robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Whole of Saturday really:wq

Browse Source
This commit is contained in:
Robin Clark 2013-08-10 18:37:24 +01:00
parent 6f5578dffa
commit ba06de1a21
5 changed files with 165 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
submission_thesis/CH2_FMEA/copy.tex
View File

@ -1223,7 +1223,12 @@ self checking features on safety, and provides detailed recommendations for comp
%
%
These SIL levels are broadly linked to the concept of an
acceptance of probability of dangerous failures against time, as shown in table~\ref{tbl:sil_levels}.
acceptance of given probabilities of dangerous
failures against time, as shown in table~\ref{tbl:sil_levels}.
%
The philosophy behind this is that is recognised that no system can have a perfect
safety integrity, but risk and criticality can be matched to acceptable,
or realistic levels of risk.
%
FMEDA is the fundamental methodology of the statistical (safety integrity level)
type standards (EN61508/IOC5108).
@ -1250,7 +1255,7 @@ in the plant.
This entire loop must be designed to detect and deal with any hazards
and have measures in place to reduce their affects.
%
In EN61508 terminology, a safety~loop is known as a safety instrumented function (SIF).
In EN61508 terminology, a safety~loop is known as a Safety Instrumented Function (SIF).
%
%

144
submission_thesis/CH5_Examples/copy.tex
View File

@ -785,8 +785,9 @@ The second stage of this amplifier, following the signal path, is the amplifier
consisting of $R3,R4$ and $IC2$.
%
This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier.
The first amplifier was grounded and received as input `+V1' (presumably
a positive voltage).
The first amplifier was connected to ground on its minus input
and received as input `+V1' (explicitly
a positive voltage from the schematic).
This means the junction of R2 R3 is always +ve.
This means the input voltage `+V2' could be lower than this.
This means R3 R4 is not a fixed potential divider, with R4 being on the positive side.
@ -952,7 +953,7 @@ The output of this is passed into another Sallen~Key filter. % -- which although
%for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use it
for the second stage
(avoiding repeat work that would have had to be performed using traditional FMEA).
(avoiding repeat work that would have been performed using traditional FMEA).
\begin{figure}[h]
@ -1070,7 +1071,8 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second (see figure~\ref{fig:circuit2002_FIVEPOLE}).
We can analyse the first one (see table~\ref{tbl:sallenkeylp}) and then re-use these
results for the next stage of analysis (see figure~\ref{fig:circuit2002_FIVEPOLE}).
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
@ -1289,7 +1291,8 @@ We can now analyse each of these {\fgs} and create failure mode models for them,
determine {\dcs}.
\subsection{Inverting Amplifier: INVAMP}
This has been analysed in section~\ref{sec:invamp}.
The inverting amplifier was analysed in section~\ref{sec:invamp} and we can therefore simply re-use those results
i.e. the {\dc} $INVAMP$.
The inverting amplifier, as a {\dc}, has the following failure modes:
$$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS \}. $$
@ -1299,27 +1302,32 @@ $$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS
\subsection{Phase shifter: PHS45}
This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
This consists of a resistor and a capacitor.
%
We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
we now need to see how these failure modes would affect the phase shifter.
%
Note that the circuit here
is identical to the low pass filter in circuit topology (see section~\ref{sec:lp}), but its intended use is different.
%
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
%
Our {\fg} for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$
(FMMD analysis details at section~\ref{detail:PHS45})
$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$
(FMMD analysis details in appendix section~\ref{detail:PHS45}),
%
%
$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} . $$
%$$ CC(G_0) = 4 \times 1 = 4 $$
%23SEP2012
\subsection{Non Inverting Buffer: NIBUFF.}
%
The non-inverting buffer {\fg} is comprised of one component, an op-amp.
We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group.
% GARK
We can express the failure modes for the non-inverting buffer ($NIBUFF$) thus:
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
%
%Because we obtain the failure modes for $NIBUFF$ from the literature,
%its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort.
%$$ CC(NIBUFF) = 0 $$
@ -1331,7 +1339,9 @@ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
We could at this point bring all the {\dcs} together into one large functional
group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba})
or we could try to merge smaller stages.
or we could try to merge in smaller stages, which will have the side-effect of
creating intermediate {\dcs}.
%
Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy.
@ -1513,7 +1523,7 @@ $$
%It has %also
This more decomposed approach has
given us five {\dcs}, building blocks, which could %
be re-used in other projects.
potentially be re-used in other projects.
%potentially be re-used for similar circuitry
%to analyse in the future.
%
@ -1530,7 +1540,7 @@ there will %would
be more {\dcs} and this %therefore
increases the potential for re-use of pre-analysed {\dcs}.
%
A finer grained model---with potentially more hierarchy stages---conveys that
A finer grained model---with potentially more hierarchy stages---also means that
%more work, or
more reasoning stages have been used in the analysis.
% HTR The more we can modularise, the more we decimate the $O(N^2)$ effect
@ -1922,11 +1932,11 @@ industrial applications below 600\oc, due to high accuracy\cite{aoe}.
%
%This section looks at the most common configuration, the
%four wire circuit, and analyses it from an FMEA perspective twice.
FMMD is performed twice on this circuit
firstly considering single faults only
%FMMD is performed twice on this circuit
%firstly considering single faults only
%(cardinality constrained powerset of 1)
and secondly, considering the
possibility of double faults. % (cardinality constrained powerset of 2).
%and secondly, considering the
%possibility of double faults. % (cardinality constrained powerset of 2).
%
% \ifthenelse {\boolean{pld}}
% {
@ -1975,9 +1985,13 @@ look-up tables or a suitable polynomial expression.
The voltage ranges we expect from this three stage potential divider\footnote{Two stages are required
for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings.}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
are shown in figure \ref{fig:Pt100vrange}.
%
Note that there is
an expected range for each low and high reading, for a given temperature span.
%
The low reading goes down as temperature increases, and the higher reading goes up.
%
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
@ -2114,7 +2128,7 @@ we can calculate the current by reading
the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
As these calculations are performed by ohms law, which is linear, the accuracy of the reading
As these calculations are performed by Ohms law, which is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$.
%It is reasonable to
%take the mean square error of these accuracy figures.
@ -2173,38 +2187,38 @@ for any single error (short or opening of any resistor) this bounds check
will detect it.
\paragraph{Consideration of Resistor Tolerance.}
%
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example, $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate
the resistance of $R_3$.
%
As Ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{probstat}.
% WAS a repeated paragraph
% \paragraph{Consideration of Resistor Tolerance.}
% %
% \label{sec:ptbounds}
% The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
% altered by having to pass any significant current. The current is supplied
% by separate wires and the resistance in those are effectively cancelled
% out by considering the voltage reading over $R_3$ to be relative.
% %
% The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
% One or other of the load resistors (the one over which we measure current) should also
% be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
% accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
% %
% The \ohms{2k2} loading resistors should have a good temperature co-effecient
% (i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
% %
% To calculate the resistance of the Pt100 element % (and thus derive its temperature),
% knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
% %
% Lets use, for the sake of example, $R_2$ to measure the current.
% %
% We can calculate the current $I$, by reading
% the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
% We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
% and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate
% the resistance of $R_3$.
% %
% As Ohms law is linear, the accuracy of the reading
% will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
% take the mean square error of these accuracy figures~\cite{probstat}.
%
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
@ -2305,8 +2319,8 @@ read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in table~\ref{ptfmea}.
All six test cases have been analysed and the results agree with the FMEA
presented in table~\ref{ptfmea}.
%The PLD diagram, can now be used to collect the symptoms.
In this case there is a common and easily detected symptom for all these single
resistor faults---that of---`voltage~out~of~range'.
@ -2332,7 +2346,7 @@ resistors in this circuit has failed.
\subsection{Derived Component with one failure mode.}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The detectability of a
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
@ -2425,13 +2439,17 @@ TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Rang
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
%
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to low values
In practise these would probably float to low or high values
but for the purpose of a safety critical analysis,
all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}.
%
This is an interesting case, because it is, at this stage an undetectable %---or unobservable---
fault.
%
Undetectable faults are generally to be avoided in a safety critical environment~\cite{ACS:ACS1297,721666}.
%that must be handled.

12
submission_thesis/CH6_Software_Examples/software.tex
View File

@ -183,11 +183,19 @@ and to outputs (where violations can be considered {\fms} in FMMD terminology).
For the purpose of example, we chose a simple common safety critical industrial circuit
that is nearly always used in conjunction with a programmatic element.
%
A common method for delivering a quantitative value in analogue electronics is
to supply a current signal to represent the value to be sent~\cite{aoe}[p.934].
%
Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale,
and this is referred to as {\ft} signalling which has intrinsic electrical safety advantages.
and this is referred to as {\ft} signalling.
%
Using current instead of voltage to transmit an analogue value
has intrinsic electrical safety advantages mainly due to
current being constant in a circuit (Kirchovs current law).
%
What is sent as current is what will
arrive at the receiving end.
%
% Because the current in a loop is constant~\cite{aoe}[p.20],
% resistance in the wires between the source and receiving end is not an issue
@ -716,7 +724,7 @@ top or system level failure.
For this reason applying traditional FMEA to software stretches
the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is
performed separately from HFMEA~\cite{sfmea,sfmeaa}, additionally even the software/hardware
interfacing is treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea}
interfacing is usually treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea}
We now have a {\dc} for a {\ft} input in software.

18
submission_thesis/CH7_Evaluation/copy.tex
View File

@ -101,7 +101,7 @@ side effects of failure may manifest due to interaction with other components no
The temptation with FMEA can be to follow direct lines of failure effect reasoning without considering
side effects.
%%
To perform FMEA exhaustively % rigorously
To perform FMEA exhaustively, % rigorously
we could stipulate that every failure mode must be checked for effects
against all the components in the system.
%
@ -132,7 +132,7 @@ of components $G$. %system or {\fg}.
\label{sec:formal7}
%
%\paragraph{Considering a system as a group of Components.}
Using the language developed in the previous chapters
Using the language developed in the previous chapters,
we consider a system for analysis as a collection %{\fg}
of components.
We can represent this set of components as $G$, and the number of components in it by
@ -216,7 +216,7 @@ $i$ for identification and a superscript for the $\alpha$~level (see section~\r
%---
%o identify the hierarchy.
For example the first {\fg} in a hierarchy containing base components only
i.e. at the zero'th level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$.
i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$.
%
The {\fg} representing the potential divider in section~\ref{subsec:potdiv}
has an $\alpha$ level of 0 (as it contains base components). The {\fg}
@ -267,8 +267,9 @@ We overload the comparison complexity function $CC$, to obtain the comparison co
\end{equation}
\subsection{Complexity Comparison Examples}
\label{sec:theoreticalperfmodel}
%\pagebreak[4]
We initially work though the amplifier example from chapter~\ref{sec:chap4}, which has two
We initially work through the amplifier example from chapter~\ref{sec:chap4}, which has two
stages, the potential divider and then the amplifier. We add the complexities from
both these stages to determine how many reasoning paths there were to perform FMMD analysis on the
non-inverting amplifier.
@ -292,6 +293,7 @@ we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16.
Even with this very trivial example, we begin to see benefits of taking a modular approach to FMEA.
\paragraph{Complexity Comparison for a hypothetical 81 component system.}
%Even considering a $example$
A system, $example$, with just 81 components, with these components
having 3 failure modes each would, using equation~\ref{eqn:rd2} have a $CC$ of
@ -474,7 +476,7 @@ produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotx
Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} we see that the reasoning distance
for large numbers of components becomes extremely difficult to achieve
for FMEA.
for traditional FMEA.
%
It can be seen that the reasoning distance has gone from a polynomial to a logarithmic order.
%
@ -503,7 +505,7 @@ compared to the DFT algorithm.
%\clearpage
\subsection{Complexity Comparison applied to FMMD electronic circuits analysed in chapter~\ref{sec:chap5}.}
\section{Complexity Comparison applied to FMMD electronic circuits analysed in chapter~\ref{sec:chap5}.}
All the FMMD examples in chapters \ref{sec:chap5}
and \ref{sec:chap6} showed a marked reduction in comparison
@ -1268,7 +1270,7 @@ We could consider the component a composite
of two simpler components, and model their interaction to
create a derived component (i.e. use FMMD).
%
The second way to do this would be to consider the combnations of non-mutually
The second way to do this would be to consider the combinations of non-mutually
exclusive {\fms} as new {\fms}: this approach is discussed below.
\ifthenelse {\boolean{paper}}
@ -1353,7 +1355,7 @@ The choice of components for {\fgs} is one to be made by the analyst.
The guiding principle it to choose components that are functionally adjacent
and try to create the smallest groups possible.
There are some mistakes that an analyst could make when choosing the members
of functional groups. These are
of functional groups. These are:
\begin{itemize}
\item Choosing components that are not functionally adjacent --- i.e. components that do not work together to perform a specific function,
\item Not including components that may have side effects on the {\fg}, but are not obviously connected.

108
submission_thesis/CH8_Conclusion/copy.tex
View File

@ -10,8 +10,8 @@ The FMECA and FMEDA variants also suffer from embedding subjective and objective
%
A modularised FMEA---Failure Mode Modular De-composition (FMMD)---had been proposed.
%
This modularised version had been supported by the work already established in the
{\fms} of {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}.
This modularised version had been supported by the work already established by the definition of
{\fms} for {\bc} in the literature~\cite{fmd91,mil1991,en298,en230}.
%
A selection of electronic examples was analysed using FMMD
which deliberately introduced varying circuit
@ -33,21 +33,21 @@ Traditional FMEA methods have been applied to software, but analysis has always
the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach.
%
Using established concepts from contract programming~\cite{dbcbe} FMMD was extended to analyse software,
which allows us to neatly solve the software hardware interfacing problem~\cite{sfmeainterface}.
which facilitated a solution to the software/hardware interfacing problem~\cite{sfmeainterface}.
%
Two examples of mixed software and hardware systems were analysed as integrated FMMD models
as a proof of concept. The first example in chapter~\ref{sec:chap6}, was
as proof of concept. The first example in chapter~\ref{sec:chap6}, was
presented to the System Safety IET conference in 2012~\cite{syssafe2012}.
%
Chapter~\ref{sec:chap7} viewed FMMD from a formal perspective and looked at problems and constraints
necessary to perform FMEA and FMMD.
%
Theoretical performance models were developed which showed that with increasing modularisation
the number of manual checks to perform for analysis fell, which was validated by examining the
electronic examples in this regard.
Theoretical performance models were developed (see section~\ref{sec:theoreticalperfmodel}) which showed that with increasing modularisation
the number of manual checks to perform for analysis fell, which was validated by examining the reasoning distance performance of
the examples from chapter~\ref{sec:chap5}. % in this regard.
%
A unitary state failure mode constraint was developed for the failure modes of a component, and it was shown that
the FMMD process strictly enforced this throughout the hierarchy of a model.
A unitary state failure mode concept was developed (see section~\ref{sec:unitarystate}), and it was shown that
the FMMD process naturally enforced this throughout the hierarchy of a model.
%
Finally the FMMD process was described algorithmically using set theory in appendix~\ref{sec:algorithmfmmd}.%{app:alg}.
@ -65,13 +65,13 @@ In conclusion then, a new method of failure analysis has been devised which imp
\begin{itemize}
\item FMMD provides the means to create failure models that integrate software and hardware,
\item State explosion related to exhaustive FMEA solved,
\item Modular approach means analysis work is re-usable,
\item FMMD encourages
\item Distributed systems, and smart instruments, can now be analysed and assessed,
\item Multiple failures can be analysed (without an undue state explosion cost).
\item the state explosion related to exhaustive FMEA solved,
\item a modular approach to FMEA means that analysis work is re-usable,
%\item FMMD encourages
\item distributed systems, and smart instruments, can now be analysed and assessed,
\item multiple failures can be analysed (without an undue state explosion cost).
\end{itemize}
Under the following assumptions and constraints:
These benefits fall under the following assumptions and constraints:
\begin{itemize}
\item Failure modes are available for all {\bcs},
\item Analysts are capable of finding suitable {\fgs} from electronic schematics,
@ -82,7 +82,7 @@ Under the following assumptions and constraints:
Whilst investigating FMMD a number of further areas for research revealed themselves.
These are explained below.
These are presented below.
%\section{Conclusion}
@ -94,27 +94,32 @@ These are explained below.
\section{Further Work}
%This section describes areas that the study has revealed where the FMMD methodology may be extended or improved.
\section{How traditional FMEA reports can be derived from an FMMD model.}
\subsection{How traditional FMEA reports can be derived from an FMMD model.}
%
An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing this
An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing an FMMD hierarchy
we can map system level failures back to {\bc} {\fms} (or combinations thereof).
%
Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}).
%
With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures.
%
The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs}
taken from MIL1991 %~\cite{mil1991},
in section~\ref{sec:bcstats}.
%
With an FMMD failure mode model a top down perspective is possible.
%
We could for instance take each system level failure and produce a causation tree for it, tracing back
to all {\bc} {\fms}.
%
This is very closely related to the structure of FTA (top down) failure causation graphs.
%
The possibility of automatically producing FTA diagrams from FMMD models
is examined in section~\ref{sec:fta}.
%
\section{Statistics: From base component failure modes to System level events/failures.}
\subsection{Statistics: From base component failure modes to System level events/failures.}
\label{sec:bcstats}
Knowing the statistical likelihood of a component failing can give a good indication
of the reliability of a system, or in the case of dangerous failures, the Safety Integrity Level
@ -132,7 +137,7 @@ we can %therefore
use FMMD to produce an FMEDA report.
\subsection{Pt100 Example: Single Failures and statistical data}. %Mean Time to Failure}
\paragraph{Pt100 Example: Single Failures and statistical data} %Mean Time to Failure}
From an earlier example, the model for the failure mode behaviour of the Pt100 circuit,
we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure.
@ -205,22 +210,22 @@ compromises and uses a 9:1 OPEN:SHORT ratio, for resistor failure.
%
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
A standard fixed film resistor, for use in a benign environment, non military specification at
temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}).
This figure is referred to as a FIT\footnote{FIT values are measured as the number of
In EN61508 terminology, this figure is referred to as a Failure in Time FIT\footnote{FIT values are measured as the number of
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the
FIT number the more reliable the fault~mode} Failure in time.
FIT number the more reliable the component.}.
%
The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in
equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}.
%
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
\label{thermistorfit}
\end{equation}
%
\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
@ -238,23 +243,18 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
\end{tabular}
\label{tab:thermistor}
\end{table}
%
\begin{equation}
0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
\label{eqn:thermistor}
\end{equation}
%
Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0
%
Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\begin{table}[h+]
\caption{Pt100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
@ -331,16 +331,19 @@ This is an astronomically small MTTF, and so small that it would
probably fall below a threshold to sensibly consider.
%
However, it is very interesting from a failure analysis perspective,
because here we have found a fault that we cannot detect at this
level. This means that should we wish to cope with
this fault, we need to devise a way of detecting this
condition in higher levels of the system.
because here we have found a fault that we cannot detect (at least at this
level in the FMMD hierarchy).
%
This means that should we wish to cope with
this fault, we need to devise a new way of detecting this
condition, perhaps in higher levels of the system/FMMD hierarchy.
%
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
%
%
\subsection{Deriving FTA diagrams from FMMD models}
\label{sec:fta}
%
Fault Tree Analysis (FTA)~\cite{ftahistory} is a top down methodology that
draws a fault tree---or top down fault causation diagram---for each given top-level
failure. With an FMMD model, we can trace all the causes of system failures
@ -357,7 +360,10 @@ The FTA perspective is that some safety can be built in
by preventing certain things happening (inhibit gates), and by considering
different behaviour due to environmental or operational states~\cite{nucfta,nasafta}.
%
If we require FMMD to produce full FTA diagrams, we need to add these attributes to the FMMD UML model.
If we require FMMD to produce full FTA diagrams, we need to add these
attributes to the FMMD UML model\footnote{Top down failure mode models, such as FTA, are additionally
useful in guiding diagnostic analysis.}.
\paragraph{Environment, operational states and inhibit gates: additions to the UML model.}
@ -484,9 +490,8 @@ all failure modes of the resultant {\dcs} as we progress up a hierarchy.
FMMD requires that all failure modes of components in a {\fg} are resolved to
a symptom in the resulting {\dc}.
%
FMMD thus finds failure modes that are not
dealt with as a symptom, i.e. were ignored
or forgotten, meaning that the FMMD process will expose un-handled
Because we can enforce a `complete' analysis, FMMD can find failure modes were missed by
other FMEA processes; meaning that the FMMD process can expose un-handled
failure modes.
%come to light.
@ -521,7 +526,7 @@ By performing FMMD on a software electronic hybrid system,
we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface.
%in the hardware/software interface.
%
FMEDA does not handle software ---or---the software hardware interface.
FMEDA does not handle software ---or---the software/hardware interface.
It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures).
In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise
the safe failure fraction (SFF).
@ -532,7 +537,8 @@ the safe failure fraction (SFF).
\section{Objective and Subjective Reasoning stages}
%Opportunity for formal definitions and perhaps an interface or process for achieving it....
The act of applying failure mode effects analysis, in terms of cause and effect is viewed from
an engineering perspective. This is the realm of the objective.
an `engineering' mentality cause and effect perspective. This is the realm of the objective.
%
The executive decisions about deploying systems are in the domain of management and politics.
%
The dangers, or potential negative effects of a safety critical system depend not only on the system itself,
@ -545,8 +551,8 @@ An example of objective and subjective factors is demonstrated in the accident r
nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open.
This condition causes an objectively derived failure mode --- `leakage~of~coolant' --- due to a stuck valve.
%
This, if recognised correctly by the operators, would have lead to
a short reactor shut-down and then
This, if recognised correctly by the operators, would have lead quickly to
to a reactor shut-down and
a maintenance procedure to replace the valve.
%
The failure was not recognised in time however, and coolant was lost
@ -557,8 +563,8 @@ For the objective failure mode determined by
FMEA, that of leakage of coolant,
we would not reasonably expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
%
The criticality level is therefore subjective. We cannot know how the operators
would have reacted, and deficiencies in the HMI were not a factor in the failure analysis.
The criticality level of that accident was therefore subjective. It was not known how the operators
would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis.
\paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}