From c3fe94959e7b4865de3361070444ee1161dd43b3 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 25 Sep 2010 12:02:00 +0100 Subject: [PATCH] edits b4 walk with Rosa by the river --- .../component_failure_modes_definition.tex | 668 ------------------ mybib.bib | 16 + survey/survey.tex | 20 + 3 files changed, 36 insertions(+), 668 deletions(-) delete mode 100644 component_failure_modes_definition/component_failure_modes_definition.tex diff --git a/component_failure_modes_definition/component_failure_modes_definition.tex b/component_failure_modes_definition/component_failure_modes_definition.tex deleted file mode 100644 index e68097f..0000000 --- a/component_failure_modes_definition/component_failure_modes_definition.tex +++ /dev/null @@ -1,668 +0,0 @@ - - - -\ifthenelse {\boolean{paper}} -{ -\abstract{ -This paper defines %what is meant by -the terms -components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes. -%The application of Bayes theorem in current methodologies, and -%the suitability of the `null hypothesis' or `P' value statistical approach -%are discussed. -The general concept of the cardinality constrained powerset is introduced -and calculations for it described, and then for -calculations under `unitary state' fault mode conditions. -Data types and their relationships are described using UML. -Mathematical constraints and definitions are made using set theory.} -} -{ -\section{Overview} -This chapter defines %what is meant by -the terms -components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes. -The general concept of the cardinality constrained powerset is introduced -and calculations for it described, and then for -calculations under `unitary state' fault mode conditions. -Data types and their relationships are described using UML. -Mathematical constraints and definitions are made using set theory. -} - - -\section{Introduction} -This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method. -When analysing a safety critical system using -this technique, we need clearly defined failure modes for -all the components that are used to model the system. -In our model we have a constraint that -the component failure modes must be mutually exclusive. -When this constraint is complied with we can use the FMMD method to -build hierarchical bottom-up models of failure mode behaviour. -%This and the definition of a component are -%described in this chapter. -%When building a system from components, -%we should be able to find all known failure modes for each component. -%For most common electrical and mechanical components, the failure modes -%for a given type of part can be obtained from standard literature\cite{mil1991} -%\cite{mech}. %The failure modes for a given component $K$ form a set $F$. - - -%% -%% Paragraph component and its relationship to its failure modes -%% - -\section{ Defining the term Component } - - -\begin{figure}[h] - \centering - \includegraphics[width=300pt,bb=0 0 437 141,keepaspectratio=true]{component_failure_modes_definition/component.jpg} - % component.jpg: 437x141 pixel, 72dpi, 15.42x4.97 cm, bb=0 0 437 141 - \caption{A Component and its Failure Modes} - \label{fig:component} -\end{figure} - -Let us first define a component. This is anything which we use to build a -product or system with. -It could be something quite complicated -like an integrated microcontroller, or quite simple like the humble resistor. -We can define a -component by its name, a manufacturers' part number and perhaps -a vendors' reference number. -What these components all have in common is that they can fail, and fail in -a number of well defined ways. For common components -there is established literature for the failure modes for the system designer to consider (often with accompanying statistical -failure rates)\cite{mil1991}. For instance, a simple resistor is generally considered -to fail in two ways, it can go open circuit or it can short. -Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$. -The UML diagram in figure -\ref{fig:component} shows a component as a data -structure with its associated failure modes. - -From this diagram we see that each component must have at least one failure mode. -To clearly show that the failure modes are mutually exclusive states, or unitary states associated with one component, -each failure mode is referenced back to only one component. - -%%-%% MTTF STATS CHAPTER MAYBE ?? -%%-%% -%%-%% This modelling constraint is due to the fact that even generic components with the same -%%-%% failure mode types, may have different statistical MTTF properties within the same -%%-%% circuitry\footnote{For example, consider resistors one of high resistance and one low. -%%-%% The generic failure modes for a resistor will be the same for both. -%%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}. - - -A product naturally consists of many components and these are traditionally -kept in a `parts list'. For a safety critical product this is usually a formal document -and is used by quality inspectors to ensure the correct parts are being fitted. -The parts list is shown for -completeness here, as people involved with PCB and electronics production, verification -and testing would want to know where it lies in the model. -The parts list is not actively used in the FMMD method. -For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components. -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 712 68,keepaspectratio=true]{component_failure_modes_definition/componentpl.jpg} - % componentpl.jpg: 712x68 pixel, 72dpi, 25.12x2.40 cm, bb=0 0 712 68 - \caption{Parts List of Components} - \label{fig:componentpl} -\end{figure} - -Components in the parts list % (bought in parts) -will be termed `base~components'. -Components derived from base~components will not always require -parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts, -software modules and some collections of components to have part numbers. -This is a production/configuration~control issue and linked to Bill of Material (BOM) -database structures etc. Parts numbers for derived components are not directly related to the analysis process -we are concerned with here.}, and will -not require a vendor reference, but must be named locally in the FMMD model. - -We can term `modularising a system', to mean recursively breaking it into smaller sections for analysis. -When modularising a system from the top~down, as in Fault Tree Analysis\cite{nasafta}\cite{nucfta} (FTA) -it is common to term the modules identified as sub-systems. -When building from the bottom up, it is more meaningful to call them `derived~components'. - - -%% -%% Paragraph using failure modes to build from bottom up -%% - -\section{Fault Mode Analysis, \\ top down or bottom up?} - -Traditional static fault analysis methods work from the top down. -They identify faults that can occur in a system, and then work down -to see how they could be caused. Some apply statistical techniques to -determine the likelihood of component failures -causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse, -can be applied to specific failure modes in components and the probability of them causing given system level errors. -Another top down technique is to apply cost benefit analysis -to determine which faults are the highest priority to fix\cite{bfmea}. -The aim of FMMD analysis is to produce complete failure -models of safety critical systems from the bottom-up, -starting, where possible with known base~component failure~modes. - -An advantage of working from the bottom up is that we can ensure that -all component failure modes must be considered. A top down approach -can miss individual failure modes of components\cite{faa}[Ch.~9], -especially where they are non obvious top-level faults. - -In order to analyse from the bottom-up, we need to take -small groups of components from the parts~list that naturally -work together to perform a simple function. -The components to include in a {\fg} are chosen by a human, the analyst. -%We can represent the `Functional~Group' as a class. - When we have a -`{\fg}' we can look at the components it contains, -and from this determine the failure modes of all the components that belong to it. -% -% and determine a failure mode model for that group. -% -% expand 21sep2010 -%The `{\fg}' as used by the analyst is a collection of component failures modes. -The analysts interest is the ways in which the components within the {\fg} -can fail. All the failure modes of all the components with an {\fg} are collected -into a flat set of failure modes. -% -Each of these failure modes, and optionally combinations of them, are -formed into `test cases' which are -analysed for their effect on the failure mode behaviour of the `{\fg}'. -% -Once we have the failure mode behaviour of the {\fg}, we can determine a new set of failure modes, the derived failure modes of the -`{\fg}'. -% -Or in other words we can determine how the `{\fg}' can fail. -We can now consider the {\fg} as a sort of super component -with its own set of failure modes. - - -\subsection{From functional group to newly derived component} - -The process for taking a {\fg}, considering -all the failure modes of all the components in the group, -and analysing it is called `symptom abstraction' and -is dealt with in detail in chapter \ref{symptom_abstraction}. -% define difference between a \fg and a \dc -A {\fg} is a collection of components, a {\dc} is a new `theorectical' -component which has a set of failure modes, which -correspond to the failure modes of the {\fg} is was derived from. -We could consider a {\fg} as a black box, or component -to use, and in this case it would have a set of failure modes. -Looking at the {\fg} in this way is seeing it as a {\dc}. - -In terms of our UML model, the symptom abstraction process takes a {\fg} -and creates a new {\dc} from it. -%To do this it first creates -%a new set of failure modes, representing the fault behaviour -%of the functional group. This is a human process and to do this the analyst -%must consider all the failure modes of the components in the functional -%group. -The newly created {\dc} requires a set of failure modes of its own. -These failure modes are the failure mode behaviour of the {\fg} that it was derived from. -Because these new failure modes were derived from a {\fg} we can call -these `derived~failure~modes'. -%It then creates a new derived~component object, and associates it to this new set of derived~failure~modes. -We thus have a `new' component, or system building block, but with a known and traceable -fault behaviour. - -The UML representation shows a `functional group' having a one to one relationship with a derived~component, -which we represent in the UML diagram in figure \ref{fig:cfg}. - -The symbol $\bowtie$ is used to indicate the analysis process that takes a -functional group and converts it into a new component. - -This can be expresed as $ \bowtie ( FG ) \mapsto DerivedComponent $ . - - -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{./component_failure_modes_definition/cfg.jpg} - % cfg.jpg: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286 - \caption{UML Meta model for FMMD hierarchy} - \label{fig:cfg} -\end{figure} - - -\subsection{Keeping track of the derived \\ components position in the hierarchy} - -The UML meta model in figure \ref{fig:cfg}, shows the relationships -between the classes and sub-classes. -Note that because we can use derived components to build functional groups, -this model intrinsically supports building a hierarchy. -% -In use we will build a hierarchy of -objects, with derived~components forming functional~groups, and creating -derived components higher up in the structure. -% -To keep track of the level in the hierarchy (i.e. how many stages of component -derivation `$\bowtie$' have lead to the current derived component) -we can add an attribute to the component data type. -This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$. -The $\alpha$ level variable in each component, -indicates the position in the hierarchy. Base or parts~list components -have a `level' of $\alpha=0$. -% I do not know how to make this simpler -Derived~components take a level based on the highest level -component used to build the functional group it was derived from plus 1. -So a derived component built from base level or parts list components -would have an $\alpha$ value of 1. -%\clearpage - - - -% \section{Set Theory Description} -% -% $$ System \stackrel{has}{\longrightarrow} PartsList $$ -% -% $$ PartsList \stackrel{has}{\longrightarrow} Components $$ -% -% $$ Component \stackrel{has}{\longrightarrow} FailureModes $$ -% -% $$ FunctionalGroup \stackrel{has}{\longrightarrow} Components $$ -% -% Using the symbol $\bowtie$ to indicate an analysis process that takes a -% functional group and converts it into a new component. -% -% $$ \bowtie ( FG ) \mapsto DerivedComponent $$ -% - -\subsection{Relationships between functional~groups and failure modes} - -Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$. - -We can define a function $fm$ as equation \ref{eqn:fmset}. - -\begin{equation} -fm : \mathcal{C} \mapsto \mathcal{P}\mathcal{F} - \label{eqn:fmset} -\end{equation} - -The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes. - -\begin{equation} - fm ( C ) = F - \label{eqn:fminstance} -\end{equation} - -\paragraph{Finding all failure modes within the functional group} - -For FMMD failure mode analysis we need to consider the failure modes -from all the components in a functional~group as a flat set. -Consider the components in a functional group to be $C_1...C_N$. -The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components -in the functional~group and taking the union of them thus: - -$$ FSF = \bigcup_{j=1}^{N} FM(C_j) $$ - -We can actually overload the notation for the function $fm$ % FM -and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) -in equation \ref{eqn:fmoverload}. - -\begin{equation} -fm : \mathcal{FG} \mapsto \mathcal{F} -\label{eqn:fmoverload} -\end{equation} - - -\section{Unitary State Component \\ Failure Mode sets} - -\paragraph{Design Descision/Constraint} -An important factor in defining a set of failure modes is that they -should be represent the failure modes as simply and minimally as possible. -It should not be possible, for instance for -a component to have two or more failure modes active at once. -Were this to be the case, we would have to consider additional combinations of -failure modes within the component. -Having a set of failure modes where $N$ modes could be active simultaneously -would mean having to consider an additional $2^N-1$ failure mode scenarios. -Should a component be analysed and simultaneous failure mode cases exit, -the combinations could be represented by new failure modes, or -the component should be considered from a fresh perspective, -perhaps considering it as several smaller components -within one package. -This property, failure modes being mutually exclusive, is termed `unitary state failure modes' -in this study. -This corresponds to the `mutually exclusive' definition in -probability theory \cite{probstat}. - - -\begin{definition} -A set of failure modes where only one failure mode -can be active at one time is termed a `unitary~state' failure mode set. -\end{definition} - -Let the set of all possible components to be $ \mathcal{C}$ -and let the set of all possible failure modes be $ \mathcal{F}$. - -\begin{definition} -We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where -the component failure modes in each of its members are unitary~state. -Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. -\end{definition} - -\section{Component failure modes:\\ Unitary State example} - -An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. - -Electrical resistors can fail by going OPEN or SHORTED. - -For a given resistor R we can apply the -the function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. -A resistor cannot fail with both conditions open and short active at the same time! The conditions -OPEN and SHORT are thus mutually exclusive. -Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. - - -Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. - -The intersection of these is therefore the empty set, $$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$, -therefore -$ fm(R) \in \mathcal{U} $. - - - -We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection -of component failure modes. -We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns -whether a fault mode is active (true) or dormant (false). - -We can say that if any pair of fault modes is active at the same time, then the failure mode set is not -unitary state: -we state this formally - - - \begin{equation} - \forall f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} - \end{equation} - - -% -% \begin{equation} -% c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U -% \end{equation} - -That is to say that it is impossible that any pair of failure modes can be active at the same time -for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$. -Note where there are more than two failure~modes, -by banning any pairs from being active at the same time, -we have banned larger combinations as well. - -\subsection{Design Rule: Unitary State} - -All components must have unitary state failure modes to be used with the FMMD methodology. -Where a complex component is used, for instance a microcontroller -with several modules that could all fail simultaneously, a process -of reduction into smaller theoretical components will have to be made -\footnote{A modern microcontroller will typically have several modules, which are configurged to operate on -pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, -PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers \cite{pic18f2523}}. -For instance the voltage reading functions which consist -of an ADC multiplexer and ADC can be considered to be components -inside the microcontroller package. -The microcontroller thuis becomes a collection of smaller components -the can be analysed separately. -\paragraph{Reason for Constraint} Were this constraint to not be applied -each component could not have $N$ failure modes to consider but potentially -$2^N$. This would make the job of analysing the failure modes -in a {\fg} impractical due to the sheer size of the task. - -%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos - -\section{Handling Simultaneous \\ Component Faults} - -For some integrity levels of static analysis, there is a need to consider not only single -failure modes in isolation, but cases where more then one failure mode may occur -simultaneously. -Note that the `unitary state' conditions apply to failure modes within a component. -The scenarios presented here are where two or more components fail simultaneously. -It is an implied requirement of EN298 \cite{en298} for instance to -consider double simultaneous faults\footnote{This is under the conditions -of LOCKOUT in an industrial burner controller that has detected one fault already. -However, from the perspective of static failure mode analysis, this amounts -to dealing with double simultaneous failure modes.}. -To generalise, we may need to consider $N$ simultaneous -failure modes when analysing a functional group. This involves finding -all combinations of failures modes of size $N$ and less. -The Powerset concept from Set theory is useful to model this. -The powerset, when applied to a set S is the set of all subsets of S, including the empty set -\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there -is no fault active in the functional~group under analysis.} -and S itself. -In order to consider combinations for the set S where the number of elements in each sub-set of S is $N$ or less, a concept of the `cardinality constrained powerset' -is proposed and described in the next section. - -%\pagebreak[1] -\subsection{Cardinality Constrained Powerset } -\label{ccp} - -A Cardinality Constrained powerset is one where sub-sets of a cardinality greater than a threshold -are not included. This threshold is called the cardinality constraint. -To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. -Consider the set $S = \{a,b,c\}$. - -The powerset of S: - -$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ - - -$\mathcal{P}_{2} S $ means all non-empty subsets of S where the cardinality of the subsets is -less than or equal to 2 or less. - -$$ \mathcal{P}_{2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ - -Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is: - -$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$ - -\paragraph{Calculating the number of elements in a cardinality constrained powerset} - -A $k$ combination is a subset with $k$ elements. -The number of $k$ combinations (each of size $k$) from a set $S$ -with $n$ elements (size $n$) is the binomial coefficient \cite{probstat} shown in equation \ref{bico}. - -\begin{equation} -C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} -\label{bico} -\end{equation} - -To find the number of elements in a cardinality constrained subset S with up to $cc$ elements -in each combination sub-set, -we need to sum the combinations, -%subtracting $cc$ from the final result -%(repeated empty set counts) -from $1$ to $cc$ thus - -% -% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ -% - -\begin{equation} - |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} - \label{eqn:ccps} -\end{equation} - - - -\subsection{Actual Number of combinations to check \\ with Unitary State Fault mode sets} - -If all of the fault modes in $S$ were independent, -the cardinality constrained powerset -calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check. -Because sets of failure modes in FMMD analysis are constrained to be unitary state, -the actual number of test cases to check will usually -be less than this. -This is because combinations of faults within a components failure mode set, -are impossible under the conditions of unitary state failure mode. -To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' -for each component in the functional group under analysis. -Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. -For example, say -the cardinality constraint was 3, we would need to subtract both -$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. - -\subsubsection{Example: Two Component functional group \\ cardinality Constraint of 2} - -For example: suppose we have a simple functional group with two components R and T, of which -$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}$$. - -This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set -of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$ - -For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$), -applying equation \ref{eqn:ccps} gives :- - -$$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15$$. - -This is composed of ${5 \choose 1}$ -five single fault modes, and ${5 \choose 2}$ ten double fault modes. -However we know that the faults are mutually exclusive within a component. -We must then subtract the number of `internal' component fault combinations -for each component in the functional~group. -For component R there is only one internal component fault that cannot exist -$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has - three fault modes ${3 \choose 2} = 3$. -Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. -The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified -by listing all the required combinations: - - - -$$ \mathcal{P}_{2}(fm(FG)) = \{ - \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} - \} -$$ - -And % by inspection -$$ -| -\{ - \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} -\} -| = 11 -$$ - - -\pagebreak[1] -\subsubsection{Establishing Formulae for unitary state failure mode \\ -cardinality calculation} - -The cardinality constrained powerset in equation \ref{eqn:ccps}, can be modified for % corrected for -unitary state failure modes. -This is written as a general formula in equation \ref{eqn:correctedccps}. - -%\indent{ -To define terms : -\begin{itemize} -\item Let $C$ be a set of components (indexed by $j \in J$) -that are members of the functional group $FG$ -i.e. $ \forall j \in J | C_j \in FG $ -\item Let $|fm({C}_{j})|$ -indicate the number of mutually exclusive fault modes of component $C_j$. -\item Let $fm(FG)$ be the collection of all failure modes -from all the components in the functional group. -\item Let $SU$ be the set of failure modes from the {\fg} where all $FG$ is such that -components $C_j$ are in -`unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $ -\end{itemize} -%} - -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} - \label{eqn:correctedccps} -\end{equation} - -Expanding the combination in equation \ref{eqn:correctedccps} - - -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } - \label{eqn:correctedccps2} -\end{equation} - -\paragraph{Use of Equation \ref{eqn:correctedccps2} } -Equation \ref{eqn:correctedccps2} is useful for an automated tool that -would verify that a single or double simultaneous failures model has complete failure mode coverage. -By knowing how many test cases should be covered, and checking the cardinality -associated with the test cases, complete coverage would be verified. - -\paragraph{N Venn disallowed combinations} -The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs -of failure modes within components, but also ensuring that combinations across components -do not involve any pairs of failure modes within the same component. -A recursive algorithm and proof is described in appendix \ref{chap:vennccps}. - -%%\paragraph{Practicality} -%%Functional Group may consist, typically of four or five components, which typically -%%have two or three failure modes each. Taking a worst case of mutiplying these -%%by a factor of five (the number of failure modes and components) would give -%%$25 \times 15 = 375$ -%% -%% -%% -%%\begin{verbatim} -%% -%%# define a factorial function -%%# gives 1 for negative values as well -%%define f(x) { -%% if (x>1) { -%% return (x * f (x-1)) -%% } -%% return (1) -%% -%%} -%%define u1(c,x) { -%% return f(c*x)/(f(1)*f(c*x-1)) -%%} -%%define u2(c,x) { -%% return f(c*x)/(f(2)*f(c*x-2)) -%%} -%% -%%define uc(c,x) { -%% return c * f(x)/(f(2)*f(x-2)) -%%} -%% -%%# where c is number of components, and x is number of failure modes -%%# define function u to calculate combinations to check for double sim failure modes -%%define u(c,x) { -%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2)) -%%} -%% -%% -%%\end{verbatim} -%% - -\pagebreak[1] -\section{Component Failure Modes \\ and Statistical Sample Space} -%\paragraph{NOT WRITTEN YET PLEASE IGNORE} -A sample space is defined as the set of all possible outcomes. -For a component in FMMD analysis, this set of all possible outcomes is its normal correct -operating state and all its failure modes. -When dealing with failure modes, we are not interested in -the state where the component is working perfectly or `OK' (i.e. operating with no error). -We are interested only in ways in which it can fail. -By definition while all components in a system are `working perfectly' -that system will not exhibit faulty behaviour. -Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is -%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ -$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} $$ -The failure mode set $F$ for a given component or derived~component $C$ -is therefore -$$ F = \Omega(C) \backslash \{OK\} $$ - -The $OK$ statistical case is the largest in probability, and is therefore -of interest when analysing systems from a statistical perspective. -This is of interest for the application of conditional probability calculations -such as Bayes theorem \cite{probstat}. - - -%%- -%%- Need a complete and more complicated UML diagram here -%%- the other parts were just fragments to illustrate points -%%- -%%- - - -\vspace{40pt} diff --git a/mybib.bib b/mybib.bib index a4eb705..01fe7f7 100644 --- a/mybib.bib +++ b/mybib.bib @@ -5,6 +5,12 @@ % $Id: mybib.bib,v 1.3 2009/11/28 20:05:52 robin Exp $ +@ARTICLE{fmeda, + AUTHOR = "John C. Grebe Dr. William M. Goble", + TITLE = "FMEDA – Accurate Product Failure Metrics", + JOURNAL = "EXIDA publication. www.exida.com/articles/FMEDA\%20Development.pdf", + YEAR = "2007" +} @ARTICLE{canspec, AUTHOR = "Bosch.", TITLE = "CAN Specification 2.0", @@ -107,6 +113,16 @@ YEAR = "1996" } + + + +@PHDTHESIS{maikowski, + AUTHOR = "Leo M Maikowski", + TITLE = "Tolreranced Multiple Fault Diagnosis of Analog Circuits", + SCHOOL = " Brighton University, School of Electrical Engineering", + YEAR = "1995" +} + @BOOK{sem, AUTHOR = "J.~Woodcock,~Martin~Loomes", TITLE = "Software Engineering Mathematics ISBN 0-273-02673-9", diff --git a/survey/survey.tex b/survey/survey.tex index 5f33a38..74a1800 100644 --- a/survey/survey.tex +++ b/survey/survey.tex @@ -33,6 +33,26 @@ EN298 no two individual component failures may give rise to a dangerous conditio \section{FMEDA Failure effect Mode Diagnositic Analysis} +This is the main babsis of SIL certification for Programmed Electronic Equipment. +Itr applies FMEA, with classification of criticality of +components, adjustment to MTTF values by self checking mechanisms in the product, +and mitigation for a safe failure fraction. This leads to a probablistic +mean time to failure or probability of failure on demand, that will +fall within the criteria for a given SIL safety level. +An overview for this method can be found in an EXIDA paper \cite{fmeda} +and detailed description of the method for SIL certification in part 2 of +EN61508 \cite{en61508}. + +disadvantage: single component failure is used to determine its effect on +the entire system. This leads to classifying components as safety or non-safety critical +at an early stage in the analysis. This means that complex interactions or side effects +of the components failing may not be taken into account. + +advantage: concepts of self checking systems, and safe failure fraction\footnote{Safe Failure Fraction (SFF) is the number of non-safety critical components +that can be detected as failed compared to the number of safety critcal components. The thinking here is that is components are detected as failing +even though they are not safety critical, the system is self checking a greater proportion of its own systems, and is therefore safer. This +is applying bayes theorem for probablistic error detection} + This is a probablistic based methodology. \subsection{Safe Failure Fraction}