From d1e0a1ced262aacf7019b1881f2eeb6fc034829c Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Fri, 28 Dec 2012 14:34:46 +0000 Subject: [PATCH] First stab at introduction chapter --- mybib.bib | 15 ++ submission_thesis/CH1_introduction/copy.tex | 240 +++++++++++------- submission_thesis/CH3_FMEA_criticism/copy.tex | 2 + submission_thesis/CH4_FMMD/copy.tex | 2 +- submission_thesis/CH6_Evaluation/copy.tex | 2 + submission_thesis/CH7_Conclusion/copy.tex | 2 +- .../CH8_finish_appendixes/copy.tex | 2 +- 7 files changed, 177 insertions(+), 88 deletions(-) diff --git a/mybib.bib b/mybib.bib index 90d56b3..6498d39 100644 --- a/mybib.bib +++ b/mybib.bib @@ -62,6 +62,21 @@ ISSN={Doi:10.1145/2330667.2330683},} YEAR = "2003" } +@BOOK{echoesofwar, + AUTHOR = "Bernard Lovell", + TITLE = "Echoes of War: The story of H2S RADAR ", + PUBLISHER = " Adam Hilger: ISBN 0750301309", + YEAR = "1991" +} + +@BOOK{boffin, + AUTHOR = "R Hanbury Brown", + TITLE = "Boffin: A Personal Story of the Early Days of Radar, Radio Astronomy and Quantum Optics: + Personal Story of the Early Days of Radar and Radio Astronomy and Quantum Optics ", + PUBLISHER = " Adam Hilger: ISBN 0-85274-317-3", + YEAR = "1991" +} + @BOOK{dmfnt, AUTHOR = "R Garnier, J Taylor", diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex index 7276a68..86186e7 100644 --- a/submission_thesis/CH1_introduction/copy.tex +++ b/submission_thesis/CH1_introduction/copy.tex @@ -1,158 +1,226 @@ -\paragraph{Abstract}{ +%\paragraph{Abstract} % : The Scope of this study.}{ +{ +% Increasingly we rely on automation in everyday life. -Many of the automated systems have the potential to cause harm or even death, should they fail. -Safety assessment and certification is now required of +Many % of the +automated systems have the potential to cause harm or even death should they fail. +% +Safety assessment and certification is now required for %of almost all potentially dangerous equipment. % As part of the assessment/certification process, we typically apply -a battery of tests; examining features such as resistance to extremes of environment, electro magnetic compatibility (EMC), -endurance and static testing. +a battery of tests, examining features such as resistance to extremes of environment, Electro Magnetic Compatibility (EMC), +endurance regimes and static testing. % -Static testing is at the theoretical, or design level, and involves -looking a failure scenarios and trying to predict how systems would react. +Static testing is at the theoretical, or design level and involves +looking at failure scenarios and trying to predict how systems would react. % This thesis deals with one area of static testing, that of Failure Mode Effects Analysis (FMEA), a commonly -used technique that is legally mandatory for a wide range of equipment. +used technique that is legally mandatory for a wide range of equipment certification. The ability to assess the safety of man made equipment has been a concern -since the dawn of the industrial age~\cite{indacc01,usefulinfoengineers,steamboilers}. +since the dawn of the industrial age~\cite{usefulinfoengineers,steamboilers}. The philosophy behind safety measure has progressed -with time, and by world war two~\cite{boffin} we begin to see concepts such as `no single component failure should cause -a dangerous system failure' emerging. Concepts such as these allow us to apply -objective criteria to safety assessment. We can extend the `no~single~failure' concept -to double or even multiple failures not being allowed to cause dangerous states. +with time, and by World War Two we begin to see concepts such as `no single component failure should cause +a dangerous system failure'~\cite{echoesofwar}[Ch.13] emerging. % -The concept of a double failure causing a dangerous condition being unacceptable, -can be found in the legally binding European standard EN298 which became +Concepts such as these allow us to apply +objective criteria to safety assessment. We can extend the `no~single~failure' concept +to double or even multiple failures being unacceptable as the cause of dangerous states. +% +The concept of a double failure causing a dangerous condition being forbidden +can be found in the legally binding European standard EN298\footnote{EN298:2003 became +a legal requirement for all new forced draft industrial burner controllers in 2006 within +the European Union.} which became a legal requirement in 2006~\cite{en298}. +% More sophisticated statistically based standards, i.e EN61508~\cite{en61508} and variants thereof, are based on statistical thresholds for the frequency of dangerous failures. +% We could state, for instance, that we can tolerate an `acceptable' maximum number of -dangerous failure per billion hours of operation. -We can then broadly separate these ratings failure rates into safety integrity levels (SIL). -So for a maximum of 10 failures per billion hours of operation we assign a SIL level of 4, -for 100 a sil level of 3 etc. -If we can determine a SIL rating -we can match it against the risk. +dangerous failures per billion hours of operation. +% +We can then broadly categorise ratings of failure rates into Safety Integrity Levels (SIL)~\cite{scsh}. +% +So for a maximum of 10 potentially dangerous failures per billion hours of operation we assign a SIL level of 4, +for 100 a SIL level of 3, and so on in powers of ten. +% +If we can determine a SIL rating, +we can match it against a risk. +% The more dangerous the consequences of failure the higher SIL rating we can demand for it. +% A band-saw with one operative may require a SIL rating of 1, a nuclear power-station, with far greater consequences on dangerous failure may require a SIL rating of 4. SIL ratings give us another objective yardstick to measure system safety. %governing failure conditions and determining risk levels associated with systems. -All of these risk assessment techniques are based on variations on the theme of +All of these risk assessment techniques are based on variations of %on the theme of Failure Mode Effect Analysis (FMEA), which has its roots in the 1940's mass production industry -and was designed to save large companies money by fixing the most financially -draining problems in a product first. - -This thesis show that the refinements and additions made to -FMEA to tailor them for military or statistical commercial use, have common flaws +and was designed to save large companies money by prioritising most financially +draining problems in a product. % first. +% +The FMEA of the 1940's has been refined and extended into four main variants. +% +This thesis describes the refinements and additions made to +FMEA to tailor them for military or statistically biased % commercial +use. +It then reveals common flaws which make them unsuitable for the higher safety requirements of the 21st century. +% Problems with state explosion in failure mode reasoning and the impossibility of integrating software and hardware failure mode models are the most obvious of these. %flaws. -The methodologies are explained in chapter~\ref{sec:chap2} and the advantages and drawbacks -of each FMEA variant are examined in chapter~\ref{sec:chap3}. -In chapter~\ref{sec:chap4}, a new methodology is then proposed which addresses the state explosion problem +% +The four current methodologies are described in chapter~\ref{sec:chap2} and %the advantages and drawbacks +%of each FMEA variant are examined +critically assessed in chapter~\ref{sec:chap3}. +In chapter~\ref{sec:chap4}, a new methodology is proposed which addresses the state explosion problem and, using contract programmed software, allows the modelling of integrated software/electrical systems. +% This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition FMMD) -firstly looking at electronic circuits and then at electronic/software hybrid systems. +firstly looking at common electronic circuits and then at electronic/software hybrid systems. } -\section{Introduction} -The motivation for this study came form two sources, one academic and the other -practical. +\section{Motivation} +The motivation for this study came from two sources, one academic (my Software Engineering MSc project) and the other +practical (as a practising embedded software engineer working with FMEA on safety critical burner systems). \paragraph{MSc Project: Euler/Spider diagram Editor.} I had recently completed an MSc and my project was to create an Euler/Spider~Diagram~\cite{howse:spider} editor in Java. This editor allowed the user to draw Euler/Spider diagrams, and could then represent these as abstract---i.e. mathematical---definitions. +The primary motive for writing the Spider diagram editor was to provide an alternative +to to formal languages for software specification. +Because of my exposure to FMEA, I started thinking of ways to apply formal languages and spider diagrams to +failure mode analysis. \paragraph{European Safety Requirements increase in scope and complexity.} -At work, writing embedded `C' and assembly language code for safety critical -industrial burners, we were faced with a new and daunting requirement. -Conformance to the latest European standard, EN298. It appeared to ask for the impossible, -not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC -triple fail safe control of valves), it had one new clause in it, that had far reaching consequences. +At work---which consisted of designing, testing, building and writing embedded `C' and assembly language code for safety critical +industrial burners---we were faced with a new and daunting requirement. +Conformance to the latest European standard, EN298. +% +It appeared to ask for the impossible, +not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the +triple fail safe control of valves), it had one new clause in it that had far reaching consequences. +% It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller applies all possible safety measures to stop fuel entering the burner---it could not become dangerous should another fault occur. +% In short this meant we had to be able to deal with double failures. -Any of the components that could, in failing create a dangerous state, were already -documented and approved using failure mode effects analysis (FMEA). This new requirement -effectively meant that any all combinations of component failures were +% +Any of the components that could, in failing create a dangerous state were already +documented and approved using failure mode effects analysis (FMEA). +% +This new requirement +effectively meant that all single component failures and double combinations of component failures were now required to be analysed. This, from a state explosion problem alone, meant that it was going to be virtually impossible to perform. -FMEA had a deficiency of repeated work, as each component failure is typically represented -by one line or entry in a spreadsheet~\cite{bfmea}, analysis on repeated section of +% +To compound the state explosion problem +FMEA has a deficiency of repeated work, as each component failure is typically represented +by one line or entry in a spreadsheet~\cite{bfmea}; analysis on repeated sections of circuitry (for instance repeated 4-20mA outputs on a PCB), meant that analysis of identical circuitry was performed many times. -A desirable feature of a new methodology would be to be able to re-use -analysis for identical repeated modules. The development of this new methodology -was presented to the IET System safety conference in 2011~\cite{syssafe2011}. -FMEA, currently cannot integrate software into its failure mode models. -A modular variant of FMEA can use the existing structure of functional software, in conjunction -with contract programming, to model software~\cite{syssafe2012}. -% -\paragraph{Modularising FMEA and augmenting this with concepts from Euler/Spider Diagrams} -Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind -the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations -and by de-composing them simplifies the problem. -My reasoning was that were I to analyse the problem in small modules, from the bottom-up following the FFT example, I could apply -checking for all double failure scenarios. -Once these first modules were analysed, I now call them {\fgs}, I could determine the symptoms of failure for them -Using the symptoms of failure, I could now treat these modules as components, now called {\dcs}, and use them to build higher level -modules. I could apply double simultaneous failure mode checking, because the number of components -in each module/{\fg} was quite small---thus avoiding state explosion problems, but I could apply -double checking all the way up the hierarchy. -In fact this means, as a by-product that many multiple as well as double -failures would be analysed, but because failure modes are traceable from the base components to the top level---or system---failure modes -and these are held in a data structure, we can apply automated methods to search all cardinalities of multiple failure modes -within the model. -% -Because, Euler/Spider Diagrams -could be used to model failure modes in components -it was thought that a diagrammatic notation would -be easier to demonstrate than using formal logic. % +% +\paragraph{Modularising/De-Composing FMEA: Initial concepts.} % and augmenting this with concepts from Euler/Spider Diagrams.} +In the field of digital signal processing there is an algorithm that revolutionised +access to frequency analysis of digital samples called the Fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8]. +This took the discrete Fourier transform (DFT), and applied de-composition to its +mesh of (often repeated) complex number calculations. +By doing this it broke the problem down from having an exponential +order to a polynomial~\cite{ctw}[pp.401-3]. +I wondered if this thinking could be applied to the state explosion problems encountered in FMEA. +% +%Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind +%the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations +%and by de-composing them, simplifies the problem. +My reasoning was that were we to analyse the problem in small modules, from the bottom-up following the FFT example, we could apply +checking for all double failure scenarios. +% +Once these first modules were analysed---we now call them {\fgs}--we could determine the symptoms of failure for them. +Using the symptoms of failure, we could now treat these modules as components in their own right---or {\dcs}---and use them to build higher level +{\fgs}. Higher and higher levels of {\fgs} could be built until we had a hierarchy +representing a failure mode model for the system. +% +Because this is modular, we can apply double simultaneous failure mode checking; and as %because +the number of components +in each {\fg} is typically small---we avoid state explosion problems. +% +If we apply +double checking all the way up the hierarchy we can guarantee to have considered +every double simultaneous failure of all components in a system. +% +This means, as a fortunate by-product, that many multiple as well as double +failures would be analysed, but because failure modes are traceable from the base components to the top level---or system---failure modes +and these can be held in a traversable data structure. +% +If held in a traversable data structure we can apply automated methods to search all the cardinalities of multiple failure modes +within the model. +% +\subsection{Initial direction: Application of Spider diagrams to FMEA.} + +Because, Euler/Spider Diagrams~\cite{howse:spider} +could be used to model failure modes in components +it was thought that a diagrammatic notation would +be more user friendly than using formal logic. +% For an FMEA Spider diagram, contours represent failure modes, and the spider diagram -`existential~points' instances of failure modes. +`existential~points' represent instances of failure modes. +% Overlapping contours could represent multiple failure modes. +% By drawing a spider collecting existential points, a common failure symptom could -be determined and from this a new diagram generated automatically, to represent the {\dc}. +be determined and from this a new diagram generated automatically to represent the {\dc}. % Each spider represented a derived failure mode. The act of collecting common symptoms by drawing spiders meant that the analyst was forced to associate one component failure mode with one symptom/derived~failure~mode of failure. % These concepts were presented at the ``Euler~2004''~\cite{Clark200519} conference held at Brighton University. -This brought together concepts for modularising FMEA and the formal visual notations from Spider diagrams. +This defined the concepts for modularising FMEA using the formal visual notations from Spider diagrams. +% +The spider diagram notation was useful in defining the concepts and +initial ideas, but a more traditional `spreadsheet' format has been used +for the analysis stages of the new methodology. +% Euler diagrams have been used later in the thesis to describe the containment relationships of derived components building hierarchical analysis models with the modularised variant of FMEA that this thesis proposes and defends. +% -\paragraph{Objectives of the thesis}. -The primary objective of the work performed for this thesis is to propose a modularised variant of -FMEA that solves the problems of: +% +\subsection{Objectives of the thesis.} +The primary objective of the work performed for this thesis is to present a new modularised variant of +FMEA which solves the problems of: \begin{itemize} \item State Explosion, \item Multiple failure mode modelling, \item Re-usability of pre-analysed modules, \item Inclusion of software in failure mode modelling. \end{itemize} +To support this worked examples using the new methodology were created and the work published and presented to +IET safety conferences. % in 2011~\cite{syssafe2011} and 2012~\cite{syssafe2012}. +The development of this new methodology +was presented to the IET System safety conference in 2011,~\cite{syssafe2011}. +FMEA, currently cannot integrate software into its failure mode models~\cite{sfmea,modelsfmea,embedsfmea,sfmeainterface}. +A modular variant of FMEA can use the existing structure of functional software, in conjunction +with contract programming, to model software~\cite{syssafe2012}. -Chapter~\ref{chap2} examines the current state of FMEA based methodologies, Chapter~\ref{chap3} -examines the benifits and drawbacks of these these methodologies +Chapter~\ref{sec:chap2} examines the current state of FMEA based methodologies, Chapter~\ref{sec:chap3} +examines the benefits and drawbacks of these methodologies and proposes a detailed wish list for an ideal FMEA technique. -Chapter~\ref{chap4} proposes Failure Mode Modular de-composition (FMMD)---a modularised variant +Chapter~\ref{sec:chap4} proposes Failure Mode Modular de-composition (FMMD)---a modularised variant of FMEA designed to address the points in the detailed wish list. -Chapter~\ref{chap5} provides worked examples usin g common electronic circuits. -Chapter~\ref{chap6} gives two examples of integgrated software and electronic systems anyalysed using FMMD. -Metrics and evaluation, along with an example showing double simultaneous failure analysis -are dealt with in Chapter~\ref{chap7} +Chapter~\ref{sec:chap5} provides worked examples using common electronic circuits. +Chapter~\ref{sec:chap6} gives two examples of integrated software and electronic systems analysed using FMMD. +Metrics and evaluation, along with an example showing double simultaneous failure analysis, +are provided in Chapter~\ref{sec:chap7}, with a conclusion and further work in Chapter~\ref{sec:chap8}. @@ -169,4 +237,6 @@ are dealt with in Chapter~\ref{chap7} % rather than a polynomial i.e. $N^2$. % % Impossible to perform double simultaneous failure analysis (as demanded by EN298~\cite{en298}). - +%---------------------------------------------------------------------------------------------------- +%% A desirable feature of a new methodology would be to be able to re-use +%% analysis for identical repeated modules. diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 9fb37a3..c56565e 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex @@ -1,3 +1,5 @@ +\label{sec:chap3} + \section{Historical Origins of FMEA} \subsection{FMEA designed for simple electro-mechanical systems} diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 05efe22..deaf333 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -1,7 +1,7 @@ %% %% CHAPTER 4 : Failure Mode Modular Discrimination %% - +\label{sec:chap4} % \ifthenelse {\boolean{paper}} % { % \abstract{ diff --git a/submission_thesis/CH6_Evaluation/copy.tex b/submission_thesis/CH6_Evaluation/copy.tex index 9b870b8..b705fcd 100644 --- a/submission_thesis/CH6_Evaluation/copy.tex +++ b/submission_thesis/CH6_Evaluation/copy.tex @@ -1,3 +1,5 @@ +\label{sec:chap7} + \section*{Metrics} diff --git a/submission_thesis/CH7_Conclusion/copy.tex b/submission_thesis/CH7_Conclusion/copy.tex index 44cda5f..8e931a8 100644 --- a/submission_thesis/CH7_Conclusion/copy.tex +++ b/submission_thesis/CH7_Conclusion/copy.tex @@ -1,4 +1,4 @@ - +\label{sec:chap8} \section{Further Work} \subsection{Environment, operational states and inhibit gates: additions to the UML model.} diff --git a/submission_thesis/CH8_finish_appendixes/copy.tex b/submission_thesis/CH8_finish_appendixes/copy.tex index 6ee5ba8..4e0d10d 100644 --- a/submission_thesis/CH8_finish_appendixes/copy.tex +++ b/submission_thesis/CH8_finish_appendixes/copy.tex @@ -1,4 +1,4 @@ - +\label{sec:chap8} %% %% CH8 finishing up and appendixes