\documentclass[twocolumn]{article}
%\documentclass[a4paper,10pt]{report}

\usepackage{graphicx}
\usepackage{fancyhdr}
\usepackage{tikz}
\usetikzlibrary{shapes,snakes}
\usepackage{amsfonts,amsmath,amsthm}
%\input{../style}
\usepackage{ifthen}
\usepackage{lastpage}

\newboolean{paper}
\setboolean{paper}{true} % boolvar=true or false

%\newtheorem{definition}{Definition:}

\begin{document}
\pagestyle{fancy}
\fancyhf{}
%\renewcommand{\chaptermark}[1]{\markboth{ \emph{#1}}{}}
\fancyhead[LO]{}
\fancyhead[RE]{\leftmark}
%\fancyfoot[LE,RO]{\thepage}
\cfoot{Page \thepage\ of \pageref{LastPage}}
\rfoot{\today}
\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology}

%\outerhead{{\small\bf Developing a rigorous bottom-up modular static failure mode modelling methodology}}
%\innerfoot{{\small\bf R.P. Clark } }
% numbers at outer edges
\pagenumbering{arabic} % Arabic page numbers hereafter
\author{R.P.Clark}
\title{Developing a rigorous bottom-up modular static failure mode modelling methodology}
\maketitle

\begin{abstract}
This paper proposes a methodology for
creating failure mode models of safety critical systems, which
has a common notation
for mechanical, electronic and software domains and applies an
incremental and rigorous approach.

The four main static failure mode analysis methodologies were examined and,
in the context of newer European safety standards, assessed.
Some of the deficiencies identified in these methodologies led to
a wish list for a more rigorous methodology.
%%
%% What I have found
%%
From the wish list
%and considering some constraints determined from
%the evaluation of the four established methodologies,
a new
methodology is developed and proposed.
This has been named Failure Mode Modular De-Composition (FMMD).

%% Sell it
%%
In addition to addressing the traditional weaknesses of
Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA), Failure Mode Effects Criticality Analysis (FMECA)
and Failure Mode Effects and Diagnostic Analysis (FMEDA), FMMD provides the means to model multiple failure mode scenarios
as specified in newer European Safety Standards \cite{en298}.
The proposed methodology is bottom-up and can guarantee to leave no component failure mode unhandled.
It is also modular, meaning that the results of analysed components may be re-used in other projects.
\end{abstract}

\section{Introduction}

The certification process of safety critical products for European and
other international standards often involves environmental stress,
endurance and EMC testing. Theoretical, or ``static testing'',
is often also required to highlight modifications that must be made to
improve the product safety, or to identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of safety critical systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
These properties provide advantages in rigour and efficiency when compared to current methodologies.

\subsection{Current methodologies}

We briefly analyse the four current methodologies.

Fault Tree Analysis (FTA) is a top-down methodology in which a diagram is drawn for
each undesirable top level event, presenting the conditions that must arise to cause
the event. It is suitable for large complicated systems with few undesirable top
level events and focuses on those events considered most important or most catastrophic.
Effects of duplication/redundancy of safety systems can be readily assessed.
It uses notations that are readily understood by engineers.
However, it cannot guarantee to model all base component failure modes,
nor can it be used to determine system level errors other than those modelled.
Each diagram is a separate model, creating duplication of modelled elements,
and there is no facility to cross-check between diagrams. It has limited
support for environmental and operational states.

Fault Mode Effects Analysis (FMEA) is used principally in manufacturing.
Each defect is assessed by its cost to repair and its frequency, using a
failure mode ratio. A list of failures and their cost is generated.
It is easy to identify scenarios in which a single component failure leads to system failure,
and an estimate of product reliability can be calculated. It cannot focus on
component interactions that cause system failure modes, nor determine potential
problems from simultaneous failure modes. It does not consider environmental
or operational states in sub-systems or components. It cannot model
self-checking safety elements or other in-built safety features, nor
analyse how particular components may fail.

Failure Mode Criticality Analysis (FMECA) is a refinement of FMEA, using
two extra variables: the probability of a component failure mode occurring
and the probability that this will cause a top level failure, and the perceived
criticality. It gives better estimations of product reliability/safety and of the
occurrence of particular system failure modes than FMEA, but has similar deficiencies.

Failure Modes, Effects and Diagnostic Analysis (FMEDA) is a refinement of
FMEA and FMECA and models self-checking safety elements. It assigns two
attributes to component failure modes: detectable/undetectable and safe/dangerous.
Statistical measures about the system can be made and used to classify a
safety integrity level. It allows designs with in-built safety features to be assessed.
Otherwise, it has similar deficiencies to FMEA, but has limited support
for environmental and operational states in sub-systems or components,
via self-checking statistical mitigation.

\subsection{Requirements for an improved methodology}

The deficiencies identified in the
current methodologies are used to establish criteria for an improved methodology.
It must include all component failure modes and therefore should be bottom-up,
starting with individual component failure modes. Components should be broken
down into small functional groups to enable the examination of the effect of a
component failure mode on the other components in the group.

\subsection{Development of the new methodology}

An ontology is developed of
failure modes and their relationship to environmental factors,
operational states and the hierarchical nature inherent in product design,
defining the relationships between the system as a whole, components,
failure modes, operational and environmental states. The ontology is used
to determine the nature of a hierarchy modelling the system, and to which
entities various conditions and procedures are germane. From the ontology,
we determine that environmental effects relate to components, and
operational states to functional groups. A functional group can be
analysed with respect to its component failure modes, operational
states and environmental conditions, and from this a set of failure
modes, or symptoms, for the functional group can be determined. A functional group
can be treated as a derived component. Derived components can be
used to build functional groups at a higher level. In this manner we
can build a hierarchical model with each layer consisting of
components derived from the functional groups of derived components.
From the ontology, a set of rules for simplifying the failure
modes (collecting them into common symptoms) as we traverse up the
hierarchy is developed. The hierarchical model can have layers added
until it converges to a top level single functional group. On collecting
symptoms from this, we are left with the top level, or system level, failure modes.
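As an added illustration that is not part of this paper or its proof-of-concept tools, the following Python sketch models the derivation step just described: components carry failure modes, a functional group maps every member failure mode to a symptom, the group is then treated as a derived component, and derivation refuses to proceed while any failure mode is unmapped, which is the bottom-up completeness guarantee claimed in the abstract. All component, failure mode and symptom names are constructed for the example.

```python
"""Toy FMMD-style hierarchy (constructed example, not the paper's tools):
components with failure modes, functional groups collecting them into
symptoms, derived components, and a per-layer completeness check."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Component:
    name: str
    failure_modes: frozenset  # generic failure modes, or symptoms if derived

@dataclass
class FunctionalGroup:
    name: str
    members: list                                  # base or derived Components
    symptoms: dict = field(default_factory=dict)   # (component, failure_mode) -> symptom

    def unhandled(self):
        """Member failure modes that no symptom accounts for (must be empty)."""
        return {(c.name, fm) for c in self.members for fm in c.failure_modes
                if (c.name, fm) not in self.symptoms}

    def derive(self):
        """Collect symptoms into a derived component; refuse if anything is unhandled."""
        missing = self.unhandled()
        if missing:
            raise ValueError(f"{self.name}: unhandled failure modes {sorted(missing)}")
        return Component(self.name, frozenset(self.symptoms.values()))

# Constructed bottom layer: a potential divider and an op-amp as a sensing stage.
R1 = Component("R1", frozenset({"OPEN", "SHORT"}))
R2 = Component("R2", frozenset({"OPEN", "SHORT"}))
OPAMP = Component("OPAMP", frozenset({"LATCH_HIGH", "LATCH_LOW", "NO_OUTPUT"}))
SENSE = FunctionalGroup("SENSE", [R1, R2, OPAMP], {
    ("R1", "OPEN"): "OUT_HIGH", ("R1", "SHORT"): "OUT_LOW",
    ("R2", "OPEN"): "OUT_LOW", ("R2", "SHORT"): "OUT_HIGH",
    ("OPAMP", "LATCH_HIGH"): "OUT_HIGH", ("OPAMP", "LATCH_LOW"): "OUT_LOW",
    ("OPAMP", "NO_OUTPUT"): "OUT_LOW",
})

def build_system():
    """Derive SENSE, pair it with a constructed monitor in the single top-level
    group, and return the system-level failure modes (the top group's symptoms)."""
    sense = SENSE.derive()
    monitor = Component("MONITOR", frozenset({"STUCK_OK", "FALSE_ALARM"}))
    top = FunctionalGroup("SYSTEM", [sense, monitor], {
        ("SENSE", "OUT_HIGH"): "DETECTED_FAULT", ("SENSE", "OUT_LOW"): "DETECTED_FAULT",
        ("MONITOR", "STUCK_OK"): "UNDETECTED_FAULT", ("MONITOR", "FALSE_ALARM"): "SPURIOUS_TRIP",
    })
    return top.derive().failure_modes
```

Calling build_system() walks both layers and returns the three constructed system-level failure modes; leaving any (component, failure mode) pair out of a group's symptom map makes derive() raise, which is the check a reviewer would want before accepting a layer.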

The model is presented in a diagrammatic notation that has been
designed to be intuitive and understandable. It uses well-tested
visual techniques to represent the elements of the model and their
relationships. Software support for the development of models in this
notation has been designed and proof-of-concept tools have been implemented.

This new approach is called
Failure Mode Modular De-Composition (FMMD) and is designed
to be a superset of the current four approaches, that is to say,
from an FMMD model we should be able to
derive models that the other four methodologies would have been
able to create. As this approach is modular, many of the results of
analysed components may be re-used in other projects, so
test efficiency is improved.

FMMD is based on generic failure modes, so it is not constrained to a
particular field. It can be applied to mechanical, electrical or software domains.
It can therefore be used to analyse systems comprising electrical,
mechanical and software elements in one integrated model.

%

\bibliographystyle{plain}
\bibliography{../vmgbibliography,../mybib}

\today
\end{document}