Saturday afternoon edits

This commit is contained in:
Robin Clark 2010-11-20 14:28:41 +00:00
parent ba702f32b7
commit ca2a421add
3 changed files with 88 additions and 53 deletions

View File

@ -13,9 +13,9 @@ incremental and rigorous approach.
%% What I have done
%%
The Four main static failure mode analysis methodologies were examined and
The four main static failure mode analysis methodologies were examined and
in the context of newer European safety standards, assessed.
Some of the defeciencies identified in these methodologies lead to
Some of the deficiencies identified in these methodologies lead to
a wish list for a more ideal methodology.
%% What I have found
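Review bot: "lead to" in "Some of the deficiencies identified in these methodologies lead to" should be "led to", matching the past tense of "were examined"; the hunk only corrects the spelling of "deficiencies". The clause "in the context of newer European safety standards, assessed" also reads awkwardly; suggest "were examined and assessed in the context of newer European safety standards".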
@ -29,7 +29,7 @@ methodology is developed and proposed. The has been named Failure Mode Modular D
%% Sell it
%%
In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticallity Analysis (FMECA)
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticality Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and can guarantee to leave no component failure mode unhandled.
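Review bot: "Fault Mode Effects Analysis (FMEA)" expands the acronym differently from the rest of the paper, which uses "Failure Mode Effects Analysis" (see the \paragraph{note.} under the FMEA weaknesses); suggest "Failure Mode Effects Analysis" here. The hunk header context "The has been named Failure Mode Modular D..." is also missing its subject ("This has been named"). "can guarantee to leave no component failure mode unhandled" is a strong claim for an abstract; consider "is designed to ensure that no component failure mode is left unhandled" unless the guarantee is substantiated in the body.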
@ -47,7 +47,7 @@ incremental and rigorous approach.
%% What I have done
%%
The Four main static failure mode analysis methodologies were examined and
The four main static failure mode analysis methodologies were examined and
in the context of newer European safety standards, assessed.
Some of the defeciencies identified in these methodologies lead to
a wish list for a more ideal methodology.
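Review bot: "defeciencies" on the line "Some of the defeciencies identified in these methodologies lead to" is left misspelt in this copy, while the first copy of the same paragraph (the -13 hunk) corrects it to "deficiencies"; "lead to" should also be "led to" in both. The two copies of the abstract should be kept identical, or better, the duplicated text factored into one macro or \input so they cannot drift.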
@ -63,7 +63,7 @@ methodology is developed and proposed. The has been named Failure Mode Modular D
%% Sell it
%%
In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticallity Analysis (FMECA)
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticality Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and can guarantee to leave no component failure mode unhandled.
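Review bot: same points as for the -29 hunk: "Fault Mode Effects Analysis (FMEA)" should read "Failure Mode Effects Analysis (FMEA)", and the header context "The has been named" is missing "This". This block is a verbatim duplicate of that hunk; consider a single shared source for both copies.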
@ -78,7 +78,7 @@ It is also modular, meaning that the results of analysed components may be re-us
There are four methodologies in common use for failure mode modelling.
These are FTA, FMEA, FMECA
and FMEDA (a form of statistical assessment).
%
These methodologies date from the 1940's onwards, and were designed for
different application areas and reasons; all have drawbacks and
advantages that are discussed in the next section.
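Review bot: "1940's" should be "1940s" (a plural decade takes no apostrophe). Minor: "all have drawbacks and advantages that are discussed in the next section" would read more naturally as "advantages and drawbacks".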
@ -160,12 +160,12 @@ are held in a computer program, we can determine if the model is complete
%%- then from that determine how it will react with other components
%%- and how it will be affected
\subsection{General Comments on bottom-up and top down approaches}
\subsection{General comments on bottom-up and top down approaches}
\paragraph{A general defeciency in top-down systems analysis.}
With a top down approach the investigator has to determine
a set of undesirable outcomes or `accidents'.
As most accidents are unexpected and the causes unforseen \cite{safeware}
As most accidents are unexpected and the causes unforeseen \cite{safeware}
it is fair to say that a top down approach is not guaranteed to
predict all possible undesirable outcomes.
It also can miss known component failure modes, by
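Review bot: "defeciency" in "\paragraph{A general defeciency in top-down systems analysis.}" remains misspelt in the context line directly under the corrected heading; suggest "deficiency". The heading also writes "top down" unhyphenated beside "bottom-up", while the paragraph title below hyphenates "top-down"; suggest "bottom-up and top-down approaches" for consistency.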
@ -249,7 +249,7 @@ of missing component failure modes \cite{faa}[Ch.9].
FTA was invented for use on the minuteman nuclear defence missile
systems in the early 1960s and was not designed as a rigorous
fault/failure mode methodology.
It was designed to look for disasterous top level hazards and
It was designed to look for disastrous top level hazards and
determine how they could be caused.
It is more like a structure to
be applied when discussing the safety of a system, with a top down hierarchical
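Review bot: "minuteman" is a proper noun (the Minuteman missile programme) and should be capitalised. "top level hazards" and "top down hierarchical" in the surrounding lines should be hyphenated as "top-level" and "top-down" to match usage elsewhere in the file.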
@ -266,7 +266,7 @@ system level outcomes.
\subsubsection{ FTA weaknesses }
\begin{itemize}
\item Possibility to miss component failure modes
\item Possibility to miss environmetal affects.
\item Possibility to miss environmental affects.
\item No possibility to model base component level double failure modes.
\end{itemize}
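Review bot: "environmental affects" corrects the spelling but keeps the wrong word: the effect of the environment on a system is an "effect", and the parallel FMEA weakness list in the -289 hunk of this same commit is corrected to "environmental effects". Suggest "Possibility to miss environmental effects." here so the two lists match.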
@ -279,7 +279,7 @@ The investigation will typically point to a particular failure
of a component.
The methodology is now applied to find the significance of the failure.
Its is based on a simple equation where $S$ ranks the severity (or cost \cite{bfmea}) of the identified SYSTEM failure,
$O$ its occurance, and $D$ giving the failures detectability. Muliplying these
$O$ its occurrance, and $D$ giving the failures detectability. Muliplying these
together,
gives a risk probability number (RPN), given by $RPN = S \times O \times D$.
This gives in effect
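Review bot: "occurrance" is still misspelt; the correct spelling is "occurrence". The same sentence also carries "Muliplying" (should be "Multiplying"), "Its is based" (should be "It is based") and "the failures detectability" (should be "the failure's detectability"). Also check the expansion "risk probability number (RPN)": in the FMEA literature RPN is normally "risk priority number", which also fits the "prioritised `todo list'" reading in the next line of context.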
@ -289,12 +289,12 @@ a prioritised `todo list', with higher the $RPN$ values being the most urgent.
\subsubsection{ FMEA weaknesses }
\begin{itemize}
\item Possibility to miss the effects of failure modes at SYSTEM level.
\item Possibility to miss environemtal affects.
\item Possibility to miss environmental effects.
\item No possibility to model base component level double failure modes.
\end{itemize}
\paragraph{note.} FMEA is sometimes used in its literal sense, that is to say
failure Mode effects Analysis, simply looking at a systems internal failure
Failure Mode Effects analysis, simply looking at a systems internal failure
modes and determing what may happen as a result.
FMEA described in this section (\ref{pfmea}) is sometimes called `production FMEA'.
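Review bot: "determing" (should be "determining") and "a systems internal failure modes" (should be "a system's") remain in this paragraph after the capitalisation fix. The new line capitalises "Failure Mode Effects" but leaves "analysis" in lower case; suggest "Failure Mode Effects Analysis" as in the rest of the paper. "\paragraph{note.}" should probably be "\paragraph{Note.}".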
@ -306,7 +306,7 @@ and traces them to the SYSTEM level failures.
%
Reliability data for components is used to predict the
failure statistics in the design stage.
A openly published source for the reliability of generic
An openly published source for the reliability of generic
electronic components was published by the DOD
in 1991 (MIL HDK 1991 \cite{mil1991}) and is a typical
source for MTFF data.
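Review bot: "MTFF data" looks like a typo for "MTTF" (mean time to failure), the abbreviation used in the FMEDA spreadsheet description later in this file ("MTTF, safe/dangerous etc"). "DOD" is conventionally written "DoD". "A openly published source ... was published by the DOD" also repeats "published"; suggest "An openly available source ... was published by the DoD".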
@ -323,7 +323,9 @@ assigned a probability $\beta$ factor by the design engineer. The use of a $\be
is often justified using bayes theorem \cite{probstat}.
%Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
%
The results, as with FMEA are an $RPN$ number determining the significance of the SYSTEM fault.
The results of FMECA are similar to FMEA, in that component errors are
listed according to importance of fixing it to prevent the SYSTEM fault of given criticallity.
Again this essentially produces a prioritised todo list.
%%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA).
%%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or
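Review bot: "criticallity" in "SYSTEM fault of given criticallity" is misspelt here although the same word is corrected to "criticality" in the -29 and -63 hunks of this commit; "bayes theorem" should be "Bayes' theorem". The new sentence "component errors are listed according to importance of fixing it" mixes plural "errors" with singular "it"; suggest "listed according to the importance of fixing them to prevent a SYSTEM fault of a given criticality".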
@ -349,11 +351,13 @@ Failure Modes, Effects, and Diagnostic Analysis (FMEDA).
This is a process that takes all the components in a system,
and using the failure modes of those components, the investigating engineer
ties them to possible SYSTEM level events/failure modes.
%
This technique
evaluates a products statistical level of safety
taking into account its self-diagnostic ability.
The calculations and procedures for FMEDA are
described in EN61508 Part 2 Appendix C \cite{en61508}[Part 2 App C].
described in EN61508 %Part 2 Appendix C
\cite{en61508}[Part 2 App C].
The following gives an outline of the procedure.
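Review bot: the optional argument of \cite is placed after the key in "\cite{en61508}[Part 2 App C]" (and likewise "\cite{faa}[Ch.9]" in the header context of the -249 hunk); LaTeX expects "\cite[Part 2 App C]{en61508}", otherwise "[Part 2 App C]" is typeset as literal bracketed text after the citation. Commenting out "Part 2 Appendix C" in the running text therefore loses that detail from the output unless the citation is fixed. Also "a products statistical level of safety" should be "a product's".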
@ -362,11 +366,11 @@ FMEDA is a statistical analysis methodology is used from one of two perspectives
Probability of Failure on Demand (PFD), and Probability of Failure
in continuous Operation, or Failure in Time (FIT).
\paragraph{Failure in Time (FIT).} Continuous operation is measured in failures per billion ($10^9$) hours of operation.
For a continuously running nuclear powerstation
For a continuously running nuclear powerstation, industrial burner or aircraft engine
we would be interested in its operational FIT values.
\paragraph{Probability of Failure on Demand (PFD).} For instance with an anti-lock system in
automobile braking, we would be interested in PFD.
automobile braking, or other fail safe measure applied in an emergency, we would be interested in PFD.
That is to say the ratio of it failing
to succeeding on demand.
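Review bot: "the ratio of it failing to succeeding on demand" describes odds (failures to successes), not a probability; PFD, as named in the paragraph heading, is the probability that the function fails when it is demanded, i.e. failures per demand. Suggest "that is, the probability that it fails when called upon". Minor: "powerstation" should be "power station", "fail safe measure" should be "fail-safe measure", and "in continuous Operation" has a stray capital.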
@ -379,14 +383,14 @@ Each component is analysed in terms of how its failure
would affect the system.
Failure rates of individual components in the SYSTEM
are calculated based on component type and
environmental conditions.
environmental conditions. The SYSTEM errors are categorised as `safe' or `dangerous'.
%
%Statistical data exists for most component types \cite{mil1992}.
%
This phase is typically implemented on a spreadsheet
with rows representing each component. A typical component spreadshet row would
comprise of
component type, placing in the system, part number, environmental stress factors, MTTF etc.
component type, placing in the system, part number, environmental stress factors, MTTF, safe/dangerous etc.
%will be a determination of whether the component failing will lead to a `safe'
%or `unsafe' condition.
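Review bot: "comprise of" is ungrammatical; suggest "comprises" (or "consists of"). "spreadshet" in "A typical component spreadshet row" remains misspelt, and "placing in the system" should be "position in the system". The new sentence "The SYSTEM errors are categorised as `safe' or `dangerous'." is a good addition; the commented lines "%will be a determination of whether the component failing will lead to a `safe'" directly below now duplicate it and can be deleted.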
@ -397,7 +401,7 @@ components in an FMEDA spreadsheet.
%This is the sum of safe and unsafe
%failures.
\paragraph{Self Diagnostics}
\paragraph{Self Diagnostics.}
We next evaluate the SYSTEM's self-diagnostic ability.
%Each components failure modes and failure rate are now available.
@ -411,7 +415,7 @@ we can now now classify these in terms of safe and dangerous lambda values.
Detectable failure probabilities are labelled `$\lambda_D$' (for
dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}.
\paragraph{Determine Detectable and Undetecable Failures.}
\paragraph{Determine Detectable and Undetectable Failures.}
Each safe and dangerous failure mode is now
classified as detectable or un-detectable, this
is determined by the SYSTEMs
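Review bot: "Detectable failure probabilities are labelled `$\lambda_D$' (for dangerous) and `$\lambda_S$' (for safe)" contradicts the paragraph that follows, in which each safe and dangerous failure mode is only then classified as detectable or undetectable; $\lambda_D$ and $\lambda_S$ are the dangerous and safe failure rates irrespective of detection, so "Detectable" should be dropped from that sentence ("rates" rather than "probabilities" would also match the "lambda values" wording in the hunk header context). The citation key "\cite{EN61508}" differs in case from "\cite{en61508}" used in the FMEDA introduction; BibTeX keys are case-sensitive, so one of the two will produce an undefined citation. "un-detectable" should match "Undetectable" in the corrected heading, and "SYSTEMs" should be "SYSTEM's".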
@ -494,7 +498,7 @@ There are four SIL levels, from 1 to 4 with 4 being the highest safety level.
In addition to probablistic risk factors, the
diagnostic coverage and SFF
have threshold bands beoming stricter for each level.
Demanded software techniques and constraints
Demanded software verification and specification techniques and constraints (such as language sub-sets, s/w redundancy etc)
become stricter for each SIL level.
Thus FMEDA uses statistical methods to determine
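Review bot: "probablistic" (should be "probabilistic") and "beoming" (should be "becoming") are left uncorrected in the context lines around the change. "s/w" in the new line is an informal abbreviation; suggest "software redundancy", and "language sub-sets" is usually written "language subsets".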
@ -524,7 +528,7 @@ sub-systems are meaningless, and the nearest equivalent would be the FIT/PFD and
\subsubsection{FMEDA and failure outcome prediction accuracy.}
This suffers from the same problems of
FMEDA suffers from the same problems of
lack of component failure mode outcome prediction accuracy, as FMEA in section \ref{pfmea}.
%
This is because the analyst has to decide how particular components failing will impact on the SYSTEM or top level.
@ -645,17 +649,17 @@ this methodology must start at the bottom, with base component failure modes.
In this way automated checking can be applied to all component failure modes
to ensure none have been inadvertently excluded from the process.
\paragraph{Problem with functional group hierarchy.}
\paragraph{Problems with functional group hierarchy.}
A hierarchy of functional grouping, leading to a system model
still leaves us with the problem of the number of component failure modes.
The base components will typically have several failure modes each.
%
Given a typical embedded system may have hundreds of components
This means that we have to tie base component failure modes
This means that we would still have to tie base component failure modes
to SYSTEM level errors. This is the `possibility to miss failure mode effects
at SYSTEM level' criticism of the FTA, FMEDA and FMECA methodologies.
\paragraph{Design Decision: Methodolgy must reduce and collate errors at each functional group stage.}
\paragraph{Design Decision: Methodology must reduce and collate errors at each functional group stage.}
SYSTEMS typically have far fewer failure modes than the sum of their component failure modes.
SYSTEM level failures may be caused by a variety of component failure modes.
A SYSTEM level failure mode is an abstracted failure mode, in that
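Review bot: "Given a typical embedded system may have hundreds of components" is a sentence fragment with no main clause; the rewritten line that follows ("This means that we would still have to tie...") should be joined to it, e.g. "Given that a typical embedded system may have hundreds of components, we would still have to tie base component failure modes to SYSTEM level errors." Also, the criticism quoted here, "possibility to miss failure mode effects at SYSTEM level", is attributed to "the FTA, FMEDA and FMECA methodologies", but in the weakness lists earlier in this file it appears under FMEA ("Possibility to miss the effects of failure modes at SYSTEM level") and is absent from the FTA list; check which methodologies are meant.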
@ -693,24 +697,34 @@ It would be better to analyse the failure mode behaviour of each
functional group, and determine the ways in which it, rather than its
components, can fail.
%
By doing this, the natural process whereby symptoms of the {\fg},
which can potentially be caused by more then one
component failure mode, become the target for reducing the number
By doing this, the natural process whereby symptoms of the {\fg}
(which can potentially be caused by more then one component failure mode)
are extracted.
%
The number of symptoms will be less than or equal to the number
component failure modes, and in practise will be much less.
%
The symptoms thus become the objects used to reduce the number
of failure modes to handle as we traverse up the hierarchy.
\paragraph{Component failures and {\fg} failure symptoms.}
In other words we want to find out what the symptoms of the failures in the {\fg}s
are.
The number of symptoms of failure should be equal to or
less than the number of component failure modes, simply because
often there are several potential causes of failure symptoms.
%The number of symptoms of failure should be equal to or
%less than the number of component failure modes, simply because
%often there are several potential causes of failure symptoms.
%
When we have the symptoms, we can start thinking of the {\fg} as a component in its own right.
%with a simplified and reduced set of failure symptoms.
%
We can now create a new {\dc}, where its failure modes
are the failure symptoms of the {\fg}.
%
By taking {\dcs} to form higher level functional groups
we can build a bottom-up model incrementally.
In this way as we build the hierarchy, we naturally abstract the
failure mode behaviour, but can check that all failure modes in
the hierarchy have been considered and tied to causing symptoms.
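Review bot: the rewritten sentence "By doing this, the natural process whereby symptoms of the {\fg} (which can potentially be caused by more then one component failure mode) are extracted." still has no main verb for "process"; suggest "By doing this, the symptoms of the {\fg} (each of which may be caused by more than one component failure mode) are extracted naturally." "more then one" should be "more than one", "the number component failure modes" is missing "of", and "in practise" should be "in practice" (noun form).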
@ -784,7 +798,7 @@ Secondly we can say that no component may be derived from itself.
Because common symptoms are being collected, as we build the tree up-ward
the number of failure modes decreases (or exceptionally stays the same) at each level.
%
This decreasing of the number of failure modes is bourne out {\irl}.
This decreasing of the number of failure modes is borne out {\irl}.
Of the thousands of component failure modes in a typical product
there are generally only a handful of SYSTEM level failure modes
(or top level `symptoms' of underlying failures).
@ -795,14 +809,15 @@ there are generally only a handful of SYSTEM level failure modes
FMMD builds {\fg}s of components from the bottom-up.
The lowest level of components are termed base components.
These are the initial building blocks.
In Electronics these would be the individual
In electronics these would be the individual
passive and active components on the parts~list.
In mechanics the the levers springs cogs etc.
In mechanics the levers, linkages, springs and cogs etc.
%
Functional groups are collections of components
that work together to perform a simple function.
%
We can perform a failure mode effects analysis on each of the component failure
modes within the {\fg}. We can thus ensure that all component failure modes
modes within a {\fg}. Because we can implemnent the process in software we can thus ensure that all component failure modes
are covered.
%
We can then treat the {\fg} as a `black box' or component in its own right.
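Review bot: "implemnent" is introduced on the new line; should be "implement". With the new causal clause the sentence reads "Because we can implement the process in software we can thus ensure..."; drop "thus" (or "Because") to avoid the double connective, and a comma is needed after "software".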
@ -847,13 +862,15 @@ create higher level {\fg}s in later stages.
% \vspace{20pt}
\subsection{Environmental Conditoions, Operational States and FMMD}
\subsection{Environmental Conditions, Operational States and FMMD}
Any real world sub-system will exist in a variable environment and may have several modes of operation.
In order to find all possible failures, the sub-system must be analysed for each operational state
and environment condition that can affect it.
Two design decision are required here, which objects should we
%
Two design decisions are required here, which objects should we
analyse the environment and operational states with respect to.
we have three objects in our model that these considerations could be applied to.
We could apply these conditions for analysis
to the functional group, the components, or the derived
component.
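Review bot: "Two design decisions are required here, which objects should we analyse the environment and operational states with respect to." runs an indirect question into a statement, and the next line starts in lower case ("we have three objects"). Suggest: "A design decision is required here: which objects should the environmental conditions and operational states be analysed with respect to? We have three objects in our model that these considerations could be applied to." Note also that the text announces two decisions but poses only one question; the operational-states decision is taken under the later \paragraph{Operational States and FMMD.}, so either say so here or count the decisions consistently.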
@ -861,9 +878,9 @@ component.
\paragraph {Environmental Conditions and FMMD.}
Environmental conditions are external to the
{\fg} and are often things that the system has no direct control over.
Consider ambient temperature, pressure or even electrical interferrence levels.
{\fg} and are often things the system has no direct control over.
Consider ambient temperature, pressure or even electrical interference levels.
%
Environmental conditions may affect different components in a {\fg}
in different ways.
@ -872,19 +889,20 @@ For instance a system may be specified for
may show failure behaviour between 60 and 85
\footnote{Opto-islolators typically show marked performace decrease after
60oC whereas another common component, the resistor will be unaffected.}.
Other components may operate comfortably within that whole temperature range specified.
Environmental conditions will have an effect on the {\fg} and the {\dc}
but they will have specific effects on individual components.
\paragraph{Design Decision.}
Environmental constraints will be applied to components.
A component will hold a set of Environmental states that
A component will hold a set of environmental states that
affect it.
Environmental conditions will apply SYSTEM wide,
but may only affect specific components.
%Some may not be required for consideration
%for the analysis of particular systems.
\paragraph {Operational States and FMMD}
\paragraph {Operational States and FMMD.}
Sub-systems may have specific operational states.
These could be a general health level such as
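Review bot: the footnote in the context lines still has "Opto-islolators" (should be "Opto-isolators") and "performace" (should be "performance"), and "60oC" should be typeset as 60\,$^{\circ}$C (or with a \celsius macro); "between 60 and 85" on the line above likewise lacks its unit. Under \paragraph{Design Decision.}, "Environmental constraints will be applied to components" is the first use of "constraints" for what the rest of the section calls "conditions"; suggest keeping one term.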
@ -947,7 +965,7 @@ component level failure modes. This provides causation trees \cite{sccs} or, min
for all SYSTEM failure modes.
\subsubsection{ It should be capable of producing reliability and danger evaluation statistics.}
The Minimal cuts sets for the SYSTEM level failures can have computed MTTF
The minimal cuts sets for the SYSTEM level failures can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.
\subsubsection{ It should be easy to use, ideally using a graphical syntax (as oppossed to a formal mathematical one).}
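Review bot: "cuts sets" should be "cut sets" in the capitalisation fix ("The minimal cut sets"), "\cite {mil1991}" has a stray space before the brace, and "oppossed" in the next \subsubsection heading should be "opposed". "can have computed MTTF" would read more naturally as "can have MTTF and danger evaluation statistics computed".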
@ -994,6 +1012,6 @@ chosing {\fg}s and working bottom-up this hierarchical trait will occur as a nat
This paper provides the background for the need for a new methodology for
static analysis that can span the mechanical electrical and software domains
using a common notation.
The author believes it addresses mant short comings in current static failure mode analysis methodologies.
The author believes it addresses many short comings in current static failure mode analysis methodologies.
\vspace{60pt}
\today
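Review bot: "short comings" should be "shortcomings", and "the mechanical electrical and software domains" needs commas ("mechanical, electrical and software"). "chosing" in the hunk header context should be "choosing". "\vspace{60pt}" before "\today" is a hard-coded gap; now that the date is printed in the fancyhdr footer added in the other file, this trailing \today (and the \vspace) may be redundant.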

View File

@ -6,6 +6,8 @@
\usepackage{amsfonts,amsmath,amsthm}
\input{../style}
\usepackage{ifthen}
\usepackage{lastpage}
\newboolean{paper}
\setboolean{paper}{true} % boolvar=true or false
@ -14,13 +16,21 @@
\begin{document}
\pagestyle{fancy}
\fancyhf{}
%\renewcommand{\chaptermark}[1]{\markboth{ \emph{#1}}{}}
\fancyhead[LO]{}
\fancyhead[RE]{\leftmark}
%\fancyfoot[LE,RO]{\thepage}
\cfoot{Page \thepage\ of \pageref{LastPage}}
\rfoot{\today}
\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology}
%\outerhead{{\small\bf Statistical Basis for Current Static Analysis Methodologies}}
%\outerhead{{\small\bf Developing a rigorous bottom-up modular static failure mode modelling methodology}}
%\innerfoot{{\small\bf R.P. Clark } }
% numbers at outer edges
\pagenumbering{arabic} % Arabic page numbers hereafter
\author{R.P.Clark}
\title{Developing A rigorous bottom-up modular static failure mode modelling methodology}
\title{Developing a rigorous bottom-up modular static failure mode modelling methodology}
\maketitle
\input{fmmd_concept_paper}
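Review bot: "\lhead{Developing a rigorous ...}" sets the left header on both odd and even pages, so the "\fancyhead[LO]{}" line above it is now overridden and can be removed; on even pages the long title will also share the header line with "\fancyhead[RE]{\leftmark}", so check that it fits (a \small wrapper or a shortened running title would help). "\cfoot{Page \thepage\ of \pageref{LastPage}}" relies on the \usepackage{lastpage} added in the previous hunk, which is consistent. "\author{R.P.Clark}" is missing the space before the surname.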

View File

@ -7,6 +7,7 @@
\usepackage{amsfonts,amsmath,amsthm}
\usepackage{algorithm}
\usepackage{algorithmic}
\usepackage{lastpage}
%% fix for hyperref bug in algorithm package
\newcommand{\theHalgorithm}{\thechapter.\arabic{algorithm}}
@ -17,18 +18,20 @@
\usepackage{hyperref}
\begin{document}
\pagestyle{fancy}
\fancyhf{}
\cfoot{Page \thepage}
\input{titlepage/titlepage}
\clearpage
\rhead{{\small\bf Failure Mode Modular De-Composition}}
\rfoot{{\small\bf PhD Thesis : R.P. Clark } }
%\rhead{{\small\bf Failure Mode Modular De-Composition}}
%\rfoot{{\small\bf PhD Thesis : R.P. Clark } }
% Contents
% --------
\cfoot{Page \thepage} % Contents page numbers centred
%\cfoot{Page \thepage} % Contents page numbers centred
\clearpage
%\input{colophon/colophon}
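Review bot: after this change "\cfoot{Page \thepage}" on the line before "\input{titlepage/titlepage}" is the only active footer, and it is set before the title page is input, so the title page will carry a "Page 1" footer unless the title page file sets \thispagestyle{empty} itself; consider moving that \cfoot after the \clearpage. The three commented-out \rhead/\rfoot/\cfoot lines are dead once the new footers are defined in the -49 hunk; prefer deleting them to commenting them out, since the history is in git.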
@ -49,7 +52,11 @@
%\middlefoot{ } \outerfoot{{Page \bf\thepage}} % Body of manual has bolded page
% numbers at outer edges
\pagenumbering{arabic} % Arabic page numbers hereafter
\cfoot{Page \thepage\ of \pageref{LastPage}}
\lfoot{Brighton University 2011}
\rfoot{R.P.Clark \today}
\lhead{Failure Mode Modular De-Composition}
\rhead{PhD Thesis}
%\begin{document}
\typeout{>>--------------------->> introduction}
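Review bot: "\lfoot{Brighton University 2011}" hard-codes a year while "\rfoot{R.P.Clark \today}" on the next line prints the compile date (2010 at this commit), so the footer will show two different years; define the submission year once (e.g. a \thesisyear macro) and use it in both places. The stray "%\begin{document}" comment below the new headers can go. "\cfoot{Page \thepage\ of \pageref{LastPage}}" matches the \usepackage{lastpage} added at the top of this file.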