diff --git a/submission_thesis/CH2_FMEA/A10_thunderbolt.jpg b/submission_thesis/CH2_FMEA/A10_thunderbolt.jpg new file mode 100644 index 0000000..4451945 Binary files /dev/null and b/submission_thesis/CH2_FMEA/A10_thunderbolt.jpg differ diff --git a/submission_thesis/CH2_FMEA/ad_ford_pinto_mpg_red_3_1975.jpg b/submission_thesis/CH2_FMEA/ad_ford_pinto_mpg_red_3_1975.jpg new file mode 100644 index 0000000..c684d61 Binary files /dev/null and b/submission_thesis/CH2_FMEA/ad_ford_pinto_mpg_red_3_1975.jpg differ diff --git a/submission_thesis/CH2_FMEA/burntoutpinto.png b/submission_thesis/CH2_FMEA/burntoutpinto.png new file mode 100644 index 0000000..b5d0baf Binary files /dev/null and b/submission_thesis/CH2_FMEA/burntoutpinto.png differ diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex index 259bbea..fcf5d0d 100644 --- a/submission_thesis/CH2_FMEA/copy.tex +++ b/submission_thesis/CH2_FMEA/copy.tex @@ -1,4 +1,3 @@ -\section{Copy dot tex} EN61508:6\cite{en61508}[B.6.6] 
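Review bot: Dropping `\section{Copy dot tex}` in the `@@ -1,4 +1,3 @@` hunk of CH2_FMEA/copy.tex leaves the `EN61508:6\cite{en61508}[B.6.6]` line and the quotation that follows it with no heading above them, so in the compiled chapter the EN61508 definition of FMEA now appears before the first `\section{F.M.E.A.}` that the next hunk adds; either move `\section{F.M.E.A.}` up to this point or give the definition its own introductory heading so it sits inside the section it motivates. The binary images added in this diff (A10_thunderbolt.jpg, ad_ford_pinto_mpg_red_3_1975.jpg, burntoutpinto.png) match the `./CH2_FMEA/...` paths used by the later `\includegraphics` calls, which is consistent.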
@@ -9,27 +8,553 @@ of a system's components and determining the effects of these failures on the behaviour and safety of the system." \end{quotation}. -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text -sample text + +\section{F.M.E.A.} + +\subsection{FMEA} +%\tableofcontents[currentsection] + + + + + +\subsection{FMEA} +This talk introduces Failure Mode Effects Analysis, and the different ways it is applied. +These techniques are discussed, and then +a refinement is proposed, which is essentially a modularisation of the FMEA process. +% + +\begin{itemize} + \item Failure + \item Mode + \item Effects + \item Analysis +\end{itemize} + + + +% % \begin{itemize} +% \item Failure +% \item Mode +% \item Effects +% \item Analysis +% \end{itemize} + + +\subsection{FMEA basic concept} + + +\begin{itemize} + \item \textbf{F - Failures of given component} Consider a component in a system + \item \textbf{M - Failure Mode} Look at one of the ways in which it can fail (i.e. determine a component `failure~mode') + \item \textbf{E - Effects} Determine the effects this failure mode will cause to the system we are examining + \item \textbf{A - Analysis} Analyse how much impact this symptom will have on the environment/people/the system itsself +\end{itemize} + + + + + \subsection{ FMEA Example: Milli-volt reader} +Example: Let us consider a system, in this case a milli-volt reader, consisting +of instrumentation amplifiers connected to a micro-processor +that reports its readings via RS-232. 
+\begin{figure} + \centering + \includegraphics[width=175pt]{./CH2_FMEA/mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} + + + + + + + \subsection{FMEA Example: Milli-volt reader} +Let us perform an FMEA and consider how one of its resistors failing could affect +it. +For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry. +% \begin{figure} +% \centering +% \includegraphics[width=175pt]{./mvamp.png} +% % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +% \end{figure} + + + + + + + + \subsection{FMEA Example: Milli-volt reader} +% \begin{figure} +% \centering +% \includegraphics[width=80pt]{./mvamp.png} +% % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +% \end{figure} +\begin{itemize} + \item \textbf{F - Failures of given component} The resistor (R1) could fail by going OPEN or SHORT (EN298 definition). + \item \textbf{M - Failure Mode} Consider the component failure mode SHORT + \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING + \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading +\end{itemize} + + + + + +Note here that we have had to look at the failure~mode +in relation to the entire circuit. +We have used intuition to determine the probable +effect of this failure mode. +We have not examined this failure mode +against every other component in the system. +Perhaps we should.... this would be a more rigorous and complete +approach in looking for system failures. + + + +\subsection{Rigorous FMEA - State Explosion} + + \subsection{Rigorous Single Failure FMEA} +Consider the analysis +where we look at all the failure modes in a system, and then +see how they can affect all other components within it. 
+ + + + +\subsection{Rigorous Single Failure FMEA} +We need to look at a large number of failure scenarios +to do this completely (all failure modes against all components). +This is represented in the equation below. %~\ref{eqn:fmea_state_exp}, +where $N$ is the total number of components in the system, and +$f$ is the number of failure modes per component. + + +\begin{equation} + \label{eqn:fmea_single} + N.(N-1).f % \\ + %(N^2 - N).f +\end{equation} + + + + +\subsection{Rigorous Single Failure FMEA} +This would mean an order of $N^2$ number of checks to perform +to undertake a `rigorous~FMEA'. Even small systems have typically +100 components, and they typically have 3 or more failure modes each. +$100*99*3=29,700$. + + + + + + + \subsection{Rigorous Double Failure FMEA} +For looking at potential double failure scenarios (two components +failing within a given time frame) and the order becomes +$N^3$. + +\begin{equation} + \label{eqn:fmea_double} + N.(N-1).(N-2).f % \\ + %(N^2 - N).f +\end{equation} + +$100*99*98*3=2,910,600$. + + +.\\ + +The European Gas burner standard (EN298:2003), demands the checking of +double failure scenarios (for burner lock-out scenarios). + + + + +\subsection{Four main Variants of FMEA} + \begin{itemize} + \item \textbf{PFMEA - Production} Car Manufacture etc + \item \textbf{FMECA - Criticallity} Military/Space + \item \textbf{FMEDA - Statistical safety} EN61508/IOC1508 Safety Integrity Levels + \item \textbf{DFMEA - Design or static/theoretical} EN298/EN230/UL1998 +\end{itemize} + + + + + +\section{PFMEA - Production FMEA : 1940's to present} + + + \subsection{PFMEA} +Production FMEA (or PFMEA), is FMEA used to prioritise, in terms of +cost, problems to be addressed in product production. + +It focuses on known problems, determines the +frequency they occur and their cost to fix. +This is multiplied together and called an RPN +number. +Fixing problems with the highest RPN number +will return most cost benefit. 
+ + + + + +% benign example of PFMEA in CARS - make something up. +\subsection{PFMEA Example} + + +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline +% rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ +% ruptured f.tank & & & & \\ \hline + + +\hline +\end{tabular} +\end{table} + + +%Savings: 180 burn deaths, 180 serious burn injuries, 2,100 burned vehicles. Unit Cost: $200,000 per death, $67,000 per injury, $700 per vehicle. +%Total Benefit: 180 X ($200,000) + 180 X ($67,000) + $2,100 X ($700) = $49.5 million. +%COSTS +%Sales: 11 million cars, 1.5 million light trucks. +%Unit Cost: $11 per car, $11 per truck. +%Total Cost: 11,000,000 X ($11) + 1,500,000 X ($11) = $137 million. 
+ + + + + + + + +%\subsection{Production FMEA : Example Ford Pinto : 1975} + + \subsection{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=300pt]{./CH2_FMEA/ad_ford_pinto_mpg_red_3_1975.jpg} + % ad_ford_pinto_mpg_red_3_1975.jpg: 720x933 pixel, 96dpi, 19.05x24.69 cm, bb=0 0 540 700 + \caption{Ford Pinto Advert} + \label{fig:fordpintoad} +\end{figure} + + + + + + \subsection{PFMEA Example: Ford Pinto: 1975} + +\begin{figure}[h] + \centering + \includegraphics[width=300pt]{./CH2_FMEA/burntoutpinto.png} + % burntoutpinto.png: 376x250 pixel, 72dpi, 13.26x8.82 cm, bb=0 0 376 250 + \caption{Burnt Out Pinto} + \label{fig:burntoutpinto} +\end{figure} + + + + + + + \subsection{PFMEA Example: Ford Pinto: 1975} + +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Mode} & \textbf{P} & \textbf{Cost} & \textbf{Symptom} & \textbf{RPN} \\ \hline \hline + relay 1 n/c & $1*10^{-5}$ & 38.0 & indicators fail & 0.00038 \\ \hline + relay 2 n/c & $1*10^{-5}$ & 98.0 & doorlocks fail & 0.00098 \\ \hline + rear end crash & $14.4*10^{-6}$ & 267,700 & fatal fire & 3.855 \\ + ruptured f.tank & & & allow & \\ \hline + + rear end crash & $1$ & $11$ & recall & 11.0 \\ + ruptured f.tank & & & fix tank & \\ \hline + +\hline +\end{tabular} +\end{table} + + + + http://www.youtube.com/watch?v=rcNeorjXMrE + + + + + + +\section{FMECA - Failure Modes Effects and Criticality Analysis} + + + + +\subsection{ FMECA - Failure Modes Effects and Criticallity Analysis} +\begin{figure} + \centering + %\includegraphics[width=100pt]{./military-aircraft-desktop-computer-wallpaper-missile-launch.jpg} + \includegraphics[width=300pt]{./CH2_FMEA/A10_thunderbolt.jpg} + % military-aircraft-desktop-computer-wallpaper-missile-launch.jpg: 1024x768 pixel, 300dpi, 8.67x6.50 cm, bb=0 0 246 184 + \caption{A10 Thunderbolt} + \label{fig:f16missile} +\end{figure} 
+Emphasis on determining criticality of failure. +Applies some Bayesian statistics (probabilities of component failures and those thereby causing given system level failures). + + + + +\subsection{ FMECA - Failure Modes Effects and Criticality Analysis} +Very similar to PFMEA, but instead of cost, a criticality or +seriousness factor is ascribed to putative top level incidents. +FMECA has three probability factors for component failures. + +\textbf{FMECA ${\lambda}_{p}$ value.} +This is the overall failure rate of a base component. +This will typically be the failure rate per million ($10^6$) or +billion ($10^9$) hours of operation. reference MIL1991. + +\textbf{FMECA $\alpha$ value.} +The failure mode probability, usually denoted by $\alpha$ is the probability of +a particular failure~mode occurring within a component. reference FMD-91. +%, should it fail. +%A component with N failure modes will thus have +%have an $\alpha$ value associated with each of those modes. +%As the $\alpha$ modes are probabilities, the sum of all $\alpha$ modes for a component must equal one. + + + +\subsection{ FMECA - Failure Modes Effects and Criticality Analysis} +\textbf{FMECA $\beta$ value.} +The second probability factor $\beta$, is the probability that the failure mode +will cause a given system failure. +This corresponds to `Bayesian' probability, given a particular +component failure mode, the probability of a given system level failure. + +\textbf{FMECA `t' Value} +The time that a system will be operating for, or the working life time of the product is +represented by the variable $t$. +%for probability of failure on demand studies, +%this can be the number of operating cycles or demands expected. + +\textbf{Severity `s' value} +A weighting factor to indicate the seriousness of the putative system level error. +%Typical classifications are as follows:~\cite{fmd91} + +\begin{equation} + C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . 
{s} +\end{equation} + +Highest $C_m$ values would be at the top of a `to~do' list +for a project manager. + + + + +\section{FMEDA - Failure Modes Effects and Diagnostic Analysis} + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +% \begin{figure} +% \centering +% \includegraphics[width=200pt]{./SIL.png} +% % SIL.jpg: 350x286 pixel, 72dpi, 12.35x10.09 cm, bb=0 0 350 286 +% \caption{SIL requirements} +% \end{figure} + + + + + + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} + +\begin{itemize} + \item \textbf{Statistical Safety} Safety Integrity Level (SIL) standards (EN61508/IOC5108). + \item \textbf{Diagnostics} Diagnostic or self checking elements modelled + \item \textbf{Complete Failure Mode Coverage} All failure modes of all components must be in the model + \item \textbf{Guidelines} To system architectures and development processes +\end{itemize} + +FMEDA is the methodology behind statistical (safety integrity level) +type standards (EN61508/IOC5108). +It provides a statistical overall level of safety +and allows diagnostic mitigation for self checking etc. +It provides guidelines for the design and architecture +of computer/software systems for the four levels of +safety Integrity. +%For Hardware +% +FMEDA does force the user to consider all hardware components in a system +by requiring that a MTTF value is assigned for each failure~mode; +the MTTF may be statistically mitigated (improved) +if it can be shown that self-checking will detect failure modes. +For software it provides procedural quality guidelines and constraints (such as forbidding certain +programming languages and/or features. 
+ + + + + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Failure Mode Classifications in FMEDA.} + \begin{itemize} + \item \textbf{Safe or Dangerous} Failure modes are classified SAFE or DANGEROUS + \item \textbf{Detectable failure modes} Failure modes are given the attribute DETECTABLE or UNDETECTABLE + \item \textbf{Four attributes to Failure Modes} All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) + \item \textbf{Four statistical properties of a system} \\ +$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$ +\end{itemize} + +% Failure modes are classified as Safe or Dangerous according +% to the putative system level failure they will cause. +% The Failure modes are also classified as Detected or +% Undetected. +% This gives us four level failure mode classifications: +% Safe-Detected (SD), Safe-Undetected (SU), Dangerous-Detected (DD) or Dangerous-Undetected (DU), +% and the probabilistic failure rate of each classification +% is represented by lambda variables +% (i.e. $\lambda_{SD}$, $\lambda_{SU}$, $\lambda_{DD}$, $\lambda_{DU}$). + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Diagnostic Coverage.} +The diagnostic coverage is simply the ratio +of the dangerous detected probabilities +against the probability of all dangerous failures, +and is normally expressed as a percentage. $\Sigma\lambda_{DD}$ represents +the percentage of dangerous detected base component failure modes, and +$\Sigma\lambda_D$ the total number of dangerous base component failure modes. 
+ +$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$ + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +The \textbf{diagnostic coverage} for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of +safe detected base component failure modes, +and $\Sigma\lambda_S$ the total number of safe base component failure modes, +is given as + +$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$ + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +\textbf{Safe Failure Fraction.} +A key concept in FMEDA is Safe Failure Fraction (SFF). +This is the ratio of safe and dangerous detected failures +against all safe and dangerous failure probabilities. +Again this is usually expressed as a percentage. + +$$ SFF = \big( \Sigma\lambda_S + \Sigma\lambda_{DD} \big) / \big( \Sigma\lambda_S + \Sigma\lambda_D \big) $$ + +SFF determines how proportionately fail-safe a system is, not how reliable it is ! +Weakness in this philosophy; adding extra safe failures (even unused ones) improves the SFF. + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +To achieve SIL levels, diagnostic coverage and SFF levels are prescribed along with +hardware architectures and software techniques. +The overall the aim of SIL is classify the safety of a system, +by statistically determining how frequently it can fail dangerously. 
+ + + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +{ +\begin{table}[ht] +\caption{FMEA Calculations} % title of Table +%\centering % used for centering table +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{SIL} & \textbf{Low Demand} & \textbf{Continuous Demand} \\ + & Prob of failing on demand & Prob of failure per hour \\ \hline \hline + 4 & $ 10^{-5}$ to $< 10^{-4}$ & $ 10^{-9}$ to $< 10^{-8}$ \\ \hline + 3 & $ 10^{-4}$ to $< 10^{-3}$ & $ 10^{-8}$ to $< 10^{-7}$ \\ \hline + 2 & $ 10^{-3}$ to $< 10^{-2}$ & $ 10^{-7}$ to $< 10^{-6}$ \\ \hline + 1 & $ 10^{-2}$ to $< 10^{-1}$ & $ 10^{-6}$ to $< 10^{-5}$ \\ \hline + +\hline +\end{tabular} +\end{table} + +Table adapted from EN61508-1:2001 [7.6.2.9 p33] + + + +\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis} +FMEDA is a modern extension of FMEA, in that it will allow for +self checking features, and provides detailed recommendations for computer/software architecture. +It has a simple final result, a Safety Integrity Level (SIL) from 1 to 4 (where 4 is safest). + +%FMEA can be used as a term simple to mean Failure Mode Effects Analysis, and is +%part of product approval for many regulated products in the EU and the USA... + + + + + + +\section{FMEA used for Safety Critical Approvals} + + +\subsection{DESIGN FMEA: Safety Critical Approvals FMEA} +\begin{figure}[h] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{./CH2_FMEA/tech_meeting.png} + % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 + \caption{FMEA Meeting} + \label{fig:tech_meeting} +\end{figure} +Static FMEA, Design FMEA, Approvals FMEA + +Experts from Approval House and Equipment Manufacturer +discuss selected component failure modes +judged to be in critical sections of the product. 
+ + + + + + +\subsection{DESIGN FMEA: Safety Critical Approvals FMEA} + +% \begin{figure}[h] +% \centering +% \includegraphics[width=70pt,keepaspectratio=true]{./tech_meeting.png} +% % tech_meeting.png: 350x299 pixel, 300dpi, 2.97x2.53 cm, bb=0 0 84 72 +% \caption{FMEA Meeting} +% \label{fig:tech_meeting} +% \end{figure} + +\begin{itemize} + \item Impossible to look at all component failures let alone apply FMEA rigorously. + \item In practise, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented. + \item Often Meeting notes or minutes only. Unusual for detailed arguments to be documented. +\end{itemize} + diff --git a/submission_thesis/CH2_FMEA/mvamp.png b/submission_thesis/CH2_FMEA/mvamp.png new file mode 100644 index 0000000..be51da7 Binary files /dev/null and b/submission_thesis/CH2_FMEA/mvamp.png differ diff --git a/submission_thesis/CH2_FMEA/tech_meeting.png b/submission_thesis/CH2_FMEA/tech_meeting.png new file mode 100644 index 0000000..c25606b Binary files /dev/null and b/submission_thesis/CH2_FMEA/tech_meeting.png differ diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 2d411cd..9fb37a3 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex 
@@ -4,3 +4,42 @@ \section{Reasoning Distance} \section{Comparison Complexity} + + +\section{FMEA - General Criticism} + +\subsection{FMEA - General Criticism} + +\begin{itemize} + \item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's. + \item Reasoning Distance - component failure to system level symptom + \item State explosion - impossible to perform rigorously + \item Difficult to re-use previous analysis work + \item Very Difficult to model simultaneous failures. + +\end{itemize} + +% + + + + +\subsection{FMEA - Better Methodology - Wish List} + + +\subsection{FMEA - Better Metodology - Wish List} + +\begin{itemize} + + \item State explosion + \item Rigorous (total coverage) + \item Reasoning Traceable + \item Re-useable + \item Simultaneous failures + % \item +\end{itemize} + +%FMEDA is a modern extension of FMEA, in that it will allow for +%self checking features, and provides detailed recommendations for computer/software architecture, +%but +
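Review bot: In the `@@ -9,27 +8,553 @@` hunk of CH2_FMEA/copy.tex, the SIL table subsection opens a bare `{` on the line before `\begin{table}[ht]` and never closes it, so the group runs to the end of the file (LaTeX will report an `\end` occurring inside a group); delete that `{`. The same table reuses `\caption{FMEA Calculations}` and the five-column spec `\begin{tabular}{|| l | l | c | c | l ||}` copied from the PFMEA tables even though its rows have three cells, which draws two empty ruled columns; give it its own caption and `{|| l | l | l ||}`. Cross-references are inconsistent: the single-failure equation is labelled `eqn:fmea_single` while the commented ref before it points at `eqn:fmea_state_exp`, the double-failure equation carries the stale comment `%(N^2 - N).f` from the single-failure one, the A10 Thunderbolt figure is labelled `fig:f16missile`, and the mvamp.png figure has no caption or label at all. On the double-failure count `N.(N-1).(N-2).f`: two components fail and each has `f` modes, so please check whether the factor should be `f^2` rather than `f`, and state the counting argument in the text either way. The slide-deck origin shows through: the prose says "This talk introduces", `\subsection{FMEA}` appears twice back to back (the first containing only a commented `\tableofcontents`), `\subsection{Rigorous FMEA - State Explosion}` has no body, and the milli-volt, Rigorous Single Failure and FMEDA subsection titles repeat up to eight times; merge each run into one subsection. Smaller items: "itsself", "Criticallity" (both in the variant list and the FMECA heading), "IOC1508" versus "IOC5108" (presumably IEC 61508 in both places), "The overall the aim of SIL is classify", an unclosed parenthesis after "forbidding certain programming languages and/or features", a stray `.\\` after the double-failure example, plain-text "reference MIL1991" and "reference FMD-91" where the `\cite{fmd91}` is commented out, the bare YouTube URL that should be wrapped in `\url{}`, `$1*10^{-5}$` and `C_m = {\beta} . {\alpha} . {{\lambda}_p} . {t} . {s}` which should use `\times` or `\cdot`, and `$$...$$` display math that should be `\[...\]` in LaTeX.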
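Review bot: In the `@@ -4,3 +4,42 @@` hunk of CH3_FMEA_criticism/copy.tex, `\subsection{FMEA - Better Methodology - Wish List}` is immediately followed by a bodiless duplicate `\subsection{FMEA - Better Metodology - Wish List}` that also misspells the title; keep one heading, spelled "Methodology". The first wish-list item, `\item State explosion`, lists the problem as if it were a desired property alongside "Rigorous (total coverage)" and "Re-useable"; reword it as the requirement (for example "Avoids state explosion"). The commented-out FMEDA sentence at the end, ending in `%but`, is copied from CH2 and dangles; drop it. Minor: "1940's" should be "1940s", "Re-useable" should be "Reusable", the "Very Difficult to model simultaneous failures." item is the only one with a trailing full stop, and the context sections `\section{Reasoning Distance}` and `\section{Comparison Complexity}` still have no body.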