diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex index b4c652d..167d0c0 100644 --- a/submission_thesis/CH1_introduction/copy.tex +++ b/submission_thesis/CH1_introduction/copy.tex @@ -13,7 +13,7 @@ As part of the assessment/certification process, we typically apply a battery of tests, examining features such as resistance to extremes of environment, Electro Magnetic Compatibility (EMC), endurance regimes and static testing. % -Static testing is at the theoretical, or design level and involves +Static testing is at the theoretical, or design level, and involves looking at failure scenarios and trying to predict how systems would react. % This thesis deals with one area of static testing, that of Failure Mode Effects Analysis (FMEA), a commonly @@ -22,7 +22,7 @@ used technique that is legally mandatory for a wide range of equipment certifica The ability to assess the safety of man made equipment has been a concern since the dawn of the industrial age~\cite{usefulinfoengineers,steamboilers}. The philosophy behind safety measure has progressed -with time, and by World War Two we begin to see concepts such as `no single component failure should cause +with time, and by World War Two we began to see concepts such as `no single component failure should cause a dangerous system failure'~\cite{boffin} emerging~\cite{echoesofwar}[Ch.13]. % Concepts such as these allow us to apply 
@@ -56,6 +56,8 @@ the higher SIL rating we can demand for it. A band-saw with one operative may require a SIL rating of 1, a nuclear power-station, with far greater consequences on dangerous failure may require a SIL rating of 4. +What we are saying is that while we may tolerate a low incidence of failure on a band-saw, +we will only tolerate extremely low incidences of failure in nuclear plant. SIL ratings give us another objective yardstick for the measurement of system safety. %governing failure conditions and determining risk levels associated with systems. @@ -89,6 +91,8 @@ firstly looking at common electronic circuits and then at electronic/software hy \section{Motivation} The motivation for this study came from two sources, one academic (my Software Engineering MSc project) and the other practical (as a practising embedded software engineer working with FMEA on safety critical burner systems). +% +% AF does not think the paragraph below should be included 12JAN2013 \paragraph{MSc Project: Euler/Spider diagram Editor.} I had recently completed an MSc and my project was to create an Euler/Spider~Diagram~\cite{howse:spider} editor in Java. 
@@ -98,12 +102,14 @@ The primary motive for writing the Spider diagram editor was to provide an alter to formal languages for software specification. Because of my exposure to FMEA, I started thinking of ways to apply formal languages and spider diagrams to failure mode analysis. +% +% \paragraph{European Safety Requirements increase in scope and complexity.} At work---which consisted of designing, testing, building and writing embedded `C' and assembly language code for safety critical industrial burners---we were faced with a new and daunting requirement. Conformance to the latest European standard, EN298. % -It appeared to ask for the impossible, +It appeared to ask for the impossible: not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the triple fail safe control of valves), it had one new clause in it that had far reaching consequences. % 
@@ -112,18 +118,19 @@ applies all possible safety measures to stop fuel entering the burner---it could % In short this meant we had to be able to deal with double failures. % -Any of the components that could, in failing create a dangerous state were already +Any of the components that could, in failing, create a dangerous state were already documented and approved using failure mode effects analysis (FMEA). % This new requirement -effectively meant that all single component failures and double combinations of component failures were +effectively meant that all single and double component failures +%double combinations of component failures were now required to be analysed. This, from a state explosion problem alone, meant that it was going to be virtually impossible to perform. % -To compound the state explosion problem +To compound the problem %state explosion problem FMEA has a deficiency of repeated work, as each component failure is typically represented by one line or entry in a spreadsheet~\cite{bfmea}; analysis on repeated sections of -circuitry (for instance repeated 4-20mA outputs on a PCB), meant that +circuitry (for instance repeated 4-20mA outputs on a PCB) meant that analysis of identical circuitry was performed many times. % 
@@ -140,7 +147,8 @@ I wondered if this thinking could be applied to the state explosion problems enc %Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind %the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations %and by de-composing them, simplifies the problem. -My reasoning was that were we to analyse the problem in small modules, from the bottom-up following the FFT example, we could apply +My reasoning was that if we analysed %were we to analyse +the problem in small modules, from the bottom-up following the FFT example, we could apply checking for all double failure scenarios. % Once these first modules were analysed---we now call them {\fgs}---we could determine the symptoms of failure for them. @@ -150,7 +158,8 @@ representing a failure mode model for the system. % Because this is modular, we can apply double simultaneous failure mode checking; and as %because the number of components -in each {\fg} is typically small---we avoid state explosion problems. +in each {\fg} is typically small---we avoid state explosion problems. % for the general case. % AF says `in the general case' here 12JAN2013 +% % If we apply double checking all the way up the hierarchy we can guarantee to have considered 
@@ -160,8 +169,9 @@ This means, as a fortunate by-product, that many multiple as well as double failures would be analysed, but because failure modes are traceable from the base components to the top level---or system---failure modes these relationships can be held in a traversable data structure. % -If held in a traversable data structure we can apply automated methods to search all the cardinalities of multiple failure modes -within the model. +If held in a traversable data structure we can apply automated methods to search for all the combinations of multiple failure modes +within the model that have been analysed. Because of this, it may not be necessary to apply double checking +at all higher levels in the analysis hierarchy, to achieve complete double failure coverage. % \subsection{Initial direction: Application of Spider diagrams to FMEA.} diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index 8212fda..1374e48 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex @@ -1473,7 +1473,7 @@ failure modes. % This means that by using FMMD, we can identify the sub-systems which require re-design to eliminate unobservable failure modes. -The demands of EN61508~\cite{en61508} for minimum safe failure fraction~\cite{scsh}[p.52] thresholds associated with +The demands of EN61508~\cite{en61508} for minimum safe failure fraction thresholds~\cite{scsh}[p.52] associated with SIL levels, make this a desirable feature of any FMEA based methodology. % For the failure modes caused diff --git a/submission_thesis/thesis.tex b/submission_thesis/thesis.tex index 24ce050..c36f405 100644 --- a/submission_thesis/thesis.tex +++ b/submission_thesis/thesis.tex 
@@ -66,7 +66,7 @@ \lfoot{University of Brighton 2012} %% Year keeps fucking incrementing \rfoot{R.P.Clark \today} \lhead{Failure Mode Modular De-Composition} -\rhead{PhD Thesis} +\rhead{Ph.D Thesis} %\begin{document} %\typeout{>>--------------------->> introduction} diff --git a/submission_thesis/titlepage/titlepage.tex b/submission_thesis/titlepage/titlepage.tex index 04485af..1b81b88 100644 --- a/submission_thesis/titlepage/titlepage.tex +++ b/submission_thesis/titlepage/titlepage.tex @@ -32,7 +32,7 @@ \rule{120pt}{1pt} \vspace{0.1in} -{\bf PhD Thesis} +{\bf Ph.D Thesis} \vspace{0.1in} \rule{120pt}{1pt}
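Review bot: in the copy.tex @@ -22 hunk the tense fix ("began to see") is right, but the unchanged context line just above still reads "The philosophy behind safety measure has progressed"; "safety measures" is the intended plural. In the same hunk, `emerging~\cite{echoesofwar}[Ch.13]` places the chapter reference after the cite command, so LaTeX typesets "[Ch.13]" as literal text rather than inside the citation; the form is `\cite[Ch.13]{echoesofwar}`. The same pattern appears in the context of the @@ -140 hunk (`\cite{fpodsadsp}[Ch.8]`).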
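Review bot: the sentence added in the copy.tex @@ -56 hunk needs an article and a consistent noun: "in nuclear plant" reads as "in a nuclear plant", and "a low incidence" in the first clause does not match "extremely low incidences" in the second. Suggested wording: "while we may tolerate a low incidence of failure in a band-saw, we tolerate only an extremely low incidence of failure in a nuclear plant." The opener "What we are saying is that" is also conversational for a thesis; "In other words," carries the same meaning.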
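Review bot: the copy.tex @@ -89 hunk commits an unresolved editorial decision into the submission source ("% AF does not think the paragraph below should be included 12JAN2013"). Either remove the MSc paragraph or keep it, and then delete this comment together with the matching "% / %" marker lines added after the paragraph in the @@ -98 hunk; a note that merely records a reviewer's opinion is noise for anyone reading the source later.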
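Review bot: the copy.tex @@ -98 hunk turns "It appeared to ask for the impossible," into a colon, which works, but the unchanged context two lines above still contains the fragment "Conformance to the latest European standard, EN298." Joining it to the preceding sentence ("we were faced with a new and daunting requirement: conformance to the latest European standard, EN298.") would then put two colon-introduced sentences back to back, so consider "The requirement was conformance to the latest European standard, EN298." instead.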
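Review bot: the copy.tex @@ -112 hunk drops the verb from the sentence. The old line carried "were", and commenting it out with `%double combinations of component failures were` leaves "effectively meant that all single and double component failures now required to be analysed." The new line should read "effectively meant that all single and double component failures were". Two lines later, "To compound the problem %state explosion problem" followed by "FMEA has a deficiency of repeated work" needs a comma after "problem" now that the clause ends there. Delete the commented-out fragments rather than carrying them in the source.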
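Review bot: in the copy.tex @@ -140 hunk the replaced phrase survives as a trailing comment ("if we analysed %were we to analyse"); remove the dead text, since git already holds the history. The line is otherwise fine.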
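Review bot: the copy.tex @@ -150 hunk records the reviewer's suggestion ("% for the general case. % AF says `in the general case' here 12JAN2013") but does not apply it, so the typeset sentence is unchanged. Either append the qualifier ("we avoid state explosion problems in the general case.") or drop the comment; the added bare "%" line below it serves no purpose either way.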
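Review bot: the copy.tex @@ -160 hunk adds a claim that needs support: "it may not be necessary to apply double checking at all higher levels in the analysis hierarchy, to achieve complete double failure coverage" sits two lines below the unchanged "If we apply double checking all the way up the hierarchy we can guarantee to have considered", and the two statements pull in opposite directions without an argument linking them. State the condition under which a search over the traversable structure can replace double checking at a higher level, or point to the chapter where this is shown. Also, "combinations of multiple failure modes within the model that have been analysed" leaves "that have been analysed" ambiguous (the model or the combinations?); "all combinations of the failure modes already analysed within the model" is unambiguous. The comma in "hierarchy, to achieve" should go.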
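Review bot: the software.tex @@ -1473 hunk correctly moves the citation next to "thresholds", but `\cite{scsh}[p.52]` still typesets "[p.52]" as literal bracketed text after the citation; the page reference belongs in the optional argument, `\cite[p.52]{scsh}`.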
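Review bot: the thesis.tex @@ -66 hunk changes the running head from "PhD" to "Ph.D", which is neither conventional form; use "PhD" (as before) or "Ph.D." with the trailing period, consistently across the running head and the title page. The unchanged context in the same hunk also shows `\rfoot{R.P.Clark \today}`, which stamps every build with the compile date; a submission copy should carry a fixed date, and the `\lfoot{University of Brighton 2012}` comment suggests that drift has already been noticed.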
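Review bot: the titlepage.tex @@ -32 hunk makes the same "Ph.D" substitution as thesis.tex; whichever form is chosen ("PhD" or "Ph.D."), `{\bf Ph.D Thesis}` should match the running head exactly. `\bf` is also a deprecated two-letter font switch; `\textbf{PhD Thesis}` is the current form.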