From c0852cd424215bf84ab2ef4cbd1057c4aa667124 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 25 Jun 2011 08:57:31 +0100 Subject: [PATCH] fuck forgot to commit, thank god for wake up on lan --- .../System_safety_2011/submission.tex | 77 ++++++++++--------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/fmmd_concept/System_safety_2011/submission.tex b/fmmd_concept/System_safety_2011/submission.tex index 80f8b17..4fa8c02 100644 --- a/fmmd_concept/System_safety_2011/submission.tex +++ b/fmmd_concept/System_safety_2011/submission.tex @@ -19,8 +19,8 @@ \newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}} \newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}} \newcommand{\ohms}[1]{\ensuremath{#1\Omega}} -\newcommand{\fg}{\em functional~group} -\newcommand{\fgs}{\em functional~groups} +\newcommand{\fg}{functional~group} +\newcommand{\fgs}{functional~groups} \newcommand{\dc}{\em derived~component} \newcommand{\dcs}{\em derived~components} \newcommand{\bc}{\em base~component} @@ -56,14 +56,16 @@ failure mode of the component or sub-system}}} \cfoot{Page \thepage\ of \pageref{LastPage}} \rfoot{\today} -\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology} +%\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology} +\lhead{Developing a rigorous bottom-up modular static failure modelling methodology} % numbers at outer edges \pagenumbering{arabic} % Arabic page numbers hereafter \author{R.P.Clark$^\star$ , A.~Fish$^\dagger$ , C.~Garrett$^\dagger$, J.~Howse$^\dagger$ \\ $^\star${\em Energy Technology Control, 25 North Street, Lewes, BN7 2PE, UK} \and $^\dagger${\em University of Brighton, UK} } -\title{Developing a rigorous bottom-up modular static failure mode modelling methodology} +%\title{Developing a rigorous bottom-up modular static failure mode modelling methodology} +\title{Developing a rigorous bottom-up modular static failure modelling methodology} %\nodate \maketitle @@ -82,7 +84,7 @@ These properties provide advantages in rigour and efficiency when compared to cu \paragraph{Introduction} { -This paper describes and appraises four current failure mode methodologies. +This paper describes and appraises four current failure modelling methodologies. Their advantages and deficiencies are discussed and a desirable criteria list for an `ideal' static failure mode methodology is developed. A new proposed @@ -110,8 +112,8 @@ It is suitable for large complicated systems with few undesirable top level failures and focuses on those events considered most important or most catastrophic. % Effects of duplication/redundancy of safety systems can be readily assessed. -It uses notations that are readily understood by engineers (logic symbols from digital electronics and a fault hierarchy). -However, it cannot guarantee to model all base component failure modes +It uses notations that are readily understood by engineers (logic symbols borrowed from digital electronics and a fault hierarchy). +However, it cannot guarantee to model all base component failures or be used to determine system level errors other than those modelled. % Each FTA diagram models one top level event. @@ -126,13 +128,13 @@ lead to top level failure/events. Each top level failure is assessed by its cost to repair (or perceived criticality) and its estimated frequency. %, using a %failure mode ratio. A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated. -It is easy to identify single component failure to system failure scenarios +It is easy to identify single component failure to system failure mappings and an estimate of product reliability can be calculated. %This can be viewed as a prioritised `to~fix' list. % It cannot focus on complex component interactions that cause system failure modes or determine potential -problems from simultaneous failure modes. It does not consider changing environmental +problems from simultaneous failures. It does not consider changing environmental or operational states in sub-systems or components. It cannot model self-checking safety elements or other in-built safety features or analyse how particular components may fail. @@ -164,7 +166,8 @@ event, this leads to repeated work, with limited ability for cross checking/mode %\subsection{Bottom-up approach: } \paragraph{State Explosion problem for FMEA, FMECA, FMEDA.} -The bottom -up techniques all suffer from a problem of state explosion. +The bottom -up techniques all suffer from % a problem of +state explosion. To perform the analysis rigorously, we would need to consider the effect of a component failure against all other components. Adding environmental and operational states further increases this effect. @@ -216,11 +219,11 @@ To look in detail at a half of a million test cases is obviously impractical. % % take a circuit or system and follow all the interactions % % to the components that cause the system level event. -\paragraph{Multiple Events from one base component failure mode} -A base component failure may potentially cause more than one -SYSTEM level failure mode. -It would be possible to identify one top level event associated with -a {\bcfm} and not investigate other possibilities. +%\paragraph{Multiple Events from one base component failure mode} +%A base component failure may potentially cause more than one +%SYSTEM level failure mode. +%It would be possible to identify one top level event associated with +%a {\bcfm} and not investigate other possibilities. %\section{Requirements for a new static failure mode Analysis methodology} @@ -326,20 +329,21 @@ Because we are only modelling failure modes, which could arise from mechanical, electronic or software components, criteria 3 is satisfied. % -In order to address the state explosion problem, the process must be modular -and deal with small groups of components at a time, this should address criteria 1. +In order to address the state explosion problem, the process must be modular and hierarchical +dealing with small groups of components at a time; this should address criteria 1. +% In the proposed methodology components are collected into functional groups -and each component failure mode (and optionally combinations) are considered in the +and each component failure (and optionally combinations) are considered in the context of the {\fg}. % -The component failure modes (and optional combinations) are termed `test~cases'. For each test~case -there will be a corresponding resultant failure, from the perspective of the {\fg}. +The component failures (and optional combinations) are termed `test~cases'. For each test~case +there will be a corresponding resultant failure, or `symptom', from the perspective of the {\fg}. % % MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE % -From the perspective of the {\fg} failures of components will be symptoms. +%From the perspective of the {\fg} failures of components will be symptoms. It is conjectured that many symptoms will be common. That is to say -that component failure modes, will often cause the same symptoms of failure +that component failures, will often cause the same symptoms of failure from the perspective of a {\fg}. % A common symptom collection stage is now applied. Here common symptoms are collected @@ -348,8 +352,8 @@ multiple failures can be modelled, satisfying criteria 6. % With a collection of the {\fg} failure symptoms, we can now create a {\dc}. The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from. -This satisfies criteria 3, as we can now treat {\dcs} as ready analysed -modules to re-use. +This satisfies criteria 3, as we can now treat {\dcs} as pre-analysed +modules available for re-use. By using {\dcs} in higher level functional groups, a hierarchy can be built representing the failure mode behaviour of a SYSTEM. Because the hierarchy maintains information @@ -406,7 +410,7 @@ Operational states are conditions that apply to some functional groups, not indi \section{Worked Example: Non-Inverting Operational Amplifier} -A standard non inverting op amp (from ``The Art of Electronics'' ~\cite{aoe}[pp.234]) is shown in figure \ref{fig:noninvamp}. +A standard non inverting op amp~\cite{aoe}[pp.234] is shown in figure \ref{fig:noninvamp}. \begin{figure}[h] @@ -563,7 +567,7 @@ we can assign a test case number (see table \ref{pdfmea}). Each test case is analysed to determine the `symptom' on the potential dividers' operation. For instance were the resistor $R_1$ to go open, the circuit would not be grounded and the -voltage output from it would be high (+ve). +voltage output from it would float high (+ve). This would mean the symptom of the failed potential divider, would be that it gives a high voltage output.%We can now consider the {\fg} %as a component in its own right, and its symptoms as its failure modes. @@ -948,9 +952,10 @@ back to their potential causes. \ifthenelse {\boolean{dag}} { -We can now expand the $PD$ {\dc} and now have a full FMMD failure mode model +We can now expand the $PD$ {\dc} and now have a full FMMD failure %mode +model drawn as a DAG, which we can use to traverse to determine the possible causes to -the three high level symptoms, or failure~modes of the non-inverting amplifier. +the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier. Figure \ref{fig:noninvdag1} shows a fully expanded DAG, from which we can derive information to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysis methodologies. } @@ -1090,6 +1095,8 @@ the the number of failure symptoms for a {\fg} will be less than or equal to the of component failures. In practise the number of symptoms is usually around half the number of component failure modes, for each stage of FMMD analysis. +This methodology has also been applied elsewhere to the inverting amplifier configuration. +Clearly one can then use use these derived components in more complex circuits where the advantages of FMMD become more obvious. \subsection{Evaluation against Desirable Criteria} @@ -1101,18 +1108,18 @@ We can now evaluate the FMMD method using the criteria in section \ref{fmmdreq}. { \small \begin{itemize} -\item{State Explosion must be reduced.} -Because small collections of components are dealt with in functional groups -the state explosion problem is effectively dealt with. +\item{State Explosion is reduced,} +because small collections of components are dealt with in functional groups +to produce derived components which are used in an hierarchical manner. \item{All component failure modes must be considered in the model.} -The proposed methodology will be bottom-up. +Since the proposed methodology is bottom-up. This means that we can ensure/check that all component failure modes are handled. -\item{ It should be easy to integrate mechanical, electronic and software models.} -Because FMMD models in terms of failure modes only, we have a generic failure mode entities to model. -We can describe a mechanical, electrical or software component in terms of its failure modes. +\item{ It should be straight forward to integrate mechanical, electronic and software models,} +because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model. +%We can describe a mechanical, electrical or software component in terms of its failure modes. % Because of this we can model and analyse integrated electromechanical systems, controlled by computers,