diff --git a/fmmd_concept/fmmd_concept.tex b/fmmd_concept/fmmd_concept.tex index 051f339..c9c52c2 100644 --- a/fmmd_concept/fmmd_concept.tex +++ b/fmmd_concept/fmmd_concept.tex @@ -346,15 +346,15 @@ The following gives an outline of the procedure. \subsubsection{Two statistical perspectives} -he Statistical Analysis method is used from two perspectives, +FMEDA is a statistical analysis methodology is used from one of two perspectives, Probability of Failure on Demand (PFD), and Probability of Failure -in continuous Operation, Failure in Time (FIT). +in continuous Operation, or Failure in Time (FIT). \paragraph{Failure in Time (FIT).} Continuous operation is measured in failures per billion ($10^9$) hours of operation. For a continuously running nuclear powerstation we would be interested in its operational FIT values. -\paragraph{Probability of Failure on Demand (PFD).} For instance with the anti-lock system on a automobile braking -system, we would be interested in PFD. +\paragraph{Probability of Failure on Demand (PFD).} For instance with an anti-lock system in +automobile braking, we would be interested in PFD. That is to say the ratio of it failing to succeeding on demand. 
@@ -364,44 +364,47 @@ to succeeding on demand. The first stage is to apply FMEA to the SYSTEM. % Each component is analysed in terms of how its failure -would affact the system.% +would affect the system. Failure rates of individual components in the SYSTEM are calculated based on component type and environmental conditions. % Statistical data exists for most component types \cite{mil1992}. % -This phase is typically implemented on a spreadsheet. Along with a components -type, placing in the system, part number, environmental stress factors etc. +This phase is typically implemented on a spreadsheet +with rows representing each component. A typical component spreadshet row would +comprise of +component type, placing in the system, part number, environmental stress factors, MTTF etc. %will be a determination of whether the component failing will lead to a `safe' %or `unsafe' condition. \paragraph{Overall SYSTEM failure rate.} -Product failure rate is the sum of all component -failure rates. This is the sum of safe and unsafe -failures. +The product failure rate is the sum of all component +failure rates. +%This is the sum of safe and unsafe +%failures. \paragraph{Self Diagnostics} -We next evaluate the SYSTEMS’s self-diagnostic ability. +We next evaluate the SYSTEM's self-diagnostic ability. -Each component’s failure modes and failure rate are now available. +%Each component’s failure modes and failure rate are now available. Failure modes are now classified as safe or dangerous. This is done by taking a component failure mode and determining -how it will react with any other components in the SYSTEM and taking a decision -based on hueristics. +how it may react with any other components in the SYSTEM, and taking a final decision +based on hueristics or field data. Detectable failure probabilities are labelled `$\lambda_D$' (for dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}. 
\paragraph{Determine Detectable and Undetecable Failures} Each safe and dangerous failure mode is now -determined as detectable or un-detectable by the SYSTEMS’s +determined as detectable or un-detectable by the SYSTEM’s self checking features. % -This gives us four failure mode classifications: +This gives us four level failure mode classifications: Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU), -and the failure rate of each classification +and the probablistic failure rate of each classification is represented by lambda variables -($\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). +(i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). Because some failure modes may not be discovered theoretically during the static analysis, the @@ -409,11 +412,11 @@ analysis, the % and guess how it will affect an ENTIRE complex SYSTEM next step is to investigate using an actual working SYSTEM. -Failures are deliberately caused (by physical intervetion), and any new SYSTEM level +Failures are deliberately caused (by physical intervention), and any new SYSTEM level failures are added to the model. -Hueristics and MTTF failure rate for the components +Hueristics and MTTF failure rates for the components are used to calculate probabilities for these new failure modes -according to their saefty and detectability classifications (i.e. +along with their safety and detectability classifications (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). These new failures are added to the model. %SD, SU, DD, DU. 
@@ -441,7 +444,7 @@ $$ SF = \frac{\Sigma\lambda_SD}{\Sigma\lambda_S} $$ \paragraph{Safe Failure Fraction.} A key concept in FMEDA is Safe Failure Fraction (SFF). This is the ratio of safe and dangerous detected failures -against the safe and dangerous failure probabilities. +against all safe and dangerous failure probabilities. Again this is usually expressed as a percentage. $$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$ 
@@ -476,20 +479,26 @@ have threshold bands beoming stricter for each level. Software techniques and constraints are also become stricter for each SIL level. -FMEDA uses MTFF and other statistical models to determine the probability of -failures occurring, and provide an adaquate risk level. +Thus FMEDA uses statistical methods to determine +a safety level (SIL), typically used to meet an acceptable risk +value, specified for the environment the SYSTEM must work in. + +%the probability of +%failures occurring, and provide an adaquate risk level. % %A component failure mode, given its MTTF %the probability of detecting the fault and its safety relevant validation time $\tau$, %contributes a simple risk factor that is summed %in to give a final risk result. % -Thus a statistical +Thus an FMEDA model can be implemented on a spreadsheet, where each component has a calculated risk, a fault detection time (if any), an estimated risk importance and other factors such as de-rating and environmental stress. With one component failure mode per row, -all the statistical factors for SIL rating can be produced\footnote{A SIL rating will apply to an installed plant, i.e. A complete SYSTEM. SIL ratings for individual components or sub-systems are meaningless, and the nearest equivalent would be the FIT/PFD and SFF and diagnostic coverage figures}. +all the statistical factors for SIL rating can be produced\footnote{A SIL rating will apply +to an installed plant, i.e. A complete SYSTEM. SIL ratings for individual components or +sub-systems are meaningless, and the nearest equivalent would be the FIT/PFD and SFF and diagnostic coverage figures.}.
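Review bot: the replacement first line of the "Two statistical perspectives" hunk (`@@ -346`) has a doubled verb: "FMEDA is a statistical analysis methodology is used from one of two perspectives" reads as two clauses fused together. Suggest "FMEDA is a statistical analysis methodology used from one of two perspectives," (or "FMEDA is a statistical analysis methodology that is used ..."). The rest of the hunk (the "or Failure in Time (FIT)" alternative and the reworded anti-lock example) reads fine.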
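Review bot: the `@@ -364` hunk introduces two new typos and keeps an old one on lines it touches. "A typical component spreadshet row would comprise of" should be "A typical component spreadsheet row would comprise" ("comprise" takes no "of"; "consist of" is the alternative), and the added "based on hueristics or field data." still misspells "heuristics". Since the hunk already corrects "affact" and "SYSTEMS's", it is worth fixing these in the same commit rather than leaving a second spelling pass for later.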
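Review bot: in the `@@ -409` hunk the change from "four failure mode classifications" to "four level failure mode classifications" makes the sentence less clear, not more; "level" adds nothing here (these are four classes, not four levels), so I would keep the original wording. Two further nits on added lines: "probablistic failure rate" should be "probabilistic failure rate", and "Hueristics and MTTF failure rates" still carries the "hueristics" misspelling. The "(by physical intervention)" and "along with their safety and detectability classifications" changes are good.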
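Review bot: the `@@ -441` hunk's wording change ("against all safe and dangerous failure probabilities") is fine and matches the SFF formula shown, `(\Sigma\lambda_S + \Sigma\lambda_{DD}) / (\Sigma\lambda_S + \Sigma\lambda_D)`. While in this area, note the context line the hunk header quotes: `$$ SF = \frac{\Sigma\lambda_SD}{\Sigma\lambda_S} $$` uses `\lambda_SD` without braces, so only the `S` is subscripted and the `D` renders at full size; elsewhere in the file the same quantity is written `\lambda_{SD}`, and this display should be made consistent with it.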
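Review bot: in the `@@ -476` hunk both new paragraphs now open with "Thus" ("Thus FMEDA uses statistical methods ..." and, a few lines later, "Thus an FMEDA model can be implemented on a spreadsheet ..."), and the first one does not actually follow from the preceding sentence about software constraints becoming stricter per SIL level; suggest dropping the first "Thus". The same sentence also says FMEDA is used "to determine a safety level (SIL)", which sits awkwardly next to the surrounding text: the unchanged context says SIL levels "have threshold bands beoming stricter for each level", and the footnote in this very hunk says SIL ratings apply to an installed plant and are meaningless for components, with FIT/PFD, SFF and diagnostic coverage as the nearest equivalents. A wording that matches both would be that FMEDA produces the statistical figures (FIT/PFD, SFF) that are checked against the threshold band for the required SIL. Two drive-by fixes on lines already touched: the context line "Software techniques and constraints are also become stricter" needs "also become" or "are also made", and "beoming" is "becoming".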