robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Night time edit

Browse Source
This commit is contained in:
Robin Clark 2011-06-20 21:50:13 +01:00
parent ae4f384f06
commit ce15cb51bd
1 changed files with 49 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
fmmd_concept/System_safety_2011/submission.tex
View File

@ -80,27 +80,30 @@ It has a common notation for mechanical, electronic and software domains and is
These properties provide advantages in rigour and efficiency when compared to current methodologies. These properties provide advantages in rigour and efficiency when compared to current methodologies.
} }
\section{Introduction} \paragraph{Introduction}
{
This paper describes and criticises the four current failure mode methodologies, This paper describes and appraises four current failure mode methodologies.
discusses their advantages and deficiencies and defines a desirable criteria list Their advantages and deficiencies are discussed and a desirable criteria list
for an ideal static failure mode methodology. for an `ideal' static failure mode methodology is developed.
A new proposed A new proposed
methodology is then described and discussed. A worked example is then provided, which models the failure mode methodology is then described.% and discussed.
behaviour of a non inverting op-amp. A worked example is then presented, using the new methodology, which models the failure mode
Using the worked example the new methodology is evaluated. behaviour of a non inverting op-amp circuit.
Using the worked example the new methodology is evaluated.
Finally the desirable criteria list is presented as a check box table alongside
the four current methodologies.
}
\paragraph{Current methodologies} \paragraph{Current methodologies}
We briefly analyse the four current methodologies. We briefly analyse four current methodologies.
Comprehensive overviews of these methodologies maybe found Comprehensive overviews of these methodologies maybe found
in ~\cite{safeware,sccs}. in ~\cite{safeware,sccs}.
\paragraph{Fault Tree Analysis (FTA)} \paragraph{Fault Tree Analysis (FTA)}
FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for
each undesirable top level failure, presenting the conditions that must arise to cause each undesirable top level failure/event, presenting the conditions that must arise to cause
the event. the event.
% %
It is suitable for large complicated systems with few undesirable top It is suitable for large complicated systems with few undesirable top
@ -117,18 +120,19 @@ and there is no facility to cross check between diagrams. It has limited
support for environmental and operational states. support for environmental and operational states.
\paragraph{Fault Mode Effects Analysis FMEA)} is used principally in manufacturing. \paragraph{Fault Mode Effects Analysis (FMEA)} is used principally to determine system reliability.
It is bottom up and starts with component failure modes, which It is bottom up and starts with component failure modes, which
lead to top level failure/events. lead to top level failure/events.
Each top level failure is assessed by its cost to repair and its estimated frequency.%, using a Each top level failure is assessed by its cost to repair (or perceived criticality) and its estimated frequency. %, using a
%failure mode ratio. %failure mode ratio.
A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated. A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated.
It is easy to identify single component failure to system failure scenarios It is easy to identify single component failure to system failure scenarios
and an estimate of product reliability can be calculated. and an estimate of product reliability can be calculated.
%This can be viewed as a prioritised `to~fix' list.
% %
It cannot focus on It cannot focus on complex
component interactions that cause system failure modes or determine potential component interactions that cause system failure modes or determine potential
problems from simultaneous failure modes. It does not consider environmental problems from simultaneous failure modes. It does not consider changing environmental
or operational states in sub-systems or components. It cannot model or operational states in sub-systems or components. It cannot model
self-checking safety elements or other in-built safety features or self-checking safety elements or other in-built safety features or
analyse how particular components may fail. analyse how particular components may fail.
@ -309,9 +313,11 @@ for its results, such as error causation trees.%, reliability and safety statis
\section{The proposed Methodology} \section{The proposed Methodology}
\label{fmmdproc} \label{fmmdproc}
Any new static failure mode methodology must ensure that it % Any new static failure mode methodology must ensure that it
represents all component failure modes and it therefore should be bottom-up, % represents all component failure modes and it therefore should be bottom-up,
starting with individual component failure modes. % starting with individual component failure modes.
To ensure all component failure modes are represented the new methodology must be bottom-up.
%
This seems essential to satisfy criteria 2. This seems essential to satisfy criteria 2.
The proposed methodology is therefore a bottom-up process The proposed methodology is therefore a bottom-up process
starting with base~components. starting with base~components.
@ -321,7 +327,7 @@ mechanical, electronic or software components,
criteria 3 is satisfied. criteria 3 is satisfied.
% %
In order to address the state explosion problem, the process must be modular In order to address the state explosion problem, the process must be modular
and deal with small groups of components at a time, should address criteria 1. and deal with small groups of components at a time, this should address criteria 1.
In the proposed methodology components are collected into functional groups In the proposed methodology components are collected into functional groups
and each component failure mode (and optionally combinations) are considered in the and each component failure mode (and optionally combinations) are considered in the
context of the {\fg}. context of the {\fg}.
@ -332,11 +338,11 @@ there will be a corresponding resultant failure, from the perspective of the {\f
% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE % MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
% %
From the perspective of the {\fg} failures of components will be symptoms. From the perspective of the {\fg} failures of components will be symptoms.
It is proposed that many symptoms will be common. That is to say It is conjectured that many symptoms will be common. That is to say
that component failure modes, will often cause the same symptoms of failure that component failure modes, will often cause the same symptoms of failure
from the perspective of a {\fg}. from the perspective of a {\fg}.
% %
A common symptom collection stage is then applied. Here common symptoms are collected A common symptom collection stage is now applied. Here common symptoms are collected
from the results of the test~cases. Because optional combinations of failures are possible, from the results of the test~cases. Because optional combinations of failures are possible,
multiple failures can be modelled, satisfying criteria 6. multiple failures can be modelled, satisfying criteria 6.
% %
@ -477,9 +483,9 @@ in the potential divider, shown in figure \ref{fig:fg1}.
\ifthenelse {\boolean{dag}} \ifthenelse {\boolean{dag}}
{ {
Modelling this as a functional group, we can draw this as a directed graph Modelling this as a functional group, we can draw a directed graph
failure modes, taken from the components R1 and R2, of failure modes, starting from the components R1 and R2,
in the potential divider, shown in figure \ref{fig:fg1dag}. in the potential divider, as shown in figure \ref{fig:fg1dag}.
\begin{figure} \begin{figure}
\centering \centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep] \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
@ -525,7 +531,7 @@ in the potential divider, shown in figure \ref{fig:fg1dag}.
{ {
} }
We can now look at each of these base component failure modes, We shall now look at each of these base component failure modes,
and determine how they will affect the operation of the potential divider. and determine how they will affect the operation of the potential divider.
%Each failure mode scenario we look at will be given a test case number, %Each failure mode scenario we look at will be given a test case number,
%which is represented on the diagram, with an asterisk marking %which is represented on the diagram, with an asterisk marking
@ -559,7 +565,7 @@ on the potential dividers' operation. For instance
were the resistor $R_1$ to go open, the circuit would not be grounded and the were the resistor $R_1$ to go open, the circuit would not be grounded and the
voltage output from it would be high (+ve). voltage output from it would be high (+ve).
This would mean the symptom of the failed potential divider, would be that it This would mean the symptom of the failed potential divider, would be that it
gives an output high voltage reading.%We can now consider the {\fg} gives a high voltage output.%We can now consider the {\fg}
%as a component in its own right, and its symptoms as its failure modes. %as a component in its own right, and its symptoms as its failure modes.
From table \ref{pdfmea} we can see that resistor From table \ref{pdfmea} we can see that resistor
@ -672,8 +678,8 @@ We can use the symbol $\bowtie$ to represent taking the analysed
\ifthenelse {\boolean{dag}} \ifthenelse {\boolean{dag}}
{ {
We can now represent the potential divider as a {\dc}. We can now represent the potential divider as a {\dc}.
Because we have its symptoms or failure mode behaviour, Because we have its symptoms (or failure mode behaviour),
we can treat these as the failure modes of a a new {\dc}. we can treat these as the failure modes of a new {\dc}.
We can represent this as a DAG (see figure \ref{fig:dc1dag}). We can represent this as a DAG (see figure \ref{fig:dc1dag}).
\begin{figure}[h+] \begin{figure}[h+]
@ -700,8 +706,10 @@ We can represent this as a DAG (see figure \ref{fig:dc1dag}).
} }
Because the derived component is defined by its failure modes and The derived component is defined by its failure modes and
the functional group used to derive it, we can use it the functional group used to derive it.
%We can consider this an an orthogonal WHAT???? Group ???? Collection ????
We now have a {\dc} model for a generic potential divider, and can use it
as a building block for other {\fgs} in the same way as we used the base components $R1$ and $R2$. as a building block for other {\fgs} in the same way as we used the base components $R1$ and $R2$.
%\clearpage %\clearpage
@ -765,9 +773,9 @@ We can represent these failure modes on a DAG (see figure~\ref{fig:op1dag}).
%\clearpage %\clearpage
\paragraph{Modelling the OP amp with the potential divider.} \paragraph{Modelling the OP amp with the potential divider.}
We can now consider bringing the OP amp and the potential divider components to We can now consider merging the OP amp and the potential divider, to
form a {\fg} to represent the non inverting amplifier. We have the failure modes of the {\fg} for the potential divider, form a {\fg} to represent the non inverting amplifier. We have the failure modes of the {\dc} for the potential divider,
so we do not need to go back and consider the individual resistor failure modes that define its behaviour. so we do not need to go back and consider the individual resistor failure modes that defined its behaviour.
\ifthenelse {\boolean{pld}} \ifthenelse {\boolean{pld}}
{ {
We can make a new functional group to represent the amplifier, by bringing the component \textbf{opamp} We can make a new functional group to represent the amplifier, by bringing the component \textbf{opamp}
@ -1078,9 +1086,9 @@ base component failures from eight to three failure symptoms.
% %
In general, In general,
because symptoms are collected, we can state because symptoms are collected, we can state
the the number of failure symptoms for a {\fg} will be less then or equal to the number the the number of failure symptoms for a {\fg} will be less than or equal to the number
of component failures. In practise the number of symptoms is usually around half the of component failures. In practise the number of symptoms is usually around half the
number of component failure modes, at each stage of FMMD analysis. number of component failure modes, for each stage of FMMD analysis.
@ -1127,9 +1135,9 @@ This allows causation trees \cite{sccs} or, minimal cut sets~\cite{nasafta}[Ch.1
to be determined by traversing the DAG from top level events down to their causes. to be determined by traversing the DAG from top level events down to their causes.
\item{ It should be capable of producing reliability and danger evaluation statistics.} % \item{ It should be capable of producing reliability and danger evaluation statistics.}
The minimal cuts sets for the SYSTEM level failures can have computed MTTF % The minimal cuts sets for the SYSTEM level failures can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics~\cite{fmd91,mil1991}. % and danger evaluation statistics sourced from the component failure mode statistics~\cite{fmd91,mil1991}.
% \item{ It should be easy to use, ideally % \item{ It should be easy to use, ideally
% using a graphical syntax (as opposed to a formal mathematical one).} % using a graphical syntax (as opposed to a formal mathematical one).}
@ -1174,7 +1182,9 @@ FMMD is based on generic failure modes, so it is not constrained to a
particular field. It can be applied to mechanical, electrical or software domains. particular field. It can be applied to mechanical, electrical or software domains.
It can therefore be used to analyse systems comprised of electrical, It can therefore be used to analyse systems comprised of electrical,
mechanical and software elements in one integrated model. mechanical and software elements in one integrated model.
Furthermore the reasoning path is traceable. By being able to trace a
top level event down through derived components, to base component
failure modes, with each step annotated as test cases, the model is easier to maintain.
{ %\tiny { %\tiny
\begin{table}[ht] \begin{table}[ht]