Robin_PHD/presentations/System_safety_2011/submission.tex
Your Name f2a9530dab Extracted a sym link for the new papers directory
so it is easier to find the source for
papers submitted.
2012-03-20 14:37:45 +00:00


\documentclass[twocolumn]{article}
%\documentclass[twocolumn,10pt]{report}
\usepackage{graphicx}
\usepackage{fancyhdr}
\usepackage{tikz}
\usepackage{amsfonts,amsmath,amsthm}
\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows}
%\input{../style}
\usepackage{ifthen}
\usepackage{lastpage}
\usetikzlibrary{shapes,snakes}
\newcommand{\tickYES}{\checkmark}
\newcommand{\fc}{fault~scenario}
\newcommand{\fcs}{fault~scenarios}
\date{}
%\renewcommand{\encodingdefault}{T1}
%\renewcommand{\rmdefault}{tnr}
%\newboolean{paper}
%\setboolean{paper}{true} % boolvar=true or false
\newcommand{\oc}{\ensuremath{^{o}{C}}}
\newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}}
\newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}}
\newcommand{\ohms}[1]{\ensuremath{#1\Omega}}
\newcommand{\fg}{functional~group}
\newcommand{\fgs}{functional~groups}
\newcommand{\dc}{derived~component}
\newcommand{\dcs}{derived~components}
\newcommand{\bc}{base~component}
\newcommand{\bcs}{base~components}
\newcommand{\irl}{in real life}
\newcommand{\enc}{\ensuremath{\stackrel{enc}{\longrightarrow}}}
\newcommand{\pin}{\ensuremath{\stackrel{pi}{\longleftrightarrow}}}
%\newcommand{\pic}{\em pure~intersection~chain}
\newcommand{\pic}{\em pair-wise~intersection~chain}
\newcommand{\wrt}{\em with~respect~to}
\newcommand{\abslevel}{\ensuremath{\Psi}}
\newcommand{\fmmdgloss}{\glossary{name={FMMD},description={Failure Mode Modular De-Composition, a bottom-up methodology for incrementally building failure mode models, using a procedure taking functional groups of components and creating derived components representing them, and in turn using the derived components to create higher level functional groups, and so on, that are used to build a failure mode model of a system}}}
\newcommand{\fmodegloss}{\glossary{name={failure mode},description={The way in which a failure occurs. A component or sub-system may fail in a number of ways, and each of these is a
failure mode of the component or sub-system}}}
\newcommand{\fmeagloss}{\glossary{name={FMEA}, description={Failure Mode and Effects analysis (FMEA) is a process where each potential failure mode within a system, is analysed to determine system level failure modes, and to then classify them {\wrt} perceived severity}}}
\newcommand{\frategloss}{\glossary{name={failure rate}, description={The number of failure within a population (of size N), divided by N over a given time interval}}}
\newcommand{\pecgloss}{\glossary{name={PEC},description={A Programmable Electronic controller, will typically consist of sensors and actuators interfaced electronically, with some firmware/software component in overall control}}}
\newcommand{\bcfm}{base~component~failure~mode}
\def\layersep{1.8cm}
\newboolean{pld}
\setboolean{pld}{false} % boolvar=true or false : draw analysis using propositional logic diagrams
\newboolean{dag}
\setboolean{dag}{true} % boolvar=true or false : draw analysis using directed acylic graphs
\setlength{\topmargin}{0in}
\setlength{\headheight}{0in}
\setlength{\headsep}{0in}
\setlength{\textheight}{22cm}
\setlength{\textwidth}{18cm}
\setlength{\oddsidemargin}{0in}
\setlength{\evensidemargin}{0in}
\setlength{\parindent}{0.0in}
\setlength{\parskip}{6pt}
\begin{document}
%\pagestyle{fancy}
%\fancyhf{}
%\fancyhead[LO]{}
%\fancyhead[RE]{\leftmark}
%\cfoot{Page \thepage\ of \pageref{LastPage}}
%\rfoot{\today}
%\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology}
%\lhead{Developing a rigorous bottom-up modular static failure modelling methodology}
% numbers at outer edges
\pagenumbering{arabic} % Arabic page numbers hereafter
\author{R.~Clark$^\star$, A.~Fish$^\dagger$, C.~Garrett$^\dagger$, J.~Howse$^\dagger$ \\
$^\star${\em Energy Technology Control, UK. r.clark@energytechnologycontrol.com} \and $^\dagger${\em University of Brighton, UK}
}
%\title{Developing a rigorous bottom-up modular static failure mode modelling methodology}
\title{Developing a rigorous bottom-up modular static failure modelling methodology}
%\nodate
\maketitle
\paragraph{Keywords:} static failure mode modelling, safety-critical
%\small
\abstract{ \em
The certification process for safety critical products, under European and
other international standards, often demands environmental stress,
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or `static', testing
is often also required. In general static testing will reveal modifications that must be made to
improve the product safety, or identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of
systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
The method provides advantages in rigour and efficiency when compared to current methodologies.
}
\section{Introduction}
{
This paper describes and appraises four current failure modelling methodologies.
Their advantages and deficiencies are discussed and a desirable criteria list
for an `ideal' static failure mode methodology is developed.
A proposed
methodology is then described. % and discussed.
A worked example is then presented, using the new methodology, which models the failure mode
behaviour of a non-inverting op-amp circuit.
Using the worked example the new methodology is evaluated.
Finally the desirable criteria list is presented as a check box table alongside
four current methodologies.
}
%\paragraph{Current methodologies}
We briefly analyse four current methodologies.
Comprehensive overviews of these methodologies may be found
in~\cite{safeware,sccs}.
\paragraph{Fault Tree Analysis (FTA).}
FTA~\cite{nasafta,nucfta} is a top down methodology in which a hierarchical diagram is drawn for
each undesirable top level failure/event, presenting the conditions that must arise to cause
the event.
%
It is suitable for large complicated systems with few undesirable top
level failures and focuses on those events considered most important or most catastrophic.
%
Effects of duplication/redundancy of safety systems can be readily assessed.
It uses notations that are readily understood by engineers
(logic symbols borrowed from digital electronics and a fault hierarchy).
However, it cannot guarantee to model all base component failures
or be used to determine system level errors other than those modelled.
%
Each FTA diagram models one top level event.
This creates duplication of modelled elements,
and it is difficult to cross check between diagrams. It has limited
support for environmental and operational states.
\paragraph{Failure Mode and Effects Analysis (FMEA)} is used principally to determine system reliability.
It is bottom-up and starts with component failure modes, which
lead to top level failure/events.
Each top level failure is assessed by its cost to repair (or perceived criticality) and its estimated frequency. %, using a
%failure mode ratio.
A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated.
It is easy to identify single component failure to system failure mappings
and an estimate of product reliability can be calculated.
%This can be viewed as a prioritised `to~fix' list.
%
It cannot focus on complex
component interactions that cause system failure modes or determine potential
problems from simultaneous failures. It does not consider changing environmental
or operational states in sub-systems or components. It cannot model
self-checking safety elements or other in-built safety features or
analyse how particular components may fail.
\paragraph{Failure Mode, Effects and Criticality Analysis (FMECA)} is a refinement of FMEA, using
extra variables: the probability of a component failure mode occurring,
the probability that this will cause a given top level failure, and the perceived
criticality. It gives better estimations of product reliability/safety and the
occurrence of particular system failure modes than FMEA but has similar deficiencies.
\paragraph{Failure Modes, Effects and Diagnostic Analysis (FMEDA)} is a refinement of
FMEA and FMECA and in addition models self-checking safety elements. It assigns two
attributes to component failure modes: detectable/undetectable and safe/dangerous.
Statistical measures about the system can be made and used to classify a
safety integrity level. It allows designs with in-built safety features to be assessed.
Otherwise, it has deficiencies similar to those of FMEA: in particular its support
for environmental and operational states in sub-systems or components is limited
to the statistical credit given to self-checking. FMEDA is the methodology associated with
the safety integrity standards IEC~61508 and EN~61508~\cite{en61508}.
\subsection{Summary of Deficiencies in Current Methods}
\paragraph{Top Down approach: FTA} The top down technique, FTA, introduces the possibility of missing base component
level failure modes~\cite{faa}[Ch.9]. Since one FTA tree is drawn for each top level
event, this leads to repeated work, with limited ability for cross checking/model validation.
Also, the analysis process can miss top level events that bottom-up techniques
can reveal.
%\subsection{Bottom-up approach: }
\paragraph{State Explosion problem for FMEA, FMECA, FMEDA.}
The bottom-up techniques all suffer from % a problem of
state explosion.
To perform the analysis rigorously, we would need to consider the effect
of a component failure against all other components. Adding environmental
and operational states further increases the state explosion.
Let $N$ be the number of components in our system, and $K$ be the average number of component failure modes
(ways in which a component can fail). The approximate total number of base component failure modes
is $N \times K$.
%
The total number of cases to examine, to determine the effect of all failure modes
on all
components
will be approximately $(N-1) \times N \times K$. %, in effect a very large set cross product.
%
If $E$ is the number of environmental conditions to consider
in a system, and $A$ the number of applied/operational states (or modes of the system),
the bottom-up analyst is presented with two
additional %cross product
factors, yielding approximately
$(N-1) \times N \times K \times E \times A$.
%
If we put some typical very small embedded system numbers\footnote{These figures would
be typical of a very simple temperature controller, with a micro-controller, sensors, an RS485 interface,
supporting circuitry and heater circuitry.}
into this, say $N=100$, $K=2.5$, $A=2$, and $E=10$
we have $99 \times 100 \times 2.5 \times 10 \times 2 = 495000 $ checks to perform.
%
To look in detail at half a million fault~scenarios is obviously impractical.
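The count above can be evaluated and set against a modular alternative. The Python below is an added example, not part of the original paper: \texttt{flat\_checks} is the paper's own estimate $(N-1) \times N \times K \times E \times A$, while \texttt{hierarchical\_checks} is an assumed cost model for a modular analysis of the kind proposed later in this paper (the items present at each level are analysed in functional groups of size $g$, every single failure mode in a group is checked only against the other $g-1$ members, and each analysed group is replaced by one derived component carrying $K$ failure modes at the next level). The hierarchical model, its treatment of $E$ and $A$ as plain multipliers, and the function names are this example's assumptions, not results stated by the paper.

```python
"""Flat bottom-up check count versus a hierarchical decomposition.

Added example, not part of the original paper.  flat_checks() is the
paper's own estimate (N-1) x N x K x E x A.  hierarchical_checks() is an
ASSUMED cost model for a modular analysis of the kind proposed later in
the paper: the items present at each level are analysed in functional
groups of size g, every single failure mode in a group is checked only
against the other g-1 members, and each analysed group is replaced by one
derived component carrying K failure modes (symptoms) at the next level.
"""


def flat_checks(n_components: int, k_modes: float,
                n_env: int = 1, n_op: int = 1) -> int:
    """Paper's estimate: each failure mode of each component is examined
    against every other component, for every environmental and
    operational state."""
    return round((n_components - 1) * n_components * k_modes * n_env * n_op)


def hierarchical_checks(n_components: int, k_modes: float, group_size: int,
                        n_env: int = 1, n_op: int = 1) -> tuple[int, int]:
    """Assumed modular cost.  Returns (checks, levels).

    A group of g items with k modes each has g*k single fault scenarios,
    each examined against the other g-1 members: g*k*(g-1) checks.  Each
    group becomes one derived component at the next level; the process
    stops when a single (top level) derived component remains.  A
    left-over group smaller than g is charged for its actual size.
    """
    if group_size < 2:
        raise ValueError("group_size must be at least 2")
    checks = 0.0
    levels = 0
    items = n_components
    while items > 1:
        full, rem = divmod(items, group_size)
        checks += full * group_size * k_modes * (group_size - 1)
        if rem > 1:                       # a single left-over item passes up unchecked
            checks += rem * k_modes * (rem - 1)
        items = full + (1 if rem else 0)  # one derived component per group
        levels += 1
    return round(checks * n_env * n_op), levels


if __name__ == "__main__":
    # the paper's "very small embedded system" figures
    N, K, E, A = 100, 2.5, 10, 2
    print("flat:", flat_checks(N, K, E, A))
    for g in (2, 3, 4, 5):
        print(f"groups of {g}:", hierarchical_checks(N, K, g, E, A))
```

With the paper's figures the flat estimate is the 495000 quoted above; under the assumed modular model the same system analysed in groups of four needs four levels and a few thousand checks, because each derived component hides the failure modes of the components beneath it from every group above.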
% Requirements for an improved methodology The deficiencies identified in the
% current methodologies are used to establish criteria for an improved methodology.
% \paragraph{Reasoning distance - complexity and reach-ability.}
% Tracing a component level failure up to a top level event, without the rigour accompanying state explosion, involves
% working heuristically. A base component failure will typically
% be conceptually removed by several stages from a top level event.
% The `reasoning~distance' $R_D$ can be calculated by summing the failure modes in each component, for all components
% that must interact to reach the top level event.
% Where $C$ represents the set of components in a failure mode causation chain,
% $c_i$ represents a component in $C$ and
% the function $fm$ returns the failure modes for a given component, equation
% \ref{eqn:complexity}, returns the `reasoning~distance'.
% \begin{equation}
% R_D = \sum_{i=1}^{|C|} |{fm(c_i)}| %\; where \; c \in C
% \label{eqn:complexity}
% \end{equation}
%
% The reasoning distance is a value representing the number of failure modes
% to consider to rigorously determine the causation chain
% from the base component failure to the system level event.
%
% The reasoning distance serves to show that when the causes of a top level
% event are completely determined, a large amount of work not
% typical of heuristic or intuitive interpretation is required.
% % could have a chapter on this.
% % take a circuit or system and follow all the interactions
% % to the components that cause the system level event.
%\paragraph{Multiple Events from one base component failure mode}
%A base component failure may potentially cause more than one
%system level failure mode.
%It would be possible to identify one top level event associated with
%a {\bcfm} and not investigate other possibilities.
%\section{Requirements for a new static failure mode Analysis methodology}
\section{Desirable Criteria.}
From the deficiencies outlined above, we can form a set of desirable criteria for an enhanced failure mode methodology.
{ %\small
\label{criteria}
\begin{enumerate}
%\begin{itemize}
\label{fmmdreq}
\item Address the state explosion problem. % 1
\item Ensure that all component failure modes are considered in the model. % 2
\item Be easy to integrate mechanical, electronic and software models \cite{sccs}[p.287]. %3
\item Be modular, in that commonly used {\fgs} can be re-used in other designs/projects. %4
\item Have a formal basis, i.e. be able to produce mathematical traceability %5
for its results, such as error causation trees.%, reliability and safety statistics.
%\item It should be easy to use, ideally using a
%graphical syntax (as opposed to a formal symbolic/mathematical text based language).
%\item From the top down, the failure mode model should follow a logical de-composition of the functionality
%to smaller and smaller functional groupings \cite{maikowski}.
\item Be able to model multiple (simultaneous) failure modes.% 6 % from the base component level up.
\end{enumerate}
%\end{itemize}
}
%
% The design process follows this
%rationale, sub-systems are build t%o perform often basic functions from base components.
%We can term these small groups {\fgs}.
%
% Components should be collected
% into small functional groups to enable the examination of the effect of a
% component failure mode on the other components in the group.
% Once we have the failure modes, or symptoms of failure of a {\fg}
% it can now be considered as `derived component' with a known set
% of failure symptoms. We can use this `derived component' to build higher level
% functional groups.
%
% This helps with the reasoning distance problem,
% because we can trace failure modes back through complex interactions and have a structure to
% base our reasoning on, at each stage.
%
%Development of the new methodology
%
% \section{An ontology of failure modes}
% In order to address the state explosion problem, the process must be modular
%and deal with small groups of components at a time. This approach should address the state explosion problem : criteria 1.
% An ontology is now developed of
% failure modes and their relationship to environmental factors,
% applied/operational states and the hierarchical nature inherent in product design,
% defining the relationships between the system as a whole, components,
% failure modes, operational and environmental states.
%
%
% Components have sets of failure modes associated with them.
% Failure modes for common components may be found in
% the literature~\cite{fmd91,mil1991}.
% We can associate a component with its failure modes.
% This is represented in UML in figure \ref{fig:component_concept}.
%
% \begin{figure}[h]
% \centering
% \includegraphics[width=200pt,keepaspectratio=true]{./component.png}
% % component.:wq: 467x76 pixel, 72dpi, 16.47x2.68 cm, bb=0 0 467 76
% \caption{Component with failure modes UML diagram}
% \label{fig:component_concept}
% \end{figure}
%
% \subsection{Modular Design}
%
% When designing a system from the bottom-up, small groups of components are selected to perform
% simple functions. These can be termed {\fgs}.
% When the failure mode behaviour, or symptoms of failure
% of a {\fg} are determined, it can be treated as a component in its own right.
%
% % Functional groups
% % are then brought together to form more complex and higher level {\fgs}.
% Used in this way the {\fg} has become a {\dc}. The symptoms of failure
% of the {\fg} can be considered the failure modes of its {\dc}.
% Derived~Components can be used to create higher level {\fgs}.
% Repeating this process will lead to identify-able higher level
% groups, often referred to as sub-systems. We can call the entire collection/hierarchy
% of sub-systems the system.
\section{The proposed Methodology}
\label{fmmdproc}
% Any new static failure mode methodology must ensure that it
% represents all component failure modes and it therefore should be bottom-up,
% starting with individual component failure modes.
To ensure that every component failure mode is represented, as criterion 2 requires, the new methodology must be bottom-up.
The proposed methodology is therefore a bottom-up process
starting with base~components.
%
Since we are only modelling failure modes, which could arise from
mechanical, electronic or software components,
criterion 3 is satisfied.
%
In order to address the state explosion problem, the process should be modular and hierarchical,
dealing with small groups of components at a time; this should address criterion 1.
%\paragraph{Outline of the Failure mode methodology.}
%
A {\em {\fg}} is defined as a small collection of components
that interact to provide
a function or task within a system.
%
In the proposed methodology components are collected into functional groups
and each component failure (and possibly each combination of simultaneous component failures) is considered in the
context of the {\fg}.
%% GARK
%
The component failures are termed {\em{\fcs}}. %`test~cases'.
For each {\fc}
there will be a corresponding resultant failure, or `symptom', from the perspective of the {\fg}.
%
% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
%
%From the perspective of the {\fg} failures of components will be symptoms.
It is conjectured that many symptoms will be common. That is to say
that component failures will often cause the same symptoms of failure
from the perspective of a {\fg}.
%
A common symptom collection stage is now applied. Here common symptoms are collected
from the results of the {\fcs}. Because {\fcs} may model combinations of simultaneous failures,
criterion 6 is satisfied.
%
With a collection of the {\fg} failure symptoms, we can create a {\em{\dc}}.
The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
This satisfies criterion 4, as we can now treat {\dcs} as pre-analysed
modules available for re-use.
By using {\dcs} in higher level functional groups, a hierarchy can be built representing
the failure mode behaviour of a system. Because the hierarchy maintains information
linking the symptoms to component failure modes (via {\fcs}), we have traceable
reasoning connections from base component failures to top level failures.
The traceability should satisfy criterion 5.
% ONTOLOGY - NO ROOM IN 6 PAGES OF PAPER
% \paragraph{Environmental Conditions, Operational States.}
%
% Any real world sub-system will exist in a variable environment
% and may have several modes of operation.
% In order to find all possible failures, a sub-system
% must be analysed for each operational state
% and environmental condition that could affect it.
% %
% A question is raised here: which objects should we
% associate the environmental and the operational states with ?
% There are three objects in our model to which these considerations could be applied.
% We could apply these conditions
% to {\fgs}, components, or {\dcs}.
%
% \paragraph {Environmental Conditions.}
%
% Environmental conditions are external to the
% {\fg} and are often things over which the system has no direct control
% ( e.g. ambient temperature, pressure or electrical interference levels).
% %
% Environmental conditions may affect different components in a {\fg}
% in different ways.
%
% For instance, a system may be specified for
% $0\oc$ to $85\oc$ operation, but some components
% may show failure behaviour between $60\oc$ and $85\oc$
% \footnote{Opto-isolators typically show marked performance decrease after
% $60\oc$ \cite{tlp181}, whereas another common component, say a resistor, will be unaffected.}.
% Other components may operate comfortably within that whole temperature range specified.
% Environmental conditions will have an effect on the {\fg} and the {\dc},
% but they will have specific effects on individual components.
%
% It seems obvious that
% environmental conditions should apply to components.
% %A component will hold a set of environmental states that
% %affect it.
%
% \paragraph {Operational States}
%
% Sub-systems may have specific operational states.
% These could be a general health level, such as
% normal operation, graceful degradation or lockout.
% Alternatively they could be self~checking sub-systems that are either in a normal, alarm/lockout or self~check state.
%
% Operational states are conditions that apply to some functional groups, not individual components.
%\section{The Non-Inverting Operational Amplifier}
\section{Non-Inverting Amplifier}
As an example, we consider a standard non-inverting op-amp~\cite{aoe}[p.234], shown in figure \ref{fig:noninvamp}.
\begin{figure}[h+]
\centering
%\includegraphics[width=100pt,keepaspectratio=true]{../../noninvopamp/noninv.png}
\includegraphics[width=100pt,keepaspectratio=true]{./noninv.png}
% noninv.jpg: 341x186 pixel, 72dpi, 12.03x6.56 cm, bb=0 0 341 186
\caption{Standard non inverting amplifier configuration}
\label{fig:noninvamp}
\end{figure}
The function of the resistors in this circuit is to set the amplifier gain.
They form a potential divider that feeds a fraction of the output back to the inverting (minus) input;
the op-amp drives its output until this fraction matches the voltage at the non-inverting input, giving the voltage gain ($G_v$)
defined by $ G_v = 1 + \frac{R2}{R1} $ at the output.
As the resistors work together to provide a specific function, that of a potential divider,
we can treat them as a functional group. This functional group has two members, $R1$ and $R2$.
Using the EN298 specification for resistor failure~\cite{en298}[App.A],
we can assign failure modes of $OPEN$ and $SHORT$ to the resistors.
\ifthenelse {\boolean{dag}}
{
We represent a resistor and its failure modes as a directed acyclic graph (DAG)
(see figure \ref{fig:rdag}).
\begin{figure}[h+]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (R) at (0,-0.8) {$R$};
\node[failure] (RSHORT) at (\layersep,-0) {$R_{SHORT}$};
\node[failure] (ROPEN) at (\layersep,-1.6) {$R_{OPEN}$};
\path (R) edge (RSHORT);
\path (R) edge (ROPEN);
\end{tikzpicture}
\caption{DAG representing a resistor and its failure modes}
\label{fig:rdag}
\end{figure}
}
{
}
Thus $R1$ has failure modes $\{R1\_OPEN, R1\_SHORT\}$ and $R2$ has failure modes $\{R2\_OPEN, R2\_SHORT\}$.
%\clearpage
%\paragraph{Failure Mode Analysis of the Potential Divider}
\ifthenelse {\boolean{pld}}
{
Modelling this as a functional group, we can draw a simple closed curve
to represent each failure mode, taken from the components R1 and R2,
in the potential divider, shown in figure \ref{fig:fg1}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/fg1.png}
% fg1.jpg: 430x271 pixel, 72dpi, 15.17x9.56 cm, bb=0 0 430 271
\caption{potential divider `functional group' failure modes}
\label{fig:fg1}
\end{figure}
}
{
}
% \ifthenelse {\boolean{dag}}
% {
% Modelling this as a functional group, we can draw a directed graph
% of failure modes, starting from the components R1 and R2,
% in the potential divider, as shown in figure \ref{fig:fg1dag}.
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (R1) at (0,-4) {$R_1$};
% \node[component] (R2) at (0,-6) {$R_2$};
%
% \node[failure] (R1SHORT) at (\layersep,-2) {$R1_{SHORT}$};
% \node[failure] (R1OPEN) at (\layersep,-4) {$R1_{OPEN}$};
%
% \node[failure] (R2SHORT) at (\layersep,-6) {$R2_{SHORT}$};
% \node[failure] (R2OPEN) at (\layersep,-8) {$R2_{OPEN}$};
%
% \path (R1) edge (R1SHORT);
% \path (R1) edge (R1OPEN);
%
% \path (R2) edge (R2SHORT);
% \path (R2) edge (R2OPEN);
%
% % Potential divider failure modes
% %
% %\node[symptom] (PDHIGH) at (\layersep*2,-4) {$PD_{HIGH}$};
% %\node[symptom] (PDLOW) at (\layersep*2,-6) {$PD_{LOW}$};
%
% %\path (R1OPEN) edge (PDHIGH);
% %\path (R2SHORT) edge (PDHIGH);
%
% %\path (R2OPEN) edge (PDLOW);
% %\path (R1SHORT) edge (PDLOW);
%
% \end{tikzpicture}
%
% \caption{DAG representing the functional group `Potential Divider'}
% \label{fig:fg1dag}
% \end{figure}
% }
% {
% }
We look at each of these base component failure modes,
and determine how they affect the operation of the potential divider.
%Each failure mode scenario we look at will be given a test case number,
%which is represented on the diagram, with an asterisk marking
%which failure modes is modelling (see figure \ref{fig:fg1a}).
\ifthenelse {\boolean{pld}}
{
Each labelled asterisk in the diagram represents a failure mode scenario.
The failure mode scenarios are given {\fc} numbers, and an example to clarify this follows
in table~\ref{pdfmea}.
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/fg1a.png}
% fg1a.jpg: 430x271 pixel, 72dpi, 15.17x9.56 cm, bb=0 0 430 271
\caption{potential divider with {\fcs}}
\label{fig:fg1a}
\end{figure}
}
{
}
\ifthenelse {\boolean{dag}}
{
For this example we look at single failure modes only.
For each failure mode in our {\fg} `potential~divider'
we can assign a {\fc} number (see table \ref{pdfmea}).
Each {\fc} is analysed to determine the `symptom', i.e. its effect on the potential divider's operation. For instance
if resistor $R_1$ were to go open, then the divider would no longer be grounded and
its output voltage would float high (+ve).
The symptom of the failed potential divider would therefore be that it
gives a high voltage output.
From table \ref{pdfmea} we can see that the resistor
failure modes lead to some common symptoms.
By drawing directed edges, from the failure modes to the symptoms
we can show the relationships between the component failure modes and resultant symptoms.
%The {\fg} can now be considered a derived component.
This is represented in the DAG in figure \ref{fig:fg1adag}.
\begin{figure}[h]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (R1) at (0,-0.7) {$R_1$};
\node[component] (R2) at (0,-1.9) {$R_2$};
\node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$};
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-0.7) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-2.2) {$PD_{LOW}$};
\path (R1OPEN) edge (PDHIGH);
\path (R2SHORT) edge (PDHIGH);
\path (R2OPEN) edge (PDLOW);
\path (R1SHORT) edge (PDLOW);
\end{tikzpicture}
\caption{Failure symptoms of the `Potential Divider'}
\label{fig:fg1adag}
\end{figure}
}
{
}
{ \small
\begin{table}[ht]
\caption{Potential Divider: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
\textbf{Fault} & \textbf{Pot.Div} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{Effect} & \textbf{Description} \\
% R & wire & res + & res - & description
\hline
\hline
FS1: $R_1$ SHORT & LOW & LowPD \\
FS2: $R_1$ OPEN & HIGH & HighPD \\ \hline
FS3: $R_2$ SHORT & HIGH & HighPD \\
FS4: $R_2$ OPEN & LOW & LowPD \\ \hline
\hline
\end{tabular}
\label{pdfmea}
\end{table}
}
\ifthenelse {\boolean{pld}}
{
We can now collect the symptoms of failure. From the four base component failure modes, we now
have two symptoms, where the potential divider will give an incorrect low voltage (which we can term $LowPD$)
or an incorrect high voltage (which we can term $HighPD$).
We can represent the collection of these symptoms by drawing connecting lines between
the {\fcs} and naming them (see figure \ref{fig:fg1b}).
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/fg1b.png}
% fg1b.jpg: 430x271 pixel, 72dpi, 15.17x9.56 cm, bb=0 0 430 271
\caption{Collection of potential divider failure mode symptoms}
\label{fig:fg1b}
\end{figure}
%\page
We can now make a `derived component' to represent this potential divider.
This can be named \textbf{PD}.
This {\dc} will have two failure modes.
We can use the symbol $\bowtie$ to represent taking the analysed
{\fg} and creating from it, a {\dc}.
%We could represent it algebraically thus: $ \bowtie(PotDiv) =
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/dc1.png}
% dc1.jpg: 430x619 pixel, 72dpi, 15.17x21.84 cm, bb=0 0 430 619
\caption{From functional group to derived component}
\label{fig:dc1}
\end{figure}
}
{
}
\ifthenelse {\boolean{dag}}
{
We can now represent the potential divider as a {\dc}.
Because we have its symptoms (or failure mode behaviour),
we can treat these as the failure modes of a new {\dc}.
We can represent this as a DAG (see figure \ref{fig:dc1dag}).
\begin{figure}[h+]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (PD) at (0,-0.8) {$PD$};
\node[symptom] (PDHIGH) at (\layersep,-0) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep,-1.6) {$PD_{LOW}$};
\path (PD) edge (PDHIGH);
\path (PD) edge (PDLOW);
\end{tikzpicture}
\caption{DAG representing a Potential Divider (PD) and its failure symptoms}
\label{fig:dc1dag}
\end{figure}
}
{
}
The derived component is defined by its failure modes and
the functional group used to derive it.
%We can consider this an an orthogonal WHAT???? Group ???? Collection ????
We now have a {\dc} model for a generic potential divider, and can use it
as a building block for other {\fgs} in the same way as we used the base components $R1$ and $R2$.
%\clearpage
%\paragraph{Failure Mode Analysis of the OP-AMP}
Let us now consider the op-amp. According to
FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes, with the FMD-91 distribution between them:
latch-up (12.5\%), latch-down (6\%), no operation (31.3\%), low slew rate (50\%).
\nocite{mil1991}
\ifthenelse {\boolean{pld}}
{
We can represent these failure modes on a diagram (see figure~\ref{fig:op1}).
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/op1.png}
% op1.jpg: 406x221 pixel, 72dpi, 14.32x7.80 cm, bb=0 0 406 221
\caption{Op Amp failure modes}
\label{fig:op1}
\end{figure}
}
{
}
\ifthenelse {\boolean{dag}}
{
We can represent these failure modes on a DAG (see figure~\ref{fig:op1dag}).
\begin{figure}
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.4) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.6) {lowslew};
\path (OPAMP) edge (OPAMPLU);
\path (OPAMP) edge (OPAMPLD);
\path (OPAMP) edge (OPAMPNP);
\path (OPAMP) edge (OPAMPLS);
\end{tikzpicture}
% End of code
\caption{DAG representing failure modes of an Op-amp}
\label{fig:op1dag}
\end{figure}
}
{
}
%\clearpage
%\paragraph{Modelling the OP amp with the potential divider.}
We can now consider merging the op-amp and the potential divider to
form a {\fg} representing the non-inverting amplifier. Because we have the failure modes of the potential divider {\dc},
we do not need to go back to the individual resistor failure modes that defined its behaviour.
\ifthenelse {\boolean{pld}}
{
We can make a new functional group to represent the amplifier, by bringing the component \textbf{opamp}
and the component potential divider \textbf{PD} into a new functional group.
This functional group has the failure modes from the op-amp component, and the failure modes
from the potential divider {\dc}, represented by figure~\ref{fig:fgamp}.
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/fgamp.png}
% fgamp.jpg: 430x330 pixel, 72dpi, 15.17x11.64 cm, bb=0 0 430 330
\caption{Amplifier Functional Group}
\label{fig:fgamp}
\end{figure}
We can now place {\fcs} on this (note that this analysis considers single failure modes only;
where we want to model multiple failures, we can overlap contours and place the {\fcs} in the overlapping
regions), see figure~\ref{fig:fgampa}.
\begin{figure}[h+]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/fgampa.png}
% fgampa.jpg: 430x330 pixel, 72dpi, 15.17x11.64 cm, bb=0 0 430 330 hno
\caption{Amplifier Functional Group with {\fcs}}
\label{fig:fgampa}
\end{figure}
}
{
}
\ifthenelse {\boolean{dag}}
{
We can now create a {\fg} for the non-inverting amplifier
by bringing together the failure modes from \textbf{opamp} and \textbf{PD}.
Each of these failure modes will be given a {\fc} for analysis,
and this is represented in table \ref{ampfmea}.
}
{
}
%\clearpage
{\footnotesize
\begin{table}[h]
\caption{Non Inverting Amplifier: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
\textbf{Fault} & \textbf{Amplifier} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{Effect} & \textbf{Description} \\
% R & wire & res + & res - & description
\hline
\hline
FS1: $OPAMP$ & Output & AMPHigh \\
LatchUP & High & \\ \hline
FS2: $OPAMP$ & Output Low& AMPLow \\
LatchDown & Low gain & \\ \hline
FS3: $OPAMP$ & Output Low & AMPLow \\
No Operation & & \\ \hline
FS4: $OPAMP$ & Low pass & LowPass \\
Low Slew & filtering & \\ \hline
FS5: $PD$ & Output High & AMPHigh \\
LowPD & & \\ \hline
FS6: $PD$ & Output Low & AMPLow \\
HighPD & Low Gain & \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
}
Let us consider, for the sake of the example, that the voltage follower characteristics (gain of 1.0)
arising from FS2 and FS6 can be treated as low output from the amplifier for the application
in hand (say milli-volt signal amplification).
For this amplifier configuration we then have three failure modes: $AMPHigh$, $AMPLow$ and $LowPass$.%see figure~\ref{fig:fgampb}.
\ifthenelse {\boolean{pld}}
{
We can now derive a `component' to represent this amplifier configuration (see figure ~\ref{fig:noninvampa}).
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./noninvopamp/noninvampa.png}
% noninvampa.jpg: 436x720 pixel, 72dpi, 15.38x25.40 cm, bb=0 0 436 720
\caption{Non Inverting Amplifier Derived Component}
\label{fig:noninvampa}
\end{figure}
}
{
}
\ifthenelse {\boolean{dag}}
{
We can now expand the $PD$ {\dc} and have a full FMMD failure mode model
drawn as a DAG, which we can traverse to determine the possible causes of
the three high level symptoms, i.e. the failure~modes of the non-inverting amplifier.
Figure \ref{fig:noninvdag1} shows the fully expanded DAG, from which we can derive information
to assist in building models for the FTA, FMEA, FMECA and FMEDA failure mode analysis methodologies.
}
{
}
\begin{figure}
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
% Draw the input layer nodes
%\foreach \name / \y in {1,...,4}
% This is the same as writing \foreach \name / \y in {1/1,2/2,3/3,4/4}
% \node[component, pin=left:Input \#\y] (I-\name) at (0,-\y) {};
\node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
\node[component] (R1) at (0,-6) {$R_1$};
\node[component] (R2) at (0,-7.6) {$R_2$};
%\node[component] (C-3) at (0,-5) {$C^0_3$};
%\node[component] (K-4) at (0,-8) {$K^0_4$};
%\node[component] (C-5) at (0,-10) {$C^0_5$};
%\node[component] (C-6) at (0,-12) {$C^0_6$};
%\node[component] (K-7) at (0,-15) {$K^0_7$};
% Draw the hidden layer nodes
%\foreach \name / \y in {1,...,5}
% \path[yshift=0.5cm]
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
% Draw the output layer node
% % Connect every node in the input layer with every node in the
% % hidden layer.
% %\foreach \source in {1,...,4}
% % \foreach \dest in {1,...,5}
\path (OPAMP) edge (OPAMPLU);
\path (OPAMP) edge (OPAMPLD);
\path (OPAMP) edge (OPAMPNP);
\path (OPAMP) edge (OPAMPLS);
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
\path (R1OPEN) edge (PDHIGH);
\path (R2SHORT) edge (PDHIGH);
\path (R2OPEN) edge (PDLOW);
\path (R1SHORT) edge (PDLOW);
\node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
\node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
\node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
\path (PDLOW) edge (AMPHIGH);
\path (OPAMPLU) edge (AMPHIGH);
\path (PDHIGH) edge (AMPLOW);
\path (OPAMPNP) edge (AMPLOW);
\path (OPAMPLD) edge (AMPLOW);
\path (OPAMPLS) edge (AMPLP);
% %\node[symptom,pin={[pin edge={->}]right:Output}, right of=C-1a] (O) {};
% \node[symptom, right of=C-1a] (s1) {s1};
% \node[symptom, right of=C-2a] (s2) {s2};
%
%
%
% \path (C-2b) edge (s1);
% \path (C-1a) edge (s1);
%
% \path (C-2a) edge (s2);
% \path (C-1b) edge (s2);
%
% %\node[component, right of=s1] (DC) {$C^1_1$};
%
% %\path (s1) edge (DC);
% %\path (s2) edge (DC);
%
%
%
% % Connect every node in the hidden layer with the output layer
% %\foreach \source in {1,...,5}
% % \path (H-\source) edge (O);
%
% % Annotate the layers
% \node[annot,above of=C-1a, node distance=1cm] (hl) {Failure modes};
% \node[annot,left of=hl] {Base Components};
% \node[annot,right of=hl](s) {Symptoms};
%\node[annot,right of=s](dcl) {Derived Component};
\end{tikzpicture}
% End of code
\caption{Full DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
\label{fig:noninvdag1}
\end{figure}
% \ifthenelse {\boolean{dag}}
% {
%
% %% text for figure below
%
% The non-inverting amplifier can be drawn as a DAG using the
% results from table~\ref{ampfmea} (see~figure~\ref{fig:noninvdag0}).
% Note that the potential divider, $PD$, is treated as a component with a set of failure modes,
% and its error sources and analysis have been hidden in this diagram.
% $PD$ is considered to be a {\dc}.
%
% \begin{figure}
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
% \node[component] (OPAMP) at (0,-4) {$OPAMP$};
% \node[failure] (OPAMPLU) at (\layersep,-0) {latchup};
% \node[failure] (OPAMPLD) at (\layersep,-2) {latchdown};
% \node[failure] (OPAMPNP) at (\layersep,-4) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-6) {lowslew};
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
%
% \node[component] (PD) at (0,-9) {$PD$};
% \node[symptom] (PDHIGH) at (\layersep,-8) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep,-10) {$PD_{LOW}$};
% \path (PD) edge (PDHIGH);
% \path (PD) edge (PDLOW);
%
% \node[symptom] (AMPHIGH) at (\layersep*4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*4,-7) {$LOWPASS$};
%
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
%
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
% \end{tikzpicture}
% % End of code
% \caption{DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag0}
% \end{figure}
% }
% {
% }
%failure mode contours).
%\clearpage
%\clearpage
%\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)}
\ifthenelse {\boolean{pld}}
{
We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}.
With the information structured in this way, we can trace the high level failure mode symptoms
back to their potential causes.
}
{
}
%\paragraph{Worked example. Effect on State explosion.}
The potential divider {\dc} reduced the number of failures to consider from four to two.
The op-amp and potential divider modelled together reduced eight
base component failure modes to three failure symptoms.
%
In general,
because symptoms are collected, we can state
the number of failure symptoms for a {\fg} will be less than or equal to the number
of component failures.
% In practise the number of symptoms is usually around half the
%number of component failure modes, for each stage of FMMD analysis.
This methodology has also been applied elsewhere to the inverting amplifier configuration.
One can then use {\dcs} in more complex circuits, where the advantages of FMMD become more obvious
(such as $8^{th}$ order filters using four bi-quad op-amp stages).
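The following Python program is an added worked example and is not part of the original paper. It holds the FMMD hierarchy described above as a DAG, implements the $\bowtie$ step (a {\fg} whose {\fcs} have been collected into symptoms becomes a {\dc}), refuses to derive a component while any failure mode of the group is left unassigned to a symptom (the completeness property that a bottom-up method should let us check), and traverses from each top level symptom of the non-inverting amplifier down to the base component failure modes that can cause it. The component, failure mode and symptom names are those of figure~\ref{fig:noninvdag1} and table~\ref{ampfmea}; the class and function names are our own choice. It also reports the reductions quoted above: the four resistor failure modes of $PD$ become two symptoms, and the eight base component failure modes of the amplifier become three symptoms.

```python
# Added worked example (not the paper's own code): an FMMD hierarchy held as a
# DAG, with the bowtie step (functional group -> derived component) and a
# traversal from a top level symptom back to base component failure modes.
# Component, failure mode and symptom names follow the paper's non-inverting
# amplifier example; the class and function names are assumptions of ours.
from collections import deque


class FMMD:
    """Failure modes of every component (base or derived), plus the
    cause -> symptom edges recorded when a derived component is created."""

    def __init__(self):
        self.modes = {}       # component -> tuple of its failure modes
        self.group = {}       # derived component -> its functional group
        self.causes_of = {}   # (derived, symptom) -> set of (component, mode)

    def base(self, name, modes):
        """A base component: failure modes come from reference data (e.g. FMD-91)."""
        self.modes[name] = tuple(modes)

    def derive(self, name, functional_group, scenarios):
        """The bowtie step.  `scenarios` maps symptom -> [(component, mode), ...],
        i.e. the fault scenarios that were collected into that symptom.
        Every failure mode of every component in the group must be assigned to
        exactly one symptom, otherwise the single fault analysis is incomplete
        or inconsistent and no derived component is produced."""
        expected = {(c, m) for c in functional_group for m in self.modes[c]}
        assigned = [cm for fms in scenarios.values() for cm in fms]
        if len(assigned) != len(set(assigned)):
            raise ValueError("a failure mode is assigned to more than one symptom")
        missing = expected - set(assigned)
        unknown = set(assigned) - expected
        if missing or unknown:
            raise ValueError(f"unanalysed: {sorted(missing)}; "
                             f"not in group: {sorted(unknown)}")
        self.modes[name] = tuple(scenarios)          # symptoms are its failure modes
        self.group[name] = tuple(functional_group)
        for symptom, fms in scenarios.items():
            self.causes_of[(name, symptom)] = set(fms)
        return name

    def is_base(self, component):
        return component not in self.group

    def causes(self, component, symptom):
        """Walk the DAG against the edge direction (symptom -> its causes) until
        only base component failure modes remain; returns that set."""
        found = set()
        todo = deque([(component, symptom)])
        while todo:
            node = todo.popleft()
            if self.is_base(node[0]):
                found.add(node)
            else:
                todo.extend(self.causes_of[node])
        return found

    def reduction(self, derived):
        """(failure modes entering the functional group, symptoms leaving it)."""
        n_in = sum(len(self.modes[c]) for c in self.group[derived])
        return n_in, len(self.modes[derived])


def non_inverting_amplifier():
    """Build the paper's example: R1, R2 -> PD; OPAMP, PD -> AMP."""
    m = FMMD()
    m.base("R1", ["Sh", "Op"])
    m.base("R2", ["Sh", "Op"])
    m.base("OPAMP", ["latchup", "latchdown", "noop", "lowslew"])   # FMD-91 list
    m.derive("PD", ["R1", "R2"], {                   # potential divider
        "PD_HIGH": [("R1", "Op"), ("R2", "Sh")],
        "PD_LOW":  [("R1", "Sh"), ("R2", "Op")],
    })
    m.derive("AMP", ["OPAMP", "PD"], {               # table ampfmea, FS1..FS6
        "AMP_HIGH": [("OPAMP", "latchup"), ("PD", "PD_LOW")],
        "AMP_LOW":  [("OPAMP", "latchdown"), ("OPAMP", "noop"), ("PD", "PD_HIGH")],
        "LOWPASS":  [("OPAMP", "lowslew")],
    })
    return m


if __name__ == "__main__":
    m = non_inverting_amplifier()
    for sym in m.modes["AMP"]:
        print(sym, "<-", sorted(m.causes("AMP", sym)))
    print("PD:", m.reduction("PD"), "AMP:", m.reduction("AMP"))
```

Because the analysis is single fault, every base failure mode returned by `causes` is on its own a cut set for that symptom. Conjunctions of failure modes (the overlapping contours mentioned earlier) would need a scenario keyed by a set of failure modes rather than a single one, which this example does not attempt.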
\subsection{Evaluation of FMMD}
%By applying the methodology in section \ref{fmmdproc}, the wishlist can
%now be evaluated for the proposed FMMD methodology.
We evaluate the FMMD method using the criteria in section \ref{fmmdreq}.
Table \ref{tbl:comparison} compares the current methodologies and FMMD using these criteria.
{ %\small
\begin{itemize}
\item{State explosion is reduced,}
%State Explosion is reduced,
because small collections of components are dealt with within functional groups,
which are used to create derived components, which are in turn used in a hierarchical manner.
\item{All component failure modes must be considered in the model.}
%All component failure modes must be considered in the model.
Since the proposed methodology is bottom-up,
this means that we can ensure/check that all component failure modes are handled.
\item{ It should be straightforward to integrate mechanical, electronic and software models,}
%It should be straight forward to integrate mechanical, electronic and software models,
because FMMD models in terms of failure modes only. % we have a generic failure mode entities to model.
%We can describe a mechanical, electrical or software component in terms of its failure modes.
%
Because of this
we can model and analyse integrated electromechanical systems, controlled by computers,
using a common notation.
\item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
%It should be re-usable, in that commonly used modules can be re-used in other designs/projects.
The hierarchical nature, taking {\fg}s and deriving components from them, means that
commonly used {\dcs} can be re-used in a design % (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used.
\item{ Formal basis: data should be available to produce mathematical proofs and traceability.}
%It should have a formal basis, data should be available to produce mathematical proofs
%for its results
Because the failure mode model of a system is a hierarchy of {\fg}s and {\dcs},
system level failure modes are traceable back down the fault tree to
component level failure modes.
%
This allows cut sets~\cite{nasafta}[Ch.1p3]
to be determined by traversing the DAG from top level events down to their causes.
% \item{ It should be capable of producing reliability and danger evaluation statistics.}
% The minimal cuts sets for the system level failures can have computed MTTF
% and danger evaluation statistics sourced from the component failure mode statistics~\cite{fmd91,mil1991}.
% \item{ It should be easy to use, ideally
% using a graphical syntax (as opposed to a formal mathematical one).}
% A modified form of constraint diagram (an extension of Euler diagrams) has
% been developed to support the FMMD methodology.
% This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
% advance a {\fg} to a {\dc}.
% \item{ From the top down the failure mode model should follow a logical de-composition of the functionality
% to smaller and smaller functional modules \cite{maikowski}.}
% The bottom-up approach fulfils the logical de-composition requirement, because the {\fg}s
% are built from components performing a given task.
%
\item{ Multiple failure modes (conjunction, where more than one failure mode is active)
may be modelled from the base component level up.}
%Multiple failure modes (conjunction) may be modelled from the base component level up.
By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with needing to
analyse all possible combinations of base level components
within a system are reduced.
% by an exponential order.
This is because the multiple failure modes considered
within {\fgs} have fewer failure modes to consider
at each FMMD stage.
Where appropriate, multiple simultaneous failures can be modelled by
introducing {\fcs} %test~cases
where the conjunction of failure modes is considered.
\end{itemize}
}
{ %\tiny
\begin{table}[ht]
\caption{Features of static Failure Mode analysis methodologies} % title of Table
%\centering % used for centering table
\begin{tabular}{||l|c|c|c|c|c||}
\hline \hline
% \textbf{Des.} & \textbf{FTA} & \textbf{FMEA} & \textbf{FMECA} & \textbf{FDEMA} & \textbf{FMMD} \\
\textbf{\tiny Des.} & \textbf{\tiny FTA} & \textbf{\tiny FMEA} & \textbf{\tiny FMECA} & \textbf{\tiny FMEDA} & \textbf{\tiny FMMD} \\
\textbf{\tiny Crit.} & \textbf{} & \textbf{} & \textbf{} & \textbf{} & \textbf{} \\
% R & wire & res + & res - & description
\hline
\hline
C1: % state exp
& partial & & & & $\tickYES$ \\ \hline
C2: % $\forall$ failures
& &$\tickYES$ & $\tickYES$ & $\tickYES$ & $\tickYES$ \\ \hline
C3: %mech,elec,s/w & $\tickYES$
& & & & & $\tickYES$ \\ \hline
C4: %modular
& & & & partial & $\tickYES$ \\ \hline
C5: %formal
& partial & partial & partial & partial & $\tickYES$ \\ \hline
C6: %multiple fm
& $\tickYES$ & & & partial & $\tickYES$ \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:comparison}
\end{table}
}
%\clearpage
\section{Conclusion}
%This new approach is called
Failure Mode Modular De-Composition (FMMD) is designed
to be a more rigorous and `data~complete' model than
the current four approaches.
%
That is,
from an FMMD model, we should be able to
derive outline models that the other four methodologies would have been
able to create. As this approach is modular, many of the results of
analysed components may be re-used in other projects, so
test efficiency is improved.
%Clearly the more complex the original system is the more benefit,
%i.e. less components and derived components, will be produced from decomposing the
%system into functional groups.
FMMD is based on generic failure modes, so it is not constrained to a
particular field. It can be applied to mechanical, electrical or software domains.
It can therefore be used to analyse systems comprised of electrical,
mechanical and software elements in one integrated model.
Furthermore the reasoning path is traceable. By being able to trace a
top level event down through derived components, to base component
failure modes, with each step annotated as {\fcs}, the model is easier to maintain.
The example used here is deliberately small for the purpose
of being presented in a six page paper. FMMD has been applied
to larger systems encompassing mechanical, electrical and software
elements. FMMD represents a new technique in that it
can address all the criteria in table~\ref{tbl:comparison}, whereas the other methodologies
can only cover some.
\paragraph{Future work}
\begin{itemize}
\item To provide bounds on the size of the state space for the application of the methodology to certain classes of systems.
\item To build a {\dcs} library of common electrical, mechanical and software models (i.e. a collection of worked example {\dcs}).
\item To provide formal generic translations from the constructed model of any given system to the other models.
\end{itemize}
%\today
%
{ %\tiny %\footnotesize
\bibliographystyle{plain}
\bibliography{vmgbibliography,mybib}
}
%\today
\end{document}