Forgot to commit last night, was in such a rush.

This is the draft version of CH4 as sent to
Chris Garret and the damn lazy bastards.
This commit is contained in:
robin 2012-04-25 18:24:22 +01:00
parent 61e7eb800b
commit f30d53bb0f
3 changed files with 97 additions and 81 deletions


@ -23,7 +23,7 @@ This chapter defines the FMMD process and related concepts and calculations.
FMMD is in essence modularised FMEA. Rather than taking each component failure mode FMMD is in essence modularised FMEA. Rather than taking each component failure mode
and extrapolating top level or system failure symptoms from it, and extrapolating top level or system failure symptoms from it,
small groups of components are collected into {\fgs} and analysed, small groups of components are collected into {\fgs} and analysed,
and then {\dcs} are used to represent the {fgs}. and then {\dcs} are used to represent the {\fgs}.
These {\dcs} are used to then build further {\fgs} until a hierarchy of {\fgs} These {\dcs} are used to then build further {\fgs} until a hierarchy of {\fgs}
and {\dcs} has been built, converging to a final {\dc} and {\dcs} has been built, converging to a final {\dc}
at the top of the hierarchy. at the top of the hierarchy.
@ -93,21 +93,21 @@ like an integrated micro controller, or quite simple like the humble resistor.
We can define a We can define a
component by its name, a manufacturers' part number and perhaps component by its name, a manufacturers' part number and perhaps
a vendors' reference number. a vendor's reference number.
Geffory Hall, writing in Spacecraft systems engineering\cite{scse}[p.619] Geoffrey Hall, writing in Spacecraft systems engineering\cite{scse}[p.619]
defines a `part' thus defines a `part' thus
``{{Part(definition)}---The lowest level of assembly, beyond which further disassembly irrevocably destroys the item'' ``{{Part(definition)}---The lowest level of assembly, beyond which further disassembly irrevocably destroys the item''
The term component, in American English, can mean a building block or a part. The term component, in American English, can mean a building block or a part.
In British-English a component generally is given to mean the definition for part above. In British-English a component generally is given to mean the definition for part above.
For this study, we will use {\bc} to mean a `part', and component For this study, we will use {\bc} to mean a `part', and component
to mean a part or a sub-assembly. Definitions used in FMMD is given in table~\ref{tbl:fmmd_defs} to mean a part or a sub-assembly. Definitions used in FMMD is listed in table~\ref{tbl:fmmd_defs} and discussed below.
%% %%
\subsection{Systems, functional groups, sub-systems and failure modes} \subsection{Systems, functional groups, sub-systems and failure modes}
It is helpful here to define the terms, `system', `functional~group', `component', `base~component', `symptom' and `derived~component/sub-system'. It is helpful here to define the terms, `system', `functional~group', `component', `base~component', `symptom' and `derived~component/sub-system'.
These are listed in table~\ref{tab:symexdef}. %These are listed in table~\ref{tab:symexdef}.
A system, is any coherent entity that would be sold as a product. % safety critical product. A system, is any coherent entity that would be sold as a product. % safety critical product.
A sub-system is a system that is part of some larger system. A sub-system is a system that is part of some larger system.
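Review bot: `Definitions used in FMMD is listed in table~\ref{tbl:fmmd_defs} and discussed below.` still has a subject-verb mismatch; suggest `Definitions used in FMMD are listed in table~\ref{tbl:fmmd_defs} and discussed below.` The quoted part definition, ``{{Part(definition)}---The lowest level ...'', opens two braces and closes one on both sides of the diff, which will not compile; drop the extra brace.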
@ -140,7 +140,9 @@ For instance in the CD~player example; if we start at the bottom, we are present
a massive list of base~components, resistors, motors, user~switches, laser~diodes, all sorts! a massive list of base~components, resistors, motors, user~switches, laser~diodes, all sorts!
Clearly, working from the bottom~up, we need to pick small Clearly, working from the bottom~up, we need to pick small
collections of components that work together in some way. collections of components that work together in some way.
These are termed `functional~groups'. For instance the circuitry that powers the laser diode These are termed `functional~groups'.
%
For instance, the circuitry that powers the laser diode
to illuminate the CD might contain a handful of components, and as such would make a good candidate to illuminate the CD might contain a handful of components, and as such would make a good candidate
to be one of the base level functional~groups. to be one of the base level functional~groups.
@ -171,7 +173,7 @@ The symptoms of the {\fg} are the failure modes of this new `derived component'.
%\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD %\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD
%1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component} %1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component}
Electrical components have detailed datasheets associated with them. A useful extension of this could Electrical components have detailed data-sheets associated with them. A useful extension of this could
be failure modes of the component, with environmental factors and MTTF statistics. be failure modes of the component, with environmental factors and MTTF statistics.
Currently this sort of failure mode information is generally only available for generic component types \cite{mil1991}. Currently this sort of failure mode information is generally only available for generic component types \cite{mil1991}.
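Review bot: `datasheets` is the usual single-word form in electronics documentation, so the change to `data-sheets` reads as unusual; either spelling is acceptable, but keep one form throughout the chapter.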
@ -189,7 +191,8 @@ System & A product designed to
Sub-system & A part of a system, Sub-system & A part of a system,
-or- derived component sub-systems may contain sub-systems. -or- derived component sub-systems may contain sub-systems.
derived~components may be derived derived~components may be derived
from derived components from derived components.
Constraint: This object must have a defined set of failure~modes \\ \hline Constraint: This object must have a defined set of failure~modes \\ \hline
Failure mode & A way in which a system, Failure mode & A way in which a system,
@ -203,14 +206,15 @@ Symptom & A failure mode of a functional group, caused by
a combination of its component failure modes \\ \hline a combination of its component failure modes \\ \hline
Base Component & Any bought in component, or Base Component & Any bought in component, or
lowest level module/or part lowest level module/or part.
Constraint: This object must have a defined set of failure~modes \\ \hline Constraint: This object must have a defined set of failure~modes \\ \hline
Unitary State & A component may be in only one of its failure modes at a time. \\ Unitary State & A component may be in only one of its failure modes at a time. \\
\hline \hline
\end{tabular} \end{tabular}
\caption{Failure Mode Modular De-composition: definitions and terms} \caption{Failure Mode Modular De-composition: definitions and terms}
\label{tab:fmmd_defs} \label{tbl:fmmd_defs}
\end{table} \end{table}
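Review bot: renaming the label to `tbl:fmmd_defs` makes it match the `\ref{tbl:fmmd_defs}` added earlier in this commit, but the commented-out `%These are listed in table~\ref{tab:symexdef}` shows the table has carried other names before; grep the chapter for any remaining `\ref{tab:fmmd_defs}` before merging, since a stale reference renders as `??`.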
@ -279,7 +283,7 @@ will be termed `base~components'.
Components derived from base~components (i.e. sub-assemblies) will not always require Components derived from base~components (i.e. sub-assemblies) will not always require
parts~numbers\footnote{It is common practise for sub-assemblies, PCB's, mechanical parts, parts~numbers\footnote{It is common practise for sub-assemblies, PCB's, mechanical parts,
software modules and some collections of components to have part numbers. software modules and some collections of components to have part numbers.
This is a production/configuration~control issue and linked to Bill of Material (BOM)~\cite{opmanage} This is a production/configuration~control issue, and linked to Bill of Material (BOM)~\cite{opmanage}
database structures etc. Parts numbers for derived components are not directly related to the analysis process database structures etc. Parts numbers for derived components are not directly related to the analysis process
we are concerned with here.}, and will we are concerned with here.}, and will
not require a vendor reference, but must be named locally in the FMMD model. not require a vendor reference, but must be named locally in the FMMD model.
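Review bot: in the footnote, `common practise` should be `common practice` (the noun form), and `PCB's` should be the plain plural `PCBs`. The added comma in `issue, and linked to` splits a compound predicate; suggest `This is a production/configuration~control issue linked to Bill of Material (BOM)~\cite{opmanage} database structures etc.`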
@ -324,7 +328,7 @@ They identify faults that can occur in a system, and then work down
to see how they could be caused. Some apply statistical techniques to to see how they could be caused. Some apply statistical techniques to
determine the likelihood of component failures determine the likelihood of component failures
causing specific system level errors. For example the FMEA variant FMECA, uses causing specific system level errors. For example the FMEA variant FMECA, uses
Bayes theorem~\ref{probstat}[p.170]~\cite{nucfta}[p.74] (the relation between a conditional probability and its reverse) Bayes theorem~\cite{probstat}[p.170]~\cite{nucfta}[p.74] (the relation between a conditional probability and its reverse)
and is applied to specific failure modes in components and their probability of causing given system level errors. and is applied to specific failure modes in components and their probability of causing given system level errors.
Another top down methodology is to apply cost benefit analysis Another top down methodology is to apply cost benefit analysis
to determine which faults are the highest priority to fix~\cite{bfmea}. to determine which faults are the highest priority to fix~\cite{bfmea}.
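Review bot: `For example the FMEA variant FMECA, uses` has a comma between subject and verb; suggest `For example, the FMEA variant FMECA uses Bayes' theorem~\cite{probstat}[p.170]~\cite{nucfta}[p.74]`. The change from `\ref{probstat}` to `\cite{probstat}` is correct, as a `\ref` here would have printed a section number instead of a bibliography entry.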
@ -335,12 +339,13 @@ starting, where possible with known base~component failure~modes.
An advantage of working from the bottom up is that we can ensure that An advantage of working from the bottom up is that we can ensure that
all component failure modes must be considered. A top down approach all component failure modes must be considered. A top down approach
can miss individual failure modes of components~\cite{faa}[Ch.~9], can miss individual failure modes of components~\cite{faa}[Ch.~9],
especially where there are non obvious top-level faults. especially where there are non-obvious top-level faults.
In order to analyse from the bottom-up, we need to take In order to analyse from the bottom-up, we need to take
small groups of components from the parts~list that naturally small groups of components from the parts~list that naturally
work together to perform a simple function. work together to perform a simple function.
The components to include in a {\fg} are chosen by hand.%a human, the analyst. The components to include in a {\fg} are chosen by hand.
%a human, the analyst.
%We can represent the `Functional~Group' as a class. %We can represent the `Functional~Group' as a class.
When we have a When we have a
`{\fg}' we can look at the components it contains, `{\fg}' we can look at the components it contains,
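Review bot: `we can ensure that all component failure modes must be considered` doubles up the modal; suggest `we can ensure that all component failure modes are considered.`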
@ -477,7 +482,7 @@ would have an $\abslev$ value of 1.
\subsection{Relationships between functional~groups and failure modes} \subsection{Relationships between functional~groups and failure modes}
Let the set of all possible components be $\mathcal{C}$ Let the set of all possible components be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$ and $\mathcal{PF}$ is the powerset of and let the set of all possible failure modes be $\mathcal{F}$, and $\mathcal{PF}$ is the power-set of
all $\mathcal{F}$. all $\mathcal{F}$.
We can define a function $fm$ as equation \ref{eqn:fmset}. We can define a function $fm$ as equation \ref{eqn:fmset}.
@ -639,7 +644,7 @@ The micro-controller thus becomes a collection of smaller components
that can be analysed separately~\footnote{It is common for the signal paths that can be analysed separately~\footnote{It is common for the signal paths
in a safety critical product to be traced, and when entering a complex in a safety critical product to be traced, and when entering a complex
component like a micro-controller, the process of heuristic de-compostion component like a micro-controller, the process of heuristic de-compostion
applied to it.}. is then applied to it.}.
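Review bot: `de-compostion` in the footnote is still misspelled on both sides of the diff; it should be `de-composition`.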
@ -681,7 +686,7 @@ The power-set, when applied to a set S is the set of all subsets of S, including
is no fault active in the functional~group under analysis.} is no fault active in the functional~group under analysis.}
and S itself. and S itself.
% %
We augment the concept the power-set concept here to deal with counting the number of We augment the power-set concept here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures. combinations of failures to consider, under the conditions of simultaneous failures.
% %
In order to consider combinations for the set S where the number of elements in In order to consider combinations for the set S where the number of elements in
@ -703,7 +708,7 @@ $$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},
$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is $\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is
less than or equal to 2 or less. less than or equal to 2.
$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$ $$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$
@ -748,7 +753,7 @@ calculation (in equation \ref {eqn:ccps}) would give the correct number of test
Because sets of failure modes in FMMD analysis are constrained to be unitary state, Because sets of failure modes in FMMD analysis are constrained to be unitary state,
the actual number of test cases to check will usually the actual number of test cases to check will usually
be less than this. be less than this.
This is because combinations of faults within a components failure mode set, This is because combinations of faults within a components failure mode set
are impossible under the conditions of unitary state failure mode. are impossible under the conditions of unitary state failure mode.
To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations'
for each component in the functional group under analysis. for each component in the functional group under analysis.
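Review bot: `a components failure mode set` needs the possessive, `a component's failure mode set`; removing the comma before `are impossible` is the right call, since it separated subject from verb.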
@ -778,7 +783,7 @@ for each component in the functional~group.
For component R there is only one internal component fault that cannot exist For component R there is only one internal component fault that cannot exist
$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has $R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has
three fault modes ${3 \choose 2} = 3$. three fault modes ${3 \choose 2} = 3$.
Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$.
The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified
by listing all the required combinations: by listing all the required combinations:
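Review bot: `$|\mathcal{P}_{2}(fm(FG))| = 11$` is inconsistent with the `$\mathcal{P}_{\le 2} S$` notation introduced earlier for subsets of cardinality at most 2; the figure of 11 includes the five single failure modes as well as the valid pairs, so `\mathcal{P}_{\le 2}` is the set meant here. The arithmetic itself checks out: with $R$ having two failure modes and $T$ three, there are $\binom{5}{2} + 5 = 15$ candidate sets, and subtracting the $(3+1)$ internal combinations gives 11. The `$cc == 2$` to `$cc = 2$` fix is right, as `==` is program syntax rather than mathematics.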
@ -910,7 +915,7 @@ When dealing with failure modes, we are not interested in
the state where the component is working correctly or `OK' (i.e. operating with no error). the state where the component is working correctly or `OK' (i.e. operating with no error).
% %
We are interested only in ways in which it can fail. We are interested only in ways in which it can fail.
By definition while all components in a system are `working~correctly' By definition, while all components in a system are `working~correctly',
that system will not exhibit faulty behaviour. that system will not exhibit faulty behaviour.
% %
We can say that the OK state corresponds to the empty set. We can say that the OK state corresponds to the empty set.
@ -924,7 +929,7 @@ $ fm(C) = \Omega(C) \backslash \{OK\} $
(or expressed as (or expressed as
$ \Omega(C) = fm(C) \cup \{OK\} $). $ \Omega(C) = fm(C) \cup \{OK\} $).
The $OK$ statistical case is the (usually) the largest in probability, and is therefore The $OK$ statistical case is the (usually) largest in probability, and is therefore
of interest when analysing systems from a statistical perspective. of interest when analysing systems from a statistical perspective.
This is of interest for the application of conditional probability calculations This is of interest for the application of conditional probability calculations
such as Bayes theorem~\cite{probstat}. such as Bayes theorem~\cite{probstat}.
@ -935,13 +940,13 @@ That is to say, a base component or a sub-system failure
has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds
to the probability that a given part failure mode will cause a given system level failure/event.}. to the probability that a given part failure mode will cause a given system level failure/event.}.
Another way to view this is to consider the failure modes of Another way to view this is to consider the failure modes of a
component, with the $OK$ state, as a universal set $\Omega$, where component, with the $OK$ state, as a universal set $\Omega$, where
all sets within $\Omega$ are partitioned. all sets within $\Omega$ are partitioned.
Figure \ref{fig:partitioncfm} shows a partitioned set representing Figure \ref{fig:partitioncfm} shows a partitioned set representing
component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets
where the OK or empty set condition is included, obey unitary state conditions. where the OK or empty set condition is included, obey unitary state conditions.
Because the subsets of $\Omega$ are partitioned we can say these Because the subsets of $\Omega$ are partitioned, we can say these
failure modes are unitary state. failure modes are unitary state.
\begin{figure}[h] \begin{figure}[h]
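Review bot: `$\{ B_1 ... B_8, OK \}$` should use `\ldots` rather than three full stops, and the space before the colon in `$\{ B_1 ... B_8, OK \}$ : partitioned sets` should be dropped.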
@ -1064,7 +1069,7 @@ a working temperature range for instance.
Mechanical components could be specified for stress and loading limits. Mechanical components could be specified for stress and loading limits.
Systems or sub-systems may have distict operational states. For instancea sefty critical controller Systems or sub-systems may have distinct operational states. For instance a safety critical controller
may have a LOCKOUT state where it has detected a serious problem and will not continue to operate until may have a LOCKOUT state where it has detected a serious problem and will not continue to operate until
authorised human intervention takes place. authorised human intervention takes place.
A safety critical circuit may have a self test mode. A safety critical circuit may have a self test mode.
@ -1076,14 +1081,16 @@ levels of electrical interference, high voltage contamination on supply
lines, radiation levels etc. lines, radiation levels etc.
Environmental influences will affect specific components in specific ways.\footnote{A good example of a part Environmental influences will affect specific components in specific ways.\footnote{A good example of a part
affected by environmental conditions, in this case temperature, is the opto-isolator affected by environmental conditions, in this case temperature, is the opto-isolator
which is typically affected at around \oc{60}. Most electrical components are far more robust than this~\cite{tlp181}.}. which is typically affected at around \oc{60}. Most electrical components are far more robust to temperature.~\cite{tlp181}.}.
Environmental analysis is thus applicable to components. Environmental analysis is thus applicable to components.
Environmental influences, such as over stress due to voltage Environmental influences, such as over stress due to voltage
can be eliminated by down-rating of components as discussed in section~\ref{downrate}. can be eliminated by down-rating of components as discussed in section~\ref{sec:determine_fms}.
With given environmental constraints, we can therefore eliminate some failure modes from the model. With given environmental constraints, we can therefore eliminate some failure modes from the model.
\paragraph{Operational states.} \paragraph{Operational states.}
Within the field of safety critical engineering we often encounter Within the field of safety critical engineering, we often encounter
sub-system that include test facilities. sub-system that include test or self-test facilities.
% %
We also encounter degraded performance We also encounter degraded performance
(such as only performing functions in an emergency) and lockout conditions. (such as only performing functions in an emergency) and lockout conditions.
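Review bot: the reworded footnote ends `robust to temperature.~\cite{tlp181}.}.`, which puts a full stop on both sides of the citation; suggest `Most electrical components are far more robust to temperature~\cite{tlp181}.}`. Under `\paragraph{Operational states.}`, `sub-system that include` should be plural: `sub-systems that include test or self-test facilities.`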
@ -1115,7 +1122,7 @@ on a combination of environmental or failure modes.
\paragraph{UML Diagram Additional Objects.} \paragraph{UML Diagram Additional Objects.}
The additional objects System, Environment and Operational States The additional objects System, Environment and Operational States
are added to UML diagram in figure \ref{fig:cfg} and represented in figure \ref{fig:cfg2}. are added to UML diagram in figure \ref{fig:cfg} are represented in figure \ref{fig:cfg2}.
\label{completeuml} \label{completeuml}
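Review bot: changing `and represented` to `are represented` leaves the sentence with two main verbs: `The additional objects ... are added to UML diagram in figure \ref{fig:cfg} are represented in figure \ref{fig:cfg2}.` Suggest `The additional objects System, Environment and Operational States are added to the UML diagram in figure \ref{fig:cfg}; the result is shown in figure \ref{fig:cfg2}.`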
@ -1209,7 +1216,8 @@ We can apply symptom abstraction to a {\fg} to find
its symptoms. its symptoms.
%We are interested in the failure modes %We are interested in the failure modes
%of all the components in the {\fg}. An analysis process %of all the components in the {\fg}. An analysis process
We define the symptom abstraction process with the symbol `$\derivec$'.% is applied to the {\fg}. We define the symptom abstraction process with the symbol `$\derivec$'.
% is applied to the {\fg}.
% %
The $\derivec$ function takes a {\fg} The $\derivec$ function takes a {\fg}
as an argument and returns a newly created {\dc}. as an argument and returns a newly created {\dc}.
@ -1222,29 +1230,30 @@ Using $\abslev$ (as described in~\ref{sec:alpha}) to symbolise the fault abstrac
$$ \derivec({\FG}^{\abslev}) \rightarrow c^{{\abslev}+N} | N \ge 1. $$ $$ \derivec({\FG}^{\abslev}) \rightarrow c^{{\abslev}+N} | N \ge 1. $$
\paragraph{Functional Groups may be indexed.} \paragraph{Functional Groups may be indexed.}
We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) We will typically have more than one {\fg} on each level of FMMD hierarchy (expect the top level where there will only be one).
we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. We index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index.
For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy.
\paragraph{The symptom abstraction process in outline.} \paragraph{The symptom abstraction process in outline.}
The $\derivec$ function processes a functional group and returns a derived component. The $\derivec$ function processes a functional group and returns a derived component.
Firstly, all the failure modes from all the components in the {\fg} Firstly, all the failure modes from all the components in the {\fg}
are used to create failure scenarios, which can be single failure modes are used to create failure scenarios, which can be single failure modes
or combinations of failure modes (where unitray state failure mode constraints do not apply). or combinations of failure modes where unitary state failure mode constraints do not apply.
% %
With all the failure scenarios, an analyst can With all the failure scenarios, an analyst can
determine how each scenario will affect the {\fg}. determine how each scenario will affect the {\fg}.
This will give one failure mode behaviour result for each failure scenario. This will give one failure mode behaviour result for each failure scenario.
With these results, we collect common symptoms. With these results, we collect common symptoms.
That is to say, that many of the resultant failure modes, will ehibit the same symptom of failure from the perspective That is to say, that many of the resultant failure modes, will exhibit the same symptom of failure from the perspective
of a user of the {\fg}. of a user of the {\fg}.
% %
We now can treat the functional group as a sort of `super~component'. We now can treat the functional group as a sort of `super~component'.
% %
In order to make this new `super~component' usable, it needs to be in the form of a In order to make this new `super~component' usable, it needs to be in the form of a
component, that is it has a name, and a set of failure modes. component, that is, it has a name, and a set of failure modes.
We can do this by creating a new {\dc} and assigning a name to it, as as its set of %
failure modes, the failure symptoms from the {\fg} from which it was derived. We can do this by creating a new {\dc} and assigning a name to it, and assigning its set of
failure modes being the failure symptoms of the {\fg} from which it was derived.
%A new {\dc} is created %A new {\dc} is created
%where its failure modes, are the symptoms from {\fg}. %where its failure modes, are the symptoms from {\fg}.
% %
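Review bot: `(expect the top level where there will only be one)` should read `except`, and `on each level of FMMD hierarchy` wants an article: `on each level of an FMMD hierarchy`. The reworded final sentence is still awkward (`assigning its set of failure modes being the failure symptoms`); suggest `We can do this by creating a new {\dc}, assigning it a name, and taking as its set of failure modes the failure symptoms of the {\fg} from which it was derived.` The `unitray` to `unitary` fix is good.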
@ -1257,7 +1266,7 @@ We can stipulate that symptom collection process is surjective.
% i.e. $ \forall f in F $ % i.e. $ \forall f in F $
By stipulating surjection for symptom collection, we ensure By stipulating surjection for symptom collection, we ensure
that each component failure mode maps to at least one symptom. that each component failure mode maps to at least one symptom.
We also ensure that all symptoms have at least one component failure This also ensures that all symptoms have at least one component failure
mode (i.e. one or more failure modes that caused it). mode (i.e. one or more failure modes that caused it).
% %
@ -1272,7 +1281,7 @@ to the sum of {\fms} in its base components.
In practise however, the number of symptoms greatly reduces as we traverse In practise however, the number of symptoms greatly reduces as we traverse
up the hierarchy. up the hierarchy.
The is echoed in real life systems, where the top level events/failures This is echoed in real life systems, where the top level events/failures
are always orders of magnitude smaller than sum of {\fms} in its base components. are always orders of magnitude smaller than sum of {\fms} in its base components.
%This is a natural process. When we have complicated systems %This is a natural process. When we have complicated systems
%they always have a small number of system failure modes in comparison to %they always have a small number of system failure modes in comparison to
@ -1284,7 +1293,7 @@ are always orders of magnitude smaller than sum of {\fms} in its base components
Integrated components such as OP-AMPS are already treated as {\dcs} Integrated components such as OP-AMPS are already treated as {\dcs}
in literature. in literature.
An Op-AMP is an integrated circuit comprising some hundred or so individual components An Op-AMP is an integrated circuit comprising some hundred or so individual components
but in the literature ~\ref{fmd91} is is described as a simple component with a set of failure modes. but in the literature ~\cite{fmd91} is is described as a simple component with a set of failure modes.
% Idea stage on this section, integrated circuits and some compond parts (like digital resistors) % Idea stage on this section, integrated circuits and some compond parts (like digital resistors)
% are treated like base components. i.e. this sets a precedent for {\dcs}. % are treated like base components. i.e. this sets a precedent for {\dcs}.
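Review bot: `is is described` duplicates `is`; it should read `it is described as a simple component`. Also `OP-AMPS` and `Op-AMP` are capitalised differently within two lines; pick one form (for example `op-amp`). Switching `\ref{fmd91}` to `\cite{fmd91}` is correct, as this is a bibliography key.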
@ -1357,8 +1366,8 @@ but in the literature ~\ref{fmd91} is is described as a simple component with a
% RANGE == OUTPUTS % RANGE == OUTPUTS
% %
When performing FMEA we have a system under investigation, which will When performing FMEA, we have a system under investigation, which will be
comprise of a collection of components which have associated failure modes. comprised of a collection of components which have associated failure modes.
The object of FMEA is to determine cause and effect: The object of FMEA is to determine cause and effect:
from the failure modes (the causes, {\fms} of {\bcs}) to the effects (or symptoms of failure) at the top level. from the failure modes (the causes, {\fms} of {\bcs}) to the effects (or symptoms of failure) at the top level.
% %
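Review bot: `which will be comprised of a collection of components` replaces one disputed construction with another; `comprise` already means `consist of`, so suggest `which will comprise a collection of components which have associated failure modes` or `which will consist of a collection of components ...`.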
@ -1366,20 +1375,20 @@ To perform FMEA rigorously
we could stipulate that every failure mode must be checked for effects we could stipulate that every failure mode must be checked for effects
against all the components in the system. against all the components in the system.
We could term this `rigorous~FMEA'~(RFMEA). We could term this `rigorous~FMEA'~(RFMEA).
The number of checks we have to make to achieve this gives an indication of the complexity of the task. The number of checks we have to make to achieve this, gives an indication of the complexity of the task.
% %
We could term this `comparison~complexity', as it is the number of We could term this `comparison~complexity', as the number of
paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. paths between failure modes and components necessary to achieve RFMEA for a given system/functional~group.
% (except its self of course, that component is already considered to be in a failed state!). % (except its self of course, that component is already considered to be in a failed state!).
% %
Obviously, for a small number of components and failure modes we have a smaller number Obviously, for a small number of components and failure modes, we have a smaller number
of checks to make than for a complicated larger system. of checks to make than for a complicated larger system.
% %
We can consider the system as a large {\fg} of components. We can consider the system as a large {\fg} of components.
We represent the number of components in the {\fg} $G$, by We represent the number of components in the {\fg} $G$, by
$ | G | $ $ | G | $,
(an indexing and sub-scripting notation to identify particular {\fgs} (an indexing and sub-scripting notation to identify particular {\fgs}
within an FMMD hierarchy is given in section~\ref{sec:indexsub}). within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
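Review bot: the added comma in `The number of checks we have to make to achieve this, gives an indication` separates subject from verb; drop it. In the commented line, `except its self` should be `except itself` if the comment is ever reinstated. The rewording of `comparison~complexity` as `the number of paths between failure modes and components necessary to achieve RFMEA` reads well.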
@ -1497,9 +1506,10 @@ rigorous checking feasible.
\subsection{Comparing FMMD and RFMEA comparison complexity} \subsection{Comparing FMMD and RFMEA comparison complexity}
Because components have variable numbers of failure modes, Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components it is difficult to and {\fgs} have variable numbers of components, it is difficult to
use the general formula for comparing the number of checks to make for use the general formula for comparing the number of checks to make for
RFMEA and FMMD. RFMEA and FMMD.
%
If we were to create an example by fixing the number of components in a {\fg} If we were to create an example by fixing the number of components in a {\fg}
and the number of failure modes per component, we can derive formulae and the number of failure modes per component, we can derive formulae
to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to
@ -1521,11 +1531,11 @@ there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\f
The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$
checked against the remaining components in the {\fg} $(k-1)$. checked against the remaining components in the {\fg} $(k-1)$.
If, for the sake of example we fix the number of components in a {\fg} to three and If, for the sake of example, we fix the number of components in a {\fg} to three and
the number of failure modes per component to three, an FMMD hierarchy the number of failure modes per component to three, an FMMD hierarchy
would look like figure~\ref{fig:three_tree}. would look like figure~\ref{fig:three_tree}.
\subsection{Worked Example} \subsection{RFMEA FMMD Comparison Example}
Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis.
Starting at the top, we have a {\fg} with three derived components, each of which has Starting at the top, we have a {\fg} with three derived components, each of which has
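Review bot: the first line of the hunk, `is number of components $k$ multiplied by`, is missing an article (`is the number of components $k$`). The new heading `RFMEA FMMD Comparison Example` needs a separator between the two acronyms, e.g. `RFMEA/FMMD Comparison Example` or `Comparison Example: RFMEA and FMMD`.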
@ -1544,7 +1554,7 @@ and $(|G|-1)$ is 26.
This gives: This gives:
$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. $CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$.
In order to get general equations with which to compare RFMEA with FMMD In order to get general equations with which to compare RFMEA with FMMD,
we can re-write equation~\ref{eqn:CC} in terms of the number of levels we can re-write equation~\ref{eqn:CC} in terms of the number of levels
in an FMMD hierarchy. in an FMMD hierarchy.
% %
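Review bot: in `$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$` the cardinality bars around the literals 3 and 27 mean nothing (`|3|` is just 3) and the `.` typesets as a full stop rather than a multiplication sign; `\sum_{n=1}^{27} 3 \cdot (27-1) = 2106` gives the same value (27 terms of 3 x 26) and reads as arithmetic.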
@ -1610,7 +1620,7 @@ functional groups in the system we are examining.
A good example of this, are de-coupling capacitors, often used A good example of this, are de-coupling capacitors, often used
over the power supply pins of all chips in a digital logic circuit. over the power supply pins of all chips in a digital logic circuit.
Were any of these capacitors to fail $SHORT$ they could bring down Were any of these capacitors to fail $SHORT$, they could bring down
the supply voltage to the other logic chips. the supply voltage to the other logic chips.
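Review bot: `A good example of this, are de-coupling capacitors` has both a stray comma and a number disagreement between subject and verb; write either `A good example of this is the de-coupling capacitor` or `Good examples of this are de-coupling capacitors`. The added comma in `Were any of these capacitors to fail $SHORT$, they could` is correct.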
@ -1627,7 +1637,7 @@ in the power-supply {\fg}.
% I think so % I think so
Because the capacitor has two potential failure modes (EN298) Because the capacitor has two potential failure modes (EN298),
this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails). a power-supply module (but there might be additional noise on its output rails).
But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$.
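Review bot: the comma in the last line of the hunk is misplaced: `But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$` should be `But in {\fg} terms the power supply now has a new symptom, that of $INTERFERENCE$`. The line above it also mixes `a power-supply module` with `{\fg}` for the same unit; pick one term.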
@ -1637,9 +1647,10 @@ A logic chip with de-coupling capacitor failing, may operate correctly
but interfere with other chips in the circuit. but interfere with other chips in the circuit.
There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}.
This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. This allows for the general principle of a component failure affecting more than one {\fg} in a circuit.
This allows functional groups to share components where necessary. This allows functional groups to share components where necessary.
This does not break the modularity of the FMMD technique, because, as {\irl} This does not break the modularity of the FMMD technique, because, as {\irl},
one component failure may affect more than one sub-system. one component failure may affect more than one sub-system.
It does uncover a weakness in the FMMD methodology though. It does uncover a weakness in the FMMD methodology though.
It could be very easy to miss the side effect and include It could be very easy to miss the side effect and include
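Review bot: two consecutive sentences open with `This allows` (`This allows for the general principle ...` and `This allows functional groups to share components ...`) and say much the same thing; merge them, e.g. `This allows functional groups to share components where necessary, admitting the general principle that one component failure can affect more than one {\fg} in a circuit.`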
@ -1668,13 +1679,13 @@ other more complex double failures tricking the controller into thinking the
combustion was actually safe when it was not. combustion was actually safe when it was not.
% %
It would be impractical to It would be impractical to
perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. perform the number of checks (as the checking is a time-consuming human process) required of RFMEA on a system as complex as a burner controller.
It has been shown that, for all but trivial small systems, double failure mode checking It has been shown that, for all but trivial small systems, double failure mode checking
is impossible from a practical perspective. is impossible from a practical perspective.
FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature
of choosing {\fgs} we will not (in the initial stages) be cross checking all possible of choosing {\fgs} we will not (in the initial stages) be cross checking all possible
combinations of double failures in all the components. combinations of double failures in all of the components.
The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks
to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. to model failure mode scenarios. The failure scenario is defined by the contours that enclose it.
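Review bot: `The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams` has a comma between subject and verb; remove it. `for all but trivial small systems` should read `trivially small systems`. `It has been shown that ...` also asserts a result without pointing at where it was shown; a `\ref` to the comparison calculation earlier in the chapter would support the claim.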
@ -1715,11 +1726,11 @@ This guarantees to check the symptoms caused by the
failure modes in the other {\fgs} with the symptoms failure modes in the other {\fgs} with the symptoms
derived from the other {\fgs} modelling for double failures. derived from the other {\fgs} modelling for double failures.
% %
By traversing down the tree we can automatically determine which By traversing down the tree, we can automatically determine which
double simultaneous combinations have not been resolved. double simultaneous combinations have not been resolved.
% %
By applying double simultaneous checking until no single failures By applying double simultaneous checking until no single failures
canlead to a top level event, we can lead to a top level event, we
double failure move coverage. double failure move coverage.
To extend the example in figure~\ref{fig:dubsim1} we can map the failure To extend the example in figure~\ref{fig:dubsim1} we can map the failure
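Review bot: after the `canlead` fix the sentence `By applying double simultaneous checking until no single failures can lead to a top level event, we double failure move coverage.` still has no main verb and `move` looks like a typo for `mode`; presumably `we improve double failure mode coverage`. In the first two lines, `the other {\fgs}` is used twice for what appear to be two different sets of groups (`failure modes in the other {\fgs} with the symptoms derived from the other {\fgs}`); name them distinctly.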
@ -1754,7 +1765,7 @@ A commonly used temperature measuring circuit, the $Pt100$, is analysed
for double simultaneous failure analysis in section~\ref{sec:pt100}. for double simultaneous failure analysis in section~\ref{sec:pt100}.
A software tool tracking the analysis process A software tool tracking the analysis process
could check, that, all possible single and double could check that all possible single and double
failure modes combinations have been analysed as failure scenarios. failure modes combinations have been analysed as failure scenarios.
%single %single
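Review bot: `all possible single and double failure modes combinations` should be `failure mode combinations` (singular attributive noun). Removing the commas around `that` in `could check that all possible single and double` is the right fix.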
@ -1797,12 +1808,12 @@ failure modes combinations have been analysed as failure scenarios.
% %
\section{Algorithmic Description of Symptom Abstraction} \section{Algorithmic Description of Symptom Abstraction}
\label{sec:symptom_abstraction}
This section uses algorithms and set theory to describe the process for This section uses algorithms and set theory to describe the process for
analysing a {\fg} and determining from it a {\dc}. analysing a {\fg} and determining from it a {\dc}.
% %
\paragraph{Symptom Abstraction in brief} \paragraph{Symptom Abstraction in brief}
In essence, we take a {\fg} ( a collection of components), In essence, we take a {\fg} (a collection of components),
and apply FMEA analysis locally on this {\fg}. and apply FMEA analysis locally on this {\fg}.
% %
In this way, we determine how that {\fg} can fail. In this way, we determine how that {\fg} can fail.
@ -1825,7 +1836,7 @@ of a system can be built from the bottom~up. This process can continue
until there is a complete hierarchy representing the failure mode until there is a complete hierarchy representing the failure mode
behaviour of the entire system under analysis. behaviour of the entire system under analysis.
%FMMD hierarchy %FMMD hierarchy
Using the FMMD technique the hierarchy is built from the bottom up to Using the FMMD technique, the hierarchy is built from the bottom up to
ensure complete failure mode coverage. ensure complete failure mode coverage.
Because the process is bottom-up, syntax checking and tracking can ensure that Because the process is bottom-up, syntax checking and tracking can ensure that
no component failure mode can be overlooked. no component failure mode can be overlooked.
@ -1933,7 +1944,7 @@ The effects on the functional group can then be collected as common symptoms,
and now we may treat the functional group as a component, as it has a known set of failure modes. and now we may treat the functional group as a component, as it has a known set of failure modes.
% %
By reusing the `components' derived from functional~groups, an entire By reusing the `components' derived from functional~groups, an entire
hierihical failure mode model of the system can be built. hierarchical failure mode model of the system can be built.
That is to say, using derived components in higher level functional groups, That is to say, using derived components in higher level functional groups,
a hierarchy is naturally formed. a hierarchy is naturally formed.
% %
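Review bot: this hunk spells out `functional~groups` where the rest of the chapter uses the `{\fgs}` macro (see the earlier hunks); use the macro here too so a later change to the term propagates. The `hierihical` to `hierarchical` fix is correct.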
@ -1942,7 +1953,7 @@ that could cause a particular mode of equipment failure.
This means that at the design stage of a product all component failure This means that at the design stage of a product all component failure
modes must be considered. The aim here is for complete failure mode coverage. modes must be considered. The aim here is for complete failure mode coverage.
This also means that we can obtain statistical estimates based on the known reliabilities This also means that we can obtain statistical estimates based on the known reliabilities
of components\cite{mil1992}. of components~\cite{mil1991}.
%It also means that every component failure mode must at the very least be considered. %It also means that every component failure mode must at the very least be considered.
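Review bot: the citation key changes from `mil1992` to `mil1991`; confirm that `mil1991` is defined in the .bib file and that no other chapter still cites `mil1992`, otherwise BibTeX reports an undefined citation. The added `~` before `\cite` is the right way to stop a line break before the bracket.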
@ -2028,7 +2039,7 @@ The aim of this analysis is to find out how the functional~group fails given
the test case conditions, for each test case. the test case conditions, for each test case.
The goal of the process is to produce a set of failure modes from the perspective of the user of the functional~group. The goal of the process is to produce a set of failure modes from the perspective of the user of the functional~group.
% %
In other words, if a designer is handed an piece of circuitry to use, he need not be concerned with In other words, if a designer is handed a piece of circuitry to use, he need not be concerned with
the failure modes of its components. He is handed it as a derived component, which has the failure modes of its components. He is handed it as a derived component, which has
a set of failure mode symptoms. The designer can now treat this piece of circuitry as a black box, or {\dc}. a set of failure mode symptoms. The designer can now treat this piece of circuitry as a black box, or {\dc}.
@ -2080,13 +2091,18 @@ The common symptoms of failure and lone~symptoms are identified and collected.
We can now consider the functional~group as a component and the symptoms as its failure modes. We can now consider the functional~group as a component and the symptoms as its failure modes.
Note that here, because the process is bottom up, we can ensure that all failure modes Note that here, because the process is bottom up, we can ensure that all failure modes
from the components in a functional~group have been handled\footnote{Software can check that all from the components in a functional~group have been handled\footnote{Software can check that all
failure modes have been included in at least one test case, and modelled individually. For Double failure modes have been included in at least one test case, and modelled individually.
%
For Double
Simultaneous fault mode checking, all valid double failure modes can be checked for coverage as well.}. Simultaneous fault mode checking, all valid double failure modes can be checked for coverage as well.}.
Were failure~modes missed, any failure mode model could be dangerously incomplete. %
It is possible here for an automated system to flag unhandled failure modes, Were any failure~modes missed, the failure mode model could be dangerously incomplete.
which solves the main failing of top~down methodologies \cite{topdownmiss}, that of not It is possible here for an automated system to flag un-handled failure modes,
which solves the main failing of top~down methodologies
%\cite{topdownmiss},
that of not
guaranteeing to model all component failure modes. guaranteeing to model all component failure modes.
\ref{requirement at the start} %\ref{requirement at the start}
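Review bot: commenting out `\cite{topdownmiss}` leaves the claim about `the main failing of top~down methodologies` unsupported; if the key is missing from the bibliography, add the entry rather than dropping the citation, or mark the `%\cite` with a TODO so it is restored before submission. The same applies to `%\ref{requirement at the start}`; the label also contains spaces, which LaTeX tolerates but which is fragile, so rename it (e.g. `sec:requirement_start`) when the target gets its label. `un-handled` should be `unhandled`.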
\section{The Process} \section{The Process}
@ -2110,12 +2126,13 @@ form `test cases'.
% \item For each region on the diagram, make a test case % \item For each region on the diagram, make a test case
\item Using the `test cases' as scenarios to examine the effects of component failures, \item Using the `test cases' as scenarios to examine the effects of component failures,
we determine the failure~mode behaviour of the functional group. we determine the failure~mode behaviour of the functional group.
%
This is a human process, involving detailed analysis of the component failure modes in the test case on the {\fg}. This is a human process, involving detailed analysis of the component failure modes in the test case on the {\fg}.
Where specific environment conditions, or applied states are germane to the {\fg}, these must be examined Where specific environment conditions, or applied states are germane to the {\fg}, these must be examined
for each test case. for each test case.
\item Collect common~symptoms by determining which test cases produce the same fault symptoms {\em from the perspective of the functional~group}. \item Collect common~symptoms by determining which test cases produce the same fault symptoms {\em from the perspective of the functional~group}.
\item The common~symptoms are now the fault mode behaviour of the {\fg}. i.e. given the {\fg} as a `black box' the symptoms are the ways in which it can fail. \item The common~symptoms are now the fault mode behaviour of the {\fg}. i.e. given the {\fg} as a `black box' the symptoms are the ways in which it can fail.
\item A new `derived component' can now be created where each common~symptom, or lone symptom is a failure~mode of this new component. \item A new `derived component' can now be created where each common~symptom, or lone symptom, is a failure~mode of this new component.
\end{itemize} \end{itemize}
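Review bot: `the fault mode behaviour of the {\fg}. i.e. given the {\fg} as a `black box' the symptoms are ...` puts a full stop before `i.e.`, leaving a fragment; use a comma, or start a new sentence: `That is, given the {\fg} as a `black box', the symptoms are the ways in which it can fail.` The `%` inserted on its own line before `This is a human process` is harmless but has no effect (a lone `%` only swallows its own newline), so it can go.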
@ -2377,7 +2394,7 @@ the SYSTEM level.
%% IF this is a paper it needs work on the description here. %% IF this is a paper it needs work on the description here.
} }
{ {
To re-cap from the formal FMMD description chapter \ref{chap:fmmdset}. %To re-cap from the formal FMMD description chapter \ref{chap:fmmdset}.
Let the set of all possible components be $\mathcal{C}$ Let the set of all possible components be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$. and let the set of all possible failure modes be $\mathcal{F}$.
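Review bot: commenting out `To re-cap from the formal FMMD description chapter \ref{chap:fmmdset}.` makes the conditional block open directly with `Let the set of all possible components be $\mathcal{C}$`; if the sentence was removed because `chap:fmmdset` no longer exists, a one-line lead-in is still needed so the definitions do not start abruptly.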
@ -2514,7 +2531,7 @@ from the bottom-up.
The first stage is to find the failure modes to consider for The first stage is to find the failure modes to consider for
analysis, analysis,
using the earlier definition of the function `fm'. using the earlier definition of the function $fm$.
The function $fm$ applied to a component returns the failure modes for that component. The function $fm$ applied to a component returns the failure modes for that component.
Thus its domain is the set of all components $\mathcal{C}$ and its range Thus its domain is the set of all components $\mathcal{C}$ and its range
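Review bot: `$fm$` in math mode typesets as the two italic variables f and m with variable spacing, not as a function name; use `\mathit{fm}` (or define `\newcommand{\fm}{\mathit{fm}}`) and apply it consistently in both `the function $fm$` and `The function $fm$ applied to a component`.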
@ -2596,7 +2613,7 @@ $$ dtc(F) = TC $$
In algorithm \ref{alg22}, the function \textbf{chosen} means that the failure modes for a particular test case have been chosen by In algorithm \ref{alg22}, the function \textbf{chosen} means that the failure modes for a particular test case have been chosen by
a human operator and are additional to those chosen by the automated process (i.e they are special case test cases involving multiple failure modes) a human operator and are additional to those chosen by the automated process (i.e they are special case test cases involving multiple failure modes)
The function \textbf{unitarystate} means that all test cases can have no pairs of failure modes sourced from the same component. The function \textbf{unitary state} means that all test cases can have no pairs of failure modes sourced from the same component.
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
%% perhaps ref a paper here XXXXX %% perhaps ref a paper here XXXXX
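Review bot: renaming `\textbf{unitarystate}` to `\textbf{unitary state}` must be mirrored in algorithm \ref{alg22}, otherwise the prose no longer names the function as it appears in the listing. In the line above, `(i.e they are special case test cases involving multiple failure modes)` is missing the stop after `i.e.` and the sentence has no terminating full stop before `The function`.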
View File
@ -121,7 +121,7 @@ from the FMD-91 reference source and from the guidelines of the
European burner standard EN298. European burner standard EN298.
\subsection{Failure mode determination for generic resistor.} \subsection{Failure mode determination for generic resistor.}
\label{sec:resistorfm}
%- Failure modes. Prescribed failure modes EN298 - FMD91 %- Failure modes. Prescribed failure modes EN298 - FMD91
\paragraph{Resistor failure modes according to FMD-91.} \paragraph{Resistor failure modes according to FMD-91.}
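Review bot: `\label{sec:resistorfm}` directly after the `\subsection` is the right placement. The heading `Failure mode determination for generic resistor.` should not end with a full stop and wants an article (`for a generic resistor`).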
View File
@ -1,8 +1,7 @@
CHAPTERS = CH1 CH2 CH3 CH4 CH5 CH6 CH7 CH8
all: bib ${CHAPTERS}
all: bib chapters_sub_make
pdflatex thesis pdflatex thesis
makeindex thesis.glo -s thesis.ist -t thesis.glg -o thesis.gls makeindex thesis.glo -s thesis.ist -t thesis.glg -o thesis.gls
acroread thesis.pdf acroread thesis.pdf
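Review bot: with `CHAPTERS` removed, `all` depends only on `bib` and `chapters_sub_make`, so whatever the old `${CHAPTERS}` targets built is no longer triggered unless `chapters_sub_make` covers it (the second hunk shows it only runs `make copy` in each chapter directory). Separately, the recipe runs `pdflatex thesis` once and then `makeindex`, so the glossary `makeindex` produces is only picked up on the next build; run `pdflatex` again after `makeindex`. Launching `acroread thesis.pdf` from `all` also makes the target unusable non-interactively; move it to a separate `view` target.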
@ -23,5 +22,5 @@ chapters_sub_make:
cd CH5_Examples; make copy cd CH5_Examples; make copy
cd CH6_Evaluation; make copy cd CH6_Evaluation; make copy
cd CH7_Conculsion; make copy cd CH7_Conculsion; make copy
cd CH8_finsh_appendixes; make copy #cd CH8_finsh_appendixes; make copy
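Review bot: `#cd CH8_finsh_appendixes; make copy` is commented out with no reason given; add a comment or TODO, otherwise the appendices silently drop out of the build. The `cd DIR; make copy` pattern also ignores a failed `cd` and then runs `make copy` in the top-level directory; `$(MAKE) -C CH5_Examples copy` (and likewise for the other chapters) fails properly and propagates make flags. The directory names `CH7_Conculsion` and `CH8_finsh_appendixes` are misspelled, but renaming them belongs in a separate commit.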