edits in the morning
This commit is contained in:
parent
f9827aeee1
commit
cc2fd46219
@ -129,10 +129,11 @@ at a higher abstraction level.
\subsubsection{An algebraic notation for identifying FMMD enitities}
Each component $C$ is a set of failure modes for the component.
We can define a function $\mathcal FM$ that returns the
We can define a function $FM$ that returns the
set of failure modes $S$ for the component.
$$ \mathcal{FM}(C) \rightarrow S $$
%$$ \mathcal{FM}(C) \rightarrow S $$
$$ {FM}(C) \rightarrow S $$
We can indicate the abstraction level of a component by using a superscript.
Thus for the component $C$, where it is a `base component' we can asign it
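Review bot: replacing `\mathcal{FM}` with `{FM}` leaves the function name set in math italic (`$FM$` typesets as the product of two variables F and M), so the notation loses the visual distinction the calligraphic form gave it; prefer `\mathrm{FM}` or `\operatorname{FM}`, ideally behind a macro such as `\newcommand{\FM}{\mathrm{FM}}` so the next renaming is a one-line change instead of a hand edit in every hunk. The braces in `$$ {FM}(C) \rightarrow S $$` are redundant, and the superseded `%$$ \mathcal{FM}(C) \rightarrow S $$` should be deleted rather than left commented out, since the version history already records it. While on these lines: `enitities` in the `\subsubsection` title and `asign` in the last context line are typos.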
@ -182,11 +183,11 @@ $$ \bowtie( FG^0_1 ) = C^1_1 $$
to look at this analysis process in more detail.
By way of exqample applying $\mathcal{FM}$ to obtain the failure modes $f_N$
By way of exqample applying ${FM}$ to obtain the failure modes $f_N$
$$ \mathcal{FM}(C^0_1) = \{ f_1, f_2 \} $$
$$ \mathcal{FM}(C^0_2) = \{ f_3, f_4, f_5 \} $$
$$ {FM}(C^0_1) = \{ f_1, f_2 \} $$
$$ {FM}(C^0_2) = \{ f_3, f_4, f_5 \} $$
The analyst now considers failure modes $f_{1..5}$ in the context of the functional group.
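Review bot: the edited line `By way of exqample applying ${FM}$ to obtain the failure modes $f_N$` carries the typo `exqample` over from the line it replaces; since the line is being touched anyway, fix it to `example` here. The same remark as on the first hunk applies to `{FM}` in the two displayed equations (use `\mathrm{FM}` or a macro). Minor: the lead sentence writes the failure modes as `$f_N$` while the context line that follows writes `$f_{1..5}$` for the same five modes; pick one form, and note that `..` inside math mode is two periods, not an ellipsis, so `$f_1, \ldots, f_5$` is the correct spelling.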
@ -196,7 +197,7 @@ We can now create a derived component $C^1_1$ with this set of failure modes.
Thus:
$$ \mathcal{FM}(C^1_1) = \{ f_6, f_7, f_8 \} $$
$$ {FM}(C^1_1) = \{ f_6, f_7, f_8 \} $$
We can represent this analysis process in a diagram see figure \ref{fig:onestage}
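Review bot: this third hand-edit of `\mathcal{FM}` to `{FM}` (here for the derived component `$C^1_1$`) is the kind of change that should be verified with a search for any remaining `\mathcal{FM}` or brace-less `\mathcal FM` (the form the first hunk's old prose line used) before merging, and it is the strongest argument for introducing a `\FM` macro. The trailing context line is missing punctuation: `We can represent this analysis process in a diagram, see figure~\ref{fig:onestage}.` (the tie `~` keeps the figure number from being separated from the word "figure" at a line break).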
@ -452,8 +453,36 @@ simply be given a different index number and re-used.
\subsection{ Multi Channel Safety Critical Systems }
Where a system has several independent parallel tasks, each one can be a separate hierarchy.
It is common in safety critical systems to use redundancy.
Two or sometimes three control systems will be assigned to the same process.
An arbittraion system, the arbiter, will decide which channel may control
the equipment.
Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.
The FMMD trees for the channels can converge
up to a top hierarchy representing the arbiter (which is the sub-system that decides which control channels are valid).
This is commponly referred to as a multi-channel safety critical system.
Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two).
The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD)
can detect and switch control within on processor instruction. Should a hardware error
be detected,\footnote{or in a test plant environment more likely someone coming along and `borrowing' a cpu board from
your working exchange} the processor will side to the redundant side without breaking any telephone calls
or any being set up. An alarm will be raised to inform that this has happened, but the impact to
the 1oo2 system, is a one micro-processor instruction delay to the entire process.
The premise here is that the arbiter should be able to determine which
of the two control channels is faulty and use the data/allow control from the non-faulty one.
1oo3 systems are common in highly critical systems.
\paragraph{Fault mode mode of interfaces}
An advantage with FMMD in this case is that the interface between the channels and the
safety arbiter is not only defined functionally but as a failure model as well.
Thus failures in the interfacing between the safety arbiter and the
each channel is modelled.
\paragraph{re-use of FMMD analysis}
Note that we can reuse the results from analysing one channel to model them all.
Identical channels will have the same high level failure modes.
% \small
% \bibliography{vmgbibliography,mybib}
% \normalsize
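Review bot: the new subsection states its premise twice: `Where a system has several independent parallel tasks, each one can be a separate hierarchy.` opens it, and `Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.` repeats it a few lines later after the arbiter has been introduced; keep only the second, more precise, sentence. Typos and grammar in the added text: `arbittraion` (arbitration), `commponly` (commonly), `within on processor instruction` (one), `the processor will side to the redundant side` (switch to), `the 1oo2 system, is` (drop the comma), `Fault mode mode of interfaces` (doubled word), and `failures in the interfacing between the safety arbiter and the each channel is modelled` (should read `between the safety arbiter and each channel are modelled`). The Ericsson AXE / AMD claims (switch-over within one instruction, no calls dropped) carry no `\cite`; add a reference or state them as the author's own observation, and the `1oo2`/`1oo3` notation should cite the standard that defines the MooN architectures (IEC 61508 uses this notation). Style: `\subsection{ Multi Channel Safety Critical Systems }` has stray spaces inside the braces and the two `\paragraph` titles are lower-case while the subsection is title-case; and the commented-out `% \bibliography{vmgbibliography,mybib}` block now sits in the middle of the body text, where it will mislead anyone looking for the real bibliography call, so delete it or move it to the end of the file.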
@ -501,9 +501,9 @@ It has three SMG's Q,R and P. Thus there are three ways in which this functional
\vspace{0.3cm}
\begin{tabular}{||c|c|l||} \hline \hline
{\em $SMG$ } & {\em Failure Mode equation } & {\em comments } \\ \hline
Q & $(a)$ & T \\ \hline
P & $(b \oplus c)$ & T \\ \hline
R & $(b \wedge c)$ & F \\ \hline
Q & $(a)$ & Symptom Q is active when fault mode `a` is \\ \hline
P & $(b \wedge c)$ & Symptom P is active when `$b \wedge a$' is \\ \hline
R & $(b \oplus c)$ & Symptom R is active when either `b' or `c' is \\ \hline
% T & T & T \\ \hline \hline
\end{tabular}
\vspace{0.3cm}
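Review bot: the new P row contradicts itself: its equation column reads `$(b \wedge c)$` while its comment reads `Symptom P is active when `$b \wedge a$' is`, so one of `a`/`c` is wrong. The hunk also swaps the equations of P and R relative to the rows it replaces (old: `P & $(b \oplus c)$`, `R & $(b \wedge c)$`; new: `P & $(b \wedge c)$`, `R & $(b \oplus c)$`), and the surrounding text that discusses the three SMGs should be checked against whichever assignment is intended. Quoting is inconsistent: `` `a` `` uses two opening quotes, which LaTeX renders as two opening quotation marks, whereas `` `b' `` and `` `c' `` are correct; and all three comments stop short (`is active when fault mode `a` is` ... is what?), so finish them, e.g. `is active when fault mode `a' is active`. Finally the old T/F column is gone but the dead row `% T & T & T \\ \hline \hline` remains; delete it.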
@ -831,8 +831,7 @@ volcanic ash intake, affecting all engines.
Obviously the symptom of this multiple failure would be loss of propulsion and more importantly
the loss of ability to maintain altitude.
% and maybe even the APU !
The test case AFE provides the system modeller to introduce this
possibility into the design.
The test case AFE represents the condition where all four engines have failed.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg}
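Review bot: `The test case AFE provides the system modeller to introduce this possibility into the design.` is ungrammatical (`provides ... with a way to introduce`), so if it is the sentence that survives this hunk it still needs fixing; the one-line replacement `The test case AFE represents the condition where all four engines have failed.` is clearer but should tie the test case to the figure that follows (a `\ref` once the figure has a `\label`, which is not visible in these lines). On the figure: `\includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]` hard-codes a bounding box for a JPEG whose natural size the graphics driver normally reads from the file; a stale `bb=` will mis-scale or clip the picture if the image is later re-exported at a different size, so drop it unless the build route actually requires it, and `width=400pt` is wider than most text blocks (`width=\textwidth` is the usual choice). `\begin{figure}[h]` alone is silently promoted to `[ht]` by LaTeX; write `[ht]` explicitly. In the context lines, `Obviously` adds nothing to the statement of the symptom and can go.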