91 lines
3.3 KiB
TeX
\ifthenelse {\boolean{paper}}
{
\abstract{ This chapter looks at current methodologies
for static analysis of safety critical systems
and looks at the statistical justifications for their application.}
}
{}

\section{Introduction}


\section{Current Methods for Safety Critical Analysis}


\subsection{Deterministic Approach}

\paragraph{NOT WRITTEN YET PLEASE IGNORE}

No single component fault may lead to a dangerous condition.
EN298, EN230 etc.

\subsection{Bayes Theorem}

\paragraph{NOT WRITTEN YET PLEASE IGNORE}

\label{bayes}

Describe application - likelihood of faults being the cause of symptoms -
probabilistic approach - no direct causation paths to the higher~abstraction fault mode.
Often for instance a component in a module within a module within a module etc
that has a probability of causing a SYSTEM level fault.

Used in FTA\cite{NASA}\cite{NUK}.
The idea being that probabilities can be assigned to components
failing, causing system level errors.

Problems: it is difficult to get reliable statistics
for the probability of a component failure causing a system failure, because of small sample numbers...

The FMMD approach can, by traversing down the tree, use known component failure figures
to get {\em accurate} probabilities and potential causes.

%$$ c1 \cap c2 \eq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \in U $$

%Thus if the failure~modes are pairwise mutually exclusive they qualify for inclusion into the
%unitary~state set family.

\subsection{Safety Integrity Level Analysis}

\paragraph{NOT WRITTEN YET PLEASE IGNORE}

\label{sil}

This technique looks at all components in the parts list
and asks what the effect of the component failing will be.
Note that particular failure modes of the component are not considered.
The component can fail in any of its failure modes from the perspective of this analysis.
The analyst has to make a choice between four conditions:

\begin{itemize}
\item sd - A safe fault that is detected by an automated system
\item su - A safe fault that is undetected by an automated system
\item dd - A potentially dangerous fault that is detected by an automated system
\item du - A potentially dangerous fault that is not detected by an automated system
\end{itemize}

Actually this is almost how SIL analysis is done, because
the base components are listed
and their failure result is classified as either sd, su, dd or du.

A formula is then applied according to the system architecture (1oo1, 2oo3, 3oo3 etc).

What is not done is the probability for all these conditions; the SIL analysis
person simply has to decide which it is.
Another fault in this is that it is very difficult to
extract meaningful statistics
for how likely the detection systems are to pick the fault up, or even to introduce a fault of their own.
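The classification and architecture-formula step described above, as an added example that is not part of this chapter: a constructed parts list in which each component carries both the analyst's sd/su/dd/du choice and an assumed failure rate, from which the safe failure fraction and the average probability of failure on demand for 1oo1, 1oo2 and 2oo3 voting are computed. The part names and rates are constructed, and the PFD expressions are the simplified IEC 61508-6 forms (an assumption made here; common-cause and repair-time terms are omitted).

```python
# Added example (constructed, not the chapter's own material): a SIL parts-list
# pass that keeps the probability step the text notes is normally skipped.  PFD
# forms are the simplified IEC 61508-6 ones (assumed; no common-cause/repair terms).
from dataclasses import dataclass
FIT = 1e-9  # one FIT = 1e-9 failures per hour

@dataclass
class Part:
    name: str
    rate: float      # total failure rate in failures per hour (constructed)
    category: str    # analyst's choice: "sd", "su", "dd" or "du"

def totals(parts):
    """Sum the failure rates of the parts list into the four SIL categories."""
    lam = {"sd": 0.0, "su": 0.0, "dd": 0.0, "du": 0.0}
    for p in parts:
        if p.category not in lam:
            raise ValueError(f"{p.name}: unknown category {p.category!r}")
        lam[p.category] += p.rate
    return lam

def safe_failure_fraction(lam):
    """SFF = (safe + dangerous-but-detected) / all failures."""
    total = sum(lam.values())
    return (lam["sd"] + lam["su"] + lam["dd"]) / total if total else 0.0

def pfd_avg(lam_du, proof_test_interval_h, architecture):
    """Average PFD of a voting architecture from the du rate (valid while lam_du*T is small)."""
    x = lam_du * proof_test_interval_h
    if architecture == "1oo1":
        return x / 2
    if architecture == "1oo2":
        return x * x / 3
    if architecture == "2oo3":
        return x * x
    raise ValueError(f"unsupported architecture {architecture!r}")

# Constructed parts list: each part already classified sd/su/dd/du by the analyst.
PARTS = [
    Part("pressure transmitter", 300 * FIT, "du"),
    Part("input comparator", 50 * FIT, "dd"),
    Part("watchdog", 20 * FIT, "sd"),
    Part("relay coil", 100 * FIT, "su"),
]

def analyse(parts=PARTS, proof_test_interval_h=8760):
    lam = totals(parts)
    return {"sff": safe_failure_fraction(lam),
            "pfd_1oo1": pfd_avg(lam["du"], proof_test_interval_h, "1oo1"),
            "pfd_2oo3": pfd_avg(lam["du"], proof_test_interval_h, "2oo3")}
```

With a one-year proof-test interval the du rate alone fixes the PFD, which is exactly the figure the text says the category-only method never produces.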

\subsection{Tests of Hypotheses and Significance}

\paragraph{NOT WRITTEN YET PLEASE IGNORE}

Linked in with Bayes theorem.
Accident analysis:
plane crashes and faults etc.
In high reliability systems the faults are often logged - strange occurrences -
processors resetting - what are the common factors - P values -
for instance very high voltage spikes can reset micro controllers -
but how do you correlate that with unshielded suppressed contactors...

Maybe looking at the equipment and seeing if there is a 5\%
level of the error being caused ?
i.e. using it to search for these conditions ?

Actually this could be used to refine the SIL method \ref{sil}
and give probabilities for the four conditions.