robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

JMC proof read.

Browse Source
This commit is contained in:
Robin Clark 2010-12-10 18:53:48 +00:00
parent 2281c2d95a
commit f2a853a6d4
1 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
fmmd_concept/fmmd_concept.tex
View File

@ -167,7 +167,7 @@ are held in a computer program, we can determine if the model is complete
\subsection{General comments on bottom-up and top down approaches}
\paragraph{A general defeciency in top-down systems analysis.}
\paragraph{A general deficiency in top-down systems analysis.}
With a top down approach the investigator has to determine
a set of undesirable outcomes or `accidents'.
As most accidents are unexpected and the causes unforeseen \cite{safeware}
@ -227,8 +227,8 @@ To look in detail at a quarter of a million test cases is obviously impractical.
If we were to consider multiple simultaneous failure modes,
we have yet another cross product of checks to be performed.
For instance for looking at double simultaneous failure modes, where $\#C$
%
For instance looking at double simultaneous failure modes, where $\#C$
is the number of checks to perform
the equation reads $\#C = (N-2) \times (N-1) \times N \times K \times E$.
@ -271,7 +271,7 @@ experienced engineers sitting around a large diagram and discussing the safety a
Also the nature of a large rocket with red wire, and remote detonation
failsafes meant that the objective was to iron out common failures
not to rigorously detect all possible failures.
Consequently it was not designed to guarantee to cover all component failure modes,
Consequently it was not designed to guarantee to covering all component failure modes,
and has no rigorous in-built safeguards to ensure coverage of all possible
system level outcomes.
@ -291,7 +291,7 @@ The investigation will typically point to a particular failure
of a component.
The methodology is now applied to find the significance of the failure.
Its is based on a simple equation where $S$ ranks the severity (or cost \cite{bfmea}) of the identified SYSTEM failure,
$O$ its occurrance\footnote{The occurrance $O$ is the
$O$ its occurrence\footnote{The occurrence $O$ is the
probability of the failure happening.},
and $D$ giving the failures detectability\footnote{Detectability: often failures
may occur but not be noticed or cause an effect.
@ -311,7 +311,7 @@ a prioritised `todo list', with higher the $RPN$ values being the most urgent.
\paragraph{Note.} FMEA is sometimes used in its literal sense, that is to say
Failure Mode Effects analysis, simply looking at a systems internal failure
modes and determing what may happen as a result.
modes and determining what may happen as a result.
FMEA described in this section (\ref{pfmea}) is sometimes called `production FMEA'.
\subsection{FMECA}
@ -336,12 +336,12 @@ This is termed the $\beta$ factor.
This lacks precision, or in other words, determinability prediction accuracy \cite{fafmea},
as often the component failure mode cannot be proven to cause a SYSTEM level failure, but is
assigned a probability $\beta$ factor by the design engineer. The use of a $\beta$ factor
is often justified using bayes theorem \cite{probstat}.
is often justified using Bayes theorem \cite{probstat}.
%Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
%
The results of FMECA are similar to FMEA, in that component errors are
listed according to importance, based on
probability of occurrance and criticallity.
probability of occurrence and criticallity.
% to prevent the SYSTEM fault of given criticallity.
Again this essentially produces a prioritised `todo' list.
@ -428,7 +428,7 @@ Failure modes are now classified as safe or dangerous.
This is done by taking a component failure mode and determining
if the SYSTEM error it is tied to is dangerous or safe.
The decision for this may be
based on hueristics or field data.
based on heuristics or field data.
EN61508 uses the $\lambda$ symbol to represent probabilities.
Because we have statistics for each component failure mode,
we can now now classify these in terms of safe and dangerous lambda values.
@ -465,7 +465,7 @@ These new failures are added to the model.
With these classifications, and statistics for each component
we can now calculate statistics for the diagnostic coverage (how good at `self checking' the system is)
and its safe failure fraction (how many of its failures are self detected or safe compred to
and its safe failure fraction (how many of its failures are self detected or safe compared to
all failures possible).
The calculations for these are described below.
@ -707,7 +707,7 @@ A SYSTEM level failure mode is an abstracted failure mode, in that
it is a symptom of some lower level failure or failures.
Tracing the SYSTEM level failure or symptom, down through
a decomposed system, will give a fault tree. This will typically
trace the SYSTEM level failure mode to some individual base compoenent failures
trace the SYSTEM level failure mode to some individual base component failures
or combinations thereof.
% ABSTRACTION
For instance a failed resistor in a sensor at a base component level is a specific
@ -783,10 +783,10 @@ is a small set of components that perform a simple
task.
%
%The functional group should perform a clearly defined task.
The design engineer must chose the components that for a {\fg}.
It should be possible to consider the {\fg} as a a component or
The design engineer must chose the components that form a {\fg}.
It should be possible to consider the {\fg} as a component or
black box, performing a given function.
The {\fg} should be chosen as to be as small
The {\fg} should be chosen to be as small
(in terms of the number of components) as possible.
%
This should be small enough to be able %Another advantage of the functional group being small
@ -864,8 +864,8 @@ there is a phase of symptom collection.
We can use the symbol $alpha$ to represent the abstraction level
and make it an attribute of a component.
Base components will have an $\alpha$ level of zero.
A derived component when created must always be greater than any
of the components included in the {\fg} it was derived from.
A derived component when created must alwayave a graater $\alpha$ value than any
of the components included in the {\fg} from which it was derived.
\paragraph{Natural Reduction in number of failure modes with abstraction level}
@ -895,7 +895,7 @@ Functional groups are collections of components
that work together to perform a simple function.
%
We can perform a failure mode effects analysis on each of the component failure
modes within a {\fg}. Because we can implemnent the process in software we can
modes within a {\fg}. Because we can implemenent the process in software we can
thus ensure that all component failure modes
are included in the model.
%
@ -928,7 +928,7 @@ new {\fg}s and we can build a hierarchical `failure~mode' model of the SYSTEM.
A {\fg} is a set components (each with a set of of failure modes)
that collectively group together to serve some purpose (to perform some function),
and derived components are determined
from analysis and symtom collection
from analysis and symptom collection
of the {\fg}.
The {\dc} is equipped with a new set of failure modes
@ -971,8 +971,8 @@ must be analysed for each operational state
and environment condition that can affect it.
%
Two design decisions are required here: which objects should we
analyse the environment and the operational states with respect to.
There are three objects in our model that these considerations could be applied to.
analyse the environmental and the operational states with respect to.
There are three objects in our model to which these considerations could be applied.
We could apply these conditions for analysis
to the functional group, the components, or the derived
component.
@ -980,7 +980,7 @@ component.
\paragraph {Environmental Conditions and FMMD.}
Environmental conditions are external to the
{\fg} and are often things the system has no direct control over.
{\fg} and are often things over which the system has no direct control.
Consider ambient temperature, pressure or even electrical interference levels.
%
Environmental conditions may affect different components in a {\fg}
@ -1084,18 +1084,18 @@ The bottom-up approach fulfils the logical de-composition requirement, because
are built from components performing a given task.
\subsubsection{ Multiple failure modes may be modelled from the base component level up}
\subsubsection{ Multiple failure modes may be modelled from the base component level up.}
By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced by an exponential order.
This is because the mutliple failure modes are considered
within {\fgs} which have fewer failure modes to consider
at each FMMD stage.
Where appropriate multiple simultaneous failures can be modelled, by
Where appropriate, multiple simultaneous failures can be modelled by
intoducing test~cases where the conjunction of failure modes is considered.
\subsubsection {Inhibit Conditions}
Some failure modes only occur when another failure has occured, or
Some failure modes only occur when another failure has occurred, or
due to an environmental condition reaching a critical value. This is specifically
dealt with using the FTA methodology~\cite{nucfta}[IV 9].
An example FTA inhibit gate is shown in figure \ref{fig:inhibitconcept}.
@ -1141,7 +1141,7 @@ An example FTA inhibit gate is shown in figure \ref{fig:inhibitconcept}.
\paragraph{Static or Dynamic Modelling of Inhibit}
If the model is static we can consider the conditional failure
at a lower probability of occuring (i.e. pthe probability
at a lower probability of occurring (i.e. the probability
of A multiplied by the probability of Q).
If we wish to dynamically model the conditional failure
an attribute to the failure~modes must be added