From be082d9311588c7b16fa4051b42a177a2b7b6be1 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sun, 7 Apr 2013 10:11:20 +0100 Subject: [PATCH 1/2] Added links to MUTEX in there Very important to stress the results from one stage of FMMD analysis create a {\dc} with mut ex failure modes. --- submission_thesis/CH2_FMEA/copy.tex | 16 ++++++++++++++-- submission_thesis/CH4_FMMD/copy.tex | 9 +++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex index 457ff4b..3347b9f 100644 --- a/submission_thesis/CH2_FMEA/copy.tex +++ b/submission_thesis/CH2_FMEA/copy.tex 
@@ -625,16 +625,28 @@ approach in looking for system failures. In this section we examine some fundamental concepts and underlying philosophies of FMEA. +\paragraph{Failure modes of a component and mutual exclusivity.} +It is desirable that the failure modes for a component are mutually exclusive, were a component able +to fail in several ways at the same time, this would complicate analysis. +It would mean having to consider combinations of internal component failures +as separate failure modes. This concept is discussed in sections ~\ref{ch4:mutex} +and ~\ref{ch7:mutex}. +% +In general failure modes +for simple components are mutually exclusive +but large and complex components (such as integrated circuits), especially where they contain separate modules, +could have non mutually exclusive failure modes and these need spacial handling, see section~\ref{ch3:mutex}. \paragraph{The signal path.} % C Garret does not like the terms afferent and efferent here, try to think of something else Most electronic systems are used to process a signal: with signal processing -there is usually a clear afferent to transform to efferent path. +there is usually a clear path from the signal coming into the system, it being processed in some way, and a resultant effect on +an output or control signal. % afferent to transform to efferent path. % That is, there is an input, some processing and an output. % -We define the signal path as the components used to process the signal. +For the purpose of FMEA, we define the signal path as the components used to process the signal. % Some circuits have feedback loops or even circular signal paths, but it is normal for a signal path to exist. diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 03c1076..5922815 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex 
@@ -2204,6 +2204,15 @@ in the model. With the above condition true, we term this a `complete' FMMD failure model. Ensuring this condition is described in section~\ref{sec:completetest}. +\paragraph{Mutual exclusivity of {\dc} failure modes.} +It is a desirable feature of a component that its failure modes +are mutually exclusive. +This also applies to {\dcs} produced in the FMMD process. +In the FMMD process symptoms are are collected, i.e no component failure modes may be shared +by a symptom within a {\fg}, and therefore the failure modes of a {\dc} are mutually exclusive. +Thus FMMD naturally produces {\dc} failure modes that are mutually exclusive. +This property is examined in more detail in section~\ref{ch7:mutex}. + \paragraph{State explosion problem of FMEA solved by FMMD.} % Because FMMD considers failure modes within functional groups; From 5fb18627076e14bfcfebd12add2371a7132a904f Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sun, 7 Apr 2013 22:08:23 +0100 Subject: [PATCH 2/2] Sunday edit --- submission_thesis/CH7_Evaluation/copy.tex | 83 +++++++++++--------- submission_thesis/appendixes/algorithmic.tex | 10 ++- 2 files changed, 56 insertions(+), 37 deletions(-) diff --git a/submission_thesis/CH7_Evaluation/copy.tex b/submission_thesis/CH7_Evaluation/copy.tex index 2cd2ec0..28b0b63 100644 --- a/submission_thesis/CH7_Evaluation/copy.tex +++ b/submission_thesis/CH7_Evaluation/copy.tex @@ -659,6 +659,7 @@ are level shifted, adding to the complication of analysing it for failures. % \section{Unitary State Component Failure Mode Sets} \label{sec:unitarystate} +\label{ch7:mutex} \paragraph{Design Decision/Constraint} An important factor in defining a set of failure modes is that they should represent the failure modes as simply and minimally as possible. 
@@ -679,29 +680,30 @@ This corresponds to the `mutually exclusive' definition in probability theory~\cite{probstat}. -\begin{definition} -A set of failure modes where only one failure mode -can be active at one time is termed a {\textbf{unitary~state}} failure mode set. -\end{definition} +% \begin{definition} +% A set of failure modes where only one failure mode +% can be active at one time is termed a {\textbf{unitary~state}} failure mode set. +% \end{definition} +% +% Let the set of all possible components be $ \mathcal{C}$ +% and let the set of all possible failure modes be $ \mathcal{F}$. +% The set of failure modes of a particular component are of interest +% here. -Let the set of all possible components be $ \mathcal{C}$ -and let the set of all possible failure modes be $ \mathcal{F}$. -The set of failure modes of a particular component are of interest -here. What is required is to define a property for a set of failure modes where only one failure mode can be active at a time; or borrowing from the terms of statistics, the failure mode being an event that is mutually exclusive with a set $F$. We can define a set of failure mode sets called $\mathcal{U}$ to represent this property for a set of failure modes. +% +% \begin{definition} +% We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where +% the component failure modes in each of its members are unitary~state. +% Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. +% \end{definition} -\begin{definition} -We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where -the component failure modes in each of its members are unitary~state. -Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. 
-\end{definition} - -\section{Component failure modes: Unitary State example} +\subsection{Example of unitary state component failure modes} An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. % @@ -750,10 +752,10 @@ Note where there are more than two failure~modes, by banning any pairs from being active at the same time, we have banned larger combinations as well. -\subsection{Design Rule: Unitary State} - +%\subsection{Design Rule: Unitary State} +\paragraph{Design Rule: Unitary State} All components must have unitary state failure modes to be used with the FMMD methodology and for base~components this is usually the case. Most simple components fail in one @@ -761,15 +763,15 @@ clearly defined way and generally stay in that state. Traditional FMEA has problems dealing with non unitary state failure modes. This is mainly because combinations of failure modes could cause effects very difficult to predict (as they are in effect new failure modes of the component). - -However, where a complex component is used, for instance a microcontroller +% +However, where a complex component is used, for instance a micro-controller with several modules that could all fail simultaneously, a process of reduction into smaller theoretical components will have to be made. We can term this `heuristic~de-composition'. % A modern micro-controller will typically have several modules which are configured to operate on pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, -PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. +PWM (pulse width modulation), UARTs and other modules will be found on simple cheap micro-controllers~\cite{pic18f2523}. % For instance, the voltage reading functions which consist of a multiplexer and ADC---which must work together to channel readings--- could be considered to be components 
@@ -780,10 +782,9 @@ that can be analysed separately~\footnote{It is common for the signal paths in a safety critical product to be traced, and when entering a complex component like a micro-controller, the process of heuristic de-compostion is then applied to it.}. - - - -\paragraph{Reason for FMMD unitary failure mode constraint.} Were this constraint not to be applied, +% +%\paragraph{Reason for FMMD unitary failure mode constraint.} +Were this constraint not to be applied, each component would not contribute $N$ failure modes, % to consider but potentially $2^N$. 
@@ -892,20 +893,27 @@ be less than this. This is because certain combinations of faults within a components failure mode set are impossible under the conditions of unitary state failure mode. To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' -for each component in the functional group under analysis. +for each component in the {\fg} under analysis. Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. For example, say the cardinality constraint was 3, we would need to subtract both -$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. +$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the {\fg}. -\subsubsection{Example: Two Component functional group Cardinality Constraint of 2} +\subsubsection{Example: Two Component {\fg} Cardinality Constraint of 2} -For example: suppose we have a simple functional group with two components R and T, of which +For example: suppose we have a simple {\fg} with two components R and T, of which $$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$ -This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set -of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$ - +This means that the {\fg} $FG=\{R,T\}$ will have a component failure mode set +of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$. Note this set of failure modes +is as we would use them for single failure analysis. +% Did J Howse actually read this? 06APR2013 +% This set does not contain +% mutually exclusive failure modes, because both $R$ and $T$ could fail. +% The failure modes of $R$ and $T$ are mutually exclusive though, and so some +% combinations of the failure mode set $\{R_o, R_s, T_o, T_s, T_h\}$ cannot occur. +% We use equation~\ref{eqn:ccps} to determine the number of valid combinations. 
+% For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$), applying equation \ref{eqn:ccps} gives :- @@ -913,17 +921,22 @@ $$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15.$$ This is composed of ${5 \choose 1}$ five single fault modes, and ${5 \choose 2}$ ten double fault modes. -However we know that the faults are mutually exclusive within a component. +% +However we know that the {\fms} are mutually exclusive within a component. +% We must then subtract the number of `internal' component fault combinations -for each component in the functional~group. +for each component in the {\fg}. +% For component R there is only one internal component fault that cannot exist $R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has three fault modes ${3 \choose 2} = 3$. + % Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified by listing all the required combinations: - +% Because there are only two components, this is simply the cross product +% of fm(R) and fm(T) but this does not hold for larger {\fgs}... $$ \mathcal{P}_{2}(fm(FG)) = \{ \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} @@ -986,7 +999,7 @@ Expanding the combination in equation \ref{eqn:correctedccps} \label{eqn:correctedccps2} \end{equation} -\paragraph{Use of Equation \ref{eqn:correctedccps2} } +%\paragraph{Use of Equation \ref{eqn:correctedccps2} } Equation \ref{eqn:correctedccps2} is useful for an automated tool that would verify that a single or double simultaneous failures model has complete failure mode coverage. By knowing how many test cases should be covered, and checking the cardinality 
diff --git a/submission_thesis/appendixes/algorithmic.tex b/submission_thesis/appendixes/algorithmic.tex index dd0a7be..07c2241 100644 --- a/submission_thesis/appendixes/algorithmic.tex +++ b/submission_thesis/appendixes/algorithmic.tex @@ -37,6 +37,7 @@ we are able to collect common symptoms of failure for the {\fg}. With the collected common symptoms, we can treat the {\fg} as a component in its own right. This new component being derived from the {\fg}. +% In the field of safety engineering this derived component corresponds to a low~level sub-system. %The technique uses a graphical notation, based on Euler\cite{eulerviz} and Constraint diagrams\cite{constraint} to model failure modes and failure mode common symptom collection. The technique is designed for making building blocks for a hierarchical fault model. % @@ -66,8 +67,13 @@ The symptom extraction or abstraction process, is the key process in creating an } \vspace{40pt} %\today - - +\paragraph{Mutual exclusive property of the failure modes of a {\dc}} +Because the symptoms have been collected from +identical failure effects of the {\fg} they are mutually exclusive. +That is to say no failure mode effects of a component of a {\fg} +can be shared by a {\dc} failure mode. +This ensures the mutually exclusive, or unitary state failure mode property, meaning +the failure modes of a {\dc} are suitable for use in higher level {\fgs}. \subsection{Diagnostic analysis and Failure Mode Analysis} Fault finding is a closely related discipline to failure mode analysis.
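Review bot: the new paragraph in the CH2_FMEA/copy.tex hunk cites \ref{ch4:mutex} and \ref{ch3:mutex}, but the only mutex label this patch defines is \label{ch7:mutex} (in the first CH7 hunk); unless ch4:mutex and ch3:mutex already exist elsewhere in the tree they will render as "??" with undefined-reference warnings. The natural target for ch4:mutex is the "Mutual exclusivity of {\dc} failure modes" paragraph added in the CH4 hunk, which currently carries no label. Three smaller fixes in the same lines: "sections ~\ref{ch4:mutex} and ~\ref{ch7:mutex}" has a space before each tie, so write `sections~\ref{ch4:mutex} and~\ref{ch7:mutex}`; "these need spacial handling" should read "special handling"; and the first sentence is a comma splice, better as "It is desirable that the failure modes for a component are mutually exclusive. Were a component able to fail in several ways at the same time, this would complicate analysis."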
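Review bot: the justification sentence in the CH4_FMMD/copy.tex hunk reads backwards: "no component failure modes may be shared by a symptom within a {\fg}" says a symptom cannot share component failure modes, whereas the property the argument needs is that no component failure mode is shared between two symptoms (each failure mode is collected into exactly one symptom). Suggest "In the FMMD process symptoms are collected so that no component failure mode is shared between symptoms within a {\fg}". Also "symptoms are are collected" duplicates "are", "i.e no" should be "i.e.\ no", and since this paragraph is where CH2's \ref{ch4:mutex} points, add \label{ch4:mutex} after the \paragraph line.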
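Review bot: after the CH7 hunk at @@ -679,29 the surviving prose still says "We can define a set of failure mode sets called $\mathcal{U}$ to represent this property for a set of failure modes", but the definition environment that actually defines $\mathcal{U}$ (and the unitary state definition it relies on) is now commented out, so the reader is promised a definition that never appears; either keep a definition in the visible text or drop that sentence. Since the source is under git, commenting out a dozen lines with leading "%" rather than deleting them only clutters the file; the history already preserves the old text.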
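Review bot: \paragraph{Design Rule: Unitary State} in the @@ -750,10 hunk has no terminating period, while the other \paragraph headings added in this patch ("Failure modes of a component and mutual exclusivity.", "Mutual exclusivity of {\dc} failure modes.") end with one; pick one convention. The commented-out %\subsection line kept above it can simply be deleted.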
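Review bot: commenting out \paragraph{Reason for FMMD unitary failure mode constraint.} in the @@ -780,10 hunk leaves "Were this constraint not to be applied," as the opening of text that now runs straight on from the footnote sentence about heuristic de-composition, so "this constraint" has lost the heading that named it; either keep the heading or open with "Were the unitary state constraint not to be applied,". The unchanged footnote in this hunk's context also spells "de-compostion" where the body text uses "de-composition".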
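Review bot: the block beginning "% Did J Howse actually read this? 06APR2013" in the @@ -892,20 hunk is a note to self and should not go into the submission copy. The commented text under it (both $R$ and $T$ could fail, but the failure modes within each are mutually exclusive, so some combinations of $\{R_o, R_s, T_o, T_s, T_h\}$ cannot occur) is exactly the reasoning that justifies the subtraction performed in the next hunk, and is clearer than the new sentence "Note this set of failure modes is as we would use them for single failure analysis"; consider reinstating it as visible text. The context line "because there are 5 error modes" also uses "error modes" where the rest of the section says failure modes.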
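Review bot: the terminology fix in the @@ -913,17 hunk is only partial: "the faults are mutually exclusive" becomes "{\fms}", but the surrounding lines still say "fault combinations", "internal component fault", "fault modes" and "double fault modes"; replace them all with {\fms} or leave all as is. The arithmetic is consistent: 5 + 10 = 15 combinations, minus ${2 \choose 2} + {3 \choose 2} = 4$ internal pairs gives 11, and the listed set has 6 pairs and 5 singletons. The commented remark that the pairs are just the cross product of fm(R) and fm(T) because there are only two components is worth keeping visible, since a reader may otherwise generalise the listing to larger {\fgs}. Minor: the display uses $P_2$ while the sentence uses $\mathcal{P}_{2}$ for the same set, and "gives :-" has a stray space.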
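Review bot: the heading in the appendixes/algorithmic.tex @@ -66,8 hunk should read "Mutually exclusive property of the failure modes of a {\dc}" and, like the other \paragraph headings in this patch, end with a period. The body repeats the reversed phrasing from the CH4 hunk: "no failure mode effects of a component of a {\fg} can be shared by a {\dc} failure mode" states the opposite of the needed condition, which is that no component failure mode is shared between two {\dc} failure modes. It also restates the CH4 paragraph almost verbatim; a \ref to ch7:mutex here would avoid maintaining the same argument in three places (CH4, CH7 and the appendix).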