.
This commit is contained in:
parent
a98b4ee918
commit
dd56d45404
@ -23,15 +23,22 @@ There are four methodologies in common use for failure mode modelling.
|
||||
These are FTA, FMEA, FMECA
|
||||
and FMEDA (a form of statistical analysis).
|
||||
|
||||
These methodologies have several draw backs.
|
||||
In short
|
||||
FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods
|
||||
lack precision in predicting failure modes at the SYSTEM level.
|
||||
These methodologies date from the 1940's onwards and have several draw backs.
|
||||
%In short
|
||||
%FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods
|
||||
%lack precision in predicting failure modes at the SYSTEM level.
|
||||
|
||||
|
||||
The Failure Mode Modular De-composition
|
||||
(FMMD) methodology presented here provides a more detailed and analytical
|
||||
modelling system from which
|
||||
(FMMD) aims to address the
|
||||
weaknesses in these methodoligies and to add
|
||||
features such as the ability to analyse double
|
||||
failure mode scenarios, and to allow modular re-use
|
||||
of analysis.
|
||||
|
||||
The FMMD
|
||||
methodology presented here provides a more detailed and analytical
|
||||
modelling system which will create a more complete and detail hierarchical failure mode model from which
|
||||
the data models from FTA, FMEA and the statistical approach can be
|
||||
derived if required.
|
||||
It also applies rigorous checking in the analysis stages
|
||||
@ -99,6 +106,13 @@ Consequently it was not designed to guarantee to cover all component failure mod
|
||||
and has no rigorous in-built safeguards to ensure coverage of all possible
|
||||
system level outcomes.
|
||||
|
||||
\subsubsection{ FTA weaknesses }
|
||||
\begin{itemize}
|
||||
\item Possibility to miss component failure modes
|
||||
\item Possibility to miss environemtal affects.
|
||||
\item No possibility to model base component level double failure modes.
|
||||
\end{itemize}
|
||||
|
||||
\subsection { FMEA }
|
||||
|
||||
This is an early static analysis methodology, and concentrates
|
||||
@ -113,13 +127,23 @@ gives a risk probability number, i.e. $RPN = S \times O \times D$.
|
||||
This gives in effect
|
||||
a prioritised todo list, with higher the $RPN$ values being the most urgent.
|
||||
|
||||
|
||||
\subsubsection{ FMEA weaknesses }
|
||||
\begin{itemize}
|
||||
\item Possibility to miss the effects of failure modes at SYSTEM level.
|
||||
\item Possibility to miss environemtal affects.
|
||||
\item No possibility to model base component level double failure modes.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
|
||||
\subsection{FMECA}
|
||||
|
||||
Failure mode, effects, and criticality analysis (FMECDA) extends FMEA.
|
||||
This is a bottom up methodology, which takes component failure modes
|
||||
and traces them to the SYSTEM level failures. The components
|
||||
have reliability data and this can be used to predict the
|
||||
failure statistics in the design stage \cite{mil1992}.
|
||||
failure statistics in the design stage \cite{mil1991}.
|
||||
It can do this using probability \footnote{for a given component failure mode there will be a $\beta$ value, the
|
||||
probability that the component failure mode will cause a given SYSTEM failure}.
|
||||
%
|
||||
@ -139,6 +163,13 @@ The results, as with FMEA are an $RPN$ number determing the significance of the
|
||||
%%-WIKI- while various forms of FMEA predominate in other industries.
|
||||
|
||||
|
||||
\subsubsection{ FMEA weaknesses }
|
||||
\begin{itemize}
|
||||
\item Possibility to miss the effects of failure modes at SYSTEM level.
|
||||
\item Possibility to miss environemtal affects.
|
||||
\item No possibility to model base component level double failure modes.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
\subsection { FMEDA or Statistical Analyis }
|
||||
|
||||
@ -205,6 +236,14 @@ The Statistical Analyis methodology is the core philosophy
|
||||
of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
|
||||
|
||||
|
||||
|
||||
\subsubsection{ FMEDA weaknesses }
|
||||
\begin{itemize}
|
||||
\item Possibility to miss the effects of failure modes at SYSTEM level.
|
||||
\item Statistical nature allows critical failures considered acceptable for given S.I.L. level.
|
||||
\item Allows a small proportion of `undetectable' error conditions.
|
||||
\item No possibility to model base component level double failure modes.
|
||||
\end{itemize}
|
||||
%AND then how we can solve all there problems
|
||||
|
||||
\section{A wish list for a failure mode methodolgy}
|
||||
@ -218,14 +257,14 @@ for its results.
|
||||
\item It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one).
|
||||
\item From the top down the failure mode model should follow a logical de-composition of the functionality
|
||||
to smaller and smaller functional modules \cite{maikowski}.
|
||||
\item Multiple failure modes may be modelled from the base component level up.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
\section{Proposed Methodology \\ Failure Mode Modular De-Composition (FMMD)}
|
||||
|
||||
The proposed methodology will be bottom-up.
|
||||
Thiure that all component failure modes are handled.
|
||||
The bottom-up approach also fulfills the logical de-composition requirement.
|
||||
\subsection{Outline of the FMMD process}
|
||||
|
||||
FMMD builds {\fg}s of components from the bottom-up.
|
||||
Thus the {\fg}s are minimal collections of components
|
||||
that work together to perform a simple function.
|
||||
@ -242,135 +281,67 @@ modes, the collected symptoms of the {\fg}.
|
||||
Because we can now have a {\dcs} we can use these to form
|
||||
new {\fg}s and we can build a hierarchical model of the system failure modes.
|
||||
|
||||
Advantages
|
||||
\subsection{Justification of wishlist}
|
||||
|
||||
\subsubsection{All component failure modes must be considered in the model.}
|
||||
The proposed methodology will be bottom-up.
|
||||
This ensures that all component failure modes are handled.
|
||||
|
||||
|
||||
\subsubsection{ It should be easy to integrate mechanical, electronic and software models.}
|
||||
Each functional components failure modes are considered. Because of this
|
||||
the failure modes of a mechanical, electrical or software system can be modelled
|
||||
using a common notation.
|
||||
|
||||
\subsubsection{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
|
||||
The hierarchical nature, taking {\fg}s and deriving components from them, means that
|
||||
commonly used {\dcs} can be re-used in a design (for instance self checking digital inputs)
|
||||
or even in other projects where the same {\dc} is used.
|
||||
\subsubsection{ It should have a formal basis, that is to say, it should be able to produce mathematical proofs
|
||||
for its results}
|
||||
Because the failure mode mode of a SYSTEM is a hierarchy of {\fg}s and derived components
|
||||
SYSTEM level failure modes are traceable back down the tree to
|
||||
component level failure modes. This proivides causation minimal cut sets \cite{sccs}
|
||||
for all SYSTEM failure modes.
|
||||
|
||||
\subsubsection{ It should be capable of producing reliability and danger evaluation statistics.}
|
||||
The Minimal cuts sets for the SYSTEM level failures, can have computed MTTF
|
||||
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.
|
||||
|
||||
\subsubsection{ It should be easy to use, Ideally useing a graphical syntax (as oppossed to a formal mathematical one).}
|
||||
A modified form of constraint diagram (an extension of Euler diagrams) has been developed to support the FMMD methodology.
|
||||
This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
|
||||
advance a {\fg} to a {\dc}.
|
||||
\subsubsection{ From the top down the failure mode model should follow a logical de-composition of the functionality
|
||||
to smaller and smaller functional modules \cite{maikowski}.}
|
||||
The bottom-up approach fulfills the logical de-composition requirement, because the {\fg}s
|
||||
are built from components performing a given task.
|
||||
|
||||
|
||||
\subsubsection{ Multiple failure modes may be modelled from the base component level up}
|
||||
By breaking the problem of failure mode analysis into small stages
|
||||
and building a hierarchy, the problems associated with the cross products of
|
||||
all failure modes within a system are greatly by an exponential order.
|
||||
|
||||
|
||||
|
||||
\subsection{Advantages of FMMD Methodology}
|
||||
|
||||
\begin{itemize}
|
||||
\item It can be checked, automatically that, all component failure modes have been considered in the model.
|
||||
\item Because we are modelling with {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components.
|
||||
\item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects.
|
||||
\item It will have a formal basis, that is to say, it should be able to produce mathematical proofs
|
||||
for its results (MTTF and the causes for SYSTEM level faults).
|
||||
\item It will have a formal basis, that is to say, it is able to produce mathematical proofs
|
||||
for its results (MTTF and the cause trees for SYSTEM level faults).
|
||||
\item Overall reliability and danger evaluation statistics can be computed.
|
||||
\item A graphical representation based on Euler diagrams is proposed.
|
||||
\item From the top down the failure mode model should will a logical de-composition of the functionality, by
|
||||
chosing {\fg}s this happens as a natural consequence.
|
||||
|
||||
\item A graphical representation based on Euler diagrams is used.
|
||||
\item From the top down the failure mode model will follow a logical de-composition of the functionality; by
|
||||
chosing {\fg}s and working bottom-up the hierarchy this happens as a natural consequence.
|
||||
\item Undetectable or unhandled failure modes will be specifically flagged.
|
||||
\item It is possible to model multiple failure modes.
|
||||
\end{itemize}
|
||||
|
||||
\section{Conclusion}
|
||||
|
||||
|
||||
%%- \section{building blocks of a safety critical systen}
|
||||
%%-
|
||||
%%- This section looks at common features in a safety critical system and
|
||||
%%- then looks at the building blocks of these systems
|
||||
%%- and their characteristics.
|
||||
%%-
|
||||
%%- \subsection{what is a safety critical system?}
|
||||
%%-
|
||||
%%- DEFINITIONS GET REFS
|
||||
%%-
|
||||
%%-
|
||||
%%- TYPICALLY HAS MECHANICAL, ELECTRONIC and SOFTWARE
|
||||
%%- actuators control intelligence
|
||||
%%-
|
||||
%%- \subsection{An example : industrial burner}
|
||||
%%-
|
||||
%%- An industrial burner is a nice example of a safety critical system.
|
||||
%%- It has some lethal risks and some environmental.
|
||||
%%- It could, by igniting an explosive mixture, cause an explosion.
|
||||
%%- By burning incorrect proportions of fuel and air, it could be ineffecient and waste
|
||||
%%- resources, or worse could cause poisonous burning (typically carbon monoxide, but also
|
||||
%%- where flame temperature is very high, can produce NOX emmissions).
|
||||
%%-
|
||||
%%- To prevent igniting an explosive mixture, air is pumped though the furnace
|
||||
%%- chamber on start-up, and this is verified with an air pressure switch.
|
||||
%%-
|
||||
%%-
|
||||
%%- NEED A DIAGRAM HERE
|
||||
%%-
|
||||
%%-
|
||||
%%- NEED A STATE CHART TOO
|
||||
%%-
|
||||
%%- It is interesting here to compare how the different methodologies
|
||||
%%- would deal with a particular sub-system in the burner controller
|
||||
%%- and compare how they analyse it.
|
||||
%%- The Flame scanner is a good example for this.
|
||||
%%- We shall consider a simple infra red (IR) flame scanner.
|
||||
%%- This is in the form of an IR sensitive resistor.
|
||||
%%- The flame type we will be looking for will have a characteristic
|
||||
%%- flicker frequency of around 13Hz.
|
||||
%%- The circuit is then simply a resitor voltage divider connected to
|
||||
%%- a micro-controller reading the voltage.
|
||||
%%- The flame scanner is thus a two resistor voltage divider.
|
||||
%%-
|
||||
%%- \subsection{The Flame Scanner}
|
||||
%%- \subsubsection{Macro FTA perspective}
|
||||
%%-
|
||||
%%- SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISONOUS BURNING CO, POISONOUS BURNING NOX, FAILS TO LIGHT etc
|
||||
%%-
|
||||
%%- Follow the explosion tree down to flame scanner fails ON, and OFF
|
||||
%%-
|
||||
%%- etc
|
||||
%%- \subsubsection{Macro FMEA/Statistical perspective}
|
||||
%%-
|
||||
%%- Each of the resistors is considered critical, in the statistical case, and so the MTTF
|
||||
%%- is added inot the DANGEROUS section.
|
||||
%%-
|
||||
%%- For FMEA the resistor failures add up to the SYSTEM level, show this is inappropriate
|
||||
%%- and makes several jumps in applied knowledge, thus Bayes theorem etc
|
||||
%%-
|
||||
%%- \subsubsection{Micro FMMD perspective}
|
||||
%%-
|
||||
%%-
|
||||
%%- Here show how the flame scanner becomes a black box, or component in itself.
|
||||
%%- How it is now available to be integrated into higher level designs.
|
||||
%%-
|
||||
%%- %and then an ignition position is checked.
|
||||
%%- %Initially a pilot flame is started and when this is stable, the main
|
||||
%%- %flame is fired.
|
||||
%%- %To check the stability of the flame, a flame scanner is required.
|
||||
%%- %To mix the fuel and air, motors to position valves are generally used.
|
||||
%%- %To prevent fuel leakage into the furnace, safety shut-off valves are used \footnote{These generally open slowly under power, and when power is removed `slam shut'. Thus
|
||||
%%- %in the event of a general power failure, the default to safe behaviour.}
|
||||
%%-
|
||||
%%-
|
||||
%%-
|
||||
%%-
|
||||
%%- Motors controlling air and fuel flow
|
||||
%%- safety chain to power for shutdown valves
|
||||
%%- safety shutdown valves on fuel
|
||||
%%- flame sensor
|
||||
%%- air pressure sensor
|
||||
%%-
|
||||
%%-
|
||||
%%- \section{Base Level Components}
|
||||
%%-
|
||||
%%- A common factor with all safety critical systems, is
|
||||
%%- base level -or- bought in components. Be these
|
||||
%%- electrical, mechanical or firmware, they should all
|
||||
%%- have known failure modes.
|
||||
%%-
|
||||
%%- \subsection { Failure modes defining the component}
|
||||
%%- We can consider each bought-in component as a base level component,
|
||||
%%- and it should have an associated set of failure modes.
|
||||
%%-
|
||||
%%-
|
||||
%%-
|
||||
%%- \subsection { Complication of multiple failure modes }
|
||||
%%- A very complicated component, like an integrated circuit or perhaps a servo motor, has
|
||||
%%- a set of failure modes, where several things could go worng with it within the $\tau$ period.
|
||||
%%- This is a simultaneous failure, or more than one failure mode being active during the same time period.
|
||||
%%-
|
||||
%%-
|
||||
%%- \section{FMMD Proposed Methology Outline}
|
||||
%%-
|
||||
%%- fire away, essentially the elevator pitch
|
||||
%%-
|
||||
%%- \subsection{Treating a functional group as a component}
|
||||
%%- \subsection{Using a derived component in designs}
|
||||
%%- \section{Building a failure Mode model Hierarchy}
|
||||
%%-
|
||||
%%- AND the hierarchy...
|
||||
%%-
|
||||
%%-
|
||||
%%- Probab about 3 pages
|
||||
\vspace{30pt}
|
||||
\today
|
||||
|
||||
@ -877,7 +877,7 @@ volcanic ash intake, affecting all engines.
|
||||
Obviously the symptom of this multiple failure would be loss of propulsion and more importantly
|
||||
the loss of ability to maintain altitude.
|
||||
% and maybe even the APU !
|
||||
The test case AFE represents the condition where all four engines have failed.
|
||||
The test case AFE represents the condition where all four engines have failed \cite{allfour}.
|
||||
\begin{figure}[h]
|
||||
\centering
|
||||
\includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg}
|
||||
|
||||
11
mybib.bib
11
mybib.bib
@ -136,6 +136,17 @@
|
||||
YEAR = "1988"
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
@BOOK{allfour,
|
||||
AUTHOR = "Betty Tootell",
|
||||
TITLE = "All Four Engines Have Failed ISBN 0-233-97758-9",
|
||||
PUBLISHER = "Andre deutsch",
|
||||
YEAR = "1985"
|
||||
}
|
||||
|
||||
|
||||
@BOOK{f77,
|
||||
AUTHOR = "A.~Balfour D.H.~Marwick",
|
||||
TITLE = "Programming in Standard Fortran 77 ISBN 0-435-77486-7",
|
||||
|
||||
Loading…
Reference in New Issue
Block a user