This commit is contained in:
Robin Clark 2011-01-16 21:06:29 +00:00
parent 526cee6384
commit e3a27047ea
2 changed files with 199 additions and 133 deletions

View File

@ -15,7 +15,14 @@
\begin{document} \begin{document}
\pagestyle{fancy} \pagestyle{fancy}
\fancyhf{}
%\renewcommand{\chaptermark}[1]{\markboth{ \emph{#1}}{}}
\fancyhead[LO]{}
\fancyhead[RE]{\leftmark}
%\fancyfoot[LE,RO]{\thepage}
\cfoot{Page \thepage\ of \pageref{LastPage}}
\rfoot{\today}
\lhead{A survey of failure mode analysis methodologies for safety critical systems}
%\outerhead{{\small\bf Survey of Safety Critical Static Analysis Methods}} %\outerhead{{\small\bf Survey of Safety Critical Static Analysis Methods}}
%\innerfoot{{\small\bf R.P. Clark } } %\innerfoot{{\small\bf R.P. Clark } }
% numbers at outer edges % numbers at outer edges
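Review bot: `\lhead{A survey of failure mode analysis methodologies for safety critical systems}` at the end of this hunk overrides the `\fancyhead[LO]{}` set a few lines earlier, because `\lhead` is shorthand for `\fancyhead[L]{...}` and applies to both odd and even pages; on odd pages the left header therefore carries the title rather than being empty. Either drop `\fancyhead[LO]{}` or replace `\lhead` with an explicit `\fancyhead[LE]{...}` / `\fancyhead[LO]{...}` pair that states which pages should show the title. `\cfoot{Page \thepage\ of \pageref{LastPage}}` also needs `\usepackage{lastpage}` in the preamble, which is not visible in this hunk; without it `LastPage` is an undefined reference and prints as `??`. Finally, the `[RE]` and `[LO]` selectors only take effect under the `twoside` class option, so confirm the document class is set accordingly, otherwise `\fancyhead[RE]{\leftmark}` never appears.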

View File

@ -88,6 +88,100 @@ trees can be derived. Maintainability and consistency cannot therefore be automa
\item No possibility to model base component level double failure modes. \item No possibility to model base component level double failure modes.
\end{itemize} \end{itemize}
\subsection {FTA Example}
Fault tree Analysis
Show how it works, top down,
FROM INTERBET HISTORY OF FTA
% A simple fault tree
% Author: Zhang Long, Mail: zhangloong[at]gmail.com
%\def\pgfsysdriver{pgfsys-dvipdfm.def}
%\documentclass{minimal}
%\usepackage{tikz}
%\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows}
%\begin{document}
\begin{figure}
\begin{tikzpicture}[
% Gates and symbols style
and/.style={and gate US,thick,draw,fill=blue!40,rotate=90,
anchor=east,xshift=-1mm},
or/.style={or gate US,thick,draw,fill=blue!40,rotate=90,
anchor=east,xshift=-1mm},
be/.style={circle,thick,draw,fill=white!60,anchor=north,
minimum width=0.7cm},
tr/.style={buffer gate US,thick,draw,fill=white!60,rotate=90,
anchor=east,minimum width=0.8cm},
% Label style
label distance=3mm,
every label/.style={blue},
% Event style
event/.style={rectangle,thick,draw,fill=yellow!20,text width=2cm,
text centered,font=\sffamily,anchor=north},
% Children and edges style
edge from parent/.style={very thick,draw=black!70},
edge from parent path={(\tikzparentnode.south) -- ++(0,-1.05cm)
-| (\tikzchildnode.north)},
level 1/.style={sibling distance=7cm,level distance=1.4cm,
growth parent anchor=south,nodes=event},
level 2/.style={sibling distance=7cm},
level 3/.style={sibling distance=6cm},
level 4/.style={sibling distance=3cm}
%% For compatability with PGF CVS add the absolute option:
% absolute
]
%% Draw events and edges
\node (g1) [event] {No flow to receiver}
child{node (g2) {No flow from Component B}
child {node (g3) {No flow into Component B}
child {node (g4) {No flow from Component A1}
child {node (t1) {No flow from source1}}
child {node (b2) {Component A1 blocks flow}}
}
child {node (g5) {No flow from Component A2}
child {node (t2) {No flow from source2}}
child {node (b3) {Component A2 blocks flow}}
}
}
child {node (b1) {Component B blocks flow}}
};
%% Place gates and other symbols
%% In the CVS version of PGF labels are placed differently than in PGF 2.0
%% To render them correctly replace '-20' with 'right' and add the 'absolute'
%% option to the tikzpicture environment. The absolute option makes the
%% node labels ignore the rotation of the parent node.
\node [or] at (g2.south) [label=-20:G02] {};
\node [and] at (g3.south) [label=-20:G03] {};
\node [or] at (g4.south) [label=-20:G04] {};
\node [or] at (g5.south) [label=-20:G05] {};
\node [be] at (b1.south) [label=below:B01] {};
\node [be] at (b2.south) [label=below:B02] {};
\node [be] at (b3.south) [label=below:B03] {};
\node [tr] at (t1.south) [label=below:T01] {};
\node [tr] at (t2.south) [label=below:T02] {};
%% Draw system flow diagram
% \begin{scope}[xshift=-7.5cm,yshift=-5cm,very thick,
% node distance=1.6cm,on grid,>=stealth',
% block/.style={rectangle,draw,fill=cyan!20},
% comp/.style={circle,draw,fill=orange!40}]
% \node [block] (re) {Receiver};
% \node [comp] (cb) [above=of re] {B} edge [->] (re);
% \node [comp] (ca1) [above=of cb,xshift=-0.8cm] {A1} edge [->] (cb);
% \node [comp] (ca2) [right=of ca1] {A2} edge [->] (cb);
% \node [block] (s1) [above=of ca1] {Source1} edge [->] (ca1);
% \node [block] (s2) [right=of s1] {Source2} edge [->] (ca2);
% \end{scope}
\end{tikzpicture}
\caption{Example FTA for a Gas Supply with two Shutoff Valves}
\end{figure}
\clearpage
\subsection { FMEA } \subsection { FMEA }
\label{pfmea} \label{pfmea}
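Review bot: the three lines directly under `\subsection {FTA Example}` (`Fault tree Analysis`, `Show how it works, top down,`, `FROM INTERBET HISTORY OF FTA`) are working notes that will be typeset into the body; comment them out with `%` or replace them with the intended introductory text before the next build. The figure has no `\label`, so nothing in the surrounding text can reference it. The `\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows}` line is commented out here, so the `and gate US`, `or gate US` and `buffer gate US` shapes used in the style definitions will only resolve if that library is loaded in the document preamble; please confirm it is. The caption `Example FTA for a Gas Supply with two Shutoff Valves` also does not match the tree, whose nodes read `Component A1`, `Component A2`, `Component B`, `source1` and `source2`; either rename the nodes to the valves and gas sources the caption describes, or make the caption generic. Keeping the `% Author: Zhang Long` attribution comment for the borrowed TikZ code is correct.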
@ -149,7 +243,7 @@ The results of FMECA are similar to FMEA, in that component errors are
listed according to importance, based on listed according to importance, based on
probability of occurrence and criticallity. probability of occurrence and criticallity.
% to prevent the SYSTEM fault of given criticallity. % to prevent the SYSTEM fault of given criticallity.
Again this essentially produces a prioritised `todo' list. Again this essentially produces a prioritised `to~do~list'.
%%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA). %%-WIKI- Failure mode, effects, and criticality analysis (FMECA) is an extension of failure mode and effects analysis (FMEA).
%%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or %%-WIKI- FMEA is a a bottom-up, inductive analytical method which may be performed at either the functional or
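Review bot: the reworded `to~do~list' uses non-breaking spaces inside the quotes, which keeps the phrase on one line but the usual English form is the hyphenated `to-do list'; the earlier single word `todo' was arguably clearer. The unchanged context lines on either side still spell `criticallity` with a double l (twice in this hunk); `criticality` is the correct spelling.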
@ -470,97 +564,6 @@ Reducing FIT with detecting a fraction of the faults within an interval. Give fo
OK for EN61508, not OK for nuclear industry find refs. OK for EN61508, not OK for nuclear industry find refs.
\section {FTA}
Fault tree Analysis
Show how it works, top down,
FROM INTERBET HISTORY OF FTA
% A simple fault tree
% Author: Zhang Long, Mail: zhangloong[at]gmail.com
%\def\pgfsysdriver{pgfsys-dvipdfm.def}
%\documentclass{minimal}
%\usepackage{tikz}
%\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows}
%\begin{document}
\begin{figure}
\begin{tikzpicture}[
% Gates and symbols style
and/.style={and gate US,thick,draw,fill=blue!40,rotate=90,
anchor=east,xshift=-1mm},
or/.style={or gate US,thick,draw,fill=blue!40,rotate=90,
anchor=east,xshift=-1mm},
be/.style={circle,thick,draw,fill=white!60,anchor=north,
minimum width=0.7cm},
tr/.style={buffer gate US,thick,draw,fill=white!60,rotate=90,
anchor=east,minimum width=0.8cm},
% Label style
label distance=3mm,
every label/.style={blue},
% Event style
event/.style={rectangle,thick,draw,fill=yellow!20,text width=2cm,
text centered,font=\sffamily,anchor=north},
% Children and edges style
edge from parent/.style={very thick,draw=black!70},
edge from parent path={(\tikzparentnode.south) -- ++(0,-1.05cm)
-| (\tikzchildnode.north)},
level 1/.style={sibling distance=7cm,level distance=1.4cm,
growth parent anchor=south,nodes=event},
level 2/.style={sibling distance=7cm},
level 3/.style={sibling distance=6cm},
level 4/.style={sibling distance=3cm}
%% For compatability with PGF CVS add the absolute option:
% absolute
]
%% Draw events and edges
\node (g1) [event] {No flow to receiver}
child{node (g2) {No flow from Component B}
child {node (g3) {No flow into Component B}
child {node (g4) {No flow from Component A1}
child {node (t1) {No flow from source1}}
child {node (b2) {Component A1 blocks flow}}
}
child {node (g5) {No flow from Component A2}
child {node (t2) {No flow from source2}}
child {node (b3) {Component A2 blocks flow}}
}
}
child {node (b1) {Component B blocks flow}}
};
%% Place gates and other symbols
%% In the CVS version of PGF labels are placed differently than in PGF 2.0
%% To render them correctly replace '-20' with 'right' and add the 'absolute'
%% option to the tikzpicture environment. The absolute option makes the
%% node labels ignore the rotation of the parent node.
\node [or] at (g2.south) [label=-20:G02] {};
\node [and] at (g3.south) [label=-20:G03] {};
\node [or] at (g4.south) [label=-20:G04] {};
\node [or] at (g5.south) [label=-20:G05] {};
\node [be] at (b1.south) [label=below:B01] {};
\node [be] at (b2.south) [label=below:B02] {};
\node [be] at (b3.south) [label=below:B03] {};
\node [tr] at (t1.south) [label=below:T01] {};
\node [tr] at (t2.south) [label=below:T02] {};
%% Draw system flow diagram
% \begin{scope}[xshift=-7.5cm,yshift=-5cm,very thick,
% node distance=1.6cm,on grid,>=stealth',
% block/.style={rectangle,draw,fill=cyan!20},
% comp/.style={circle,draw,fill=orange!40}]
% \node [block] (re) {Receiver};
% \node [comp] (cb) [above=of re] {B} edge [->] (re);
% \node [comp] (ca1) [above=of cb,xshift=-0.8cm] {A1} edge [->] (cb);
% \node [comp] (ca2) [right=of ca1] {A2} edge [->] (cb);
% \node [block] (s1) [above=of ca1] {Source1} edge [->] (ca1);
% \node [block] (s2) [right=of s1] {Source2} edge [->] (ca2);
% \end{scope}
\end{tikzpicture}
\caption{Example FTA for a Gas Supply with two Shutoff Valves}
\end{figure}
\subsection{Bayes Theorm in Relation to Failure Modes} \subsection{Bayes Theorm in Relation to Failure Modes}
\paragraph{Conditional Probability} \paragraph{Conditional Probability}
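Review bot: the working notes `Show how it works, top down,` and `FROM INTERBET HISTORY OF FTA` that this deletion removes from here reappear verbatim in the `\subsection {FTA Example}` added earlier in the same file, so the move does not resolve them; the same applies to the commented-out standalone preamble lines (`%\documentclass{minimal}`, `%\usepackage{tikz}`, `%\begin{document}`) that travel with the figure. Apart from the heading level (`\section {FTA}` becomes `\subsection {FTA Example}`) and the added `\clearpage` at the new location, the removed block is identical to the inserted one, so no content is lost. The surviving context line `OK for EN61508, not OK for nuclear industry find refs.` is likewise an unresolved author note that will appear in the typeset output.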
@ -598,8 +601,10 @@ $$ P(B) P(B|S) = P(S \cap B) $$
As for one being the cause of the other, both equations must be equal, As for one being the cause of the other, both equations must be equal,
we can state, we can state,
\begin{equation}
$$ P(B) P(B|S) = P(S \cap B) = P(S) P(S|B). $$ \label{eqn:bayes0}
P(B) P(B|S) = P(S \cap B) = P(S) P(S|B).
\end{equation}
We can now re-arrange the equation~\cite{probstat} to remove the intersection $P(S \cap B)$ term We can now re-arrange the equation~\cite{probstat} to remove the intersection $P(S \cap B)$ term
thus thus
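Review bot: the equation moved into `\begin{equation}` pairs each marginal with the wrong conditional: `P(B) P(B|S)` and `P(S) P(S|B)` are not the joint probability. The multiplication rule is $P(S \cap B) = P(S)\,P(B|S) = P(B)\,P(S|B)$, and that is also the form the later displayed result $P(S_k|B_n) = P(S_k)\,P(B_n|S_k)/P(B_n)$ rearranges from, so `eqn:bayes0` as written does not lead to the formula the document later uses; swapping the two factors in each product fixes it. Wrapping the display in `equation` with `\label{eqn:bayes0}` is the right change, since the text below cross-references it. The justification in the context line (`As for one being the cause of the other, both equations must be equal`) is unnecessary: the identity holds for any two events, causation or not.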
@ -614,6 +619,26 @@ This equation gives us the probability that if event B has occurred, of
the event S occurring. the event S occurring.
In the context of failure mode analysis, the event B would In the context of failure mode analysis, the event B would
be the occurance of a component failure mode, and S would be a system level error. be the occurance of a component failure mode, and S would be a system level error.
We can redefine $P(B)$ using equation \ref{eqn:bayes0}
$$ S = \bigcup_{i=1}^{i=N} S \cap B_n $$
now to find the probabilities we can express this as
$$ P(S) = P \big( \bigcup_{i=1}^{i=N} S \cap B_n \big) = \sum_{i=1}^{i=N} P(B|S) P(B) $$
and
$$ P(S) = P \big( \bigcup_{i=1}^{i=N} S \cap B_n \big) = \sum_{i=1}^{i=N} P(S|B) P(S) $$
We can express bayes theorem thus
\begin{equation}
\label{eqn:bayes2}
P(S|B) = \frac{P(S) P(B|S)} { \sum_{i=1}^{i=N} P(S|B) P(S) } .
\end{equation}
% %
%Equation \ref{eqn:bayes1} means, given the event $B$ what is the probability it was caused by $S$. %Equation \ref{eqn:bayes1} means, given the event $B$ what is the probability it was caused by $S$.
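Review bot: the new derivation has index and factor errors that make `eqn:bayes2` wrong as written. The union `\bigcup_{i=1}^{i=N} S \cap B_n` runs over $i$ but the summand uses $B_n$; both sums drop the index entirely (`P(B|S) P(B)`, `P(S|B) P(S)`); and the second expansion `\sum_{i=1}^{i=N} P(S|B) P(S)` cannot equal $P(S)$, since it multiplies by the quantity being expanded. With $B_1 \dots B_N$ partitioning the sample space, the total-probability step is $P(S) = \sum_{i=1}^{N} P(S \cap B_i) = \sum_{i=1}^{N} P(S|B_i)\,P(B_i)$, and the summation form of Bayes's theorem that follows from it is $P(B_n|S) = P(S|B_n)\,P(B_n) / \sum_{i=1}^{N} P(S|B_i)\,P(B_i)$. If the left-hand side is to stay $P(S|B)$ as in the hunk, the denominator must expand $P(B)$ instead, which needs a partition by system failures, not by base component failure modes. The lead-in `We can redefine $P(B)$ using equation \ref{eqn:bayes0}` then displays an expression for $S$, so the sentence and the formula disagree about which quantity is being rewritten. Note also that `\label{eqn:bayes2}` is defined a second time in the last hunk of this file, which produces a `Label multiply defined` warning and makes every `\ref{eqn:bayes2}` resolve to whichever copy LaTeX processes last; one of the two derivations should go.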
@ -629,37 +654,13 @@ be the occurance of a component failure mode, and S would be a system level erro
Typically a system level failure will have a number of possible causes, Typically a system level failure will have a number of possible causes,
or base component failure or base component failure
modes. Some base component failure modes may not be able to cause given system failures. modes.
We can represent the the base component failure modes as a partioned set~\cite{nucfta}[fig VI-7], and overlay For probability we are interested in these failure modes occuring, or rather
the event of the failure modes becoming active.
We can represent the the base component failure mode events as a partioned set~\cite{nucfta}[fig VI-7], and overlay
a given system failure mode on it. a given system failure mode on it.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./survey/partition.jpg}
% partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes represented as partitioned sets}
\label{fig:partitionbcfm}
\end{figure}
Figure \ref{fig:partitionbcfm} represents a small theoretical system
with nine base component failure modes. These are represented as partitions
in a set theoretic model of the systems possible failure mode causes.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./survey/partition2.jpg}
% partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes with Overlaid System Error}
\label{fig:partitionbcfm2}
\end{figure}
Figure \ref{fig:partitionbcfm2} represents the case where we are looking at a particular
system level failure $S_k$. Looking at the diagram we can see that this system failure
could be, but is not necessarily caused by base component failure modes $B_1, B_2 \; or \; B_4$.
Should any other base component failure mode (causation event occur) according to the diagram
it will not be able to cause the system failure $S_k$.
\paragraph{Bayes Theorem} \paragraph{Bayes Theorem}
Consider a SYSTEM error that has several potential base component causes. Consider a SYSTEM error that has several potential base component causes.
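Review bot: typos in the added lines: `occuring` should be `occurring`, and `We can represent the the base component failure mode events as a partioned set` repeats `the` and misspells `partitioned` (the deleted line it replaces carried the same two errors, so this was a chance to fix them). Otherwise the edit is sound: moving the two figures out of this paragraph and introducing `failure mode events` before the Bayes paragraph reads better, and the sentence `Some base component failure modes may not be able to cause given system failures.` dropped here is re-inserted after the figures further down, so nothing is lost.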
@ -671,19 +672,49 @@ say the iprobability od $S_k$ occuring with no information about possible cause
base component `potential cause' events as $B_n$ where $n$ is an index. base component `potential cause' events as $B_n$ where $n$ is an index.
Our sample space $SS$, for investigating the system failure mode/symptom Our sample space $SS$, for investigating the system failure mode/symptom
$S_k$ is thus $ SS = \{B_1 ... B_n\} $. $S_k$ is thus $ SS = \{B_1 ... B_n\} $.
Thus if B is any event, we can apply bayes theorem We can apply bayes theorem
to determine the statistical likelihood that a given failure mode $B_n$ to determine the statistical likelihood that a given failure mode $B_n$
will cause the system level error $S_k$ will cause the system level error $S_k$ useing equation \ref{eqn:bayes1}.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./survey/partition.jpg}
% partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes represented as partitioned sets}
\label{fig:partitionbcfm}
\end{figure}
Figure \ref{fig:partitionbcfm} represents a small theoretical system
with nine events.
representing
failure mode events.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./survey/partition2.jpg}
% partition.jpg: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes with Overlaid System Error}
\label{fig:partitionbcfm2}
\end{figure}
Some base component failure modes may not be able to cause given system failures.
Figure \ref{fig:partitionbcfm2} represents the case where we are looking at a particular
system level failure $S_k$. Looking at the diagram we can see that this system failure
could be, but is not necessarily caused by base component failure modes $B_1, B_2 \; or \; B_4$.
Should any other base component failure mode (causation event occur) according to the diagram
it will not be able to cause the system failure $S_k$.
%IN ENGLEEEESH Inverse causality..... %IN ENGLEEEESH Inverse causality.....
%Prob $B_n$ caused $S_k$ is the prob $S_k$ caused by $B_n$ divided by prob of $B_n$ %Prob $B_n$ caused $S_k$ is the prob $S_k$ caused by $B_n$ divided by prob of $B_n$
$$ %%% \begin{equation}
P(S_k|B_n) = \frac{P(S_k) \; P(B_n | S_k) }{P(B_n)} %%% P(S_k|B_n) = \frac{P(S_k) \; P(B_n | S_k) }{P(B_n)}
%%% %alternate form of no use to MEEEEEE
%alternate form of no use to MEEEEEE %%% %P(B_n|S_k) = \frac{P(B_n) \; P(S_k | B_n) }{P(S_k)}
%P(B_n|S_k) = \frac{P(B_n) \; P(S_k | B_n) }{P(S_k)} %%% \end{equation}
$$
For example were we to have a component that has a failure mode $B_n$ with an MTTF of $10^{-7}$ hours For example were we to have a component that has a failure mode $B_n$ with an MTTF of $10^{-7}$ hours
and its associated system failure mode $S_k$ has a MTTF of $5.10^{-8}$ hours, and given that and its associated system failure mode $S_k$ has a MTTF of $5.10^{-8}$ hours, and given that
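Review bot: the text between the two relocated figures is broken: `with nine events.` / `representing` / `failure mode events.` typesets as a sentence ending at `events.` followed by the dangling fragment `representing failure mode events.`; it should be one sentence, e.g. `with nine events representing base component failure modes.`, matching the caption `Base Component Failure Modes represented as partitioned sets`. The changed line `will cause the system level error $S_k$ useing equation \ref{eqn:bayes1}` has a typo (`using`) and cites a label that no hunk in this commit defines: the labels introduced are `eqn:bayes0` and `eqn:bayes2`, and the only other mention of `eqn:bayes1` is the commented-out context line `%Equation \ref{eqn:bayes1} means...`, so unless it exists elsewhere in the file this renders as `??`. Commenting out the entire display `P(S_k|B_n) = \frac{P(S_k) \; P(B_n | S_k) }{P(B_n)}` (the `%%%` lines) removes the only statement of the formula that the worked example immediately below plugs numbers into (`P(S_k|B_n) = \frac{5.10^{-8} .\; 0.1 }{ 10^{-7}} = 0.05`), so the reader never sees the general form; if `eqn:bayes1` was meant to replace it, that equation has to be on the page. Two smaller points in the moved context: `(causation event occur)` should read `(causation event) occur`, and `$B_1, B_2 \; or \; B_4$` sets `or` in italic math, where `\text{or}` or `\mbox{or}` is wanted; and an `MTTF of $10^{-7}$ hours` is under a millisecond, so the intended quantity is presumably a failure rate of $10^{-7}$ per hour (equivalently an MTTF of $10^{7}$ hours).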
@ -696,6 +727,9 @@ P(S_k|B_n) = \frac{5.10^{-8} .\; 0.1 }{ 10^{-7}} = 0.05 = 5\%
$$ $$
Some base component failure modes may not be able to cause given system failures.
For instance in the diagram \ref{fig:partitionbcfm2}
events $B_5 ... B_9$ cannot cause event $S_k$.
Taking an example from the diagram (figure \ref{fig:partitionbcfm2}), where the base component fault cannot Taking an example from the diagram (figure \ref{fig:partitionbcfm2}), where the base component fault cannot
lead to the system failure $S_k$. lead to the system failure $S_k$.
Taking say $B_9$ which does not overlap with $S_k$ (i.e. $B_9 \cap S_k = \emptyset $), Taking say $B_9$ which does not overlap with $S_k$ (i.e. $B_9 \cap S_k = \emptyset $),
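Review bot: the added sentence `Some base component failure modes may not be able to cause given system failures.` now appears twice in this file, once here and once just before `Figure \ref{fig:partitionbcfm2}` in the hunk above, and the sentence after it restates the context lines that follow (`Taking an example from the diagram ... where the base component fault cannot lead to the system failure $S_k$`); keep one. The list `events $B_5 ... B_9$ cannot cause event $S_k$` also omits $B_3$: the earlier text states that $S_k$ can only be caused by $B_1, B_2$ or $B_4$, so $B_3$ and $B_5 \ldots B_9$ are all excluded. Use `\ldots` rather than `...` in math mode, and `figure~\ref{fig:partitionbcfm2}` rather than `diagram \ref{...}` for consistency with the next line.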
@ -708,15 +742,40 @@ As $ P(S_k | B_n)$ is a factor in the numerator,
the application of bayes theorem to $B_9$ being a cause for $S_k$ has a probability the application of bayes theorem to $B_9$ being a cause for $S_k$ has a probability
of zero, as we would expect. of zero, as we would expect.
%%%%
%% BAYES
Because we are interested in finding the probability of $S_k$ for all Because we are interested in finding the probability of $S_k$ for all
base component failure modes, it is helpful to re-define base component failure modes, it is helpful to re-define
$P(B_n)$. $P(S_k)$.
In terms oif set intersection, we can express $S_k$ as
$$ S_k = \bigcup_{i=1}^{i=N} S_k \cap B_n .$$
now to find the probabilities we can express this as
$$ P(S_k) = P \big( \bigcup_{i=1}^{i=N} S_k \cap B_n \big) = \sum_{i=1}^{i=N} P(B_i|S_k) P(B_i) $$
and
$$ P(S_k) = P \big( \bigcup_{i=1}^{i=N} S_k \cap B_n \big) = \sum_{i=1}^{i=N} P(S_k|B_i) P(S_k) $$
We can express bayes theorem thus
\begin{equation}
\label{eqn:bayes2}
P(S_k|B_n) = \frac{P(S_k) P(B|S_k)} {\sum_{i=1}^{i=n} P(B_i|S_k) P(B_i)} .
\end{equation}
% %
% here derive the trad version of bayes with the summation as the denominator % here derive the trad version of bayes with the summation as the denominator
% %
RESTRICTIONS: RESTRICTIONS:
Because this uses conditional probability for multiple independent events Because this uses conditional probability for multiple independent events
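Review bot: this block repeats the derivation added in hunk `@ -614,6 +619,26 @@` with $S_k$ subscripts and reuses `\label{eqn:bayes2}`, so the label is multiply defined; keep one copy. The same errors recur within it: the union `\bigcup_{i=1}^{i=N} S_k \cap B_n` is indexed by $i$ but contains $B_n$; the second sum `\sum_{i=1}^{i=N} P(S_k|B_i) P(S_k)` multiplies by $P(S_k)$ where $P(B_i)$ is meant; the numerator of `eqn:bayes2` writes `P(B|S_k)` for `P(B_n|S_k)`; and the upper bound switches from `N` to `n` in `\sum_{i=1}^{i=n}`, colliding with the index $n$ of $B_n$. The first sum `\sum_{i=1}^{i=N} P(B_i|S_k) P(B_i)` is not a total-probability expansion of $P(S_k)$ either; that is $\sum_{i=1}^{N} P(S_k|B_i)\,P(B_i)$. The changed line (`re-define $P(B_n)$` became `re-define $P(S_k)$`) also points the wrong way for the formula that follows: with $P(S_k)\,P(B_n|S_k)$ in the numerator, the quantity whose expansion belongs in the denominator is $P(B_n)$, as the old line said and as the surviving comment `here derive the trad version of bayes with the summation as the denominator` describes. If the intent is the more usual posterior on the cause given the system failure, write $P(B_n|S_k) = P(S_k|B_n)\,P(B_n) / \sum_{i=1}^{N} P(S_k|B_i)\,P(B_i)$ and adjust the prose accordingly. Typo in the added line: `oif` should be `of`.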