robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Robin Clark 2010-10-13 15:46:46 +01:00
parent a98b4ee918
commit dd56d45404
3 changed files with 116 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
fmmd_concept/fmmd_concept.tex
View File

@ -23,15 +23,22 @@ There are four methodologies in common use for failure mode modelling.
These are FTA, FMEA, FMECA These are FTA, FMEA, FMECA
and FMEDA (a form of statistical analysis). and FMEDA (a form of statistical analysis).
These methodologies have several draw backs. These methodologies date from the 1940's onwards and have several draw backs.
In short %In short
FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods %FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods
lack precision in predicting failure modes at the SYSTEM level. %lack precision in predicting failure modes at the SYSTEM level.
The Failure Mode Modular De-composition The Failure Mode Modular De-composition
(FMMD) methodology presented here provides a more detailed and analytical (FMMD) aims to address the
modelling system from which weaknesses in these methodoligies and to add
features such as the ability to analyse double
failure mode scenarios, and to allow modular re-use
of analysis.
The FMMD
methodology presented here provides a more detailed and analytical
modelling system which will create a more complete and detail hierarchical failure mode model from which
the data models from FTA, FMEA and the statistical approach can be the data models from FTA, FMEA and the statistical approach can be
derived if required. derived if required.
It also applies rigorous checking in the analysis stages It also applies rigorous checking in the analysis stages
@ -99,6 +106,13 @@ Consequently it was not designed to guarantee to cover all component failure mod
and has no rigorous in-built safeguards to ensure coverage of all possible and has no rigorous in-built safeguards to ensure coverage of all possible
system level outcomes. system level outcomes.
\subsubsection{ FTA weaknesses }
\begin{itemize}
\item Possibility to miss component failure modes
\item Possibility to miss environemtal affects.
\item No possibility to model base component level double failure modes.
\end{itemize}
\subsection { FMEA } \subsection { FMEA }
This is an early static analysis methodology, and concentrates This is an early static analysis methodology, and concentrates
@ -113,13 +127,23 @@ gives a risk probability number, i.e. $RPN = S \times O \times D$.
This gives in effect This gives in effect
a prioritised todo list, with higher the $RPN$ values being the most urgent. a prioritised todo list, with higher the $RPN$ values being the most urgent.
\subsubsection{ FMEA weaknesses }
\begin{itemize}
\item Possibility to miss the effects of failure modes at SYSTEM level.
\item Possibility to miss environemtal affects.
\item No possibility to model base component level double failure modes.
\end{itemize}
\subsection{FMECA} \subsection{FMECA}
Failure mode, effects, and criticality analysis (FMECDA) extends FMEA. Failure mode, effects, and criticality analysis (FMECDA) extends FMEA.
This is a bottom up methodology, which takes component failure modes This is a bottom up methodology, which takes component failure modes
and traces them to the SYSTEM level failures. The components and traces them to the SYSTEM level failures. The components
have reliability data and this can be used to predict the have reliability data and this can be used to predict the
failure statistics in the design stage \cite{mil1992}. failure statistics in the design stage \cite{mil1991}.
It can do this using probability \footnote{for a given component failure mode there will be a $\beta$ value, the It can do this using probability \footnote{for a given component failure mode there will be a $\beta$ value, the
probability that the component failure mode will cause a given SYSTEM failure}. probability that the component failure mode will cause a given SYSTEM failure}.
% %
@ -139,6 +163,13 @@ The results, as with FMEA are an $RPN$ number determing the significance of the
%%-WIKI- while various forms of FMEA predominate in other industries. %%-WIKI- while various forms of FMEA predominate in other industries.
\subsubsection{ FMEA weaknesses }
\begin{itemize}
\item Possibility to miss the effects of failure modes at SYSTEM level.
\item Possibility to miss environemtal affects.
\item No possibility to model base component level double failure modes.
\end{itemize}
\subsection { FMEDA or Statistical Analyis } \subsection { FMEDA or Statistical Analyis }
@ -205,6 +236,14 @@ The Statistical Analyis methodology is the core philosophy
of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}. of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
\subsubsection{ FMEDA weaknesses }
\begin{itemize}
\item Possibility to miss the effects of failure modes at SYSTEM level.
\item Statistical nature allows critical failures considered acceptable for given S.I.L. level.
\item Allows a small proportion of `undetectable' error conditions.
\item No possibility to model base component level double failure modes.
\end{itemize}
%AND then how we can solve all there problems %AND then how we can solve all there problems
\section{A wish list for a failure mode methodolgy} \section{A wish list for a failure mode methodolgy}
@ -218,14 +257,14 @@ for its results.
\item It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one). \item It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one).
\item From the top down the failure mode model should follow a logical de-composition of the functionality \item From the top down the failure mode model should follow a logical de-composition of the functionality
to smaller and smaller functional modules \cite{maikowski}. to smaller and smaller functional modules \cite{maikowski}.
\item Multiple failure modes may be modelled from the base component level up.
\end{itemize} \end{itemize}
\section{Proposed Methodology \\ Failure Mode Modular De-Composition (FMMD)} \section{Proposed Methodology \\ Failure Mode Modular De-Composition (FMMD)}
The proposed methodology will be bottom-up. \subsection{Outline of the FMMD process}
Thiure that all component failure modes are handled.
The bottom-up approach also fulfills the logical de-composition requirement.
FMMD builds {\fg}s of components from the bottom-up. FMMD builds {\fg}s of components from the bottom-up.
Thus the {\fg}s are minimal collections of components Thus the {\fg}s are minimal collections of components
that work together to perform a simple function. that work together to perform a simple function.
@ -242,135 +281,67 @@ modes, the collected symptoms of the {\fg}.
Because we can now have a {\dcs} we can use these to form Because we can now have a {\dcs} we can use these to form
new {\fg}s and we can build a hierarchical model of the system failure modes. new {\fg}s and we can build a hierarchical model of the system failure modes.
Advantages \subsection{Justification of wishlist}
\subsubsection{All component failure modes must be considered in the model.}
The proposed methodology will be bottom-up.
This ensures that all component failure modes are handled.
\subsubsection{ It should be easy to integrate mechanical, electronic and software models.}
Each functional components failure modes are considered. Because of this
the failure modes of a mechanical, electrical or software system can be modelled
using a common notation.
\subsubsection{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
The hierarchical nature, taking {\fg}s and deriving components from them, means that
commonly used {\dcs} can be re-used in a design (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used.
\subsubsection{ It should have a formal basis, that is to say, it should be able to produce mathematical proofs
for its results}
Because the failure mode mode of a SYSTEM is a hierarchy of {\fg}s and derived components
SYSTEM level failure modes are traceable back down the tree to
component level failure modes. This proivides causation minimal cut sets \cite{sccs}
for all SYSTEM failure modes.
\subsubsection{ It should be capable of producing reliability and danger evaluation statistics.}
The Minimal cuts sets for the SYSTEM level failures, can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.
\subsubsection{ It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one).}
A modified form of constraint diagram (an extension of Euler diagrams) has been developed to support the FMMD methodology.
This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
advance a {\fg} to a {\dc}.
\subsubsection{ From the top down the failure mode model should follow a logical de-composition of the functionality
to smaller and smaller functional modules \cite{maikowski}.}
The bottom-up approach fulfills the logical de-composition requirement, because the {\fg}s
are built from components performing a given task.
\subsubsection{ Multiple failure modes may be modelled from the base component level up}
By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are greatly by an exponential order.
\subsection{Advantages of FMMD Methodology}
\begin{itemize} \begin{itemize}
\item It can be checked, automatically that, all component failure modes have been considered in the model. \item It can be checked, automatically that, all component failure modes have been considered in the model.
\item Because we are modelling with {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components. \item Because we are modelling with {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components.
\item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects. \item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects.
\item It will have a formal basis, that is to say, it should be able to produce mathematical proofs \item It will have a formal basis, that is to say, it is able to produce mathematical proofs
for its results (MTTF and the causes for SYSTEM level faults). for its results (MTTF and the cause trees for SYSTEM level faults).
\item Overall reliability and danger evaluation statistics can be computed. \item Overall reliability and danger evaluation statistics can be computed.
\item A graphical representation based on Euler diagrams is proposed. \item A graphical representation based on Euler diagrams is used.
\item From the top down the failure mode model should will a logical de-composition of the functionality, by \item From the top down the failure mode model will follow a logical de-composition of the functionality; by
chosing {\fg}s this happens as a natural consequence. chosing {\fg}s and working bottom-up the hierarchy this happens as a natural consequence.
\item Undetectable or unhandled failure modes will be specifically flagged.
\item It is possible to model multiple failure modes.
\end{itemize} \end{itemize}
\section{Conclusion}
\vspace{30pt}
%%- \section{building blocks of a safety critical systen} \today
%%-
%%- This section looks at common features in a safety critical system and
%%- then looks at the building blocks of these systems
%%- and their characteristics.
%%-
%%- \subsection{what is a safety critical system?}
%%-
%%- DEFINITIONS GET REFS
%%-
%%-
%%- TYPICALLY HAS MECHANICAL, ELECTRONIC and SOFTWARE
%%- actuators control intelligence
%%-
%%- \subsection{An example : industrial burner}
%%-
%%- An industrial burner is a nice example of a safety critical system.
%%- It has some lethal risks and some environmental.
%%- It could, by igniting an explosive mixture, cause an explosion.
%%- By burning incorrect proportions of fuel and air, it could be ineffecient and waste
%%- resources, or worse could cause poisonous burning (typically carbon monoxide, but also
%%- where flame temperature is very high, can produce NOX emmissions).
%%-
%%- To prevent igniting an explosive mixture, air is pumped though the furnace
%%- chamber on start-up, and this is verified with an air pressure switch.
%%-
%%-
%%- NEED A DIAGRAM HERE
%%-
%%-
%%- NEED A STATE CHART TOO
%%-
%%- It is interesting here to compare how the different methodologies
%%- would deal with a particular sub-system in the burner controller
%%- and compare how they analyse it.
%%- The Flame scanner is a good example for this.
%%- We shall consider a simple infra red (IR) flame scanner.
%%- This is in the form of an IR sensitive resistor.
%%- The flame type we will be looking for will have a characteristic
%%- flicker frequency of around 13Hz.
%%- The circuit is then simply a resitor voltage divider connected to
%%- a micro-controller reading the voltage.
%%- The flame scanner is thus a two resistor voltage divider.
%%-
%%- \subsection{The Flame Scanner}
%%- \subsubsection{Macro FTA perspective}
%%-
%%- SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISONOUS BURNING CO, POISONOUS BURNING NOX, FAILS TO LIGHT etc
%%-
%%- Follow the explosion tree down to flame scanner fails ON, and OFF
%%-
%%- etc
%%- \subsubsection{Macro FMEA/Statistical perspective}
%%-
%%- Each of the resistors is considered critical, in the statistical case, and so the MTTF
%%- is added inot the DANGEROUS section.
%%-
%%- For FMEA the resistor failures add up to the SYSTEM level, show this is inappropriate
%%- and makes several jumps in applied knowledge, thus Bayes theorem etc
%%-
%%- \subsubsection{Micro FMMD perspective}
%%-
%%-
%%- Here show how the flame scanner becomes a black box, or component in itself.
%%- How it is now available to be integrated into higher level designs.
%%-
%%- %and then an ignition position is checked.
%%- %Initially a pilot flame is started and when this is stable, the main
%%- %flame is fired.
%%- %To check the stability of the flame, a flame scanner is required.
%%- %To mix the fuel and air, motors to position valves are generally used.
%%- %To prevent fuel leakage into the furnace, safety shut-off valves are used \footnote{These generally open slowly under power, and when power is removed `slam shut'. Thus
%%- %in the event of a general power failure, the default to safe behaviour.}
%%-
%%-
%%-
%%-
%%- Motors controlling air and fuel flow
%%- safety chain to power for shutdown valves
%%- safety shutdown valves on fuel
%%- flame sensor
%%- air pressure sensor
%%-
%%-
%%- \section{Base Level Components}
%%-
%%- A common factor with all safety critical systems, is
%%- base level -or- bought in components. Be these
%%- electrical, mechanical or firmware, they should all
%%- have known failure modes.
%%-
%%- \subsection { Failure modes defining the component}
%%- We can consider each bought-in component as a base level component,
%%- and it should have an associated set of failure modes.
%%-
%%-
%%-
%%- \subsection { Complication of multiple failure modes }
%%- A very complicated component, like an integrated circuit or perhaps a servo motor, has
%%- a set of failure modes, where several things could go worng with it within the $\tau$ period.
%%- This is a simultaneous failure, or more than one failure mode being active during the same time period.
%%-
%%-
%%- \section{FMMD Proposed Methology Outline}
%%-
%%- fire away, essentially the elevator pitch
%%-
%%- \subsection{Treating a functional group as a component}
%%- \subsection{Using a derived component in designs}
%%- \section{Building a failure Mode model Hierarchy}
%%-
%%- AND the hierarchy...
%%-
%%-
%%- Probab about 3 pages

2
logic_diagram/logic_diagram.tex
View File

@ -877,7 +877,7 @@ volcanic ash intake, affecting all engines.
Obviously the symptom of this multiple failure would be loss of propulsion and more importantly Obviously the symptom of this multiple failure would be loss of propulsion and more importantly
the loss of ability to maintain altitude. the loss of ability to maintain altitude.
% and maybe even the APU ! % and maybe even the APU !
The test case AFE represents the condition where all four engines have failed. The test case AFE represents the condition where all four engines have failed \cite{allfour}.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg} \includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg}

11
mybib.bib
View File

@ -136,6 +136,17 @@
YEAR = "1988" YEAR = "1988"
} }
@BOOK{allfour,
AUTHOR = "Betty Tootell",
TITLE = "All Four Engines Have Failed ISBN 0-233-97758-9",
PUBLISHER = "Andre deutsch",
YEAR = "1985"
}
@BOOK{f77, @BOOK{f77,
AUTHOR = "A.~Balfour D.H.~Marwick", AUTHOR = "A.~Balfour D.H.~Marwick",
TITLE = "Programming in Standard Fortran 77 ISBN 0-435-77486-7", TITLE = "Programming in Standard Fortran 77 ISBN 0-435-77486-7",