diff --git a/fmmd_concept/fmmd_concept.tex b/fmmd_concept/fmmd_concept.tex index c9c52c2..442d99c 100644 --- a/fmmd_concept/fmmd_concept.tex +++ b/fmmd_concept/fmmd_concept.tex @@ -7,8 +7,8 @@ \abstract{ This paper proposes a methodology for creating failure mode models of safety critical systems, which -have a common notation -for mechanical, electronic and software domains and apply an +has a common notation +for mechanical, electronic and software domains and applies an incremental and rigorous approach. %% What I have done @@ -20,8 +20,10 @@ a wish list for a more ideal methodology. %% What I have found %% -From the wish list and considering some constraints determined from -the evaluation of the four established methodologies, a new +From the wish list +%and considering some constraints determined from +%the evaluation of the four established methodologies, +a new methodology is developed and proposed. The has been named Failure Mode Modular De-Composition (FMMD). %% Sell it @@ -39,8 +41,8 @@ It is also modular, meaning that the results of analysed components may be re-us This chapter proposes a methodology for creating failure mode models of safety critical systems, which -have a common notation -for mechanical, electronic and software domains and apply an +has a common notation +for mechanical, electronic and software domains and applies an incremental and rigorous approach. %% What I have done @@ -52,8 +54,10 @@ a wish list for a more ideal methodology. %% What I have found %% -From the wish list and considering some constraints determined from -the evaluation of the four established methodologies, a new +From the wish list % +%and considering some constraints determined from +%the evaluation of the four established methodologies, +a new methodology is developed and proposed. The has been named Failure Mode Modular De-Composition (FMMD). %% Sell it 
@@ -82,11 +86,11 @@ advantages that are discussed in the next section. %FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods %lack precision in predicting failure modes at the SYSTEM level. -\paragraph{FMMD outline.} -The Failure Mode Modular De-composition +\paragraph{FMMD in context.} +Failure Mode Modular De-composition (FMMD) aims to address the -weaknesses in these methodoligies and to add -features such as the ability to analyse double +weaknesses in the four established methodoligies, and to add +features such as the ability to analyse multiple failure mode scenarios, and to allow modular re-use of analysis. @@ -95,14 +99,18 @@ of analysis. The FMMD methodology provides a detailed, hierarchical, incremental and analytical modelling system which will create a failure mode model from which -the data models from FTA, FMEA, FMECA and FMEDA (the statistical approach) can be -derived if required. +the data models from FTA, FMEA, FMECA and FMEDA % (the statistical approach) +can be +derived. % if required. An FMMD model is effectively a super set of all the four traditional models. -It also focuses on component interaction within the model. +It also focuses on component interaction within the model, +something not formally considered in the four established methodologies. +% In addition it applies rigorous checking in all the analysis stages ensuring that all component failure modes must be considered in the model. % +\paragraph{FMMD Process outline.} This methodology has been named Failure Mode Modular De-composition (FMMD) because it de-composes a SYSTEM into a hierarchy of modules or {\dc}s. This 
@@ -121,7 +129,7 @@ static failure mode analysis methodologies and lists their known weaknesses. A wish list is then drawn up addressing these weaknesses and adding some extra requirements. Using this wish list the philosophy for the new methodology -is built up. +is determined. % FMMD works from the bottom up, taking small groups of components, {\fgs}, and then analysing how they can fail. @@ -163,9 +171,9 @@ predict all possible undesirable outcomes. It also can miss known component failure modes, by simply not de-composing down to the base component failure level of detail. -\paragraph{A general problem with bottom-up} +\paragraph{A general problem with bottom-up static failure analysis.} With the bottom up techniques we have all the known component failure modes -and the freedom to determine how each of these may affect the SYSTEM. +and the relative freedom to determine how each of these may affect the SYSTEM. % A problem with this is that a component typically interacts in a complex way with several other functionally @@ -178,7 +186,7 @@ The difficulty lies in % %Because of the number of components -our one failure mode may interact with is large. +our failure mode under investigation may interact with is typically very large. % We cannot consider all the components in the SYSTEM when looking at a single failure mode, 
@@ -303,12 +311,16 @@ electronic components was published by the DOD in 1991 (MIL HDK 1991 \cite{mil1991}) and is a typical source for MTFF data. % -It can do this using probability \footnote{for a given component failure mode there will be a $\beta$ value, the -probability that the component failure mode will cause a given SYSTEM failure}. +FMECA has a probability factor for a component causing +a SYSTEM level error. +This is termed the $\beta$ factor. +%\footnote{for a given component failure mode there will be a $\beta$ value, the +%probability that the component failure mode will cause a given SYSTEM failure}. % This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea}, as often the component failure mode cannot be proven to cause a SYSTEM level failure, but -assigned a probability $\beta$ fator by the design engineer. +assigned a probability $\beta$ factor by the design engineer. The use of a $\beta$ factor +is often justified using bayes theorem \cite{probstat}. %Also, it can miss combinations of failure modes that will cause SYSTEM level errors. % The results, as with FMEA are an $RPN$ number determining the significance of the SYSTEM fault. @@ -335,8 +347,8 @@ The results, as with FMEA are an $RPN$ number determining the significance of th Failure Modes, Effects, and Diagnostic Analysis (FMEDA). This is a process that takes all the components in a system, -and from the failure modes of those components, the investigating engineer -must tie them to possible SYSTEM level events/failure modes. +and using the failure modes of those components, the investigating engineer +ties them to possible SYSTEM level events/failure modes. This technique evaluates a products statistical level of safety taking into account its self-diagnostic ability. 
@@ -369,7 +381,7 @@ Failure rates of individual components in the SYSTEM are calculated based on component type and environmental conditions. % -Statistical data exists for most component types \cite{mil1992}. +%Statistical data exists for most component types \cite{mil1992}. % This phase is typically implemented on a spreadsheet with rows representing each component. A typical component spreadshet row would @@ -380,7 +392,8 @@ component type, placing in the system, part number, environmental stress factors \paragraph{Overall SYSTEM failure rate.} The product failure rate is the sum of all component -failure rates. +failure rates. Typically the sum of all MTTF rates for all +components in an FMEDA spreadsheet. %This is the sum of safe and unsafe %failures. @@ -390,14 +403,18 @@ We next evaluate the SYSTEM's self-diagnostic ability. %Each component’s failure modes and failure rate are now available. Failure modes are now classified as safe or dangerous. This is done by taking a component failure mode and determining -how it may react with any other components in the SYSTEM, and taking a final decision +if the SYSTEM error it is tied to is dangerous or safe. +The decision for this may be based on hueristics or field data. +Because we have statistics for each component failure mode, +we can now now classify these in terms of safe and dangerous lambda values. Detectable failure probabilities are labelled `$\lambda_D$' (for dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}. -\paragraph{Determine Detectable and Undetecable Failures} +\paragraph{Determine Detectable and Undetecable Failures.} Each safe and dangerous failure mode is now -determined as detectable or un-detectable by the SYSTEM’s +classified as detectable or un-detectable, this +is determined by the SYSTEM’s self checking features. % This gives us four level failure mode classifications: 
@@ -406,10 +423,11 @@ and the probablistic failure rate of each classification is represented by lambda variables (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). -Because some failure modes may not be discovered theoretically during the static +Because it is recognised that some failure modes may not be discovered theoretically during the static analysis, the % admission of how daft it is to take a component failure mode on its own % and guess how it will affect an ENTIRE complex SYSTEM +% Admission of failure of the process really !!!! next step is to investigate using an actual working SYSTEM. Failures are deliberately caused (by physical intervention), and any new SYSTEM level @@ -476,8 +494,8 @@ There are four SIL levels, from 1 to 4 with 4 being the highest safety level. In addition to probablistic risk factors, the diagnostic coverage and SFF have threshold bands beoming stricter for each level. -Software techniques and constraints are -also become stricter for each SIL level. +Demanded software techniques and constraints +become stricter for each SIL level. Thus FMEDA uses statistical methods to determine a safety level (SIL), typically used to meet an acceptable risk 
@@ -525,10 +543,11 @@ be linked to a dangerous system level failure in an FMEDA study. %A $\beta$ factor, the hueristically defined probability %of the failure causing the system fault may be applied. % -But because there is no detailed analysis of the failure mode behaviour -of the component in its local environment -but traceable directly to the SYSTEM level, it becomes more -guess work than science. +%In FMEDA there is no detailed analysis of the failure mode behaviour +%of the component in its local environment +%Component failure modes are traceable directly to the SYSTEM level. +%it becomes more +%guess work than science. % With FMEDA, there is no rigorous cause and effect analysis for the failure modes and how they interact on the micro scale (the components adjacent to them in terms of functionality). @@ -576,12 +595,12 @@ to smaller and smaller functional modules \cite{maikowski}. \section{Design of a new static failure mode based methodology} -\paragraph{New methodology must be bottom-up} +\paragraph{New methodology must be bottom-up.} In order to ensure that all component failure modes have been covered the methodology will have to work from the bottom-up and start with the component failure modes. % -\paragraph{Natural Fault Finding is top down} +\paragraph{Natural Fault Finding is top down.} The traditional fault finding, or natural fault finding is to work from the top down. % @@ -596,7 +615,7 @@ Simpler and simpler functional blocks are discovered as we delve further into the way the system works and is built. -\paragraph{Need for a `bottom-up' system de-composition} +\paragraph{Need for a `bottom-up' system de-composition.} There is an apparent conflict here. The natural way to de-compose a system is from the top down. % 
@@ -618,7 +637,7 @@ de-composition, because it seeks to break the system down into manageable and separately testable entities. A second justification for this is that the design process for a product requires both top down and bottom-up thinking. To analyse a system from the bottom-up is a useful -design validatio process in itself \cite{sommerville}. +design validation process in itself \cite{sommerville}. \paragraph{Design Decision: Methodology must be bottom-up.} In order to ensure that all component failure modes are handled,
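Review bot: The hunks at `@@ -20,8 +20,10 @@` and `@@ -52,8 +54,10 @@` both leave the context line "The has been named Failure Mode Modular De-Composition (FMMD)." untouched; "The" should be "This", and the spelling "De-Composition" here disagrees with "De-composition" used in the `@@ -95,14 +99,18 @@` hunk. Since the abstract and the chapter introduction are otherwise edited identically, fix both copies in this change, and drop the stray trailing "%" that the second hunk adds to "From the wish list %" but the first does not, so the two passages stay in sync.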
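Review bot: In `@@ -82,11 +86,11 @@` the new line "weaknesses in the four established methodoligies, and to add" carries over the misspelling "methodoligies" while rewording the sentence; since the line is being rewritten anyway, correct it to "methodologies" here rather than in a later pass.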
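Review bot: In `@@ -178,7 +186,7 @@` the replacement line "our failure mode under investigation may interact with is typically very large." no longer parses on its own, because its subject "Because of the number of components" sits on the preceding line and that line is commented out (`%Because of the number of components`). Either uncomment that line or reword the new one as a complete sentence, e.g. "The number of components that the failure mode under investigation may interact with is typically very large."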
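Review bot: In `@@ -303,12 +311,16 @@` the added sentence "is often justified using bayes theorem \cite{probstat}." should read "Bayes' theorem" (proper noun, possessive), and `probstat` is a citation key that does not appear elsewhere in this diff, so confirm it exists in the bibliography file or the build will emit an undefined-citation warning. The hunk also keeps the context misspelling "hueristically" in "%of the failure causing the system fault", which is worth fixing while here.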
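Review bot: In `@@ -380,7 +392,8 @@` the added text "Typically the sum of all MTTF rates for all components in an FMEDA spreadsheet." is both a sentence fragment and technically inconsistent with the line before it: the product failure rate is stated as the sum of component failure rates, whereas MTTF is a time, not a rate, and summing MTTF values does not give a failure rate. Suggest "Typically this is computed as the sum of the failure rates (the reciprocal of each MTTF) of every component row in the FMEDA spreadsheet."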
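Review bot: In `@@ -390,14 +403,18 @@` the added lines contain "hueristics" (should be "heuristics") and a doubled word in "we can now now classify these"; further down, "classified as detectable or un-detectable, this is determined by the SYSTEM's" is a comma splice, so split it ("... or un-detectable. This is determined by ..."). The paragraph title "Determine Detectable and Undetecable Failures." gains only a period in this change; fix "Undetecable" to "Undetectable" in the same edit.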
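Review bot: In `@@ -406,10 +423,11 @@` the added source comment "% Admission of failure of the process really !!!!" is an informal working note that adds nothing to the argument made by the surrounding text; remove it before merging, or, if the point is meant to be made, state it in the prose (the new line "Because it is recognised that some failure modes may not be discovered theoretically during the static analysis" already does so). The same applies to `@@ -525,10 +543,11 @@`, where five lines are commented out rather than deleted: version control preserves the old wording, so delete them to keep the source readable.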