diff --git a/fmmd_concept/System_safety_2011/submission.tex b/fmmd_concept/System_safety_2011/submission.tex index ba0f1ee..97f013e 100644 --- a/fmmd_concept/System_safety_2011/submission.tex +++ b/fmmd_concept/System_safety_2011/submission.tex @@ -57,6 +57,7 @@ failure mode of the component or sub-system}}} } \title{Developing a rigorous bottom-up modular static failure mode modelling methodology} +%\nodate \maketitle @@ -74,13 +75,19 @@ These properties provide advantages in rigour and efficiency when compared to cu \section{Introduction} -\subsection{Current methodologies} +This paper describes and criticises the four current failure mode methodologies, +presents a table of the deficiencies and advantages, and then presents a new proposed +methodology. A worked example is then provided, which models the failure mode +behaviour of a non inverting op-amp. + + +\paragraph{Current methodologies} We briefly analyse the four current methodologies. -\subsubsection{Fault Tree Analysis (FTA)} +\paragraph{Fault Tree Analysis (FTA)} -FTA is a top down methodology in which a diagram is drawn for +FTA is a top down methodology in which a hierarchical diagram is drawn for each undesirable top level failure, presenting the conditions that must arise to cause the event. % 
@@ -88,14 +95,26 @@ It is suitable for large complicated systems with few undesirable top level failures and focuses on those events considered most important or most catastrophic. % Effects of duplication/redundancy of safety systems can be readily assessed. -It uses notations that are readily understood by engineers (logic symbols from digtal electroics and a fault hierarchy). +It uses notations that are readily understood by engineers (logic symbols from digital electronics and a fault hierarchy). However, it cannot guarantee to model all base component failure modes or be used to determine system level errors other than those modelled. -Each diagram is a separate model, creating duplication of modelled elements, +% +Each FTA diagram models one top level event. +This creates duplication of modelled elements, and there is no facility to cross check between diagrams. It has limited support for environmental and operational states. +<<<<<<< HEAD +\paragraph{Fault Mode Effects Analysis FMEA)} is used principally in manufacturing. +Each top level failure is assessed by its cost to repair and its frequency,%, using a +%failure mode ratio. +A list of failures and their cost is then calculated. +It is easy to identify single component failure to system failure scenarios +and an estimate of product reliability can be calculated. +% +It cannot focus on +======= \subsection{Fault Mode Effects Analysis FMEA)} FMEA is used principally in manufacturing. Each defect is assessed by its cost to repair and its frequency. %, using a 
@@ -110,32 +129,30 @@ self-checking safety elements or other in-built safety features or analyse how particular components may fail. -\subsection{Failure Mode Criticality Analysis (FMECA)} -FMECA is a refinement of FMEA, using +\paragraph{Failure Mode Criticality Analysis (FMECA)} is a refinement of FMEA, using two extra variables: the probability of a component failure mode occurring and the probability that this will cause a top level failure, and the perceived criticallity. It gives better estimations of product reliability/safety and the occurrence of particular system failure modes than FMEA but has similar deficiencies. -\subsection{Failure Modes, Effects and Diagnostic Analysis (FMEDA)} - -FMEDA is a refinement of +\paragraph{Failure Modes, Effects and Diagnostic Analysis (FMEDA)} is a refinement of FMEA and FMECA and models self-checking safety elements. It assigns two attributes to component failure modes: detectable/undetectable and safe/dangerous. Statistical measures about the system can be made and used to classify a safety integrity level. It allows designs with in-built safety features to be assessed. Otherwise, it has similar deficiencies to FMEA but has limited support for environmental and operational states in sub-systems or components, -via self checking statistical mitigation. +via self checking statistical mitigation. FMEDA is the methodology associated with +the safety integrity standards IOC5108 and EN61508~\cite{en61508}. \subsection{Summary of Defeciencies in Current Methods} -\subsubsection{Top Down approach: FTA} The top down technique FTA, introduces the possibility of missing base component +\paragraph{Top Down approach: FTA} The top down technique FTA, introduces the possibility of missing base component level failure modes~\cite{faa}[Ch.9]. Since one FTA tree is drawn for each top level event, this leads to repeated work, with limited ability for cross checking/model validation. 
-\subsubsection{Bottom-up approach: FMEA, FMECA, FMEDA} +\subsection{Bottom-up approach: FMEA, FMECA, FMEDA} \paragraph{State Explosion problem} The bottom -up techniques all suffer from a problem of state explosion. @@ -144,7 +161,7 @@ of a component failure against all other components. Adding environmental and operational states further increases this effect. Let N be the number of components in our system, and K be the average number of component failure modes -(ways in which a component can fail). The total number of base component failure modes +(ways in which a component can fail). The approximate total number of base component failure modes is $N \times K$. To examine the effect that one failure mode has on all the other components\footnote{A %base component failure will typically affect the sub-system @@ -152,7 +169,7 @@ it is part of, and create a failure effect at the SYSTEM level.} will be $(N-1) \times N \times K$. %, in effect a very large set cross product. If $E$ is the number of environmental conditions to consider in a system, and $A$ the number of applied/operational states (or modes of the SYSTEM), -the job of the bottom-up analyst is presented with two +the bottom-up analyst is presented with two additional %cross product factors, $(N-1) \times N \times K \times E \times A$. 
@@ -193,28 +210,30 @@ To look in detail at a half of a million test cases is obviously impractical. \paragraph{Multiple Events from one base component failure mode} A base component failure may potentially cause more than one SYSTEM level failure mode. -It could be possible to identify one top level event associated with +It would be possible to identify one top level event associated with a {\bcfm} and not investigate other possibilities. %\section{Requirements for a new static failure mode Analysis methodology} -\section{Desireable Criteria for a failure mode methodology} -From the deficiencies outlined above, ideally we can form a wish list for a better methodology. +\section{Desireable Criteria for a failure mode methodology}. +From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology. { \small -\begin{itemize} +\begin{enumerate} +%\begin{itemize} \label{fmmdreq} -\item Address the state explosion problem. -\item Ensure that all component failure modes be considered in the model. -\item Be easy to integrate mechanical, electronic and software models \cite{sccs}[pp.287]. -\item Be re-usable, in that commonly used modules can be re-used in other designs/projects. -\item It should have a formal basis, that is to say, be able to produce mathematical traceability +\item Address the state explosion problem. % 1 +\item Ensure that all component failure modes be considered in the model. % 2 +\item Be easy to integrate mechanical, electronic and software models \cite{sccs}[pp.287]. %3 +\item Be re-usable, in that commonly used modules can be re-used in other designs/projects. %4 +\item It should have a formal basis, that is to say, be able to produce mathematical traceability %5 for its results, such as error causation trees.%, reliability and safety statistics. %\item It should be easy to use, ideally using a %graphical syntax (as opposed to a formal symbolic/mathematical text based language). 
%\item From the top down, the failure mode model should follow a logical de-composition of the functionality %to smaller and smaller functional groupings \cite{maikowski}. -\item Be able to model multiple (simultaneous) failure modes.% from the base component level up. -\end{itemize} +\item Be able to model multiple (simultaneous) failure modes.% 6 % from the base component level up. +\end{enumerate} +%\end{itemize} } % A new methodology must ensure that it represents all component failure modes and it therefore should be bottom-up,
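Review bot: The `+%\nodate` line in the first hunk (just before `\maketitle`) is a commented-out command and changes nothing in the output; either enable it, if the document class defines `\nodate`, or leave it out of the commit rather than adding dead markup.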
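Review bot: In the Introduction hunk, `\subsection{Current methodologies}` and `\subsubsection{Fault Tree Analysis (FTA)}` are both flattened to `\paragraph`, so "Current methodologies" and "Fault Tree Analysis (FTA)" now sit at the same level and FTA no longer reads as one of the four methods being introduced; keep "Current methodologies" one level above the method headings, or drop that heading and let "We briefly analyse the four current methodologies." carry the role. Minor: "non inverting op-amp" in the new opening paragraph should be "non-inverting op-amp".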
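Review bot: The FMEA hunk commits unresolved merge-conflict markers: `<<<<<<< HEAD` and `=======` are added as content, which will stop the file compiling, and two versions of the FMEA text are left side by side (the new `\paragraph{Fault Mode Effects Analysis FMEA)}` form, which ends in the dangling fragment "It cannot focus on", and the old `\subsection{...}` form). Resolve the conflict, keep one version, and remove the markers, including the matching `>>>>>>>` that must fall outside the shown context. While here, the heading text "Fault Mode Effects Analysis FMEA)" is missing the opening parenthesis before FMEA, and in the HEAD version "its frequency,%, using a" leaves a trailing comma before "A list of failures" once the comment is stripped.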
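Review bot: Heading levels become inconsistent inside "Summary of Defeciencies in Current Methods" in the FMECA/FMEDA hunk: "Top Down approach: FTA" is demoted to `\paragraph`, but "Bottom-up approach: FMEA, FMECA, FMEDA" is promoted from `\subsubsection` to `\subsection`, the same level as the summary it belongs to, so it renders as a sibling of the summary instead of a subheading within it; make both `\paragraph` (or both `\subsubsection`). The new sentence "FMEDA is the methodology associated with the safety integrity standards IOC5108 and EN61508~\cite{en61508}" cites "IOC5108", which does not match any standard identifier I recognise; if IEC 61508 is meant (EN 61508 is its European adoption), write it that way and cite it consistently. Spelling in the touched and context lines: "Defeciencies" should be "Deficiencies", "criticallity" should be "criticality", and "bottom -up" should be "bottom-up". Note also that `\paragraph{...(FMECA)} is a refinement of FMEA` relies on `\paragraph` being run-in to read as a sentence; if these headings are later promoted back to `\subsection`, the sentence loses its subject.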
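Review bot: `\section{Desireable Criteria for a failure mode methodology}.` in the last hunk has a stray period after the closing brace, which will render as a lone "." at the start of the following paragraph; drop it, and fix "Desireable" to "Desirable". The `\label{fmmdreq}` sits inside `\begin{enumerate}` before the first `\item`, so `\ref{fmmdreq}` resolves to the enclosing section counter, not to the list or to an item; if the numbered comments `% 1` to `%6` mean the criteria will be referred to by number, place a `\label` after each `\item` that is cross-referenced, or move the label onto the section and refer to the criteria by their item numbers in prose. The commented-out `%\begin{itemize}` and `%\end{itemize}` pair is dead markup once the switch to `enumerate` is settled and can be removed.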