From e3a27047ea4b950241b27c440fa2d68e83efbe14 Mon Sep 17 00:00:00 2001
From: Robin Clark
Date: Sun, 16 Jan 2011 21:06:29 +0000
Subject: [PATCH] ...

---
 survey/paper.tex | 9 +-
 survey/survey.tex | 323 +++++++++++++++++++++++++++-------------------
 2 files changed, 199 insertions(+), 133 deletions(-)

diff --git a/survey/paper.tex b/survey/paper.tex
index 7789b37..ebf259a 100644
--- a/survey/paper.tex
+++ b/survey/paper.tex
@@ -15,7 +15,14 @@
 \begin{document}
 \pagestyle{fancy}
-
+\fancyhf{}
+%\renewcommand{\chaptermark}[1]{\markboth{ \emph{#1}}{}}
+\fancyhead[LO]{}
+\fancyhead[RE]{\leftmark}
+%\fancyfoot[LE,RO]{\thepage}
+\cfoot{Page \thepage\ of \pageref{LastPage}}
+\rfoot{\today}
+\lhead{A survey of failure mode analysis methodologies for safety critical systems}
 %\outerhead{{\small\bf Survey of Safety Critical Static Analysis Methods}}
 %\innerfoot{{\small\bf R.P. Clark } }
 % numbers at outer edges
diff --git a/survey/survey.tex b/survey/survey.tex
index ae0a326..16c2ec1 100644
--- a/survey/survey.tex
+++ b/survey/survey.tex
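Review bot: `\cfoot{Page \thepage\ of \pageref{LastPage}}` depends on the `lastpage` package defining the `LastPage` label; if the preamble (outside this hunk) does not load it, every build prints `Page 1 of ??` and logs an undefined reference. The last added line, `\lhead{...}`, sets the left header for both odd and even pages, so the earlier `\fancyhead[LO]{}` is overridden and has no effect; if the title is meant for even pages only, write `\fancyhead[LE]{...}` and drop the `[LO]{}` line. `\fancyhead[RE]{\leftmark}` is only rendered in a twoside document, which cannot be confirmed from the hunk.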
@@ -88,6 +88,100 @@ trees can be derived. Maintainability and consistency cannot therefore be automa \item No possibility to model base component level double failure modes. \end{itemize} + + + +\subsection {FTA Example} + +Fault tree Analysis +Show how it works, top down, + +FROM INTERBET HISTORY OF FTA + +% A simple fault tree +% Author: Zhang Long, Mail: zhangloong[at]gmail.com +%\def\pgfsysdriver{pgfsys-dvipdfm.def} +%\documentclass{minimal} +%\usepackage{tikz} +%\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows} +%\begin{document} + +\begin{figure} +\begin{tikzpicture}[ +% Gates and symbols style + and/.style={and gate US,thick,draw,fill=blue!40,rotate=90, + anchor=east,xshift=-1mm}, + or/.style={or gate US,thick,draw,fill=blue!40,rotate=90, + anchor=east,xshift=-1mm}, + be/.style={circle,thick,draw,fill=white!60,anchor=north, + minimum width=0.7cm}, + tr/.style={buffer gate US,thick,draw,fill=white!60,rotate=90, + anchor=east,minimum width=0.8cm}, +% Label style + label distance=3mm, + every label/.style={blue}, +% Event style + event/.style={rectangle,thick,draw,fill=yellow!20,text width=2cm, + text centered,font=\sffamily,anchor=north}, +% Children and edges style + edge from parent/.style={very thick,draw=black!70}, + edge from parent path={(\tikzparentnode.south) -- ++(0,-1.05cm) + -| (\tikzchildnode.north)}, + level 1/.style={sibling distance=7cm,level distance=1.4cm, + growth parent anchor=south,nodes=event}, + level 2/.style={sibling distance=7cm}, + level 3/.style={sibling distance=6cm}, + level 4/.style={sibling distance=3cm} +%% For compatability with PGF CVS add the absolute option: +% absolute + ] +%% Draw events and edges + \node (g1) [event] {No flow to receiver} + child{node (g2) {No flow from Component B} + child {node (g3) {No flow into Component B} + child {node (g4) {No flow from Component A1} + child {node (t1) {No flow from source1}} + child {node (b2) {Component A1 blocks flow}} + } + child {node (g5) {No flow from Component 
A2} + child {node (t2) {No flow from source2}} + child {node (b3) {Component A2 blocks flow}} + } + } + child {node (b1) {Component B blocks flow}} + }; +%% Place gates and other symbols +%% In the CVS version of PGF labels are placed differently than in PGF 2.0 +%% To render them correctly replace '-20' with 'right' and add the 'absolute' +%% option to the tikzpicture environment. The absolute option makes the +%% node labels ignore the rotation of the parent node. + \node [or] at (g2.south) [label=-20:G02] {}; + \node [and] at (g3.south) [label=-20:G03] {}; + \node [or] at (g4.south) [label=-20:G04] {}; + \node [or] at (g5.south) [label=-20:G05] {}; + \node [be] at (b1.south) [label=below:B01] {}; + \node [be] at (b2.south) [label=below:B02] {}; + \node [be] at (b3.south) [label=below:B03] {}; + \node [tr] at (t1.south) [label=below:T01] {}; + \node [tr] at (t2.south) [label=below:T02] {}; +%% Draw system flow diagram +% \begin{scope}[xshift=-7.5cm,yshift=-5cm,very thick, +% node distance=1.6cm,on grid,>=stealth', +% block/.style={rectangle,draw,fill=cyan!20}, +% comp/.style={circle,draw,fill=orange!40}] +% \node [block] (re) {Receiver}; +% \node [comp] (cb) [above=of re] {B} edge [->] (re); +% \node [comp] (ca1) [above=of cb,xshift=-0.8cm] {A1} edge [->] (cb); +% \node [comp] (ca2) [right=of ca1] {A2} edge [->] (cb); +% \node [block] (s1) [above=of ca1] {Source1} edge [->] (ca1); +% \node [block] (s2) [right=of s1] {Source2} edge [->] (ca2); +% \end{scope} +\end{tikzpicture} +\caption{Example FTA for a Gas Supply with two Shutoff Valves} +\end{figure} +\clearpage + + \subsection { FMEA } \label{pfmea} 
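Review bot: The new `FTA Example` subsection carries placeholder text into the typeset document: `Show how it works, top down,` and `FROM INTERBET HISTORY OF FTA` are not comments and will print as body text, so they should be prefixed with `%` or replaced by the intended prose before merging. The figure has no `\label`, so its caption cannot be cross-referenced from the text; add `\label{fig:fta-example}` after the `\caption` line. The caption speaks of a gas supply with two shutoff valves while the tree nodes are named Component A1/A2/B and source1/source2; if the figure is meant to illustrate the gas-supply case the node text or the caption should agree. The trailing `\clearpage` forces a page break here instead of letting float placement decide; the block itself is the one removed by the hunk at `@@ -470,97 +564,6 @@`, so this is a move rather than new material.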
@@ -149,7 +243,7 @@ The results of FMECA are similar to FMEA, in that component errors are listed
 according to importance, based on probability of occurrence and criticallity.
 % to prevent the SYSTEM fault of given criticallity.
-Again this essentially produces a prioritised `todo' list.
+Again this essentially produces a prioritised `to~do~list'.
 %%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA).
 %%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or
@@ -470,97 +564,6 @@ Reducing FIT with detecting a fraction of the faults within an interval. Give fo OK for EN61508, not OK for nuclear industry find refs. - -\section {FTA} - -Fault tree Analysis -Show how it works, top down, - -FROM INTERBET HISTORY OF FTA - -% A simple fault tree -% Author: Zhang Long, Mail: zhangloong[at]gmail.com -%\def\pgfsysdriver{pgfsys-dvipdfm.def} -%\documentclass{minimal} -%\usepackage{tikz} -%\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows} -%\begin{document} - -\begin{figure} -\begin{tikzpicture}[ -% Gates and symbols style - and/.style={and gate US,thick,draw,fill=blue!40,rotate=90, - anchor=east,xshift=-1mm}, - or/.style={or gate US,thick,draw,fill=blue!40,rotate=90, - anchor=east,xshift=-1mm}, - be/.style={circle,thick,draw,fill=white!60,anchor=north, - minimum width=0.7cm}, - tr/.style={buffer gate US,thick,draw,fill=white!60,rotate=90, - anchor=east,minimum width=0.8cm}, -% Label style - label distance=3mm, - every label/.style={blue}, -% Event style - event/.style={rectangle,thick,draw,fill=yellow!20,text width=2cm, - text centered,font=\sffamily,anchor=north}, -% Children and edges style - edge from parent/.style={very thick,draw=black!70}, - edge from parent path={(\tikzparentnode.south) -- ++(0,-1.05cm) - -| (\tikzchildnode.north)}, - level 1/.style={sibling distance=7cm,level distance=1.4cm, - growth parent anchor=south,nodes=event}, - level 2/.style={sibling distance=7cm}, - level 3/.style={sibling distance=6cm}, - level 4/.style={sibling distance=3cm} -%% For compatability with PGF CVS add the absolute option: -% absolute - ] -%% Draw events and edges - \node (g1) [event] {No flow to receiver} - child{node (g2) {No flow from Component B} - child {node (g3) {No flow into Component B} - child {node (g4) {No flow from Component A1} - child {node (t1) {No flow from source1}} - child {node (b2) {Component A1 blocks flow}} - } - child {node (g5) {No flow from Component A2} - child {node (t2) {No flow from 
source2}} - child {node (b3) {Component A2 blocks flow}} - } - } - child {node (b1) {Component B blocks flow}} - }; -%% Place gates and other symbols -%% In the CVS version of PGF labels are placed differently than in PGF 2.0 -%% To render them correctly replace '-20' with 'right' and add the 'absolute' -%% option to the tikzpicture environment. The absolute option makes the -%% node labels ignore the rotation of the parent node. - \node [or] at (g2.south) [label=-20:G02] {}; - \node [and] at (g3.south) [label=-20:G03] {}; - \node [or] at (g4.south) [label=-20:G04] {}; - \node [or] at (g5.south) [label=-20:G05] {}; - \node [be] at (b1.south) [label=below:B01] {}; - \node [be] at (b2.south) [label=below:B02] {}; - \node [be] at (b3.south) [label=below:B03] {}; - \node [tr] at (t1.south) [label=below:T01] {}; - \node [tr] at (t2.south) [label=below:T02] {}; -%% Draw system flow diagram -% \begin{scope}[xshift=-7.5cm,yshift=-5cm,very thick, -% node distance=1.6cm,on grid,>=stealth', -% block/.style={rectangle,draw,fill=cyan!20}, -% comp/.style={circle,draw,fill=orange!40}] -% \node [block] (re) {Receiver}; -% \node [comp] (cb) [above=of re] {B} edge [->] (re); -% \node [comp] (ca1) [above=of cb,xshift=-0.8cm] {A1} edge [->] (cb); -% \node [comp] (ca2) [right=of ca1] {A2} edge [->] (cb); -% \node [block] (s1) [above=of ca1] {Source1} edge [->] (ca1); -% \node [block] (s2) [right=of s1] {Source2} edge [->] (ca2); -% \end{scope} -\end{tikzpicture} -\caption{Example FTA for a Gas Supply with two Shutoff Valves} -\end{figure} - - \subsection{Bayes Theorm in Relation to Failure Modes} \paragraph{Conditional Probability} 
@@ -598,8 +601,10 @@ $$ P(B) P(B|S) = P(S \cap B) $$ As for one being the cause of the other, both equations must be equal, we can state, - -$$ P(B) P(B|S) = P(S \cap B) = P(S) P(S|B). $$ +\begin{equation} +\label{eqn:bayes0} + P(B) P(B|S) = P(S \cap B) = P(S) P(S|B). +\end{equation} We can now re-arrange the equation~\cite{probstat} to remove the intersection $P(S \cap B)$ term thus @@ -614,6 +619,26 @@ This equation gives us the probability that if event B has occurred, of the event S occurring. In the context of failure mode analysis, the event B would be the occurance of a component failure mode, and S would be a system level error. + +We can redefine $P(B)$ using equation \ref{eqn:bayes0} + + +$$ S = \bigcup_{i=1}^{i=N} S \cap B_n $$ + +now to find the probabilities we can express this as + +$$ P(S) = P \big( \bigcup_{i=1}^{i=N} S \cap B_n \big) = \sum_{i=1}^{i=N} P(B|S) P(B) $$ +and +$$ P(S) = P \big( \bigcup_{i=1}^{i=N} S \cap B_n \big) = \sum_{i=1}^{i=N} P(S|B) P(S) $$ + + +We can express bayes theorem thus + +\begin{equation} +\label{eqn:bayes2} + P(S|B) = \frac{P(S) P(B|S)} { \sum_{i=1}^{i=N} P(S|B) P(S) } . +\end{equation} + % %Equation \ref{eqn:bayes1} means, given the event $B$ what is the probability it was caused by $S$. 
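Review bot: The added total-probability expansion in the second hunk is inconsistent: the union and the sums are indexed by `i`, but the events are written `B_n` and the summands `P(B|S) P(B)` and `P(S|B) P(S)` carry no index at all, so neither right-hand side depends on `i`; the law of total probability reads `P(S) = \sum_{i=1}^{N} P(S \cap B_i) = \sum_{i=1}^{N} P(S|B_i) P(B_i)`, and the second display, `\sum P(S|B) P(S)`, is not an identity. Rearranging the labelled `eqn:bayes0` gives `P(S|B) = P(S) P(B|S) / P(B)`, so for `eqn:bayes2` to follow from it the denominator must equal `P(B)`, which `\sum P(S|B) P(S)` does not. `\label{eqn:bayes2}` is also defined a second time in the hunk at `@@ -708,15 +742,40 @@`; LaTeX reports that as a multiply-defined label and `\ref{eqn:bayes2}` then resolves to whichever definition comes last. Minor: `equation \ref{eqn:bayes0}` should be `equation~\ref{eqn:bayes0}`, and the new displays use `$$...$$` where the hunk just above switched to the `equation` environment.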
@@ -629,37 +654,13 @@ be the occurance of a component failure mode, and S would be a system level erro Typically a system level failure will have a number of possible causes, or base component failure -modes. Some base component failure modes may not be able to cause given system failures. -We can represent the the base component failure modes as a partioned set~\cite{nucfta}[fig VI-7], and overlay +modes. +For probability we are interested in these failure modes occuring, or rather +the event of the failure modes becoming active. + +We can represent the the base component failure mode events as a partioned set~\cite{nucfta}[fig VI-7], and overlay a given system failure mode on it. -\begin{figure}[h] - \centering - \includegraphics[width=350pt,keepaspectratio=true]{./survey/partition.jpg} - % partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 - \caption{Base Component Failure Modes represented as partitioned sets} - \label{fig:partitionbcfm} -\end{figure} - - -Figure \ref{fig:partitionbcfm} represents a small theoretical system -with nine base component failure modes. These are represented as partitions -in a set theoretic model of the systems possible failure mode causes. - -\begin{figure}[h] - \centering - \includegraphics[width=350pt,keepaspectratio=true]{./survey/partition2.jpg} - % partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 - \caption{Base Component Failure Modes with Overlaid System Error} - \label{fig:partitionbcfm2} -\end{figure} - -Figure \ref{fig:partitionbcfm2} represents the case where we are looking at a particular -system level failure $S_k$. Looking at the diagram we can see that this system failure -could be, but is not necessarily caused by base component failure modes $B_1, B_2 \; or \; B_4$. -Should any other base component failure mode (causation event occur) according to the diagram -it will not be able to cause the system failure $S_k$. 
- \paragraph{Bayes Theorem} Consider a SYSTEM error that has several potential base component causes. 
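Review bot: On the new line `We can represent the the base component failure mode events as a partioned set~\cite{nucfta}[fig VI-7]`, the `[fig VI-7]` follows the `\cite` argument, so it is typeset as literal bracketed text rather than as the citation's locator; the optional argument goes first: `set~\cite[fig.~VI-7]{nucfta}`. The same line keeps `the the` and `partioned`, and the added line before it has `occuring`. The `\paragraph{Bayes Theorem}` that the hunk ends on continues past this hunk.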
@@ -671,19 +672,49 @@ say the iprobability od $S_k$ occuring with no information about possible cause base component `potential cause' events as $B_n$ where $n$ is an index. Our sample space $SS$, for investigating the system failure mode/symptom $S_k$ is thus $ SS = \{B_1 ... B_n\} $. -Thus if B is any event, we can apply bayes theorem +We can apply bayes theorem to determine the statistical likelihood that a given failure mode $B_n$ -will cause the system level error $S_k$ +will cause the system level error $S_k$ useing equation \ref{eqn:bayes1}. + + +\begin{figure}[h] + \centering + \includegraphics[width=350pt,keepaspectratio=true]{./survey/partition.jpg} + % partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 + \caption{Base Component Failure Modes represented as partitioned sets} + \label{fig:partitionbcfm} +\end{figure} + + +Figure \ref{fig:partitionbcfm} represents a small theoretical system +with nine events. +representing +failure mode events. + +\begin{figure}[h] + \centering + \includegraphics[width=350pt,keepaspectratio=true]{./survey/partition2.jpg} + % partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 + \caption{Base Component Failure Modes with Overlaid System Error} + \label{fig:partitionbcfm2} +\end{figure} + +Some base component failure modes may not be able to cause given system failures. +Figure \ref{fig:partitionbcfm2} represents the case where we are looking at a particular +system level failure $S_k$. Looking at the diagram we can see that this system failure +could be, but is not necessarily caused by base component failure modes $B_1, B_2 \; or \; B_4$. +Should any other base component failure mode (causation event occur) according to the diagram +it will not be able to cause the system failure $S_k$. + %IN ENGLEEEESH Inverse causality..... 
%Prob $B_n$ caused $S_k$ is the prob $S_k$ caused by $B_n$ divided by prob of $B_n$ -$$ - P(S_k|B_n) = \frac{P(S_k) \; P(B_n | S_k) }{P(B_n)} - -%alternate form of no use to MEEEEEE -%P(B_n|S_k) = \frac{P(B_n) \; P(S_k | B_n) }{P(S_k)} -$$ +%%% \begin{equation} +%%% P(S_k|B_n) = \frac{P(S_k) \; P(B_n | S_k) }{P(B_n)} +%%% %alternate form of no use to MEEEEEE +%%% %P(B_n|S_k) = \frac{P(B_n) \; P(S_k | B_n) }{P(S_k)} +%%% \end{equation} For example were we to have a component that has a failure mode $B_n$ with an MTTF of $10^{-7}$ hours and its associated system failure mode $S_k$ has a MTTF of $5.10^{-8}$ hours, and given that @@ -696,6 +727,9 @@ P(S_k|B_n) = \frac{5.10^{-8} .\; 0.1 }{ 10^{-7}} = 0.05 = 5\% $$ +Some base component failure modes may not be able to cause given system failures. +For instance in the diagram \ref{fig:partitionbcfm2} +events $B_5 ... B_9$ cannot cause event $S_k$. Taking an example from the diagram (figure \ref{fig:partitionbcfm2}), where the base component fault cannot lead to the system failure $S_k$. Taking say $B_9$ which does not overlap with $S_k$ (i.e. $B_9 \cap S_k = \emptyset $), 
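Review bot: `will cause the system level error $S_k$ useing equation \ref{eqn:bayes1}.` references a label that no added or context line in this commit defines (the only `eqn:bayes1` in view sits inside a `%` comment), and this same hunk comments out with `%%%` the display that stated `P(S_k|B_n)`, so the reference is likely to print as `??`; either restore that display as `\begin{equation}\label{eqn:bayes1} ... \end{equation}` or point the sentence at `eqn:bayes0`. `Figure \ref{fig:partitionbcfm} represents a small theoretical system with nine events. representing failure mode events.` is a broken sentence; `with nine events representing failure mode events.` seems to be what was meant. The two moved `figure` environments keep `[h]` and `width=350pt`; `[htbp]` and `width=0.8\linewidth` would let float placement and page width decide. `useing` is a typo.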
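Review bot: `Some base component failure modes may not be able to cause given system failures.` is added here verbatim for the second time in this commit (it is also added in the hunk at `@@ -671,19 +672,49 @@`), and the context line that follows, `Taking an example from the diagram ... where the base component fault cannot lead to the system failure $S_k$`, makes the same point a third time; keep one. In `events $B_5 ... B_9$` the range should be written `$B_5, \dots, B_9$`, and `in the diagram \ref{fig:partitionbcfm2}` should be `in figure~\ref{fig:partitionbcfm2}` so the reference cannot be separated from its noun at a line break.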
@@ -708,15 +742,40 @@ As $ P(S_k | B_n)$ is a factor in the numerator, the application of bayes theorem to $B_9$ being a cause for $S_k$ has a probability of zero, as we would expect. + +%%%% + +%% BAYES + Because we are interested in finding the probability of $S_k$ for all base component failure modes, it is helpful to re-define -$P(B_n)$. +$P(S_k)$. + +In terms oif set intersection, we can express $S_k$ as +$$ S_k = \bigcup_{i=1}^{i=N} S_k \cap B_n .$$ + +now to find the probabilities we can express this as + +$$ P(S_k) = P \big( \bigcup_{i=1}^{i=N} S_k \cap B_n \big) = \sum_{i=1}^{i=N} P(B_i|S_k) P(B_i) $$ +and +$$ P(S_k) = P \big( \bigcup_{i=1}^{i=N} S_k \cap B_n \big) = \sum_{i=1}^{i=N} P(S_k|B_i) P(S_k) $$ + + +We can express bayes theorem thus + +\begin{equation} +\label{eqn:bayes2} + P(S_k|B_n) = \frac{P(S_k) P(B|S_k)} {\sum_{i=1}^{i=n} P(B_i|S_k) P(B_i)} . +\end{equation} % % here derive the trad version of bayes with the summation as the denominator % + + + RESTRICTIONS: Because this uses conditional probability for multiple independent events