turd polishing

This commit is contained in:
Robin Clark 2013-09-25 14:05:56 +01:00
parent cd0ec8fa69
commit c4bf1cd625
@ -1,5 +1,7 @@
\label{sec:chap8}
%
\fmeagloss
%
This study has examined the %processes and state of the art of the
four main FMEA variants.
%
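Review bot: the glossary macro introduced at the top of this hunk is named `\fmeagloss`, while every other glossary hook in this diff follows the `\fmmdgloss...` pattern (`\fmmdglossFTA`, `\fmmdglossFMEDA`, `\fmmdglossFMECA`); unless the different prefix is deliberate, renaming it to the `\fmmdgloss` form would keep the macro set consistent and easier to grep for.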
@ -150,7 +152,7 @@ Because an FMMD model can be used to generate an FMEA report,
with additional {\bc} failure mode statistics
an FMEDA report can be produced.
%
FMMD has been applied to the Pt100 example in appendix~\ref{detailed:Pt100stats}.
FMMD has been applied with component failure statistics to the Pt100 example in appendix~\ref{detailed:Pt100stats}.
%
This demonstrates FIT values being obtained for single and doubly sourced system failure modes
in a way that is compatible with FMEDA/EN61508.
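Review bot: in the unchanged context at the end of this hunk, "single and doubly sourced system failure modes" mixes an adjective with an adverb; since "doubly sourced" is kept, the parallel form is "singly and doubly sourced". The rewritten sentence itself ("FMMD has been applied with component failure statistics to the Pt100 example...") reads fine.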
@ -282,7 +284,7 @@ be factored into the UML model.
An undesired condition may occur where it could be necessary to inhibit some action of the system.
This is rather like a logical guard criterion. For instance in the gas burner standard EN298 it
states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
In FTA terms this would be an `inhibit' condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
\fmmdglossFTA
The nature of these three attributes is examined and decisions are made as how they should fit into the UML
model for FMMD developed in section~\ref{sec:fmmd_uml}.
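Review bot: the abbreviation "i.e." followed by a plain space in "i.e. PILOT\_NOT\_CONFIRMED" makes LaTeX insert sentence-ending spacing after the full stop; use `i.e.\ PILOT\_NOT\_CONFIRMED` (or `i.e.~`) so the gap is an ordinary inter-word space. The change to `` `inhibit' `` uses the correct LaTeX quoting, so that part is fine.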
@ -316,7 +318,7 @@ are also common conditions that are considered.
These can be broadly termed operational states. %, and apply to the
%functional groups.
%
The UML class is most appropriate to hold a relationship
The UML class most appropriate to hold a relationship
to operational states must be chosen.
%
Consider for instance an electrical circuit that has a TEST line.
@ -415,10 +417,10 @@ sub-system it could be difficult to know
which parts of the FMEA analysis to
re-visit.
%
For instance, which components in the system should
For instance, which components in the system should the
newly discovered failure mode be checked against?
%
This is linked to the concepts behind
This concern is linked to the concepts behind
the need for failure mode coverage against all components in the system, that provoked discussions
leading to idealised XFMEA requirements (see section~\ref{sec:reasoningdistance}).
%
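Review bot: in the unchanged context lines "re-visit" is hyphenated while the rest of the text uses closed compounds; "revisit" is the standard spelling. The two rewritten sentences ("...should the newly discovered failure mode be checked against?" and "This concern is linked to...") are clear improvements.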
@ -454,7 +456,7 @@ thus it can be verified that all
failure modes from the electronics module have been dealt
with by the controlling software.
%
If not, they would be an un-handled error condition relating to the software/hardware interface.
If not, this would be an un-handled error condition relating to the software/hardware interface.
%
This again can be flagged using an automated tool.
%
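Review bot: "un-handled" in the rewritten line is normally written "unhandled"; while touching this sentence it would be worth fixing the hyphenation along with the pronoun change.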
@ -493,12 +495,13 @@ the Human Machine Interface~(HMI)~\cite{stranks2007human}.
\paragraph{Objective and Subjective Reasoning in FMEA: Three Mile Island nuclear accident example.}
An example of objective and subjective factors is demonstrated in the accident report on the 1979 Three Mile Island
nuclear accident~\cite{safeware}[App.D]. Here, a vent valve for the primary reactor coolant (pressurised water) became stuck open.
This condition causes an objectively derived failure mode --- `leakage~of~coolant' --- due to a stuck valve.
This condition caused an objectively derived failure mode --- `leakage~of~coolant' --- due to a stuck valve.
%
This, if recognised correctly by the operators, would have lead quickly to a reactor shut-down and
a maintenance procedure to replace the valve.
%
The failure was not recognised in time however, and coolant was lost
The failure was not recognised in time %however,
and coolant was lost
until a partial meltdown of the reactor fuel occurred, with a resulting
leak of radioactive material into the environment.
%
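Review bot: the citation `~\cite{safeware}[App.D]` in the context lines of this hunk has the optional argument after the braces, so `[App.D]` will be typeset literally rather than as a page reference inside the citation; the syntax is `\cite[App.~D]{safeware}`. Separately, "would have lead quickly" should read "would have led quickly" (past participle of "lead" is "led").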
@ -506,10 +509,11 @@ For the objective failure mode determined by
FMEA, that of leakage of coolant,
it would not be reasonable to expect this to go unchecked and unresolved for an extended period and cause such a critical failure.
%
The criticality level of that accident was therefore subjective.
The criticality level of that {\fm} %accident
was therefore subjective.
%
It was not known how the operators
would have reacted, and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis.
would have reacted and deficiencies in the Human Machine Interface (HMI) were not a factor in the failure analysis.
\paragraph{Further Work: Objective and Subjective Reasoning in FMEA.}
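Review bot: the edit on the last changed line removes the comma before "and deficiencies in the Human Machine Interface (HMI) were not a factor", but the two halves are independent clauses with their own subjects ("It was not known..." and "deficiencies ... were not a factor"), so the comma was correct and should be restored. The `%accident` comment after `{\fm}` leaves a trailing space before the line break, which is harmless here since the sentence continues on the next line.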
@ -521,6 +525,7 @@ it is often required to next determine its level of criticality, or how serious
%
Two methodologies have started to consider this aspect, FMECA~\cite{fmeca} with its criticality and probability factors, and
FMEDA~\cite{en61508,fmeda} with its classification of dangerous and safe failures.
%
\fmmdglossFMEDA
\fmmdglossFMECA
%
@ -530,7 +535,7 @@ Accurate models of objective failure modes, are seen by the author to be a pre-r
for subjective assessment.
%
The scope of FMMD is the objective level only,
but offers significant benefits in terms of accuracy and work savings.
but offers significant benefits in terms of accuracy and labour savings.
%
It also offers integrated modelling of software and hardware.
%
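Review bot: the hunk header context line "Accurate models of objective failure modes, are seen by the author to be a pre-r..." has a spurious comma between the subject and verb ("models ... , are seen"); drop it. The change from "work savings" to "labour savings" is fine and matches the British spelling used elsewhere in the file.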