Robin_PHD/submission_thesis/CH6_Evaluation/copy.tex
Robin Clark 83a297a193 Working through RFMEA and FMMD
comparison complexity examples.
Re-calculating some, because they were
removed and not left commented out.
Annoying but good revision in how I came
up with the metrics.
2013-02-01 14:07:56 +00:00


\label{sec:chap7}
\section*{Metrics}
%
This chapter begins by defining a metric for the complexity of an FMEA analysis task.
%
This concept is called `comparison~complexity' and is a means to assess
the performance of FMMD against current FMEA methodologies.
%
This metric is developed using set theory % formally
and then formulae are presented for calculating the
complexity of applying FMEA to a group of components.
%
These formulae are then used for a hypothetical example, which is analysed by both FMEA and FMMD.
Following on from the formal definitions, `unitary state failure modes' are defined. In short these
ensure that component failure modes are mutually exclusive.
% MOVE TO CH5 FMMD makes the claim that it can perform double simultaneous failure mode analysis without an undue
% MOVE TO CH5 state explosion drawback.
% MOVE TO CH5 To support this, an example of single and double failure analysis is provided, using the four wire Pt100
% MOVE TO CH5 temperature measurement sensor circuit. This example is also used to show how component failure rate statistics can be
% MOVE TO CH5 used with FMMD.
This is followed by some critiques i.e. possible areas of difficulty when performing FMMD, and then
a general evaluation. % comparing it with traditional FMEA.
%
% Moving Pt100 to metrics
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical
%failure mode classification % analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%
\section{Defining the concept of `comparison~complexity' in FMEA}
\label{sec:cc}
%
% DOMAIN == INPUTS
% RANGE == OUTPUTS
%
When we hear of a safety critical system we typically think of it in terms of
the physical plant---or in terms of its safety functionality.
%
When performing FMEA we consider the system under investigation
to be a collection of components which have associated failure modes.
%
The object of FMEA is to determine cause and effect.
%We apply reasoning to calculate, using the failure modes, the effects
%from these failure modes (the causes, {\fms} of {\bcs}) to the effects
%(or symptoms of failure) at the top level.
%
We can view FMEA as a process, taking each component in the system and for each of its failure modes
applying analysis with respect to the whole system.
%
This however entails a problem: which other components in the system must we
check, against %current failure mode.
each particular failure mode?
%
Often a component failing will have obvious effects on functionally adjacent components.
Sometimes %though, perhaps in the case of de-coupling capacitors in a digital ciruit,
side effects of failure may manifest due to interaction with other components that are not obviously functionally related.
%% CONTEXT OF SYSTEM FAILURE: PERHAPS NOT RELEVANT HERE
%
% The symptoms of failure are dependent upon the context, or environment that the system operates in.
% We can trace all base component failure modes to corresponding system failures: but the effect
% of the system failure depends upon how the system is used.
% %
% A resistor failure could, for instance, make a process reading go out of range.
% This could cause the process to be stopped or simply one reading out of many would
% be marked faulty and be dealt with in the next maintenance phase of the plant.
% %
% Another resistor failing could cause a dangerous control problem.
%
%The context of the system failures is the important thingy bob dooo dah.
%
%
%Also a particular component failure mode may affect the performance of another.
The temptation with FMEA can be to follow direct lines of failure effect reasoning without considering
side effects.
%%
To perform FMEA rigorously
we could stipulate that every failure mode must be checked for effects
against all the components in the system.
%
This would mean we would be looking for all possible side effects that a base component failure could cause.
%
We could term this `rigorous~FMEA'~(RFMEA).
The number of checks we have to make to achieve this, gives an indication of the complexity of the analysis task.
%
%This is described in section~\ref{sec:rd}, where the reasoning distance, or complexity to
%analyse a single FMEA failure scenario, is given in equation~\ref{eqn:complexity}.
%
%
It is desirable to be able to measure the complexity of an analysis task.
%
Comparison~complexity is a count of
paths between failure modes and components necessary to achieve RFMEA for a given group G. %system or {\fg}.
% (except its self of course, that component is already considered to be in a failed state!).
%
%Obviously, f
For a small number of components and failure modes, we have a smaller number
of checks to make than for a complicated larger system.
%
%
\subsection{Formal definitions of entities used in FMEA}
%
%\paragraph{Considering a system as a group of Components.}
Using the language developed in the previous chapters
we consider a system for analysis as a collection %{\fg}
of components.
We can represent this set of components as $G$, and the number of components in it by
$ | G | $. %,
%(an indexing and sub-scripting notation to identify particular {\fgs}
%within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
%\paragraph{Defining Components}
$G$ is simply a sub-set of all possible components.
We define the set of all components as $\mathcal{C}$ and can state $G \subset \mathcal{C}$. Individual components are denoted as $c$
with additional indexing when appropriate.
\paragraph{Defining a function that returns failure modes given a component.}
The function $fm$ has a component as its domain and the component's failure modes, $fms$, as its range. % (see equation~\ref{eqn:fm}).
Where $\mathcal{F}$ is the set of all failures,
$$ fm: \mathcal{C} \rightarrow \mathcal{F} .$$
We can represent the number of potential failure modes of a component $c$ by $ | fm(c) | $.
\paragraph{Indexing components with the group $G$.}
If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|G|} $ we can express
the number of checks required to rigorously examine every
failure mode against all the other components in the system.
Comparison Complexity can be represented by a function $CC$, with its domain as $G$, and
its range as the number of checks---or reasoning stages---to perform to satisfy a rigorous FMEA inspection.
Where $\mathcal{G}$ represents the set of all {\fgs}, and $ \mathbb{Z}^{+} $ the positive integers, $CC$ is defined by,
\begin{equation}
%$$
CC:\mathcal{G} \rightarrow \mathbb{Z}^{+},
%$$
\end{equation}
%
%and, where n is the number of components in the system/{\fg},
and $|fm(c_i)|$ is the number of failure modes
in component ${c_i}$, is given by
\begin{equation}
\label{eqn:CC}
%$$
%%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1)
CC(G) = (|G|-1) \sum_{i=1}^{|G|} |fm(c_i)|.
%$$
\end{equation}
This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$);
equation~\ref{eqn:CC} becomes
%$$
\begin{equation}
\label{eqn:rd2}
CC(G) = K.(|G|-1).
\end{equation}
An FMMD hierarchy consists of many {\fgs} which are subsets of $G$.
We define the set of all {\fgs} as $\mathcal{FG}$.
Using $FG$ to represent individual {\fgs} we %can therefore
state $$ \forall FG \in \mathcal{FG} \;|\; FG \subset G .$$
FMMD analysis creates a hierarchy $H$ of {\fgs} where $H \subset \mathcal{FG}$.
%
We can define individual {\fgs} using $FG$ with an index to identify them and a superscript
to identify the hierarchy level. For instance the first {\fg} in a hierarchy, containing base components only
i.e. at the zeroth level of an FMMD hierarchy, would have the superscript 0 and a subscript of 1, i.e. $FG^{0}_{1}$.
%$$
%Equation~\ref{eqn:rd} can also be expressed as
%
% \begin{equation}
% \label{eqn:rd2}
% %$$
% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} .
% %$$
% \end{equation}
\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy}
An FMMD Hierarchy will have reducing numbers of {\fgs} as we progress up the hierarchy.
In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to
all {\fgs} on each level.
We can define an FMMD hierarchy as a set of {\fgs}, $H$.
We define a helper function $g$ whose domain is a hierarchy $H$ together with a level index $i$, and whose co-domain is a set of {\fgs} (specifically all the {\fgs} on the given level),
defined by,
\begin{equation}
%$$
g(H, i) = \{ {\FG}^{\xi} \in H \;|\; \xi = i \} .
%$$
\end{equation}
In words: the helper function $g$ returns all {\fgs} at a particular hierarchy level in a particular FMMD hierarchy.
Where $L$ represents the number of levels in the FMMD hierarchy,
$|g(H,\xi)|$ represents the number of {\fgs} on level $\xi$
and $H$ represents an FMMD hierarchy,
we overload the comparison complexity thus:
%$$
\begin{equation}
\label{eqn:gf}
CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}).
%$$
\end{equation}
\subsection{Complexity Comparison Examples}
%\pagebreak[4]
The potential divider discussed in section~\ref{subsec:potdiv} has four failure modes and two components and therefore has a $CC$ of 4.
$$CC(potdiv) = \sum_{n=1}^{2} 2 \times (2-1) = 4 $$
We combine the potential divider with an op-amp which has four failure modes
to form a {\fg} with two components, one with four failure modes and the other (the potential divider) with two.
$$CC(invamp) = 2 \times 1 + 4 \times 1 = 6 $$
To analyse the inverting amplifier with FMMD we therefore required $4 + 6 = 10$ reasoning stages.
Using RFMEA on the three base components we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1) = 16 $.
\paragraph{Complexity Comparison for an 81 component system.}
%Even considering a $example$
A system, $example$, with just 81 components (with these components
having 3 failure modes each) would have a $CC$ of
$$CC(example) = \sum_{n=1}^{81} 3 \times (81-1) = 19440 .$$
Ensuring all component failure modes are checked against all other components in a system
-- applying FMEA rigorously -- could be termed
Rigorous FMEA (RFMEA).
The computational order for RFMEA would be polynomial ($O(N^2.K)$, where $N$ is the number of components and $K$ the number of failure modes).
This order may be acceptable in a computational environment; however, the choosing of {\fgs} and the analysis
process are by-hand/human activities, and it is practically impossible to achieve
RFMEA for anything but trivial systems.
%
% Next statement needs alot of justification
%
It is the author's belief that FMMD reduces the comparison complexity enough to make
rigorous checking feasible.
\pagebreak[4]
%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD}
% \begin{figure}
% \centering
% \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png}
% % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385
% \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$}
% \label{fig:three_tree}
% \end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH6_Evaluation/components_81_euler.png}
% components_81_euler.png: 3056x2532 pixel, 72dpi, 107.81x89.32 cm, bb=0 0 3056 2532
\caption{FMMD Hierarchy with number of components in each $FG$ fixed to three ($|FG|=3$)}
\label{fig:three_tree}
\end{figure}
\subsection{Comparing FMMD and RFMEA comparison complexity}
Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components, it is difficult to
use the general formula for comparing the number of checks to make for
RFMEA and FMMD.
%
If we were to create an example by fixing the number of components in a {\fg}
and the number of failure modes per component, we can derive formulae
to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to
all components in a system.
Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$),
$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and
$L$ to be the number of levels in the hierarchy of an FMMD analysis.
We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy
with equation~\ref{eqn:anscen}.
\begin{equation}
\label{eqn:anscen}
\sum_{n=0}^{L} {k}^{n}.k.f.(k-1)
\end{equation}
The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top --
there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level.
The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$
checked against the remaining components in the {\fg} $(k-1)$.
If, for the sake of example, we fix the number of components in a {\fg} to three and
the number of failure modes per component to three, an FMMD hierarchy
would look like figure~\ref{fig:three_tree}.
\subsection{RFMEA FMMD Comparison Example}
Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis.
%
Starting at the top, we have a {\fg} with three derived components, each of which has
three failure modes.
%
Thus the number of checks to make in the top level is $3^0\times3\times2\times3 = 18$.
On the level below that, we have three {\fgs} each with
an identical number of checks, $3^1 \times 3 \times 2 \times 3 = 54$.%{\fg}
%
On the level below that we have nine {\fgs}, $3^2 \times 3\times2\times3=162$.
Adding these together gives $18 + 54 + 162 = 234$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}}
{\fgs}).
If we were to take the system represented in figure~\ref{fig:three_tree}, and
apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC},
$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $|fm(c_n)|$ is 3
and $(|G|-1)$ is 26.
This gives:
$CC(G) = \sum_{n=1}^{27} 3 \times (27-1) = 2106$.
In order to get general equations with which to compare RFMEA with FMMD,
we can re-write equation~\ref{eqn:CC} in terms of the number of levels
in an FMMD hierarchy.
%
The number of components in the system, is number of components
in a {\fg} raised to the power of the level plus one.
Thus we re-write equation~\ref{eqn:CC} as:
\begin{equation}
\label{eqn:fmea_state_exp21}
\sum_{n=1}^{k^{L+1}} f.(k^{L+1}-1) \; , % \\
%(N^2 - N).f
\end{equation}
or
\begin{equation}
\label{eqn:fmea_state_exp22}
k^{L+1}.(k^{L+1}-1).f \;. % \\
%(N^2 - N).f
\end{equation}
We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$)
the two approaches, for the work required to perform rigorous checking.
For instance, having four levels
of FMMD analysis, with these fixed numbers,
%(in addition to the top zeroth level)
will require 81 base level components.
$$
3^4.(3^4-1).3 = 81.(81-1).3 = 19440
$$
for RFMEA, against
$$
\sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720
$$
for FMMD.
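The comparison-complexity figures used in this chapter (the potential divider, inverting amplifier and 81-component RFMEA examples of the earlier subsection, and the fixed-parameter FMMD-versus-RFMEA comparison above) can be reproduced with a few lines of Python. The block below is an added example, not code from the thesis or its author's tools: the function names and the representation of a group as a list of failure-mode counts (and a hierarchy as a list of levels of groups) are this example's own; the component and failure-mode counts encoded in it are the chapter's.

```python
def cc_group(fm_counts):
    """Comparison complexity of one group (equation CC): every failure mode of
    every component is checked against each of the other |G|-1 components.
    fm_counts[i] is |fm(c_i)| for component i of the group."""
    return (len(fm_counts) - 1) * sum(fm_counts)


def cc_hierarchy(levels):
    """Comparison complexity of an FMMD hierarchy (the double sum over levels
    and over the functional groups on each level). levels is a list of levels,
    each a list of groups, each group a list of failure-mode counts."""
    return sum(cc_group(group) for level in levels for group in level)


def fmmd_fixed(k, f, top_level):
    """Closed form (equation anscen) for a hierarchy with k components per
    group and f failure modes per component, levels numbered 0..top_level
    from the top: k^n groups on level n, each costing k*f*(k-1) checks."""
    return sum(k**n * k * f * (k - 1) for n in range(top_level + 1))


def rfmea_fixed(k, f, top_level):
    """Rigorous FMEA over the flat set of k^(top_level+1) base components with
    f failure modes each (equation fmea_state_exp22)."""
    n_components = k ** (top_level + 1)
    return n_components * (n_components - 1) * f


def fixed_hierarchy(k, f, top_level):
    """Build the explicit hierarchy that fmmd_fixed assumes, so the closed
    form can be cross-checked against the general per-group count."""
    return [[[f] * k for _ in range(k**n)] for n in range(top_level + 1)]


# Figures from the chapter; the list layout is this example's own.
POTDIV = [2, 2]            # two resistors, two failure modes each
INVAMP_GROUP = [2, 4]      # derived potential divider (2 modes) + op-amp (4 modes)
INVAMP_HIERARCHY = [[POTDIV], [INVAMP_GROUP]]
INVAMP_FLAT = [2, 2, 4]    # the same three base components, analysed flat by RFMEA


def summary():
    """Collect the chapter's comparison figures in one place."""
    return {
        "potdiv": cc_group(POTDIV),                     # 4
        "invamp_group": cc_group(INVAMP_GROUP),         # 6
        "invamp_fmmd": cc_hierarchy(INVAMP_HIERARCHY),  # 10
        "invamp_rfmea": cc_group(INVAMP_FLAT),          # 16
        "example81_rfmea": cc_group([3] * 81),          # 19440
        "tree27_fmmd": fmmd_fixed(3, 3, 2),             # 18 + 54 + 162 = 234
        "tree27_rfmea": rfmea_fixed(3, 3, 2),           # 27 * 26 * 3 = 2106
        "tree81_fmmd": fmmd_fixed(3, 3, 3),             # 720
        "tree81_rfmea": rfmea_fixed(3, 3, 3),           # 19440
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:16s} {value}")
```

Running the block prints the summary table; `fixed_hierarchy` exists so that the closed form can be checked against the general per-group count on the same tree, which is how the 234 and 2106 figures for the 27-component, three-level tree are confirmed here.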
\subsection{Complexity Comparison applied to previous FMMD Examples}
All the FMMD examples in chapters \ref{sec:chap5} and \ref{sec:chap6} showed a marked reduction in comparison
complexity compared to the RFMEA worst case figures.
%
%
A table of complexity comparison vs. RFMEA is presented below.
%\usepackage{multirow}
\begin{tabular}{ |l|l|l| }
\hline
\textbf{Hierarchy} & \textbf{Analysis object} & \textbf{Complexity} \\
\textbf{Level} & \textbf{Description} & \textbf{Comparison} \\
%\hline \hline
%\multicolumn{3}{ |c| }{Complexity Comparison against RFMEA for examples in Chapter~\ref{sec:chap5}} \\
%\hline \hline
%Goalkeeper & GK & Paul Robinson \\ \hline
\hline
\multicolumn{3}{ |c| }{Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}} \\ \hline
%\multirow{3}{*} {Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}} & & \\
0 & Potential Divider & 4 \\
1 & PD + Opamp & 8 \\
& Inverting Amplifier: & FMMD 10 \\
& Inverting Amplifier: & RFMEA 16 \\
\hline
\multicolumn{3}{ |c| } {Inverting Amplifier One stage FMMD Hierarchy: section~\ref{sec:invamp}} \\ \hline
0 & Resistors + Opamp & 16 \\
& Inverting Amplifier: & FMMD 16 \\
& Inverting Amplifier: & RFMEA 16 \\
\hline
\multicolumn{3}{ |c| } {Differencing Amplifier One stage FMMD Hierarchy: section~\ref{sec:invamp}} \\ \hline
%\multirow{4}{*} {Differencing Amplifier FMMD Hierarchy: section~\ref{sec:diffamp}} & & \\
2 & Non inv Amp reused (see section~\ref{sec:noninvamp}) & 10 \\
0 & Inverting amplifier & 16 \\
& Differencing Amplifier: & FMMD 26 \\
& Differencing Amplifier: & RFMEA 80 \\ \hline
\end{tabular}
The complexity comparison figures for the example circuits in chapter~\ref{sec:chap5} show
that for increasing complexity the performance benefits from FMMD become apparent.
% \subsection{Exponential squared to Exponential}
%
% can I say that ?
\section{Unitary State Component Failure Mode sets}
\label{sec:unitarystate}
\paragraph{Design Decision/Constraint}
An important factor in defining a set of failure modes is that they
should represent the failure modes as simply and minimally as possible.
It should not be possible, for instance, for
a component to have two or more failure modes active at once.
Were this to be the case, we would have to consider additional combinations of
failure modes within the component.
Having a set of failure modes where $N$ modes could be active simultaneously
would mean having to consider an additional $2^N-1$ failure mode scenarios.
Should a component be analysed and simultaneous failure mode cases exist,
the combinations could be represented by new failure modes, or
the component should be considered from a fresh perspective,
perhaps considering it as several smaller components
within one package.
This property, failure modes being mutually exclusive, is termed `unitary state failure modes'
in this study.
This corresponds to the `mutually exclusive' definition in
probability theory~\cite{probstat}.
\begin{definition}
A set of failure modes where only one failure mode
can be active at one time is termed a {\textbf{unitary~state}} failure mode set.
\end{definition}
Let the set of all possible components be $ \mathcal{C}$
and let the set of all possible failure modes be $ \mathcal{F}$.
The set of failure modes of a particular component are of interest
here.
What is required is to define a property for
a set of failure modes where only one failure mode can be active at a time;
or, borrowing from the terms of statistics, where each failure mode is an event that is mutually exclusive
with the other members of the set $F$.
We can define a set of failure mode sets called $\mathcal{U}$ to represent this
property for a set of failure modes.
\begin{definition}
We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where
the component failure modes in each of its members are unitary~state.
Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true.
\end{definition}
\section{Component failure modes: Unitary State example}
An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor.
Electrical resistors can fail by going OPEN or SHORTED.
For a given resistor R we can apply the
function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with the conditions open and short active at the same time,
that would be physically impossible! The conditions
OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
%
%
%Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
%
The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
therefore
$ fm(R) \in \mathcal{U} $.
We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
of component failure modes.
We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns
whether a fault mode is active (true) or dormant (false).
We can say that if any pair of fault modes is active at the same time, then the failure mode set is not
unitary state:
we state this formally
\begin{equation}
\exists f_1,f_2 \in F \cdot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U}
\end{equation}
%
% \begin{equation}
% c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U
% \end{equation}
That is to say that it is impossible that any pair of failure modes can be active at the same time
for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$.
Note where there are more than two failure~modes,
by banning any pairs from being active at the same time,
we have banned larger combinations as well.
\subsection{Design Rule: Unitary State}
All components must have unitary state failure modes to be used with the FMMD methodology and
for base~components this is usually the case. Most simple components fail in one
clearly defined way and generally stay in that state.
However, where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made.
We can term this `heuristic~de-composition'.
A modern micro-controller will typically have several modules, which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
For instance the voltage reading functions which consist
of an ADC multiplexer and ADC can be considered to be components
inside the micro-controller package.
The micro-controller thus becomes a collection of smaller components
that can be analysed separately~\footnote{It is common for the signal paths
in a safety critical product to be traced, and when entering a complex
component like a micro-controller, the process of heuristic de-composition
is then applied to it.}.
\paragraph{Reason for Constraint.} Were this constraint not applied,
each component would contribute not $N$ failure modes to consider but potentially
$2^N$.
%
This would make the job of analysing the failure modes
in a {\fg} impractical due to the sheer size of the task.
%Note that the `unitary state' conditions apply to failure modes within a component.
%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos
\section{Handling Simultaneous Component Faults}
For some integrity levels of static analysis, there is a need to consider not only single
failure modes in isolation, but cases where more than one failure mode may occur
simultaneously.
%
Note that the `unitary state' conditions apply to failure modes within a component.
This does not preclude the possibility of two or more components failing simultaneously.
%
%The scenarios presented deal with possibility of two or more components failing simultaneously.
%
It is an implied requirement of EN298~\cite{en298} for instance to
consider double simultaneous faults\footnote{Under the conditions
of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already.
However, from the perspective of static failure mode analysis, this amounts
to dealing with double simultaneous failure modes.}.
%
To generalise, we may need to consider $N$ simultaneous
failure modes when analysing a functional group.
%
This involves finding
all combinations of failure modes of size $N$ and less.
%The Powerset concept from Set theory is useful to model this.
%
The power-set, when applied to a set S is the set of all subsets of S, including the empty set
\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
is no fault active in the functional~group under analysis.}
and S itself.
%
We augment the power-set concept here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures.
%
In order to consider combinations for the set S where the number of elements in
each subset of S is $N$ or less, a concept of the `cardinality constrained power-set'
is proposed and described in the next section.
%\pagebreak[1]
\section{Cardinality Constrained Power-set }
\label{ccp}
A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold
are not included. This threshold is called the cardinality constraint.
To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
Consider the set $S = \{a,b,c\}$.
The power-set of S:
$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$
$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is
less than or equal to 2.
$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$
Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is:
$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} .$$
\paragraph{Calculating the number of elements in a cardinality constrained power-set}
A $k$ combination is a subset with $k$ elements.
The number of $k$ combinations (each of size $k$) from a set $S$
with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}.
\begin{equation}
C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} .
\label{bico}
\end{equation}
To find the number of elements in the cardinality constrained power-set of $S$ with up to $cc$ elements
in each combination sub-set,
we need to sum the combinations
%subtracting $cc$ from the final result
%(repeated empty set counts)
from $1$ to $cc$ thus
%
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
%
\begin{equation}
|{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} .
\label{eqn:ccps}
\end{equation}
\subsection{Actual Number of combinations to check with Unitary State Fault mode sets}
If all of the fault modes in $S$ were independent,
the cardinality constrained power-set
calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check.
Because sets of failure modes in FMMD analysis are constrained to be unitary state,
the actual number of test cases to check will usually
be less than this.
This is because combinations of faults within a components failure mode set
are impossible under the conditions of unitary state failure mode.
To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations'
for each component in the functional group under analysis.
Note we must subtract the internal combinations of every size from 2 up to the cardinality constraint.
For example, were
the cardinality constraint 3, we would need to subtract both
${n \choose 2}$ and ${n \choose 3}$ for each component (with $n$ failure modes) in the functional~group.
\subsubsection{Example: Two Component functional group cardinality Constraint of 2}
For example, suppose we have a simple functional group with two components R and T, where
$$fm(R) = \{R_o, R_s\} \quad \textrm{and} \quad fm(T) = \{T_o, T_s, T_h\}.$$
This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set
of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$.
For a cardinality constrained powerset of 2, because there are 5 failure modes ( $|fm(FG)|=5$),
applying equation \ref{eqn:ccps} gives
$$ | \mathcal{P}_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15.$$
This is composed of ${5 \choose 1}$
five single fault modes, and ${5 \choose 2}$ ten double fault modes.
However we know that the faults are mutually exclusive within a component.
We must then subtract the number of `internal' component fault combinations
for each component in the functional~group.
For component R there is only one internal fault combination that cannot exist,
$R_o \wedge R_s$; as a combination, ${2 \choose 2} = 1$. For the component $T$, which has
three fault modes, ${3 \choose 2} = 3$.
Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$.
The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified
by listing all the required combinations:
$$ \mathcal{P}_{2}(fm(FG)) = \{
\{R_o, T_o\}, \{R_o, T_s\}, \{R_o, T_h\}, \{R_s, T_o\}, \{R_s, T_s\}, \{R_s, T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
\}
$$
which has cardinality 11. % by inspection
%$$
%|
%\{
% \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
%\}
%| = 11
%$$
\pagebreak[1]
\subsubsection{Establishing Formulae for unitary state failure mode
cardinality calculation}
The cardinality constrained power-set in equation \ref{eqn:ccps}, can be modified for % corrected for
unitary state failure modes.
%This is written as a general formula in equation \ref{eqn:correctedccps}.
%\indent{
%To define terms :
%\begin{itemize}
%\item
Let $C$ be a set of components (indexed by $j \in J$)
that are members of the functional group $FG$
i.e. $ \forall j \in J | C_j \in FG $.
%\item
Let $|fm({C}_{j})|$
indicate the number of mutually exclusive fault modes of component $C_j$.
%\item
Let $fm(FG)$ be the collection of all failure modes
from all the components in the functional group.
%\item
Let $SU$ be the set of failure modes of the {\fg} $FG$ where all
components $C_j$ are in
`unitary state', i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $, then
%\end{itemize}
%}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} .
\label{eqn:correctedccps}
\end{equation}
Expanding the combination in equation \ref{eqn:correctedccps}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } .
\label{eqn:correctedccps2}
\end{equation}
\paragraph{Use of Equation \ref{eqn:correctedccps2} }
Equation \ref{eqn:correctedccps2} is useful for an automated tool that
would verify that a single or double simultaneous failures model has complete failure mode coverage.
By knowing how many test cases should be covered, and checking the cardinality
associated with the test cases, complete coverage would be verified.
\subsection{Example: Pt100 Verifying complete coverage for a cardinality constrained power-set of 2}
\fmodegloss
We use the Pt100 example in~\ref{sec:Pt100} which performs double failure mode FMMD analysis.
It is important to check that we have covered all possible double fault combinations.
We can use the equation \ref{eqn:correctedccps2}
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.
\indent{
where:
\begin{itemize}
\item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes.
\item The indexed set $C_j$ represents all components in set $SU$.
\item The function $FM$ takes a component as an argument and returns its set of failure modes.
\item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults.
\end{itemize}
}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
%\label{eqn:correctedccps2} % label already defined above; not repeated to avoid a duplicate label
\end{equation}
}
{
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
%\label{eqn:correctedccps2}
\end{equation}
}
$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes.
%
% Factorial of zero is one ! You can only arrange an empty set one way !
Populating this equation with $|SU| = 6$ and $|FM(C_j)| = 2$ for each of the three resistors gives
%is always 2 for this circuit, as all the components are resistors and have two failure modes.
\begin{equation}
|{\mathcal{P}_{2}SU}| = {\sum^{2}_{k=1} \frac{6!}{k!(6 - k)!}}
- {{\sum^{3}_{j=1} \frac{2!}{2!(2 - 2)!}} } .
%\label{eqn:correctedccps2}
\end{equation}
$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).
Expanding the summations:
$$ \mathit{NoOfTestCasesToCheck} = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$
$$ \mathit{NoOfTestCasesToCheck} = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test cases are all different and are of the correct cardinalities (6 single faults and $15-3$ double faults),
we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit.
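The coverage check described above, written out as an added example (not code from the thesis): it evaluates equation \ref{eqn:correctedccps2} for $cc = 2$ and, independently, enumerates the unitary-state test cases of a functional group so that the two counts can be compared. The component names \texttt{R1}--\texttt{R3} and their failure modes \texttt{OPEN}/\texttt{SHORT} are constructed for the Pt100 group of three resistors.

```python
from itertools import combinations
from math import comb


def cc_powerset_size(fm_counts):
    """|P_2 SU| from equation correctedccps2: every single and double
    failure mode combination, minus the pairs drawn from one component
    (impossible under unitary state). fm_counts[j] = |FM(C_j)|."""
    su = sum(fm_counts)                                  # |SU|
    singles_and_pairs = comb(su, 1) + comb(su, 2)
    same_component_pairs = sum(comb(n, 2) for n in fm_counts)
    return singles_and_pairs - same_component_pairs


def enumerate_test_cases(components, cc=2):
    """The test cases an automated checker would expect: all subsets of at
    most cc failure modes in which no two modes come from one component."""
    modes = [(name, fm) for name, fms in components.items() for fm in fms]
    cases = []
    for k in range(1, cc + 1):
        for combo in combinations(modes, k):
            owners = [name for name, _ in combo]
            if len(set(owners)) == len(owners):          # unitary state kept
                cases.append(tuple(f"{n}.{m}" for n, m in combo))
    return cases


def verify_coverage(components):
    """Return (expected, found, complete): the count the equation predicts,
    the number of enumerated double/single cases, and whether they agree."""
    expected = cc_powerset_size([len(fms) for fms in components.values()])
    found = len(enumerate_test_cases(components, cc=2))
    return expected, found, expected == found


# Constructed functional group for the Pt100 circuit: three resistors,
# each with the two failure modes OPEN and SHORT, so |SU| = 6.
PT100_FG = {
    "R1": ("OPEN", "SHORT"),
    "R2": ("OPEN", "SHORT"),
    "R3": ("OPEN", "SHORT"),
}

if __name__ == "__main__":
    print(verify_coverage(PT100_FG))   # (18, 18, True)
```

The enumeration also serves as an oracle for groups with unequal failure mode counts, where the subtracted term differs per component.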
%The next task is to investigate
%these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
%\paragraph{Multiple simultaneous failure modes disallowed combinations}
%The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs
%of failure modes within components, but also ensuring that combinations across components
%do not involve any pairs of failure modes within the same component.
%%%%- NOT SURE ABOUT THAT !!!!!
%%%- A recursive algorithm and proof is described in appendix \ref{chap:vennccps}.
%%\paragraph{Practicality}
%%Functional Group may consist, typically of four or five components, which typically
%%have two or three failure modes each. Taking a worst case of mutiplying these
%%by a factor of five (the number of failure modes and components) would give
%%$25 \times 15 = 375$
%%
%%
%%
%%\begin{verbatim}
%%
%%# define a factorial function
%%# gives 1 for negative values as well
%%define f(x) {
%% if (x>1) {
%% return (x * f (x-1))
%% }
%% return (1)
%%
%%}
%%define u1(c,x) {
%% return f(c*x)/(f(1)*f(c*x-1))
%%}
%%define u2(c,x) {
%% return f(c*x)/(f(2)*f(c*x-2))
%%}
%%
%%define uc(c,x) {
%% return c * f(x)/(f(2)*f(x-2))
%%}
%%
%%# where c is number of components, and x is number of failure modes
%%# define function u to calculate combinations to check for double sim failure modes
%%define u(c,x) {
%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2))
%%}
%%
%%
%%\end{verbatim}
%%
\pagebreak[1]
\section{Component Failure Modes and Statistical Sample Space}
%\paragraph{NOT WRITTEN YET PLEASE IGNORE}
A sample space is defined as the set of all possible outcomes.
For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct')
operating state and all its failure modes.
We can consider failure modes as events in the sample space.
%
When dealing with failure modes, we are not interested in
the state where the component is working correctly or `OK' (i.e. operating with no error).
%
We are interested only in ways in which it can fail.
By definition, while all components in a system are `working~correctly',
that system will not exhibit faulty behaviour.
%
%We can say that the OK state corresponds to the empty set.
%
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
The failure mode set $fm(C)$ for a given component or derived~component $C$
is therefore
$ fm(C) = \Omega(C) \backslash \{OK\} $
(or, expressed the other way round,
$ \Omega(C) = fm(C) \cup \{OK\} $).
The $OK$ statistical case is (usually) the largest in probability, and is therefore
of interest when analysing systems from a statistical perspective.
In the diagrams in this chapter the OK state is included, but its area is not drawn
in proportion to its probability.
This is of interest for the application of conditional probability calculations
such as Bayes theorem~\cite{probstat}.
The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian
statistics to justify their methodologies~\cite{nucfta,nasafta}.
That is to say, a base component or a sub-system failure
has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds
to the probability that a given part failure mode will cause a given system level failure/event.}.
Another way to view this is to consider the failure modes of a
component, with the $OK$ state, as a universal set $\Omega$, where
all sets within $\Omega$ are partitioned.
Figure \ref{fig:partitioncfm} shows a partitioned set representing
component failure modes $\{ B_1, \ldots, B_8, OK \}$: partitioned sets
where the OK or empty set condition is included obey unitary state conditions.
Because the subsets of $\Omega$ are partitioned, we can say these
failure modes are unitary state.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png}
% partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes with OK mode as partitioned set}
\label{fig:partitioncfm}
\end{figure}
\section{Components with Independent failure modes}
Suppose that we have a component that can fail simultaneously
with more than one failure mode.
This would make it seemingly impossible to model as `unitary state'.
\paragraph{De-composition of complex component.}
There are two ways in which we can deal with this.
We could consider the component a composite
of two simpler components, and model their interaction to
create a derived component.
\ifthenelse {\boolean{paper}}
{
This technique is outside the scope of this paper.
}
{
%This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled.
}
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with three failure modes as partitioned sets}
\label{fig:combco}
\end{figure}
\paragraph{Combinations become new failure modes.}
Alternatively, we could consider the combinations
of the failure modes as new failure modes.
We can model this using an Euler diagram representation of
an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in
the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$ see figure \ref{fig:combco}.
For the purpose of example let us consider $\{ B_2, B_3 \}$
to be intrinsically mutually exclusive, but $B_1$ to be independent.
This means that we have the possibility of two new combinations,
$ B_1 \cap B_2$ and $ B_1 \cap B_3$.
We can represent these
as shaded sections of figure \ref{fig:combco2}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with three failure modes where $B_1$ is independent}
\label{fig:combco2}
\end{figure}
We can calculate the probabilities for the shaded areas
assuming the failure modes are statistically independent
by multiplying the probabilities of the members of the intersection.
We can use the function $P$ to return the probability of a
failure mode, or combination thereof.
Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with two new failure modes}
\label{fig:combco3}
\end{figure}
We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}).
Because of the combinations, the probabilities for the failure modes
$B_1, B_2$ and $B_3$ will now reduce.
We can use the prime character ($\; \prime \;$), to represent the altered value for a failure mode, i.e.
$B_1^\prime$ represents the altered value for $B_1$.
Thus
$$ P(B_1^\prime) = P(B_1) - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$
$$ P(B_2^\prime) = P(B_2) - P(B_1 \cap B_2) \; \mbox{and} $$
$$ P(B_3^\prime) = P(B_3) - P(B_1 \cap B_3) \; . $$
We now have two new component failure modes, $B_4$ and $B_5$, shown in figure \ref{fig:combco3}.
We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$.
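The re-composition above, as an added example that is not part of the thesis: the constructed probabilities for $B_1$, $B_2$ and $B_3$ are assumptions, and the new intersection modes are named \texttt{B1\&B2} and \texttt{B1\&B3} rather than $B_5$ and $B_4$. The consistency check confirms that the primed modes and the new modes partition the component's failure region, i.e. that their probabilities sum to $P(B_1 \cup B_2 \cup B_3)$.

```python
def recompose_failure_modes(p, independent, exclusive):
    """Rebuild a unitary-state failure mode set for a component whose mode
    `independent` (B1 in the text) can coincide with each of the mutually
    exclusive modes in `exclusive` (B2, B3). Returns the primed (reduced)
    probabilities of the original modes plus one new mode per intersection."""
    p_ind = p[independent]
    result = {}
    reduced_ind = p_ind
    for m in exclusive:
        p_inter = p_ind * p[m]                   # P(B1 ∩ Bm) = P(B1)P(Bm)
        result[f"{independent}&{m}"] = p_inter   # new failure mode
        result[f"{m}'"] = p[m] - p_inter         # P(Bm') = P(Bm) - P(B1 ∩ Bm)
        reduced_ind -= p_inter                   # P(B1') loses every overlap
    result[f"{independent}'"] = reduced_ind
    return result


def union_probability(p, independent, exclusive):
    """P(B1 ∪ B2 ∪ B3) by inclusion-exclusion; B2 and B3 never overlap,
    so only the B1 intersections are subtracted."""
    p_ind = p[independent]
    return p_ind + sum(p[m] - p_ind * p[m] for m in exclusive)


def is_consistent(p, independent, exclusive, tol=1e-9):
    """The recomposed modes partition the failure region, so their
    probabilities must sum to the union probability of the originals."""
    new = recompose_failure_modes(p, independent, exclusive)
    return abs(sum(new.values()) - union_probability(p, independent, exclusive)) < tol


# Constructed probabilities (assumed values) for the three-mode component.
EXAMPLE_P = {"B1": 0.10, "B2": 0.20, "B3": 0.30}

if __name__ == "__main__":
    print(recompose_failure_modes(EXAMPLE_P, "B1", ("B2", "B3")))
    print(is_consistent(EXAMPLE_P, "B1", ("B2", "B3")))   # True
```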
\section{Critiques}
\subsection{Problems in choosing membership of functional groups}
\subsubsection{Side Effects: A Problem for FMMD analysis}
\label{sec:sideeffects}
A problem with modularising according to functionality is that component failures which would % poss split infinitive
intuitively be associated with one {\fg} may cause unintended side effects in other
{\fgs}.
For instance, were we to have a component that, on failing $SHORT$, could bring down
a voltage supply rail, this could have drastic consequences for other
functional groups in the system we are examining.
\pagebreak[3]
\subsubsection{Example de-coupling capacitors in logic circuits}
A good example of a component failure that can
induce side effects in other components is the de-coupling capacitor, often placed
across the power supply pins of every chip in a digital logic circuit.
Were any of these capacitors to fail $SHORT$, it could bring down
the supply voltage to the other logic chips.
%
To a power-supply, shorted capacitors on the supply rails
are a potential source of the symptom, $SUPPLY\_SHORT$.
In a logic chip/digital circuit {\fg} open capacitors are a potential
source of symptoms caused by the failure mode $INTERFERENCE$.
So we have a `symptom' of the power-supply, and a `failure~mode' of
the logic chip to consider.
%
A possible solution to this is to include the de-coupling capacitors
in the power-supply {\fg}.
% decision, could they be included in both places ????
% I think so
Because the capacitor has two potential failure modes (EN298),
this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (although there might be additional noise on its output rails).
But in {\fg} terms the power supply now has a new symptom, that of $INTERFERENCE$.
%
Some logic chips are more susceptible to $INTERFERENCE$ than others.
A logic chip whose de-coupling capacitor has failed may operate correctly
but interfere with other chips in the circuit.
%
There is no reason why the de-coupling capacitors
could not be included {\em in the {\fg} they would intuitively be associated with as well}.% poss split infinitive
%
This allows for the general principle of a component failure affecting more than one {\fg} in a circuit.
This allows functional groups to share components where necessary.
This does not break the modularity of the FMMD technique, because, as {\irl},
one component failure may affect more than one sub-system.
It does uncover a weakness in the FMMD methodology though.
It could be very easy to miss the side effect and place
the component causing it in the wrong {\fg}, or in only one of the germane {\fgs}.
\section{Evaluation}
TO DO