JMC proof read.

This commit is contained in:
Robin Clark 2010-12-10 18:53:48 +00:00
parent 2281c2d95a
commit f2a853a6d4


@ -167,7 +167,7 @@ are held in a computer program, we can determine if the model is complete
\subsection{General comments on bottom-up and top down approaches} \subsection{General comments on bottom-up and top down approaches}
\paragraph{A general defeciency in top-down systems analysis.} \paragraph{A general deficiency in top-down systems analysis.}
With a top down approach the investigator has to determine With a top down approach the investigator has to determine
a set of undesirable outcomes or `accidents'. a set of undesirable outcomes or `accidents'.
As most accidents are unexpected and the causes unforeseen \cite{safeware} As most accidents are unexpected and the causes unforeseen \cite{safeware}
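Review bot: the two heading lines at the top of this hunk still disagree on hyphenation: `\subsection{General comments on bottom-up and top down approaches}` has `top down` while the corrected `\paragraph{A general deficiency in top-down systems analysis.}` has `top-down`. Since the subsection line is already being touched, hyphenating `top-down` there as well would make the pair consistent with `bottom-up`.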
@ -227,8 +227,8 @@ To look in detail at a quarter of a million test cases is obviously impractical.
If we were to consider multiple simultaneous failure modes, If we were to consider multiple simultaneous failure modes,
we have yet another cross product of checks to be performed. we have yet another cross product of checks to be performed.
%
For instance for looking at double simultaneous failure modes, where $\#C$ For instance looking at double simultaneous failure modes, where $\#C$
is the number of checks to perform is the number of checks to perform
the equation reads $\#C = (N-2) \times (N-1) \times N \times K \times E$. the equation reads $\#C = (N-2) \times (N-1) \times N \times K \times E$.
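Review bot: the reworded line `For instance looking at double simultaneous failure modes, where $\#C$` still lacks punctuation; a comma after `For instance` and another closing the `where $\#C$ is the number of checks to perform` clause before `the equation reads` would make the sentence parse. Separately, the formula on the last line, `$\#C = (N-2) \times (N-1) \times N \times K \times E$`, has three factors in $N$, which reads like a count for triple rather than double simultaneous failures; worth confirming whether the intended double-failure expression is $(N-1) \times N \times K \times E$.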
@ -271,7 +271,7 @@ experienced engineers sitting around a large diagram and discussing the safety a
Also the nature of a large rocket with red wire, and remote detonation Also the nature of a large rocket with red wire, and remote detonation
failsafes meant that the objective was to iron out common failures failsafes meant that the objective was to iron out common failures
not to rigorously detect all possible failures. not to rigorously detect all possible failures.
Consequently it was not designed to guarantee to cover all component failure modes, Consequently it was not designed to guarantee to covering all component failure modes,
and has no rigorous in-built safeguards to ensure coverage of all possible and has no rigorous in-built safeguards to ensure coverage of all possible
system level outcomes. system level outcomes.
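Review bot: the edit on the `Consequently` line introduces a grammatical error: `guarantee to covering all component failure modes` should stay `guarantee to cover all component failure modes`, as in the old text, or become `guarantee coverage of all component failure modes`. Please revert or reword.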
@ -291,7 +291,7 @@ The investigation will typically point to a particular failure
of a component. of a component.
The methodology is now applied to find the significance of the failure. The methodology is now applied to find the significance of the failure.
Its is based on a simple equation where $S$ ranks the severity (or cost \cite{bfmea}) of the identified SYSTEM failure, Its is based on a simple equation where $S$ ranks the severity (or cost \cite{bfmea}) of the identified SYSTEM failure,
$O$ its occurrance\footnote{The occurrance $O$ is the $O$ its occurrence\footnote{The occurrence $O$ is the
probability of the failure happening.}, probability of the failure happening.},
and $D$ giving the failures detectability\footnote{Detectability: often failures and $D$ giving the failures detectability\footnote{Detectability: often failures
may occur but not be noticed or cause an effect. may occur but not be noticed or cause an effect.
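Review bot: the `occurrence` fix is right, but the line two above it still opens with `Its is based on a simple equation`, which should be `It is based on a simple equation`; and `the failures detectability` on the last changed line should be `the failure's detectability`.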
@ -311,7 +311,7 @@ a prioritised `todo list', with higher the $RPN$ values being the most urgent.
\paragraph{Note.} FMEA is sometimes used in its literal sense, that is to say \paragraph{Note.} FMEA is sometimes used in its literal sense, that is to say
Failure Mode Effects analysis, simply looking at a systems internal failure Failure Mode Effects analysis, simply looking at a systems internal failure
modes and determing what may happen as a result. modes and determining what may happen as a result.
FMEA described in this section (\ref{pfmea}) is sometimes called `production FMEA'. FMEA described in this section (\ref{pfmea}) is sometimes called `production FMEA'.
\subsection{FMECA} \subsection{FMECA}
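Review bot: besides `determining`, the line before it has `a systems internal failure modes`, which needs the possessive `a system's internal failure modes`. The context in the hunk header, `with higher the $RPN$ values being the most urgent`, would also read better as `with the higher $RPN$ values being the most urgent`.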
@ -336,12 +336,12 @@ This is termed the $\beta$ factor.
This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea}, This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea},
as often the component failure mode cannot be proven to cause a SYSTEM level failure, but is as often the component failure mode cannot be proven to cause a SYSTEM level failure, but is
assigned a probability $\beta$ factor by the design engineer. The use of a $\beta$ factor assigned a probability $\beta$ factor by the design engineer. The use of a $\beta$ factor
is often justified using bayes theorem \cite{probstat}. is often justified using Bayes theorem \cite{probstat}.
%Also, it can miss combinations of failure modes that will cause SYSTEM level errors. %Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
% %
The results of FMECA are similar to FMEA, in that component errors are The results of FMECA are similar to FMEA, in that component errors are
listed according to importance, based on listed according to importance, based on
probability of occurrance and criticallity. probability of occurrence and criticallity.
% to prevent the SYSTEM fault of given criticallity. % to prevent the SYSTEM fault of given criticallity.
Again this essentially produces a prioritised `todo' list. Again this essentially produces a prioritised `todo' list.
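Review bot: `occurrence` and `Bayes` are corrected here, but `criticallity` is left misspelled on the `probability of occurrence and criticallity.` line (and in the commented line below it); it should be `criticality`. `Bayes theorem` also conventionally takes the possessive, `Bayes' theorem`.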
@ -428,7 +428,7 @@ Failure modes are now classified as safe or dangerous.
This is done by taking a component failure mode and determining This is done by taking a component failure mode and determining
if the SYSTEM error it is tied to is dangerous or safe. if the SYSTEM error it is tied to is dangerous or safe.
The decision for this may be The decision for this may be
based on hueristics or field data. based on heuristics or field data.
EN61508 uses the $\lambda$ symbol to represent probabilities. EN61508 uses the $\lambda$ symbol to represent probabilities.
Because we have statistics for each component failure mode, Because we have statistics for each component failure mode,
we can now now classify these in terms of safe and dangerous lambda values. we can now now classify these in terms of safe and dangerous lambda values.
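Review bot: the last line of the hunk still has the doubled word in `we can now now classify these`; drop one `now` while the `heuristics` spelling is being fixed on the line above.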
@ -465,7 +465,7 @@ These new failures are added to the model.
With these classifications, and statistics for each component With these classifications, and statistics for each component
we can now calculate statistics for the diagnostic coverage (how good at `self checking' the system is) we can now calculate statistics for the diagnostic coverage (how good at `self checking' the system is)
and its safe failure fraction (how many of its failures are self detected or safe compred to and its safe failure fraction (how many of its failures are self detected or safe compared to
all failures possible). all failures possible).
The calculations for these are described below. The calculations for these are described below.
@ -707,7 +707,7 @@ A SYSTEM level failure mode is an abstracted failure mode, in that
it is a symptom of some lower level failure or failures. it is a symptom of some lower level failure or failures.
Tracing the SYSTEM level failure or symptom, down through Tracing the SYSTEM level failure or symptom, down through
a decomposed system, will give a fault tree. This will typically a decomposed system, will give a fault tree. This will typically
trace the SYSTEM level failure mode to some individual base compoenent failures trace the SYSTEM level failure mode to some individual base component failures
or combinations thereof. or combinations thereof.
% ABSTRACTION % ABSTRACTION
For instance a failed resistor in a sensor at a base component level is a specific For instance a failed resistor in a sensor at a base component level is a specific
@ -783,10 +783,10 @@ is a small set of components that perform a simple
task. task.
% %
%The functional group should perform a clearly defined task. %The functional group should perform a clearly defined task.
The design engineer must chose the components that for a {\fg}. The design engineer must chose the components that form a {\fg}.
It should be possible to consider the {\fg} as a a component or It should be possible to consider the {\fg} as a component or
black box, performing a given function. black box, performing a given function.
The {\fg} should be chosen as to be as small The {\fg} should be chosen to be as small
(in terms of the number of components) as possible. (in terms of the number of components) as possible.
% %
This should be small enough to be able %Another advantage of the functional group being small This should be small enough to be able %Another advantage of the functional group being small
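Review bot: `form a {\fg}` and the dropped duplicate `a a` are good, but the same line keeps `The design engineer must chose`, which should be `must choose`. Also, on the final line of the hunk, `This should be small enough to be able %Another advantage of the functional group being small`, the `%` starts a comment mid-sentence; in LaTeX the comment swallows the line break too, so `able` will be typeset run together with the first word of the following source line. Moving the `%Another advantage ...` comment onto its own line avoids that.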
@ -864,8 +864,8 @@ there is a phase of symptom collection.
We can use the symbol $alpha$ to represent the abstraction level We can use the symbol $alpha$ to represent the abstraction level
and make it an attribute of a component. and make it an attribute of a component.
Base components will have an $\alpha$ level of zero. Base components will have an $\alpha$ level of zero.
A derived component when created must always be greater than any A derived component when created must alwayave a graater $\alpha$ value than any
of the components included in the {\fg} it was derived from. of the components included in the {\fg} from which it was derived.
\paragraph{Natural Reduction in number of failure modes with abstraction level} \paragraph{Natural Reduction in number of failure modes with abstraction level}
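Review bot: the rewritten line `A derived component when created must alwayave a graater $\alpha$ value than any` introduces two typos, `alwayave` for `always have` and `graater` for `greater`. The first line of the hunk also has `$alpha$` without the backslash, so it typesets as the italic word `alpha` rather than the symbol `$\alpha$` used on the following lines; it should be `$\alpha$`.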
@ -895,7 +895,7 @@ Functional groups are collections of components
that work together to perform a simple function. that work together to perform a simple function.
% %
We can perform a failure mode effects analysis on each of the component failure We can perform a failure mode effects analysis on each of the component failure
modes within a {\fg}. Because we can implemnent the process in software we can modes within a {\fg}. Because we can implemenent the process in software we can
thus ensure that all component failure modes thus ensure that all component failure modes
are included in the model. are included in the model.
% %
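Review bot: the change on the `modes within a {\fg}` line replaces one misspelling with another: `implemnent` became `implemenent`; the word is `implement`.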
@ -928,7 +928,7 @@ new {\fg}s and we can build a hierarchical `failure~mode' model of the SYSTEM.
A {\fg} is a set components (each with a set of of failure modes) A {\fg} is a set components (each with a set of of failure modes)
that collectively group together to serve some purpose (to perform some function), that collectively group together to serve some purpose (to perform some function),
and derived components are determined and derived components are determined
from analysis and symtom collection from analysis and symptom collection
of the {\fg}. of the {\fg}.
The {\dc} is equipped with a new set of failure modes The {\dc} is equipped with a new set of failure modes
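Review bot: the `symptom` fix is fine, but the first line of the hunk, `A {\fg} is a set components (each with a set of of failure modes)`, still needs `a set of components` and has a doubled `of of`.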
@ -971,8 +971,8 @@ must be analysed for each operational state
and environment condition that can affect it. and environment condition that can affect it.
% %
Two design decisions are required here: which objects should we Two design decisions are required here: which objects should we
analyse the environment and the operational states with respect to. analyse the environmental and the operational states with respect to.
There are three objects in our model that these considerations could be applied to. There are three objects in our model to which these considerations could be applied.
We could apply these conditions for analysis We could apply these conditions for analysis
to the functional group, the components, or the derived to the functional group, the components, or the derived
component. component.
@ -980,7 +980,7 @@ component.
\paragraph {Environmental Conditions and FMMD.} \paragraph {Environmental Conditions and FMMD.}
Environmental conditions are external to the Environmental conditions are external to the
{\fg} and are often things the system has no direct control over. {\fg} and are often things over which the system has no direct control.
Consider ambient temperature, pressure or even electrical interference levels. Consider ambient temperature, pressure or even electrical interference levels.
% %
Environmental conditions may affect different components in a {\fg} Environmental conditions may affect different components in a {\fg}
@ -1084,18 +1084,18 @@ The bottom-up approach fulfils the logical de-composition requirement, because
are built from components performing a given task. are built from components performing a given task.
\subsubsection{ Multiple failure modes may be modelled from the base component level up} \subsubsection{ Multiple failure modes may be modelled from the base component level up.}
By breaking the problem of failure mode analysis into small stages By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced by an exponential order. all failure modes within a system are reduced by an exponential order.
This is because the mutliple failure modes are considered This is because the mutliple failure modes are considered
within {\fgs} which have fewer failure modes to consider within {\fgs} which have fewer failure modes to consider
at each FMMD stage. at each FMMD stage.
Where appropriate multiple simultaneous failures can be modelled, by Where appropriate, multiple simultaneous failures can be modelled by
intoducing test~cases where the conjunction of failure modes is considered. intoducing test~cases where the conjunction of failure modes is considered.
\subsubsection {Inhibit Conditions} \subsubsection {Inhibit Conditions}
Some failure modes only occur when another failure has occured, or Some failure modes only occur when another failure has occurred, or
due to an environmental condition reaching a critical value. This is specifically due to an environmental condition reaching a critical value. This is specifically
dealt with using the FTA methodology~\cite{nucfta}[IV 9]. dealt with using the FTA methodology~\cite{nucfta}[IV 9].
An example FTA inhibit gate is shown in figure \ref{fig:inhibitconcept}. An example FTA inhibit gate is shown in figure \ref{fig:inhibitconcept}.
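Review bot: adding a full stop to `\subsubsection{ Multiple failure modes may be modelled from the base component level up.}` makes it inconsistent with the other heading in this hunk, `\subsubsection {Inhibit Conditions}`, which has none; pick one convention (and the stray leading space inside the braces could go at the same time). Two typos also survive inside the hunk: `mutliple` on the `This is because the mutliple failure modes are considered` line and `intoducing` on the `intoducing test~cases` line.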
@ -1141,7 +1141,7 @@ An example FTA inhibit gate is shown in figure \ref{fig:inhibitconcept}.
\paragraph{Static or Dynamic Modelling of Inhibit} \paragraph{Static or Dynamic Modelling of Inhibit}
If the model is static we can consider the conditional failure If the model is static we can consider the conditional failure
at a lower probability of occuring (i.e. pthe probability at a lower probability of occurring (i.e. the probability
of A multiplied by the probability of Q). of A multiplied by the probability of Q).
If we wish to dynamically model the conditional failure If we wish to dynamically model the conditional failure
an attribute to the failure~modes must be added an attribute to the failure~modes must be added