This commit is contained in:
Robin Clark 2010-11-16 11:37:29 +00:00
parent e977502eb7
commit ba702f32b7

@ -7,8 +7,8 @@
\abstract{
This paper proposes a methodology for
creating failure mode models of safety critical systems, which
have a common notation
for mechanical, electronic and software domains and apply an
has a common notation
for mechanical, electronic and software domains and applies an
incremental and rigorous approach.
%% What I have done
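Review bot: the number agreement is fixed, but the relative clause is still misattached: in `creating failure mode models of safety critical systems, which has a common notation` the nearest noun before `which` is `systems`, so the singular now reads as an agreement error rather than as a reference to the methodology. Restructure so the clause attaches to its subject, e.g. `This paper proposes a methodology, with a common notation for the mechanical, electronic and software domains, for creating failure mode models of safety-critical systems; it applies an incremental and rigorous approach.` Hyphenate `safety-critical` when it is used attributively.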
@ -20,8 +20,10 @@ a wish list for a more ideal methodology.
%% What I have found
%%
From the wish list and considering some constraints determined from
the evaluation of the four established methodologies, a new
From the wish list
%and considering some constraints determined from
%the evaluation of the four established methodologies,
a new
methodology is developed and proposed. The has been named Failure Mode Modular De-Composition (FMMD).
%% Sell it
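Review bot: `The has been named Failure Mode Modular De-Composition (FMMD).` is missing a word; it should read `This has been named ...` or `The methodology has been named ...`. Commenting out `and considering some constraints determined from the evaluation of the four established methodologies` also removes the only link in the abstract between the evaluation and the design, while the `FMMD in context` paragraph later in the file still refers to `the weaknesses in the four established methodoligies`; either keep a short form of the clause or introduce the evaluation elsewhere in the abstract.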
@ -39,8 +41,8 @@ It is also modular, meaning that the results of analysed components may be re-us
This chapter proposes a methodology for
creating failure mode models of safety critical systems, which
have a common notation
for mechanical, electronic and software domains and apply an
has a common notation
for mechanical, electronic and software domains and applies an
incremental and rigorous approach.
%% What I have done
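Review bot: this paragraph is a verbatim copy of the abstract from the first hunk with `paper` changed to `chapter`, and both copies had to receive the identical fix; define the text once (a `\newcommand` or an `\input` of a shared file) so the two cannot drift again. The same relative-clause problem applies here: `which has` now sits directly after `safety critical systems`.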
@ -52,8 +54,10 @@ a wish list for a more ideal methodology.
%% What I have found
%%
From the wish list and considering some constraints determined from
the evaluation of the four established methodologies, a new
From the wish list %
%and considering some constraints determined from
%the evaluation of the four established methodologies,
a new
methodology is developed and proposed. The has been named Failure Mode Modular De-Composition (FMMD).
%% Sell it
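Review bot: same missing word as in the abstract: `The has been named` should be `This has been named` (or `The methodology has been named`). The trailing `%` on `From the wish list %` is harmless only because of the space before it; the abstract copy has no `%` and relies on the line break for that space, so the two copies now differ in whitespace handling for no reason. Pick one form for both.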
@ -82,11 +86,11 @@ advantages that are discussed in the next section.
%FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods
%lack precision in predicting failure modes at the SYSTEM level.
\paragraph{FMMD outline.}
The Failure Mode Modular De-composition
\paragraph{FMMD in context.}
Failure Mode Modular De-composition
(FMMD) aims to address the
weaknesses in these methodoligies and to add
features such as the ability to analyse double
weaknesses in the four established methodoligies, and to add
features such as the ability to analyse multiple
failure mode scenarios, and to allow modular re-use
of analysis.
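Review bot: the typo `methodoligies` survives on the rewritten line `weaknesses in the four established methodoligies, and to add`; correct it to `methodologies` while the line is being touched. The expansion is also spelt `Failure Mode Modular De-composition` here and in the `FMMD Process outline` paragraph of the next hunk, but `De-Composition` in the abstract and introduction; settle on one form (standard English is `Decomposition`, unhyphenated) and use it everywhere, ideally through a macro.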
@ -95,14 +99,18 @@ of analysis.
The FMMD
methodology provides a detailed, hierarchical, incremental and analytical
modelling system which will create a failure mode model from which
the data models from FTA, FMEA, FMECA and FMEDA (the statistical approach) can be
derived if required.
the data models from FTA, FMEA, FMECA and FMEDA % (the statistical approach)
can be
derived. % if required.
An FMMD model is effectively a super set of all the four traditional models.
It also focuses on component interaction within the model.
It also focuses on component interaction within the model,
something not formally considered in the four established methodologies.
%
In addition it applies rigorous checking in all the analysis stages
ensuring that all component failure modes must be considered in the model.
%
\paragraph{FMMD Process outline.}
This methodology has been named Failure Mode Modular De-composition (FMMD)
because it de-composes a SYSTEM into a hierarchy of modules or {\dc}s.
This
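Review bot: `something not formally considered in the four established methodologies` is an unsupported absolute; the only justification visible nearby is the commented-out `FTA, due to its top down nature, can overlook error conditions`, which is a weaker statement. Either cite the evaluation section or narrow the claim to what the chapter actually shows, e.g. that the four methodologies do not analyse the interaction between a component's failure modes and its functionally adjacent components. `super set` should be `superset`.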
@ -121,7 +129,7 @@ static failure mode analysis methodologies and
lists their known weaknesses. A wish list is then drawn up
addressing these weaknesses and adding some extra requirements.
Using this wish list the philosophy for the new methodology
is built up.
is determined.
%
FMMD works from the bottom up, taking small groups
of components, {\fgs}, and then analysing how they can fail.
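Review bot: `FMMD works from the bottom up` is the adverbial use and is correct unhyphenated; the attributive `bottom-up techniques` in the next hunk should be hyphenated, and the same rule should then be applied to `top down`/`top-down` throughout the chapter, which currently mixes them. `the philosophy for the new methodology is determined` is vague about what is produced; `the design principles of the new methodology` names what the following section lists.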
@ -163,9 +171,9 @@ predict all possible undesirable outcomes.
It also can miss known component failure modes, by
simply not de-composing down to the base component failure level of detail.
\paragraph{A general problem with bottom-up}
\paragraph{A general problem with bottom-up static failure analysis.}
With the bottom up techniques we have all the known component failure modes
and the freedom to determine how each of these may affect the SYSTEM.
and the relative freedom to determine how each of these may affect the SYSTEM.
%
A problem with this is that a component typically
interacts in a complex way with several other functionally
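Review bot: `relative freedom` needs its comparator: relative to what? The preceding paragraphs contrast this with top-down analysis, so say `the freedom, which top-down techniques lack, to determine how each of these may affect the SYSTEM`. The same line keeps `bottom up techniques` while the new heading on the line above says `bottom-up static failure analysis`; use the hyphenated form for the attributive in both.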
@ -178,7 +186,7 @@ The difficulty lies in
%
%Because of
the number of components
our one failure mode may interact with is large.
our failure mode under investigation may interact with is typically very large.
%
We cannot consider all the components in the SYSTEM
when looking at a single failure mode,
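Review bot: the sentence that starts at `The difficulty lies in` is ungrammatical after the change: `The difficulty lies in the number of components our failure mode under investigation may interact with is typically very large` has two main verbs. Rewrite as `The difficulty lies in the number of components that the failure mode under investigation may interact with, which is typically large.` `very` is an intensifier with no supporting figure; drop it or state the order of magnitude the chapter has in mind.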
@ -303,12 +311,16 @@ electronic components was published by the DOD
in 1991 (MIL HDK 1991 \cite{mil1991}) and is a typical
source for MTFF data.
%
It can do this using probability \footnote{for a given component failure mode there will be a $\beta$ value, the
probability that the component failure mode will cause a given SYSTEM failure}.
FMECA has a probability factor for a component causing
a SYSTEM level error.
This is termed the $\beta$ factor.
%\footnote{for a given component failure mode there will be a $\beta$ value, the
%probability that the component failure mode will cause a given SYSTEM failure}.
%
This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea},
as often the component failure mode cannot be proven to cause a SYSTEM level failure, but
assigned a probability $\beta$ fator by the design engineer.
assigned a probability $\beta$ factor by the design engineer. The use of a $\beta$ factor
is often justified using bayes theorem \cite{probstat}.
%Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
%
The results, as with FMEA are an $RPN$ number determining the significance of the SYSTEM fault.
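Review bot: `The use of a $\beta$ factor is often justified using bayes theorem \cite{probstat}.` asserts a justification without saying what is conditioned on what; either state the conditional explicitly (the probability of the SYSTEM failure given the component failure mode) or drop the sentence, because the surrounding text argues that $\beta$ is assigned heuristically by the design engineer, which is the opposite point. Capitalise `Bayes' theorem`. In the unchanged context of this hunk, `MTFF data` should be `MTTF`, `determinability prediction accuracy` is not a phrase a reader can parse (`predictive accuracy \cite{fafmea}` is enough), and `an $RPN$ number` expands to `Risk Priority Number number`; write `an $RPN$`.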
@ -335,8 +347,8 @@ The results, as with FMEA are an $RPN$ number determining the significance of th
Failure Modes, Effects, and Diagnostic Analysis (FMEDA).
This is a process that takes all the components in a system,
and from the failure modes of those components, the investigating engineer
must tie them to possible SYSTEM level events/failure modes.
and using the failure modes of those components, the investigating engineer
ties them to possible SYSTEM level events/failure modes.
This technique
evaluates a products statistical level of safety
taking into account its self-diagnostic ability.
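Review bot: the rewritten sentence `This is a process that takes all the components in a system, and using the failure modes of those components, the investigating engineer ties them to possible SYSTEM level events/failure modes.` has a dangling participle and an ambiguous `them` (the components or their failure modes?). Suggest `In this process the investigating engineer takes every component in the system and ties each of its failure modes to possible SYSTEM level events/failure modes.` `a products statistical level of safety` needs the possessive: `a product's`.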
@ -369,7 +381,7 @@ Failure rates of individual components in the SYSTEM
are calculated based on component type and
environmental conditions.
%
Statistical data exists for most component types \cite{mil1992}.
%Statistical data exists for most component types \cite{mil1992}.
%
This phase is typically implemented on a spreadsheet
with rows representing each component. A typical component spreadshet row would
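Review bot: commenting out `Statistical data exists for most component types \cite{mil1992}.` leaves the preceding claim, that failure rates are calculated from component type and environmental conditions, with no source; keep the citation, moving it onto that sentence if the extra sentence is unwanted. Separately, this key is `mil1992` while the same handbook appears as `MIL HDK 1991 \cite{mil1991}` in the FMECA hunk above; check the bibliography for a duplicated entry. `spreadshet` in the unchanged context line needs correcting.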
@ -380,7 +392,8 @@ component type, placing in the system, part number, environmental stress factors
\paragraph{Overall SYSTEM failure rate.}
The product failure rate is the sum of all component
failure rates.
failure rates. Typically the sum of all MTTF rates for all
components in an FMEDA spreadsheet.
%This is the sum of safe and unsafe
%failures.
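Review bot: `Typically the sum of all MTTF rates for all components in an FMEDA spreadsheet.` is wrong on two counts and is also a sentence fragment. MTTF is a time, not a rate, and MTTF values do not add: for constant failure rates the product failure rate is $\lambda = \sum_i \lambda_i$ with $\lambda_i = 1/\mathrm{MTTF}_i$, and the product MTTF is $1/\lambda$. Replace it with `i.e. the sum of the per-component failure rates ($\lambda$ values) in the FMEDA spreadsheet` joined to the previous sentence.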
@ -390,14 +403,18 @@ We next evaluate the SYSTEM's self-diagnostic ability.
%Each components failure modes and failure rate are now available.
Failure modes are now classified as safe or dangerous.
This is done by taking a component failure mode and determining
how it may react with any other components in the SYSTEM, and taking a final decision
if the SYSTEM error it is tied to is dangerous or safe.
The decision for this may be
based on hueristics or field data.
Because we have statistics for each component failure mode,
we can now now classify these in terms of safe and dangerous lambda values.
Detectable failure probabilities are labelled `$\lambda_D$' (for
dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}.
\paragraph{Determine Detectable and Undetecable Failures}
\paragraph{Determine Detectable and Undetecable Failures.}
Each safe and dangerous failure mode is now
determined as detectable or un-detectable by the SYSTEMs
classified as detectable or un-detectable, this
is determined by the SYSTEMs
self checking features.
%
This gives us four level failure mode classifications:
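Review bot: `Detectable failure probabilities are labelled `$\lambda_D$' (for dangerous) and `$\lambda_S$' (for safe)` mislabels the quantities: $\lambda_D$ and $\lambda_S$ are the dangerous and safe failure rates, detectability is only introduced in the next paragraph (giving $\lambda_{DD}$, $\lambda_{DU}$ and so on), and a $\lambda$ is a rate, not a probability. Write `Failure rates are split into dangerous ($\lambda_D$) and safe ($\lambda_S$) contributions \cite{EN61508}.` The rewrite also lost the statement of how the safe/dangerous decision is made: having statistics for each failure mode gives its rate, not its classification, and the deleted `based on hueristics or field data` (spelling aside) was the only explanation of the decision basis, so restore it. Fix `now now`, the comma splice in `un-detectable, this is determined by`, `SYSTEMs` (possessive) and `Undetecable` in the heading.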
@ -406,10 +423,11 @@ and the probablistic failure rate of each classification
is represented by lambda variables
(i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$).
Because some failure modes may not be discovered theoretically during the static
Because it is recognised that some failure modes may not be discovered theoretically during the static
analysis, the
% admission of how daft it is to take a component failure mode on its own
% and guess how it will affect an ENTIRE complex SYSTEM
% Admission of failure of the process really !!!!
next step is to investigate using an actual working SYSTEM.
Failures are deliberately caused (by physical intervention), and any new SYSTEM level
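Review bot: `Because it is recognised that some failure modes may not be discovered theoretically during the static analysis` still has no subject for `recognised`; name who recognises it (the standard, with a cite, if that is the source) or say plainly `Because static analysis alone may not discover every failure mode`. The author comments left in this hunk (`Admission of failure of the process really !!!!`) should be removed before the chapter is circulated.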
@ -476,8 +494,8 @@ There are four SIL levels, from 1 to 4 with 4 being the highest safety level.
In addition to probablistic risk factors, the
diagnostic coverage and SFF
have threshold bands beoming stricter for each level.
Software techniques and constraints are
also become stricter for each SIL level.
Demanded software techniques and constraints
become stricter for each SIL level.
Thus FMEDA uses statistical methods to determine
a safety level (SIL), typically used to meet an acceptable risk
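Review bot: `Demanded software techniques and constraints become stricter for each SIL level.` reads oddly with `Demanded` as an attributive adjective, and `SIL level` expands to `Safety Integrity Level level`. Suggest `The software techniques and constraints demanded by the standard also become stricter with each SIL.` The unchanged context on this hunk carries `probablistic` and `beoming`; fix both.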
@ -525,10 +543,11 @@ be linked to a dangerous system level failure in an FMEDA study.
%A $\beta$ factor, the hueristically defined probability
%of the failure causing the system fault may be applied.
%
But because there is no detailed analysis of the failure mode behaviour
of the component in its local environment
but traceable directly to the SYSTEM level, it becomes more
guess work than science.
%In FMEDA there is no detailed analysis of the failure mode behaviour
%of the component in its local environment
%Component failure modes are traceable directly to the SYSTEM level.
%it becomes more
%guess work than science.
%
With FMEDA, there is no rigorous cause and effect analysis for the failure modes
and how they interact on the micro scale (the components adjacent to them in terms of functionality).
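Review bot: commenting out the `guess work than science` paragraph also removes the reason for the sentence that now follows it; `With FMEDA, there is no rigorous cause and effect analysis for the failure modes and how they interact on the micro scale` asserts a conclusion whose justification (component failure modes are traced straight to the SYSTEM level with no analysis of local behaviour) now survives only in a comment. Keep that reason as a clause, e.g. `because each component failure mode is traced directly to the SYSTEM level, there is no rigorous cause-and-effect analysis of how it interacts with functionally adjacent components`, and hyphenate `cause-and-effect`.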
@ -576,12 +595,12 @@ to smaller and smaller functional modules \cite{maikowski}.
\section{Design of a new static failure mode based methodology}
\paragraph{New methodology must be bottom-up}
\paragraph{New methodology must be bottom-up.}
In order to ensure that all component failure modes have been covered
the methodology will have to work from the bottom-up
and start with the component failure modes.
%
\paragraph{Natural Fault Finding is top down}
\paragraph{Natural Fault Finding is top down.}
The traditional fault finding, or natural fault finding
is to work from the top down.
%
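Review bot: the heading punctuation fixes are fine, but `work from the bottom-up` in the body uses the hyphenated adjective adverbially; write `from the bottom up`, matching `from the top down` two lines later. `The traditional fault finding, or natural fault finding is to work from the top down.` needs a comma after the second `fault finding` to close the apposition, or drop `or natural fault finding` since the heading already introduces the term.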
@ -596,7 +615,7 @@ Simpler and simpler functional blocks are discovered as we delve
further into the way the system works and is built.
\paragraph{Need for a `bottom-up' system de-composition}
\paragraph{Need for a `bottom-up' system de-composition.}
There is an apparent conflict here. The natural way to
de-compose a system is from the top down.
%
@ -618,7 +637,7 @@ de-composition, because it seeks to break the system down
into manageable and separately testable entities.
A second justification for this is that the design process for a product requires both top down and bottom-up
thinking. To analyse a system from the bottom-up is a useful
design validatio process in itself \cite{sommerville}.
design validation process in itself \cite{sommerville}.
\paragraph{Design Decision: Methodology must be bottom-up.}
In order to ensure that all component failure modes are handled,
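Review bot: with `validatio` corrected, `To analyse a system from the bottom-up is a useful design validation process in itself \cite{sommerville}.` still uses the hyphenated adjective adverbially; write `from the bottom up`. `A second justification for this` has an unclear antecedent after the paragraph break; say `A second justification for a bottom-up de-composition`.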