First stab at introduction chapter
This commit is contained in:
Robin Clark
parent
8cb5124c28
commit
d1e0a1ced2
15
mybib.bib
15
mybib.bib
@ -62,6 +62,21 @@ ISSN={Doi:10.1145/2330667.2330683},}
|
||||
YEAR = "2003"
|
||||
}
|
||||
|
||||
@BOOK{echoesofwar,
|
||||
AUTHOR = "Bernard Lovell",
|
||||
TITLE = "Echoes of War: The story of H2S RADAR ",
|
||||
PUBLISHER = " Adam Hilger: ISBN 0750301309",
|
||||
YEAR = "1991"
|
||||
}
|
||||
|
||||
@BOOK{boffin,
|
||||
AUTHOR = "R Hanbury Brown",
|
||||
TITLE = "Boffin: A Personal Story of the Early Days of Radar, Radio Astronomy and Quantum Optics:
|
||||
Personal Story of the Early Days of Radar and Radio Astronomy and Quantum Optics ",
|
||||
PUBLISHER = " Adam Hilger: ISBN 0-85274-317-3",
|
||||
YEAR = "1991"
|
||||
}
|
||||
|
||||
|
||||
@BOOK{dmfnt,
|
||||
AUTHOR = "R Garnier, J Taylor",
|
||||
|
||||
@ -1,158 +1,226 @@
|
||||
|
||||
\paragraph{Abstract}{
|
||||
%\paragraph{Abstract} % : The Scope of this study.}{
|
||||
{
|
||||
%
|
||||
Increasingly we rely on automation in everyday life.
|
||||
Many of the automated systems have the potential to cause harm or even death, should they fail.
|
||||
Safety assessment and certification is now required of
|
||||
Many % of the
|
||||
automated systems have the potential to cause harm or even death should they fail.
|
||||
%
|
||||
Safety assessment and certification is now required for %of
|
||||
almost all potentially dangerous equipment.
|
||||
%
|
||||
As part of the assessment/certification process, we typically apply
|
||||
a battery of tests; examining features such as resistance to extremes of environment, electro magnetic compatibility (EMC),
|
||||
endurance and static testing.
|
||||
a battery of tests, examining features such as resistance to extremes of environment, Electro Magnetic Compatibility (EMC),
|
||||
endurance regimes and static testing.
|
||||
%
|
||||
Static testing is at the theoretical, or design level, and involves
|
||||
looking a failure scenarios and trying to predict how systems would react.
|
||||
Static testing is at the theoretical, or design level and involves
|
||||
looking at failure scenarios and trying to predict how systems would react.
|
||||
%
|
||||
This thesis deals with one area of static testing, that of Failure Mode Effects Analysis (FMEA), a commonly
|
||||
used technique that is legally mandatory for a wide range of equipment.
|
||||
used technique that is legally mandatory for a wide range of equipment certification.
|
||||
|
||||
The ability to assess the safety of man made equipment has been a concern
|
||||
since the dawn of the industrial age~\cite{indacc01,usefulinfoengineers,steamboilers}.
|
||||
since the dawn of the industrial age~\cite{usefulinfoengineers,steamboilers}.
|
||||
The philosophy behind safety measure has progressed
|
||||
with time, and by world war two~\cite{boffin} we begin to see concepts such as `no single component failure should cause
|
||||
a dangerous system failure' emerging. Concepts such as these allow us to apply
|
||||
objective criteria to safety assessment. We can extend the `no~single~failure' concept
|
||||
to double or even multiple failures not being allowed to cause dangerous states.
|
||||
with time, and by World War Two we begin to see concepts such as `no single component failure should cause
|
||||
a dangerous system failure'~\cite{echoesofwar}[Ch.13] emerging.
|
||||
%
|
||||
The concept of a double failure causing a dangerous condition being unacceptable,
|
||||
can be found in the legally binding European standard EN298 which became
|
||||
Concepts such as these allow us to apply
|
||||
objective criteria to safety assessment. We can extend the `no~single~failure' concept
|
||||
to double or even multiple failures being unacceptable as the cause of dangerous states.
|
||||
%
|
||||
The concept of a double failure causing a dangerous condition being forbidden
|
||||
can be found in the legally binding European standard EN298\footnote{EN298:2003 became
|
||||
a legal requirement for all new forced draft industrial burner controllers in 2006 within
|
||||
the European Union.} which became
|
||||
a legal requirement in 2006~\cite{en298}.
|
||||
%
|
||||
More sophisticated statistically based standards, i.e EN61508~\cite{en61508} and variants thereof,
|
||||
are based on statistical thresholds for the frequency of dangerous failures.
|
||||
%
|
||||
We could state, for instance, that we can tolerate an `acceptable' maximum number of
|
||||
dangerous failure per billion hours of operation.
|
||||
We can then broadly separate these ratings failure rates into safety integrity levels (SIL).
|
||||
So for a maximum of 10 failures per billion hours of operation we assign a SIL level of 4,
|
||||
for 100 a sil level of 3 etc.
|
||||
If we can determine a SIL rating
|
||||
we can match it against the risk.
|
||||
dangerous failures per billion hours of operation.
|
||||
%
|
||||
We can then broadly categorise ratings of failure rates into Safety Integrity Levels (SIL)~\cite{scsh}.
|
||||
%
|
||||
So for a maximum of 10 potentially dangerous failures per billion hours of operation we assign a SIL level of 4,
|
||||
for 100 a SIL level of 3, and so on in powers of ten.
|
||||
%
|
||||
If we can determine a SIL rating,
|
||||
we can match it against a risk.
|
||||
%
|
||||
The more dangerous the consequences of failure
|
||||
the higher SIL rating we can demand for it.
|
||||
%
|
||||
A band-saw with one operative may require a SIL rating of 1,
|
||||
a nuclear power-station, with far greater consequences on dangerous failure
|
||||
may require a SIL rating of 4.
|
||||
SIL ratings give us another objective yardstick to measure system safety.
|
||||
%governing failure conditions and determining risk levels associated with systems.
|
||||
|
||||
All of these risk assessment techniques are based on variations on the theme of
|
||||
All of these risk assessment techniques are based on variations of %on the theme of
|
||||
Failure Mode Effect Analysis (FMEA), which has its roots in the 1940's mass production industry
|
||||
and was designed to save large companies money by fixing the most financially
|
||||
draining problems in a product first.
|
||||
|
||||
This thesis show that the refinements and additions made to
|
||||
FMEA to tailor them for military or statistical commercial use, have common flaws
|
||||
and was designed to save large companies money by prioritising most financially
|
||||
draining problems in a product. % first.
|
||||
%
|
||||
The FMEA of the 1940's has been refined and extended into four main variants.
|
||||
%
|
||||
This thesis describes the refinements and additions made to
|
||||
FMEA to tailor them for military or statistically biased % commercial
|
||||
use.
|
||||
It then reveals common flaws
|
||||
which make them unsuitable for the higher safety requirements of the 21st century.
|
||||
%
|
||||
Problems with state explosion in failure mode reasoning and the impossibility
|
||||
of integrating software and hardware failure mode models are the most obvious of these. %flaws.
|
||||
The methodologies are explained in chapter~\ref{sec:chap2} and the advantages and drawbacks
|
||||
of each FMEA variant are examined in chapter~\ref{sec:chap3}.
|
||||
In chapter~\ref{sec:chap4}, a new methodology is then proposed which addresses the state explosion problem
|
||||
%
|
||||
The four current methodologies are described in chapter~\ref{sec:chap2} and %the advantages and drawbacks
|
||||
%of each FMEA variant are examined
|
||||
critically assessed in chapter~\ref{sec:chap3}.
|
||||
In chapter~\ref{sec:chap4}, a new methodology is proposed which addresses the state explosion problem
|
||||
and, using contract programmed software, allows the modelling of integrated
|
||||
software/electrical systems.
|
||||
%
|
||||
This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition FMMD)
|
||||
firstly looking at electronic circuits and then at electronic/software hybrid systems.
|
||||
firstly looking at common electronic circuits and then at electronic/software hybrid systems.
|
||||
}
|
||||
|
||||
\section{Introduction}
|
||||
The motivation for this study came form two sources, one academic and the other
|
||||
practical.
|
||||
\section{Motivation}
|
||||
The motivation for this study came from two sources, one academic (my Software Engineering MSc project) and the other
|
||||
practical (as a practising embedded software engineer working with FMEA on safety critical burner systems).
|
||||
\paragraph{MSc Project: Euler/Spider diagram Editor.}
|
||||
I had recently completed an
|
||||
MSc and my project was to create an Euler/Spider~Diagram~\cite{howse:spider} editor in Java.
|
||||
This editor allowed the user to draw Euler/Spider diagrams, and could then
|
||||
represent these as abstract---i.e. mathematical---definitions.
|
||||
The primary motive for writing the Spider diagram editor was to provide an alternative
|
||||
to to formal languages for software specification.
|
||||
Because of my exposure to FMEA, I started thinking of ways to apply formal languages and spider diagrams to
|
||||
failure mode analysis.
|
||||
\paragraph{European Safety Requirements increase in scope and complexity.}
|
||||
At work, writing embedded `C' and assembly language code for safety critical
|
||||
industrial burners, we were faced with a new and daunting requirement.
|
||||
Conformance to the latest European standard, EN298. It appeared to ask for the impossible,
|
||||
not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC
|
||||
triple fail safe control of valves), it had one new clause in it, that had far reaching consequences.
|
||||
At work---which consisted of designing, testing, building and writing embedded `C' and assembly language code for safety critical
|
||||
industrial burners---we were faced with a new and daunting requirement.
|
||||
Conformance to the latest European standard, EN298.
|
||||
%
|
||||
It appeared to ask for the impossible,
|
||||
not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the
|
||||
triple fail safe control of valves), it had one new clause in it that had far reaching consequences.
|
||||
%
|
||||
It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller
|
||||
applies all possible safety measures to stop fuel entering the burner---it could not become dangerous should another fault occur.
|
||||
%
|
||||
In short this meant we had to be able to deal with double failures.
|
||||
Any of the components that could, in failing create a dangerous state, were already
|
||||
documented and approved using failure mode effects analysis (FMEA). This new requirement
|
||||
effectively meant that any all combinations of component failures were
|
||||
%
|
||||
Any of the components that could, in failing create a dangerous state were already
|
||||
documented and approved using failure mode effects analysis (FMEA).
|
||||
%
|
||||
This new requirement
|
||||
effectively meant that all single component failures and double combinations of component failures were
|
||||
now required to be analysed. This, from a state explosion problem alone,
|
||||
meant that it was going to be virtually impossible to perform.
|
||||
FMEA had a deficiency of repeated work, as each component failure is typically represented
|
||||
by one line or entry in a spreadsheet~\cite{bfmea}, analysis on repeated section of
|
||||
%
|
||||
To compound the state explosion problem
|
||||
FMEA has a deficiency of repeated work, as each component failure is typically represented
|
||||
by one line or entry in a spreadsheet~\cite{bfmea}; analysis on repeated sections of
|
||||
circuitry (for instance repeated 4-20mA outputs on a PCB), meant that
|
||||
analysis of identical circuitry was performed many times.
|
||||
A desirable feature of a new methodology would be to be able to re-use
|
||||
analysis for identical repeated modules. The development of this new methodology
|
||||
was presented to the IET System safety conference in 2011~\cite{syssafe2011}.
|
||||
FMEA, currently cannot integrate software into its failure mode models.
|
||||
A modular variant of FMEA can use the existing structure of functional software, in conjunction
|
||||
with contract programming, to model software~\cite{syssafe2012}.
|
||||
%
|
||||
\paragraph{Modularising FMEA and augmenting this with concepts from Euler/Spider Diagrams}
|
||||
Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind
|
||||
the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations
|
||||
and by de-composing them simplifies the problem.
|
||||
My reasoning was that were I to analyse the problem in small modules, from the bottom-up following the FFT example, I could apply
|
||||
checking for all double failure scenarios.
|
||||
Once these first modules were analysed, I now call them {\fgs}, I could determine the symptoms of failure for them
|
||||
Using the symptoms of failure, I could now treat these modules as components, now called {\dcs}, and use them to build higher level
|
||||
modules. I could apply double simultaneous failure mode checking, because the number of components
|
||||
in each module/{\fg} was quite small---thus avoiding state explosion problems, but I could apply
|
||||
double checking all the way up the hierarchy.
|
||||
In fact this means, as a by-product that many multiple as well as double
|
||||
failures would be analysed, but because failure modes are traceable from the base components to the top level---or system---failure modes
|
||||
and these are held in a data structure, we can apply automated methods to search all cardinalities of multiple failure modes
|
||||
within the model.
|
||||
%
|
||||
Because, Euler/Spider Diagrams
|
||||
could be used to model failure modes in components
|
||||
it was thought that a diagrammatic notation would
|
||||
be easier to demonstrate than using formal logic.
|
||||
%
|
||||
|
||||
%
|
||||
\paragraph{Modularising/De-Composing FMEA: Initial concepts.} % and augmenting this with concepts from Euler/Spider Diagrams.}
|
||||
In the field of digital signal processing there is an algorithm that revolutionised
|
||||
access to frequency analysis of digital samples called the Fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8].
|
||||
This took the discrete Fourier transform (DFT), and applied de-composition to its
|
||||
mesh of (often repeated) complex number calculations.
|
||||
By doing this it broke the problem down from having an exponential
|
||||
order to a polynomial~\cite{ctw}[pp.401-3].
|
||||
I wondered if this thinking could be applied to the state explosion problems encountered in FMEA.
|
||||
%
|
||||
%Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind
|
||||
%the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations
|
||||
%and by de-composing them, simplifies the problem.
|
||||
My reasoning was that were we to analyse the problem in small modules, from the bottom-up following the FFT example, we could apply
|
||||
checking for all double failure scenarios.
|
||||
%
|
||||
Once these first modules were analysed---we now call them {\fgs}--we could determine the symptoms of failure for them.
|
||||
Using the symptoms of failure, we could now treat these modules as components in their own right---or {\dcs}---and use them to build higher level
|
||||
{\fgs}. Higher and higher levels of {\fgs} could be built until we had a hierarchy
|
||||
representing a failure mode model for the system.
|
||||
%
|
||||
Because this is modular, we can apply double simultaneous failure mode checking; and as %because
|
||||
the number of components
|
||||
in each {\fg} is typically small---we avoid state explosion problems.
|
||||
%
|
||||
If we apply
|
||||
double checking all the way up the hierarchy we can guarantee to have considered
|
||||
every double simultaneous failure of all components in a system.
|
||||
%
|
||||
This means, as a fortunate by-product, that many multiple as well as double
|
||||
failures would be analysed, but because failure modes are traceable from the base components to the top level---or system---failure modes
|
||||
and these can be held in a traversable data structure.
|
||||
%
|
||||
If held in a traversable data structure we can apply automated methods to search all the cardinalities of multiple failure modes
|
||||
within the model.
|
||||
%
|
||||
\subsection{Initial direction: Application of Spider diagrams to FMEA.}
|
||||
|
||||
Because, Euler/Spider Diagrams~\cite{howse:spider}
|
||||
could be used to model failure modes in components
|
||||
it was thought that a diagrammatic notation would
|
||||
be more user friendly than using formal logic.
|
||||
%
|
||||
For an FMEA Spider diagram, contours represent failure modes, and the spider diagram
|
||||
`existential~points' instances of failure modes.
|
||||
`existential~points' represent instances of failure modes.
|
||||
%
|
||||
Overlapping contours could represent multiple failure modes.
|
||||
%
|
||||
By drawing a spider collecting existential points, a common failure symptom could
|
||||
be determined and from this a new diagram generated automatically, to represent the {\dc}.
|
||||
be determined and from this a new diagram generated automatically to represent the {\dc}.
|
||||
%
|
||||
Each spider represented a derived failure mode.
|
||||
The act of collecting common symptoms by drawing spiders
|
||||
meant that the analyst was forced to associate one component failure mode with one symptom/derived~failure~mode of failure.
|
||||
%
|
||||
These concepts were presented at the ``Euler~2004''~\cite{Clark200519} conference held at Brighton University.
|
||||
This brought together concepts for modularising FMEA and the formal visual notations from Spider diagrams.
|
||||
This defined the concepts for modularising FMEA using the formal visual notations from Spider diagrams.
|
||||
%
|
||||
The spider diagram notation was useful in defining the concepts and
|
||||
initial ideas, but a more traditional `spreadsheet' format has been used
|
||||
for the analysis stages of the new methodology.
|
||||
%
|
||||
Euler diagrams have been used later in the thesis to describe the containment relationships
|
||||
of derived components building hierarchical analysis models with the modularised
|
||||
variant of FMEA that this thesis proposes and defends.
|
||||
%
|
||||
|
||||
\paragraph{Objectives of the thesis}.
|
||||
The primary objective of the work performed for this thesis is to propose a modularised variant of
|
||||
FMEA that solves the problems of:
|
||||
%
|
||||
\subsection{Objectives of the thesis.}
|
||||
The primary objective of the work performed for this thesis is to present a new modularised variant of
|
||||
FMEA which solves the problems of:
|
||||
\begin{itemize}
|
||||
\item State Explosion,
|
||||
\item Multiple failure mode modelling,
|
||||
\item Re-usability of pre-analysed modules,
|
||||
\item Inclusion of software in failure mode modelling.
|
||||
\end{itemize}
|
||||
To support this worked examples using the new methodology were created and the work published and presented to
|
||||
IET safety conferences. % in 2011~\cite{syssafe2011} and 2012~\cite{syssafe2012}.
|
||||
|
||||
The development of this new methodology
|
||||
was presented to the IET System safety conference in 2011,~\cite{syssafe2011}.
|
||||
FMEA, currently cannot integrate software into its failure mode models~\cite{sfmea,modelsfmea,embedsfmea,sfmeainterface}.
|
||||
A modular variant of FMEA can use the existing structure of functional software, in conjunction
|
||||
with contract programming, to model software~\cite{syssafe2012}.
|
||||
|
||||
Chapter~\ref{chap2} examines the current state of FMEA based methodologies, Chapter~\ref{chap3}
|
||||
examines the benifits and drawbacks of these these methodologies
|
||||
Chapter~\ref{sec:chap2} examines the current state of FMEA based methodologies, Chapter~\ref{sec:chap3}
|
||||
examines the benefits and drawbacks of these methodologies
|
||||
and proposes a detailed wish list for an ideal FMEA technique.
|
||||
Chapter~\ref{chap4} proposes Failure Mode Modular de-composition (FMMD)---a modularised variant
|
||||
Chapter~\ref{sec:chap4} proposes Failure Mode Modular de-composition (FMMD)---a modularised variant
|
||||
of FMEA designed to address the points in the detailed wish list.
|
||||
Chapter~\ref{chap5} provides worked examples usin g common electronic circuits.
|
||||
Chapter~\ref{chap6} gives two examples of integgrated software and electronic systems anyalysed using FMMD.
|
||||
Metrics and evaluation, along with an example showing double simultaneous failure analysis
|
||||
are dealt with in Chapter~\ref{chap7}
|
||||
Chapter~\ref{sec:chap5} provides worked examples using common electronic circuits.
|
||||
Chapter~\ref{sec:chap6} gives two examples of integrated software and electronic systems analysed using FMMD.
|
||||
Metrics and evaluation, along with an example showing double simultaneous failure analysis,
|
||||
are provided in Chapter~\ref{sec:chap7}, with a conclusion and further work in Chapter~\ref{sec:chap8}.
|
||||
|
||||
|
||||
|
||||
@ -169,4 +237,6 @@ are dealt with in Chapter~\ref{chap7}
|
||||
% rather than a polynomial i.e. $N^2$.
|
||||
%
|
||||
% Impossible to perform double simultaneous failure analysis (as demanded by EN298~\cite{en298}).
|
||||
|
||||
%----------------------------------------------------------------------------------------------------
|
||||
%% A desirable feature of a new methodology would be to be able to re-use
|
||||
%% analysis for identical repeated modules.
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
\label{sec:chap3}
|
||||
|
||||
\section{Historical Origins of FMEA}
|
||||
\subsection{FMEA designed for simple electro-mechanical systems}
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
%%
|
||||
%% CHAPTER 4 : Failure Mode Modular Discrimination
|
||||
%%
|
||||
|
||||
\label{sec:chap4}
|
||||
% \ifthenelse {\boolean{paper}}
|
||||
% {
|
||||
% \abstract{
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
\label{sec:chap7}
|
||||
|
||||
\section*{Metrics}
|
||||
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
|
||||
\label{sec:chap8}
|
||||
\section{Further Work}
|
||||
|
||||
\subsection{Environment, operational states and inhibit gates: additions to the UML model.}
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
|
||||
\label{sec:chap8}
|
||||
|
||||
%%
|
||||
%% CH8 finishing up and appendixes
|
||||
|
||||
Loading…
Reference in New Issue
Block a user