but analysis has always the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach. % Using established concepts from contract programming~\cite{dbcbe} FMMD was extended to analyse software, -which allows us to neatly solve the software hardware interfacing problem~\cite{sfmeainterface}. +which facilitated a solution to the software/hardware interfacing problem~\cite{sfmeainterface}. % Two examples of mixed software and hardware systems were analysed as integrated FMMD models -as a proof of concept. The first example in chapter~\ref{sec:chap6}, was +as proof of concept. The first example in chapter~\ref{sec:chap6}, was presented to the System Safety IET conference in 2012~\cite{syssafe2012}. % Chapter~\ref{sec:chap7} viewed FMMD from a formal perspective and looked at problems and constraints necessary to perform FMEA and FMMD. % -Theoretical performance models were developed which showed that with increasing modularisation -the number of manual checks to perform for analysis fell, which was validated by examining the -electronic examples in this regard. +Theoretical performance models were developed (see section~\ref{sec:theoreticalperfmodel}) which showed that with increasing modularisation +the number of manual checks to perform for analysis fell, which was validated by examining the reasoning distance performance of +the examples from chapter~\ref{sec:chap5}. % in this regard. % -A unitary state failure mode constraint was developed for the failure modes of a component, and it was shown that -the FMMD process strictly enforced this throughout the hierarchy of a model. +A unitary state failure mode concept was developed (see section~\ref{sec:unitarystate}), and it was shown that +the FMMD process naturally enforced this throughout the hierarchy of a model. 
% Finally the FMMD process was described algorithmically using set theory in appendix~\ref{sec:algorithmfmmd}.%{app:alg}. @@ -65,13 +65,13 @@ In conclusion then, a new method of failure analysis has been devised which imp \begin{itemize} \item FMMD provides the means to create failure models that integrate software and hardware, - \item State explosion related to exhaustive FMEA solved, - \item Modular approach means analysis work is re-usable, - \item FMMD encourages - \item Distributed systems, and smart instruments, can now be analysed and assessed, - \item Multiple failures can be analysed (without an undue state explosion cost). + \item the state explosion related to exhaustive FMEA solved, + \item a modular approach to FMEA means that analysis work is re-usable, + %\item FMMD encourages + \item distributed systems, and smart instruments, can now be analysed and assessed, + \item multiple failures can be analysed (without an undue state explosion cost). \end{itemize} -Under the following assumptions and constraints: +These benefits fall under the following assumptions and constraints: \begin{itemize} \item Failure modes are available for all {\bcs}, \item Analysts are capable of finding suitable {\fgs} from electronic schematics, @@ -82,7 +82,7 @@ Under the following assumptions and constraints: Whilst investigating FMMD a number of further areas for research revealed themselves. -These are explained below. +These are presented below. %\section{Conclusion} 
@@ -94,27 +94,32 @@ These are explained below. \section{Further Work} %This section describes areas that the study has revealed where the FMMD methodology may be extended or improved. - \section{How traditional FMEA reports can be derived from an FMMD model.} + \subsection{How traditional FMEA reports can be derived from an FMMD model.} % -An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing this +An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing an FMMD hierarchy we can map system level failures back to {\bc} {\fms} (or combinations thereof). % Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}). % With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures. +% The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs} taken from MIL1991 %~\cite{mil1991}, in section~\ref{sec:bcstats}. % With an FMMD failure mode model a top down perspective is possible. +% We could for instance take each system level failure and produce a causation tree for it, tracing back to all {\bc} {\fms}. +% This is very closely related to the structure of FTA (top down) failure causation graphs. +% The possibility of automatically producing FTA diagrams from FMMD models is examined in section~\ref{sec:fta}. +% -\section{Statistics: From base component failure modes to System level events/failures.} +\subsection{Statistics: From base component failure modes to System level events/failures.} \label{sec:bcstats} Knowing the statistical likelihood of a component failing can give a good indication of the reliability of a system, or in the case of dangerous failures, the Safety Integrity Level 
@@ -132,7 +137,7 @@ we can %therefore use FMMD to produce an FMEDA report. -\subsection{Pt100 Example: Single Failures and statistical data}. %Mean Time to Failure} +\paragraph{Pt100 Example: Single Failures and statistical data} %Mean Time to Failure} From an earlier example, the model for the failure mode behaviour of the Pt100 circuit, we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure. @@ -205,22 +210,22 @@ compromises and uses a 9:1 OPEN:SHORT ratio, for resistor failure. % Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED in the other 10\%. -A standard fixed film resistor, for use in a benign environment, non military spec at +A standard fixed film resistor, for use in a benign environment, non military specification at temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) hours of operation (see equation \ref{eqn:resistor}). -This figure is referred to as a FIT\footnote{FIT values are measured as the number of +In EN61508 terminology, this figure is referred to as a Failure in Time FIT\footnote{FIT values are measured as the number of failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the -FIT number the more reliable the fault~mode} Failure in time. - +FIT number the more reliable the component.}. +% The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. - +% \begin{equation} % fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E \label{thermistorfit} \end{equation} - +% \begin{table}[ht] \caption{Bead type Thermistor Failure in time assessment} % title of Table \centering % used for centering table 
@@ -238,23 +243,18 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E \end{tabular} \label{tab:thermistor} \end{table} - - +% \begin{equation} 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} \label{eqn:thermistor} \end{equation} - - +% Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0 - +% Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), showing the FIT values for all faults considered. \glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} - - - \begin{table}[h+] \caption{Pt100 FMEA Single // Fault Statistics} % title of Table \centering % used for centering table 
@@ -331,16 +331,19 @@ This is an astronomically small MTTF, and so small that it would probably fall below a threshold to sensibly consider. % However, it is very interesting from a failure analysis perspective, -because here we have found a fault that we cannot detect at this -level. This means that should we wish to cope with -this fault, we need to devise a way of detecting this -condition in higher levels of the system. +because here we have found a fault that we cannot detect (at least at this +level in the FMMD hierarchy). +% +This means that should we wish to cope with +this fault, we need to devise a new way of detecting this +condition, perhaps in higher levels of the system/FMMD hierarchy. +% \glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}} - - +% +% \subsection{Deriving FTA diagrams from FMMD models} \label{sec:fta} - +% Fault Tree Analysis (FTA)~\cite{ftahistory} is a top down methodology that draws a fault tree---or top down fault causation diagram---for each given top-level failure. With an FMMD model, we can trace all the causes of system failures @@ -357,7 +360,10 @@ The FTA perspective is that some safety can be built in by preventing certain things happening (inhibit gates), and by considering different behaviour due to environmental or operational states~\cite{nucfta,nasafta}. % -If we require FMMD to produce full FTA diagrams, we need to add these attributes to the FMMD UML model. +If we require FMMD to produce full FTA diagrams, we need to add these +attributes to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally +useful in guiding diagnostic analysis.}. + \paragraph{Environment, operational states and inhibit gates: additions to the UML model.} 
@@ -484,9 +490,8 @@ all failure modes of the resultant {\dcs} as we progress up a hierarchy. FMMD requires that all failure modes of components in a {\fg} are resolved to a symptom in the resulting {\dc}. % -FMMD thus finds failure modes that are not -dealt with as a symptom, i.e. were ignored -or forgotten, meaning that the FMMD process will expose un-handled +Because we can enforce a `complete' analysis, FMMD can find failure modes were missed by +other FMEA processes; meaning that the FMMD process can expose un-handled failure modes. %come to light. @@ -521,7 +526,7 @@ By performing FMMD on a software electronic hybrid system, we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface. %in the hardware/software interface. % -FMEDA does not handle software ---or---the software hardware interface. +FMEDA does not handle software ---or---the software/hardware interface. It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures). In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise the safe failure fraction (SFF). @@ -532,7 +537,8 @@ the safe failure fraction (SFF). \section{Objective and Subjective Reasoning stages} %Opportunity for formal definitions and perhaps an interface or process for achieving it.... The act of applying failure mode effects analysis, in terms of cause and effect is viewed from -an engineering perspective. This is the realm of the objective. +an `engineering' mentality cause and effect perspective. This is the realm of the objective. +% The executive decisions about deploying systems are in the domain of management and politics. % The dangers, or potential negative effects of a safety critical system depend not only on the system itself, 
@@ -545,8 +551,8 @@ An example of objective and subjective factors is demonstrated in the accident r nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open. This condition causes an objectively derived failure mode --- `leakage~of~coolant' --- due to a stuck valve. % -This, if recognised correctly by the operators, would have lead to -a short reactor shut-down and then +This, if recognised correctly by the operators, would have lead quickly to +to a reactor shut-down and a maintenance procedure to replace the valve. % The failure was not recognised in time however, and coolant was lost @@ -557,8 +563,8 @@ For the objective failure mode determined by FMEA, that of leakage of coolant, we would not reasonably expect this to go unchecked and unresolved for an extended period and cause such a critical failure. % -The criticality level is therefore subjective. We cannot know how the operators -would have reacted, and deficiencies in the HMI were not a factor in the failure analysis. +The criticality level of that accident was therefore subjective. It was not known how the operators +would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis. \paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
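Review bot: The subject line "Whole of Saturday really:wq" carries a stray `:wq` (a vim save-and-quit typed into the editor); the commit message should be amended before merge, and a subject that names the chapters touched (CH2, CH5, CH6, CH7, CH8 wording and structure fixes) would make the history searchable.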
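Review bot: Grammar slip in the new sentence in CH2 @@ -1223: "The philosophy behind this is that is recognised that no system" is missing a pronoun; suggest "The philosophy behind this is that it is recognised that no system can have perfect safety integrity, but that risk and criticality can be matched to acceptable, or realistic, levels of risk."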
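Review bot: Drive-by for CH2 @@ -1250, in the unchanged context two lines above the SIF change: "have measures in place to reduce their affects" should read "effects"; since the hunk already touches the SIF sentence it is cheap to fix here.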
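Review bot: The rewritten parenthetical in CH5 @@ -785 reads awkwardly: "received as input `+V1' (explicitly a positive voltage from the schematic)"; suggest "(a positive voltage, as marked on the schematic)". The sentence that follows, "This means the junction of R2 R3 is always +ve", relies on this, so it is worth making the grounding of the minus input and the sign of +V1 read cleanly.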
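Review bot: Punctuation in CH5 @@ -1289: "we can therefore simply re-use those results i.e. the {\dc} $INVAMP$" needs a comma before "i.e." (or "that is, the {\dc} $INVAMP$"); as written the run-in reads as a single clause.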
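Review bot: In CH5 @@ -1299 the sentence "Our {\fg} for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$ (FMMD analysis details in appendix section~\ref{detail:PHS45})," ends on a comma and then drops straight into the display equation for $fm(G_0)$, so it never completes; suggest closing it with "and has the failure modes" (or a colon) before the `$$ fm (G_0) = ... $$` line. The interleaved `%` lines are harmless to TeX but do not supply the missing connective.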
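Review bot: CH5 @@ -1922 comments out the only remaining statement that the Pt100 circuit is analysed twice, first for single faults and then for double faults (the earlier "This section looks at ..." sentence was already commented). The later hunks still contain "\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}" and the double-fault test cases (TC 18, \label{Pt100:bothfloating}), so the section intro should still tell the reader that both cardinalities are covered; and if the sentence is really unwanted, delete it rather than leaving five commented lines, since git keeps the history.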
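Review bot: CH5 @@ -2114 capitalises "ohms law" to "Ohms law" but the possessive is still missing; it should be "Ohm's law" here and in the footnote on the same hunk, which also has "the current flowing though it" for "through it".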
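Review bot: Commenting out the repeated paragraph in CH5 @@ -2173 also comments out `\label{sec:ptbounds}`; unless the surviving copy of "Consideration of Resistor Tolerance" carries that label, every `\ref{sec:ptbounds}` in the thesis now resolves to "??". Please grep for the label before merging, and prefer deleting the 38 commented lines outright ("% WAS a repeated paragraph" plus the body) rather than carrying dead text in the source.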
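Review bot: Drive-by for CH5 @@ -2305, in the unchanged context line "Both readings are outside the proscribed range": "proscribed" means forbidden; the intended word is "prescribed" (the allowed range the bounds check uses).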
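Review bot: In CH5 @@ -2332 the context line keeps `{\textbf OUT\_OF\_RANGE}`; `\textbf` takes a braced argument, so as written only the first token is set in bold. Use `\textbf{OUT\_OF\_RANGE}` since the hunk is already editing this sentence.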
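Review bot: Spelling in the changed line of CH5 @@ -2425: "In practise these would probably float" should be "In practice" (noun). The reworked "undetectable %---or unobservable--- / fault." is fine for TeX (the space before `%` survives, so it sets as "undetectable fault"), but it would be cleaner to drop the commented fragment entirely.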
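Review bot: CH6 @@ -183 adds "(Kirchovs current law)"; the name is "Kirchhoff's current law". The surrounding wording "current being constant in a circuit" is what the hunk actually relies on (the same current at every point in a series loop), so "Kirchhoff's current law applied to a series loop" would tie the parenthetical to the claim.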
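Review bot: In CH6 @@ -716 the sentence ending "...interfacing is usually treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea}" has no full stop before the blank line and "We now have a {\dc} for a {\ft} input in software." Add the period after the `\cite{}`.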
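Review bot: The blank line inserted after `\paragraph{Complexity Comparison for a hypothetical 81 component system.}` in CH7 @@ -292 ends the paragraph, so the run-in heading is set on its own line and the body text starts a fresh paragraph below it, unlike the other `\paragraph` headings in the chapter. If the intent was only to separate the source lines, use a `%` line as the rest of the patch does.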
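Review bot: Drive-by for CH7 @@ -1353: the context line "The guiding principle it to choose components" should be "is to choose"; the hunk touches the same paragraph ("These are:"), so it can be fixed in passing.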
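Review bot: CH8 @@ -65: after lower-casing the list items, "\item the state explosion related to exhaustive FMEA solved," has no verb; suggest "the state explosion related to exhaustive FMEA is solved" (or "has been addressed"). The following list, introduced by "These benefits fall under the following assumptions and constraints:", still uses capitalised items ("Failure modes are available for all {\bcs}", "Analysts are capable ..."), so the two lists are now inconsistent with each other.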
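Review bot: CH8 @@ -205: "referred to as a Failure in Time FIT\footnote{...}." should introduce the abbreviation in parentheses, "Failure in Time (FIT)"; and the sentence period now falls after the footnote mark ("FIT\footnote{...}."), where the usual convention is "FIT.\footnote{...}" with the footnote text ending in its own full stop. The glossary entry added in the later hunk already defines FIT, so the footnote could be shortened to the "roughly 114,000 years" remark.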
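Review bot: CH8 @@ -238: the numeric evaluation "0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315" multiplies four factors, but the formula it claims to evaluate, `resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E` (\label{thermistorfit}, visible as context in the previous hunk), has only three; the commented-out form with `{\pi}_{R}` has four. Either restore the $\pi_R$ term in the equation and table~\ref{tab:thermistor}, or drop the spare 1.0, so the worked example matches the stated formula. The 0.315 per $10^6$ hours to "FIT of 315.0" conversion itself is consistent.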
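Review bot: Grammar in the rewritten sentence of CH8 @@ -484: "FMMD can find failure modes were missed by other FMEA processes; meaning that" needs "failure modes that were missed", and the semicolon before a participial clause should be a comma: "..., meaning that the FMMD process can expose un-handled failure modes."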
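Review bot: In CH8 @@ -521 "FMEDA does not handle software ---or---the software/hardware interface." keeps the odd spacing around the dashes, which sets as "software —or—the"; plain "FMEDA does not handle software, or the software/hardware interface." reads better and matches the rest of the chapter.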
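Review bot: The reworded opening of CH8 @@ -532 now says "in terms of cause and effect is viewed from an `engineering' mentality cause and effect perspective", repeating "cause and effect" within one sentence; suggest "The act of applying failure mode effects analysis is viewed from an `engineering' cause-and-effect perspective. This is the realm of the objective."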
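Review bot: CH8 @@ -545 introduces a doubled word across the line break, "would have lead quickly to / to a reactor shut-down", and "lead" should be the past participle "led": "would quickly have led to a reactor shut-down and a maintenance procedure to replace the valve."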