Failure modes and effects analysis of complex engineering systems using functional models


PII: S0954-1810(97)10011-5

Artificial Intelligence in Engineering 12 (1998) 375–397. © 1998 Elsevier Science Limited. All rights reserved. Printed in Great Britain. 0954-1810/98/$19.00

P. G. Hawkins & D. J. Woollons
University of Exeter, School of Engineering, North Park Road, Exeter, EX4 4QF, UK

A set of models developed by Chittaro for fault diagnosis is extended to represent more complex engineering systems. A novel methodology for qualitative reasoning about behaviour change has been developed for the purpose of failure modes and effects analysis, to cope with complete and partial failure modes. The method is demonstrated on an electrically driven gear pump. A further extension is the ability to cope with control systems by distinguishing the function of two closed loop control schemes. Different types of failure of the control scheme can be identified by analysing three different responses of the faulty plant. This method is demonstrated on a manufactured aerospace component called a fuel-metering unit controlled by a negative feedback control scheme. © 1998 Elsevier Science Limited. All rights reserved.

Key words: failure analysis, qualitative reasoning, causal reasoning, functional modeling, FMEA, QRED.

1 INTRODUCTION

Reliability assessment is becoming established as an integral part of the design process of complex systems in high capital cost and high risk applications, such as aircraft subsystems. The purpose is to provide insight into the key areas of a system and to highlight potential problem areas so that they can be dealt with at the design stage of the project. This type of assessment allows comparisons to be made between competing system designs and provides a deeper understanding of their construction and operation, all of which helps to improve system safety. This information can be utilized to formulate detailed operational and maintenance manuals and procedures, as well as being fed forward to improve the safety and reliability of subsequent designs.

An analysis of current failure modes and effects analysis (FMEA) practice has shown that the greatest criticism is the inability of FMEA to influence design, because the timescale of the analysis often exceeds the design/development phase. It is, therefore, often the case that FMEA is seen not as a design tool but solely as a deliverable to the customer. To reduce the total time for an FMEA, an automated approach is sought.

Section 2 describes the FMEA process with reference to related work. Section 3 describes some existing knowledge representation schemes. Section 4 illustrates the set of functional models developed by Chittaro and the modifications made for FMEA use. Section 5 describes how faults are represented in the model and lists the steps in the algorithm for determining qualitative differences in system behaviour. This procedure is demonstrated on an electrically driven gear pump. Section 6 demonstrates the procedure on a complex dynamic component and, finally, Section 7 presents the contributions of this paper and the limitations of the failure analysis.

2 BACKGROUND

Failure modes and effects analysis is the task of finding possible faults in a system and evaluating the consequence of each fault on the operational status of the system. One definition, given in the British Standards [1], is a method of reliability analysis intended to identify failures which have consequences affecting the functioning of a system. The analysis is carried out during the initial conception and design phases. It requires a deep understanding of the engineering system and often involves the development of functional diagrams and system schematic drawings. Failure modes and effects analysis has been tried and tested for many years in industry, especially the aeronautical industry. The analysis involves identifying potential component failure modes and evaluating the consequences of these on a system’s performance as a whole.

A large system can be composed of subsystems which are themselves made up of smaller subsystems, which can eventually be reduced to the smallest replaceable unit or part such as a bolt, pipe or seal. The highest level of detail is often referred to as the part level, with increasing levels of abstraction known as the sub-assembly, component, subsystem and system levels. Each stage of the analysis starts with known failure modes at one level and describes the effect on the next level up. The collection of these failure effects is then used as the failure modes for one device in a larger system. A complete analysis must span all these levels, indicating, for example, how a leaky pipe could affect the aircraft velocity.

The approach taken in this paper will concentrate on one stage in the whole of the FMEA process. This step is the functional part, where failure modes are identified on a number of sub-assemblies and the failure effect is described as the consequence on the overall operation of the component made up from these sub-assemblies. The type of sub-assembly could be any electrical, mechanical or hydraulic device which operates on the energy variables in these domains. The component itself could be feedback controlled and be made up of any number of smaller connected sub-assemblies.

2.1 Approach: hardware or functional

According to the Aerospace Recommended Practice [2] there are two main approaches to a design FMEA: the hardware approach and the functional approach. The two approaches complement one another because they provide a different amount of detail and are done at different times during the development of a system. The hardware approach is evaluated by considering the changes that occur in each hardware item in terms of behaviour changes. This would be done by considering the consequent effects of that failure on neighbouring component hardware. These changes would then be propagated to the next level up by relating the changes to the subsystem function. This process is repeated for each subsequent layer.
Since a hardware FMEA requires specific information about the type of components in the system and their individual properties, the analysis can only be done when the design has been adequately realized. However, the functional approach can be undertaken in the initial stages of the design process. The analysis is usually carried out during the initial conception and design phases and often involves the development of functional diagrams and system schematic drawings. This approach relies on the specification of the purposes and functions of each piece of equipment. The results of this approach are usually not as detailed as those of the hardware approach.

2.2 Related work

Research at the Knowledge Based Systems Group at Exeter University and the Fluid Power Centre at Bath University resulted in a software tool for simulating hydraulic circuits [3,4]. The diagnostic system for hydraulic circuits (DESHC) comprised a database of hydraulic and electrical components written in an object-oriented expert system. However, behaviour inconsistencies arose between individual component models, which initiated the research for a generalized model and technique which could be applied to encapsulate behaviour for engineering components. This paper presents the generalized model and qualitative algorithm. Other tools available today include FLAME [5], which can reason about electrical digital circuits, and an integrated reliability analysis system (IRAS) which uses existing reliability models with detailed numerical information to generate fault trees and failure modes and effects analysis [6].

2.3 Failure modes

Each failure mode is a fault that is to be considered for analysis. An FMEA examines the effect of many different failure modes in as many locations as possible. Failure modes occur at different levels of system aggregation. According to Dhillon [7] (p. 137) there are five basic failure modes associated with mechanical equipment. The failure modes are categorized according to the type of equipment and energy:

(1) fluid flow equipment (leakage and distorted flow);
(2) structural systems (fracture and excessive deflection);
(3) thermodynamic systems (overheating and reduction of efficiency);
(4) kinematic systems (bearing seizure and reduced accuracy of relative movement);
(5) material properties (incorrect material or geometry).

These failure modes originate at the lowest level of aggregation, where faults are considered on individual parts. Failure modes are not normally considered below this level. Instead, the cause of the failure mode may be identified, such as environmental effects including temperature, contamination and fatigue. The work in this paper begins the failure analysis at the next level of aggregation, where failure modes are considered on sub-assemblies. Typical failure modes at this level in the electrical domain include short circuits, open circuits, partial short circuits and partial open circuits, and their equivalents in the hydraulic domain are blockage and leakage.

2.4 Failure effects

The failure effect is a description of failure at the next level up on the scale of abstraction; for example, failure modes at the part level will be reviewed at the sub-assembly level. To do this, the engineer must put each observable phenomenon in context with the functions that contribute to the workings of a larger system. Since an FMEA spans several levels of abstraction, the engineer must have knowledge that spans these layers. The information used in each part of the scale is different. Failure effects can be classified, to a large extent, even before an FMEA is carried out. Knowing the types of undesired failure effects which may occur helps to limit the search and bound the FMEA problem. Sometimes failure effects may be revealed or enhanced during the analysis itself. The definition of the failure effect must not be ambiguous. Rolls Royce plc have a predefined table of failure effects for each device. For example, a valve can have up to 15 failure effects, ranging from failed open or closed to seized part open or instability.

3 KNOWLEDGE REPRESENTATION

If it were possible to represent and manipulate all the knowledge that reliability engineers use when they carry out FMEAs, the task of automating an FMEA would be more straightforward. The problem, therefore, is to discover the best representation for this task and to establish how best it can be used. A distinction between types of knowledge has been made in the field of Artificial Intelligence. According to Johnson [8] (cited in Ref. [9]) and Crowther et al. [10] there are two main types of knowledge, declarative and procedural. Declarative knowledge is information about objects (structure and behaviour) and procedural knowledge is information about performing tasks (how knowledge is used for a particular task).

There are a number of functional knowledge representation schemes, declarative in nature, that have been developed in the last 15 years. The first was multilevel flow modelling (MFM) [11]. Any system is represented by three levels which form a means to an end: the components realize the functions, which in turn attain the goals. The component level consists of physical parts and natural laws. The function level is the description of activity using a range of concepts such as mass transfer, energy flow, information and transition. Finally, goals are achieved by grouping activity from the function level.

An alternative to MFM is the goal tree–success tree (GT–ST) method [12]. The incentive for this representation was a method that could represent the function of any device by dividing its purpose into small observable and recognized parts. Each part of the representation structure would describe the function of a physical object in plain English. Groups of these goals are then logically related using AND and OR gates to form goals of systems containing these parts. This representation makes a powerful knowledge base for each part in the system and explains the consequence of a part failure on subsystems that are dependent on it. The initial effort in developing the GT–ST is dependent on the skill of the engineer, because a thorough knowledge of the system is required before the functional tree can be realized. There is also little re-usability, because the representation only describes the function without any underlying model, and the same device may serve different roles in different systems.

Some of the best elements of the previous methods are combined to form a functional representation [13]. The definition of function is supported by a number of physical models and a teleological model of the system, much the same as the MFM approach. The physical models represent energy flow information, in much the same way as the function level in the MFM model. The physical models are developed from structural information and natural laws governing the behaviour. The teleological model expresses the purpose of the device in a similar way to the GT–ST, but is more rigid and limited. In combination, the two models highlight how the action of a device achieves a purpose. The series of complementary models developed by Chittaro make it possible to represent the declarative knowledge for a wide range of complex engineering systems. The procedural knowledge can be represented by creating a unique set of algorithms or propagation rules that manipulate these models for FMEA.

4 DECLARATIVE KNOWLEDGE

This section will describe the set of functional models developed by Chittaro [13]. It is possible to represent a wide range of engineering systems with the models.

4.1 Overview

The function of a system is defined as the relation between its behaviour and the goals assigned to it by the designer. A functional model in Chittaro’s work includes a hierarchy of models consisting of:

• the functional role model (the system structure interpreted in terms of networks of operators acting on substances flowing through the system; e.g. electrons, heat, liquids);
• the functional process model (interprets how functional roles participate in physical processes);
• the phenomenon model (describes how inter-related functional process networks enable the occurrence of phenomena, such as oscillation);
• the teleological model (the system goals).

Each model encapsulates specific functional information and builds on the concepts from the previous one. The role model is derived by analysing the structure of a device and represents it in similar form to a resistive network. The process model is a description of activity using similar structures to those defined in Process Theory by Forbus [14]. The elements from the role model form the individuals for each process. The process model is enhanced by adding further conditions on the variables in the process that specify when the process is active and the relations that are true under these conditions. The phenomenon model is a further abstraction, linking processes together to form more complex behaviour patterns. The final model is a goal tree that forms the intended behaviour of the system in terms of processes and phenomena that should exist to achieve the system design. Chittaro uses these models with the intention of aiding fault diagnosis, called functional diagnosis using effort and flow (FDef) [15]. The task of FMEA requires different information. The method proposed in this paper specifically makes use of the role and teleological models to perform hardware FMEA. These models are explained in more detail in the following subsections, followed by some amendments and additional features that suit the purpose of fault analysis. Although the process and phenomenon models are not used at this stage, they may prove useful in later developments.

4.2 Example

Throughout the next two sections, a simple electronic circuit shown in Fig. 1 will be used to demonstrate the modelling concepts.

Fig. 1. Electronic circuit diagram.

4.3 Role model

The role model represents structural information much like a circuit diagram. However, it has the benefit of being capable of representing different energy domains with the same concepts. A hydraulic restrictor in a pipe or an electrical resistor in a circuit can be represented with the same notation. This type of representation is very similar to that used in bond graphs in Karnopp [16], where physical (power) variables called effort and flow are used as general terms to describe the system behaviour. The term function is applied because each element in the model is described functionally. Instead of resistance, the terms conduit and barrier are used to express the idea of transport, and the term generator is used to express input. The role model represents the type of connection (serial or parallel), the number of resistors, the number of storage devices and the causality. Each role element is identified with a number. The generators (ge, gf) indicate which physical variable is constant or influenced by another process. The conduit roles (cc, cf, ce, bf, be) are representations of resistance according to their structural relation and qualitative magnitude. The structural relation of the role to other roles is represented in the role itself. For example, the ce element is used to represent a conduit that is in parallel with another conduit and the cf element is used to represent a conduit in series with another. The magnitude of the resistance is either zero, finite or infinite. The two roles that indicate zero resistance are cc and be. The two roles that indicate finite resistance are cf and ce and, finally, the role that indicates infinite resistance is the bf role.

The reservoir roles (rq, rp) introduce the state variables of a device. There are two possible Newtonian mechanisms to store energy, potential and kinetic. When potential energy (rq) is stored, the effort variable is gradually converted to displacement, determined by a capacitive parameter. When kinetic energy (rp) is stored, the flow variable is gradually converted to impulse, determined by an inductive parameter.

There are two relations in the role model (mutual dependency and influence). Mutual dependency exists between roles that share the same physical variable. For example, two serial resistive roles are mutually dependent because, according to Ohm’s law, the current flowing through each resistor is the same. This definition would make each resistor in series or parallel mutually dependent with every other, which could result in a complex network. For simplicity, only one mutual dependency relation is shown between each resistor. When engineering systems cross domains, the role model expresses the connection by linking two elements from either domain. The influence relation expresses the concept of energy transfer between domains, for example when the speed of a pump produces flow rate, or when the armature of a motor receives torque from a current in a magnetic field. The role model for the circuit in Fig. 1 is shown in Fig. 2. The role model encapsulates information about components in a general form. The model represents physical connections in each component, which are reusable. Since these components can be joined with relations according to their connectivity in the system, the role model makes a powerful object-oriented representation.

4.4 Teleological model

The teleological model represents the designer’s intentions for the engineering system. It represents the purpose of the device by describing the expected tasks or goals that it should perform under fault-free conditions. The model assumes the structure of a success tree, which describes the system goal as sub-goals of its constituent components using Boolean logic.
Chittaro identifies several general goals (TRANSFER, ACCUMULATE, SENSE-RATE-OF, TRADUCE, CONTROL, KEEP) that can be reused for a wide range of applications. Some goals are simple expectations of movement, such as the TRANSFER goal. Others are more complex, involving feedback loops, as is the case of the KEEP goal. For each goal, there is an expected behaviour in the system. Chittaro associates a set of processes (phenomena) with each goal. For example, a TRANSFER goal can be fulfilled by a single transport process. A TRADUCE goal is associated with a charging process which regulates a transport process. Each goal is matched with its associated behaviour from the process and phenomenon model. This has been adapted in Section 4.5.4 so that each goal is linked to activity in the role model. This transfers the emphasis of behaviour from processes to specific roles.

Fig. 2. Role model for electronic circuit using Chittaro’s original representation.

Fig. 4. Relations on a role model.

4.5 Alterations

4.5.1 Roles

A major revision of the role model has been made to aid the fault propagation procedure. Instead of using cf and ce roles linked with mutual dependency to represent resistors in series and parallel, the notation c is used to represent a conduit of finite resistance. Instead of an ideal conduit (cc or be), the letter o is used to represent a conduit of zero resistance, and instead of a barrier (bf), the letter b is used to represent a conduit of infinite resistance. Each conduit is then linked with other conduits using two specific cases of the mutual dependency relation. Conduits that share the flow variable are linked by putting them in a serial set, and conduits that share the effort variable are linked by putting them into a parallel set (Fig. 3). A serial set has order between its conduit members and has a default flow direction (usually left to right). A parallel set is equivalent to a junction. The direction of influence from each generator needs to be added to the role model. Chittaro et al. [13] identified that a generator can either push or pull. A generator of magnitude above zero will push and a generator of magnitude below zero will pull. Pushing generators are indicated by ge>, gf>, <ge or <gf and pulling generators are indicated by >ge, >gf, ge< or gf<.

Fig. 3. Serial and parallel sets.

4.5.2 Relations

Chittaro identifies two types of influence relation [17]: a transduction influence, which indicates energy transfer, and a regulation influence, which indicates a change of resistance. The transduction influence has been expanded by adding an extra relation. The standard transduction influence has been modified so that it links only between two generators. This indicates the energy transfer between domains in both directions more clearly (see Fig. 4). The causality is important during the fault reasoning. In bond graph notation, the link between domains is identified as a transformer (TF) or a gyrator (GY). A transformer links two of the same variables from either domain (effort–effort, flow–flow) and a gyrator links opposite variables from either domain (flow–effort, effort–flow). For example, a pump transfers mechanical energy to hydraulic energy. The equation of flow generation for a pump (Pinches and Ashby [18], p. 16) gives a flow rate proportional to the pump speed. This is a flow-to-flow relationship and would be represented by an effort generator linked to a flow generator by an influence relation pointing from the mechanical domain to the hydraulic domain. The causality for a change in the opposite direction is quite different. When there is a blockage, for example, in the hydraulic domain, such that the pressure drop across the pump increases, an equivalent increase in torque is experienced in the mechanical domain. This ‘back effect’ is an effort-to-effort relationship. The four possible relations are:

• effort–effort, e.g. pressure to force transfer in an actuator (Bond graph = –TR–, Role model = <gf → ge>);
• flow–flow, e.g. speed to flow rate transfer in a gear pump (Bond graph = –TR–, Role model = <ge → gf>);
• effort–flow, e.g. force to velocity transfer in a gyroscope (Bond graph = –GY–, Role model = <gf → gf>);
• flow–effort, e.g. current to force transfer in an electric motor (Bond graph = –GY–, Role model = <ge → ge>).

In addition to the transduction influence, an extra relation called a signal has been added for completeness, in accordance with signals in bond graphs. The signal relation expresses the concept of a low power link between domains where information about an energy state is exchanged but little or no energy is transferred. An example of this could be a sensor. The signal relation can link a conduit to a generator. However, because there is no influencing generator, the signal relation does not indicate the variable that causes the energy change or which direction the energy will change. This is expressed with a ±f (flow variable) or ±e (effort variable) next to the signal. The sign indicates the direction of the energy change if the influencing conduit increases in energy.

The regulation influence has also been expanded. Chittaro defines the regulation influence as a relation which indicates that a position and momentum from one domain can cause a change of resistance. This is expressed as a relation from a reservoir to a conduit. A reservoir expresses the notion of energy storage, for example where force is proportional to position due to a capacitive parameter (F = −kx), as with a sprung valve, or where velocity is proportional to momentum due to an inductive parameter. There are some cases where energy is not stored. In these cases, position is not proportional to force. Instead, there is a dynamic integral relationship. For example, when a force is applied to an actuator, it causes a change in momentum. To obtain the position of the valve, the integral of the momentum is taken. For this reason, two integral relations are added: a position (q) and a momentum (p) relation. All regulation influences act on a conduit, barrier or ideal conduit. The sign (±) expresses how the resistance changes with energy or state. A positive relation will increase/decrease the resistance of the conduit as one of the power variables increases/decreases, and a negative relation decreases/increases the resistance of the conduit when the power increases/decreases, respectively.

4.5.3 Aggregation

Logically, a number of resistors in parallel or series are equivalent to one. For example, in Fig. 1 the two parallel resistors R2 and R3 can be aggregated to form one resistor in series with R1. Aggregations of resistors in parallel or series are formed to make aggregate conduits to aid the propagation of variables in the fault propagation procedure. Aggregation can occur for both serial and parallel conduits. Therefore, two aggregate conduits exist where a serial and a parallel set intersect, and are written one on top of the other.
One aggregate conduit (top) indicates the combined resistance of all the conduits in the parallel set and the other aggregate conduit (bottom) indicates the combined resistance of all the conduits in the serial set (obviously not including itself). This aids the fault reasoning process, since it is possible for the flow variable to flow in both directions for each serial set. Aggregation is shown in Fig. 5 for the electronic circuit example, where the aggregate conduit is represented as cc3. The bottom c is the resistance of R1 and the top c is the combined resistance of R2 and R3. Two separate terms are useful when the flow direction has not been resolved. For example, when the current flows from left to right in R1, as shown in the diagram, the resistance changes of the top conduit are used to estimate how the effort is shared between R1 and the combination of R2 and R3. If, however, ge1 were connected differently and the source of flow originated from R2 and R3, the current would be summed at the junction and flow through R1 from right to left, and the changes in the bottom conduit would be used to estimate the change of effort. The use of aggregate conduits mimics the way humans summarize sections of engineering systems. Although star and mesh topologies cannot be reduced, the effect on variables can be identified once the flow direction has been resolved. To find the aggregate resistance of a set, see Table 1.

Fig. 5. Role model for electronic circuit.

Untrue sets. Sets may be created that do not share flow or effort. If a parallel set contains only one conduit (and any number of barriers), it is not a true parallel set, since there is only one flow path. If a serial set contains only one conduit (and any number of ideal conduits), it is also not a true set, since the effort is not shared with other conduits.

4.5.4 Goals

Instead of mapping goals to processes, each goal is mapped to activity in the role model. The advantage of this is that goals can be associated more closely with hardware activity for the purpose of hardware FMEA. A functional FMEA can also be performed by associating goals with components, but the role models will inevitably be less elaborate. Therefore, for a steady-state system, each goal indicates the expected activity in a conduit under each operating mode. For example, one operation may expect the goal ‘extension of actuator’ and another operating mode may expect the goal ‘retraction of the actuator’, which both indicate velocity for the linear mechanical actuator conduit.

Feedback systems.
The KEEP goal is divided into two specific goals to describe two common uses, the LIMIT and the MAINTAIN/TRACK function. Each of these goals is a specification of a control scheme. An example of a tracking control scheme is a negative feedback control system (see Fig. 6), and an example of a limiting control scheme is a relief valve. A closed loop system consists of two main elements: an error derived between a desired reference value and the sensed value of the plant output (see the comparison in eqn (1)), and the plant itself. A controller may exist between the error and the plant to change the plant dynamics.

reference − feedback = error    (1)

The determination of the error is conditional on knowing the absolute reference signal and feedback signal. If the reference signal is assumed to be variable during the lifetime of the component, then it is assumed the derived error could be positive, zero or negative. The expected response of the plant for each error determines the function of the control system. The response of the plant is described by indicating the change of state that would have occurred after an infinite time period if the feedback loop were broken. For a negative feedback track function, the plant output is expected to be:

• minimum (0) for a negative error;
• unchanged (d = 0) for a zero error;
• maximum (max) for a positive error.

For an upper limiting function, the plant output is expected to follow that of a tracking function, except that the plant output will be unchanged for a negative error. The plant output for a lower limiting function is expected to follow that of a tracking function but will be left unchanged for positive errors. These responses are mapped on to state transition diagrams for the control system in Fig. 7. Some control systems may not be unbounded for each error. In this case, positive and negative errors will lead to an increase (d = +) or decrease (d = −) in plant state.

Table 1. Forming aggregate conduits from sets

  Condition                                                   Aggregate set
                                                              Series    Parallel
  1  All conduits are ideal                                   o         o
  2  All conduits are barriers                                b         b
  3  At least one conduit is a barrier                        b         unknown
  4  At least one conduit is ideal                            unknown   o
  5  No conduits are barriers, including at least one conduit c         unknown
  6  No conduits are ideal, including at least one conduit    unknown   c

Fig. 6. Block diagram for a negative feedback control system.
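The three control schemes of Section 4.5.4 reduce to a small table: the sign of the error from eqn (1) and the plant state expected once the loop is broken. The following Python is an added example, not code from the paper; it encodes that table for the TRACK, upper LIMIT and lower LIMIT functions (with the bounded variant that reports d = + / d = − instead of max / 0), derives the error sign from a reference and a feedback value, and reports which error cases an observed set of responses fails to meet. The function and scheme names, and the idea of asking which scheme an observed response pattern fits, are this example's own; the paper's failure classification for control loops is not reproduced here.

```python
"""Qualitative model of the tracking and limiting control schemes.

Added example (not the paper's own code). Value strings follow the text:
"0" = minimum, "max" = maximum, "d=0" / "d=+" / "d=-" = unchanged /
increase / decrease of plant state once the loop is broken.
"""

ERRORS = ("-", "0", "+")          # qualitative sign of the error of eqn (1)


def qualitative_error(reference: float, feedback: float) -> str:
    """Eqn (1): reference - feedback = error, reduced to its sign."""
    error = reference - feedback
    return "+" if error > 0 else "-" if error < 0 else "0"


def expected_response(scheme: str, extreme: bool = True) -> dict:
    """Expected plant state for each error sign if the feedback loop were
    broken and infinite time allowed.  extreme=True is the unbounded plant
    (drives to 0 / max); extreme=False the bounded one (d=- / d=+)."""
    low, high = ("0", "max") if extreme else ("d=-", "d=+")
    track = {"-": low, "0": "d=0", "+": high}
    if scheme == "track":
        return track
    if scheme == "upper_limit":          # e.g. a relief valve
        return {**track, "-": "d=0"}     # negative error leaves the plant alone
    if scheme == "lower_limit":
        return {**track, "+": "d=0"}     # positive error leaves the plant alone
    raise ValueError(f"unknown scheme {scheme!r}")


def deviations(scheme: str, observed: dict, extreme: bool = True) -> list:
    """Error signs for which the observed response differs from the scheme's
    expectation; an empty list means the control goal is still met."""
    expected = expected_response(scheme, extreme)
    return [e for e in ERRORS if observed.get(e) != expected[e]]


def matching_schemes(observed: dict, extreme: bool = True) -> list:
    """Which schemes the observed three responses fit (this example's own
    check: a faulty loop may behave like a different, weaker scheme)."""
    return [s for s in ("track", "upper_limit", "lower_limit")
            if not deviations(s, observed, extreme)]


def analyse_loop(scheme: str, reference: float, feedback: float,
                 observed_state: str) -> dict:
    """Derive the error sign from the two signals, then test the observed
    plant state against what the scheme expects for that sign."""
    e = qualitative_error(reference, feedback)
    expected = expected_response(scheme)[e]
    return {"error": e, "expected": expected, "observed": observed_state,
            "ok": expected == observed_state}


if __name__ == "__main__":
    # Constructed sample: a tracking loop commanded to 12 units with 10 sensed.
    print(analyse_loop("track", 12.0, 10.0, "max"))   # positive error, plant rises: ok
    print(analyse_loop("track", 12.0, 10.0, "d=0"))   # plant does not respond: not ok
    stuck = {"-": "0", "0": "d=0", "+": "d=0"}        # tracker that no longer rises
    print(deviations("track", stuck), matching_schemes(stuck))
```

Run as a script it prints the two loop checks and then shows that a tracker which no longer responds to positive error is indistinguishable, on these three responses, from a lower limiting scheme.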

5 PROCEDURAL KNOWLEDGE
The following section describes a method for determining the effect of a fault or failure mode using the declarative models described in Section 4.

Fig. 7. State transition diagrams for three different control schemes.

5.1 Behaviour analysis for steady state changes
A fault propagation algorithm has been devised to identify changes in behaviour using the role model. The algorithm relies on identifying qualitative differences in the magnitudes of the power variables between one steady state and another. The set of possible differences is: a decrease in value (d = −), an increase in value (d = +) or no change in value (d = 0). If the change is extreme, the absolute magnitude of the variable is used (zero or max). This procedure is referred to as qualitative reasoning using extreme and difference values (QRED). The analysis has been divided into four phases:
(1) introduce and represent a fault or change;
(2) update all aggregate conduits (aggregation);
(3) examine the effect of the fault on the dependent physical variables (backward propagation);
(4) consider the effect of the fault on influenced physical variables (forward propagation).

5.1.1 Insert fault
A fault can be introduced by changing one of the resistive elements in the role model or by changing the system input. To change the resistance, new conduits are introduced. A c+ means the conduit has increased in resistance and a c− means the resistance has decreased. The possible faults that can be inserted are:
• complete blockage, seizure, open circuit, etc. (change c or o to b);
• partial blockage, partial seizure, etc. (change c or o to c+);
• complete short circuit, etc. (change c or b to o);
• partial short circuit, etc. (change c or b to c−).

P. G. Hawkins, D. J. Woollons

Table 2. Change of aggregate conduit based on the change of one conduit in a set
Rule   Conduit change          New aggregate conduit (serial)   New aggregate conduit (parallel)
1      Increase resistance     c+                               c+
2      Decrease resistance     c−                               c−
3      Change c or o to b      b                                c+
4      Change c or b to o      c−                               o
5      Change o to c           c+                               c+
6      Change b to c           c−                               c−

For cases where a conduit is added in a particular set and that set is not present in the role model, a separate set is added by creating an aggregate conduit at that point, which forms the aggregate resistance of the original conduit and the additional faulty conduit. Short circuits to ground are inserted by changing conduits in the highest aggregate set.

When external leakages are important, the role model will have multiple unconnected systems, representing separate locations. For example, one system may represent a closed hydraulic circuit while an isolated displacement reservoir (rq) may represent the floor or a circuit container such as an engine compartment. If the destination is sensitive to leaks, as in the case of an ignition chamber, a goal exists in the teleological model that specifically requires no power input. If, during a fault, the reservoir becomes connected to a generator, the teleological model will flag a contradiction of its goal. A fault connecting two systems must indicate where the substance leaves the system and its destination by linking the two systems with a new conduit. If external destinations are not in the role model, an extra sink (reservoir) can be added. Once the systems have been connected, the analysis continues. The exchange of mass from one system to another is not represented in the model. The consequence of this omission is important for systems with limited resources. For example, a closed loop hydraulic transmission circuit with a leak will eventually run out of oil and the system will fail.

Changes of input are represented by a change in magnitude of a generator. This has the same effect as a transduction influence (see Section 4f). Faults that cannot be represented with this scheme are changes of parameter values such as pump capacitance, magnetic field strength or piston area. The consequence of this simplification is explained in Section 5.2.5.

5.1.2 Aggregation
Each aggregate conduit has two parts (i.e. top and bottom). The aggregate conduit updated depends on the flow direction of the intersecting serial sets.
Serial sets. If the resistance of a serial set changes (the top aggregate conduit), all aggregate conduits representing the set will have the bottom conduit amended.
Parallel sets. If the resistance of one of the paths flowing out of a parallel set changes, all aggregate conduits flowing into the junction are amended (top aggregate conduit) and the others are left unchanged. If the resistance of one of the paths flowing into a parallel set changes, all aggregate conduits that flow out of the set (top aggregate conduit) are updated and the others are left unchanged. Each set is parsed only once. For example, if the aggregate conduit of a parallel set is updated, it cannot then be used to update other aggregate conduits in the same parallel set.
There are four main changes that can occur (see Table 2). An increase of resistance (rule 1), addition of a conduit in series (rule 5) or removal of a conduit in parallel (rule 3) will increase the resistance of the aggregate conduit (c+). A decrease of resistance (rule 2), removal of a conduit in series (rule 4) or addition of a conduit in parallel (rule 6) will decrease the resistance of the aggregate conduit (c−). The top aggregate conduit may change to an ideal conduit if an ideal conduit occurs in a parallel set, and the bottom aggregate conduit may change to a barrier if a conduit changes to a barrier in a serial set. The effect is sometimes dependent on the remaining conduits when sets in the model are not truly parallel or serial. For example, a serial set may contain several barriers or a parallel set may contain several ideal conduits, in which case the removal of one will not affect the aggregate resistance of the set. In these cases, the set will have to be resolved again from Table 1. If, after resolving the resistance, the aggregate resistance is a conduit, then the change to that conduit can be added. As with FDef,5 generators are considered to be conduits during this phase.
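The fault insertion and aggregation rules above (the fault values of Section 5.1.1, the resolution of a set from its members that Table 1 encodes, the six change rules of Table 2 and the "resolve again" caveat) written out as an added Python example. This is illustration code for this page, not code from the paper or its FMEA tool; the two-part (top/bottom) aggregate conduit is not modelled, a set is simply the list of its member resistances, and the function and variable names are chosen here.

```python
# Added example, not code from the paper: qualitative aggregation of a serial
# or parallel set of conduits, covering Table 1 (resolve a set from its
# members), Table 2 (change of the aggregate when one member changes) and the
# Section 5.1.2 caveat that a set with several barriers or several ideal paths
# must be resolved again rather than read off Table 2.  The two-part
# (top/bottom) aggregate conduit is not modelled: a set is just its members.
# Qualitative resistances: 'o' ideal, 'c' conduit, 'b' barrier; 'c+' and 'c-'
# mark a conduit whose resistance has increased or decreased.

RANK = {"o": 0, "c-": 1, "c": 2, "c+": 3, "b": 4}   # ordered by resistance

FAULTS = {  # Section 5.1.1: value a conduit takes for each fault type
    "complete blockage": "b",      # seizure, open circuit, ...
    "partial blockage": "c+",      # partial seizure, ...
    "complete short circuit": "o",
    "partial short circuit": "c-",
}


def insert_fault(conduits, index, fault):
    """Section 5.1.1: return the member list with conduit `index` faulted."""
    new = list(conduits)
    new[index] = FAULTS[fault]
    return new


def resolve_set(kind, conduits):
    """Table 1: aggregate resistance of a fully known set.

    Series: any barrier blocks the path; otherwise any finite conduit makes
    it a conduit; only all-ideal members give an ideal path.  Parallel is the
    dual.  Table 1 says 'unknown' exactly where one predicate on the members
    does not decide this (e.g. 'at least one ideal' in series could be {o, b}).
    """
    if not conduits:
        raise ValueError("a set needs at least one conduit")
    base = {v[0] for v in conduits}        # drop the '+' / '-' qualifiers
    if kind == "serial":
        return "b" if "b" in base else "c" if "c" in base else "o"
    if kind == "parallel":
        return "o" if "o" in base else "c" if "c" in base else "b"
    raise ValueError(f"unknown set kind {kind!r}")


def aggregate_change(kind, conduits, index, new_value):
    """Table 2: qualitative change of the aggregate when member `index`
    becomes `new_value`.  Returns 'b' or 'o' when the aggregate becomes an
    extreme, 'c+' / 'c-' for a relative change, or None when the other
    members mask the change (the 'resolve again' caveat)."""
    old_value = conduits[index]
    if new_value == old_value:
        return None
    before = resolve_set(kind, conduits)
    after_members = list(conduits)
    after_members[index] = new_value
    after = resolve_set(kind, after_members)
    if after in ("b", "o"):
        # rule 3 in series (c -> b) or rule 4 in parallel (c -> o) reach an
        # extreme; an extreme that was already there means a masked change
        return None if after == before else after
    if before == "b":
        return "c-"      # rule 6 in series: the only barrier has opened up
    if before == "o":
        return "c+"      # rule 5 in parallel: the only short has gone
    # aggregate stays a finite conduit: direction follows the member change
    return "c+" if RANK[new_value] > RANK[old_value] else "c-"


if __name__ == "__main__":
    # the two aggregate faults of Section 5.2: a by-pass path (a barrier
    # becoming c-) and a sheared shaft (a barrier becoming ideal) in parallel
    print(aggregate_change("parallel", ["c", "b"], 1, "c-"))   # c-
    print(aggregate_change("parallel", ["c", "b"], 1, "o"))    # o
    print(aggregate_change("serial", ["b", "b"], 0, "c"))      # None
```

The `None` result is the point of the caveat: a serial set that still contains a second barrier keeps its aggregate at `b` whatever happens to the first one, so no `c+`/`c−` should be propagated from it.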

Table 3. Effect of resistance change on a power variable
Conduit change   Effect on effort (serial set)   Effect on flow (parallel set)
o                e = 0                           f = max
c−               de = −                          df = +
c+               de = +                          df = −
b                e = max                         f = 0

Table 4. Back propagation in a set
Variable change   Back effect on set
0                 (d = −)
(d = −)           (d = − limited)*
(d = −)           (d = −)
(d = +)           (d = +)
(max)             (max)
* The special (limited) case described under step (b) below.

5.1.3 Back propagation
This procedure finds changes in the power variables for all domains, propagating up aggregate links and to components physically located before the fault. Generalized terms effort (e) and flow (f) are used. Changes can be absolute, set to 0 or maximum, or can indicate a qualitative difference from the last value: de = + (effort increase), df = + (flow increase), de = − (effort decrease), df = − (flow decrease), de = 0 (effort unchanged), df = 0 (flow unchanged).
(a) Go back to the faulty conduit and find the effect of the resistance change on the correct power variable for the set containing that conduit: the effort variable for a serial set and the flow variable for a parallel set (see Table 3).
(b) Set propagation. Propagate the effect from the current conduit to all aggregate conduits or influenced generators flowing in the opposite direction in the set. Effort is propagated in a serial set and flow is propagated in a parallel set (see Table 4). There are two special cases that can be demonstrated with an electric circuit. If the voltage drop across a resistor in a serial set decreases (because of a change in resistance or a load change), there will be a point where the change is insignificant with respect to the other resistors, and any further change will not affect the current in the serial set. Likewise, a parallel path becomes insignificant when its current becomes very small, and the voltage drop across the parallel set will no longer change. These observations correspond to the starred row of Table 4.
(i) For untrue sets (see Section 4.5.3), the change of effort or flow can be back propagated directly without referring to Table 4.
(ii) If a serial set has a barrier, or a parallel set has an ideal path (short), which was not introduced for the fault, the back effect is cancelled.
(c) Aggregate propagation. If the conduit is an aggregate conduit, and the set it contributes to is a true set (see Section 4.5.3), the variable used for back propagation is swapped. For example, a flow change will need to be expressed as an effort change. The change of one variable is reversed in the other because of the relationship e = f · r through the changed resistance: zero changes to max, and an increase to a decrease, and vice versa. Go to step 3b.
(d) Transduction propagation.
Once the effect has been found on the main generator of a domain, changes may propagate to influencing subsystems by following the influence links or if there are no influencing systems in a domain, the generator is the system input. Go to step 4b. If there are two generators in a domain, the generator that has the largest power is selected as the source generator. The effect from this subsystem must be propagated to its influencing subsystem. The type of generators determine which variable is propagated from the current subsystem. An effort generator


propagates its flow change and a flow generator propagates its effort change. The influencing generator indicates the type of back effect received. An influencing effort generator will receive an effort back effect and an influencing flow generator will receive a flow back effect.
(e) Estimate effect. It may be the case that the effect on the variable required for back propagation to influencing subsystems is not known (only the effect on the other power variable is known). In this case, it is assumed the other variable will change in the opposite direction, as with aggregate propagation. Go to step 3c. This case will arise when a dynamic effect is not represented in the model. The estimated effect will be qualified during forward propagation. For example, the effect may only be a limited change.

5.1.4 Forward propagation
This procedure finds changes in the power variables for all domains, propagating down aggregate links and to components physically located after the system input and after the inserted fault. All the changes in one energy domain are found before moving to the next.
(a) Multiple inputs. Propagate constant variables from generators by copying the unchanged effort variable to all conduits in connected parallel sets and untrue serial sets, or the unchanged flow variable to all conduits in connected serial sets and untrue parallel sets. If any of these conduits have a back effect associated with them, propagate this change instead of the unchanged variable (d = 0).
(b) Effect on power supply. Find the consequence of the back effect on the source generator (see Table 5).
(c) Mutual variable propagation. The supply effect on the power supply affects the same variable as the mutual variable for the set (flow for serial, effort for parallel); propagate this to all other conduits.
(d) Dependent variable. The dependent variable of a serial conduit is the effort variable and the dependent variable of a parallel conduit is the flow variable. The flow variable of an influencing flow generator or the effort variable of an influencing effort generator cannot be set because it is dependent on the subsystem it influences.
(i) Other conduits. Find the effect on the dependent variable of any conduit in the set that does not have a back effect associated with it. A barrier in a parallel set will have zero flow (f = 0) and an ideal conduit in a serial set will have zero effort (e = 0). An ideal conduit in a parallel set will take all the flow (f = max) and a barrier in a serial set will take all the effort (e = max). If the conduit is neither an ideal conduit nor a barrier, the change of the dependent variable is identical to the change of the mutual variable of the set.
(ii) Subject of fault. If the conduit has a back effect associated with it, it is regarded as the subject of the fault in that set. A barrier in a parallel set will have zero flow (f = 0) and an ideal conduit in a serial set will have zero effort (e = 0). Otherwise, the effect on the dependent variable of the subject conduit can be found from the effects on the other conduits in the group. The method for calculating the change is derived from the general rules for sharing effort in a serial set (e_supply = e1 + e2 + e3) or flow in a parallel set (f_supply = f1 + f2 + f3). The effect on one of the conduits will, therefore, be 1 = supply − (2 + 3) (see Table 6). There is a special case that can be demonstrated with an electric circuit. If the resistance of a conduit in series increases, the changing conduit will take a greater share of the supply voltage. If the resistance is increased further, the other resistor will eventually become negligible and the changing conduit will take all of the supply voltage. This is reflected in the limited entries of Table 6.
(e) Aggregate propagation. If the conduit is an aggregate conduit of another set, and the set is a true set, the dependent variable of the conduit is propagated to the new set, as it will be the mutual variable of the new set. If the set is untrue (see Section 4.5.3), the mutual variable of the current conduit is propagated to the conduit in the new set.
(f) Transduction propagation.
(i) Influence relation. Propagate the variable of an influencing generator to another subsystem. The type of influencing generator indicates the opposite variable that is to be propagated. The influenced generator indicates the variable that is affected. For example, an effort-to-effort generator would cause the change of the flow variable to be propagated to the same change of the effort variable in the influenced subsystem. If the influenced variable is the mutual variable of the set (i.e. a flow generator in a serial set or an effort generator in a parallel set), the dependent variable will be unknown. If the generator has a back effect, the dependent variable will remain unchanged (d = 0). If the generator has no back effect, the dependent variable on the generator has the same change as each of the dependent variables of the conduits in the set. If the influenced variable is not the mutual variable of the set (i.e. a flow generator in a parallel set or an effort generator in a serial set), the back effect (if any) and the influencing effect on the dependent variable of the generator are resolved to find the resultant back effect on the generator using Table 6, e.g. back effect − supply effect = resultant back effect on generator. The resultant back effect is then used to find the effect on the mutual variable of the generator using Table 5.
(ii) Signal relation. Propagate the variable indicated on the influence signal to both variables of the generator in the new domain and restart the algorithm for the new subsystem.
(g) Regulation propagation. Propagate any resistance regulation influences. The relation indicates whether the resistance increases or decreases for a positive or negative change in the influencing conduit.

Table 5. Effect of back effect on mutual variable of generator
Back effect        Effect on mutual variable, effort generator (Ge)   Effect on mutual variable, flow generator (Gf)
e = 0              f = ∞                                              f = max
de = −             df = +                                             df = 0
de = − limited     df = + limited                                     df = 0
de = +             df = −                                             df = 0
e = max            f = 0                                              f = 0
f = 0              e = max                                            e = ∞
df = −             de = 0                                             de = +
df = − limited     de = 0                                             de = + limited
df = +             de = 0                                             de = −
f = max            e = 0                                              e = 0

Table 6. Qualitative subtraction. Read either as Supply − Conduits = Subject (step 4.d.ii) or as Back effect − Supply = Resultant back effect (step 4.f.i)
Supply / Back effect   −   Conduits / Supply   =   Subject / Resultant back effect
(d = 0)                −   (d = 0)             =   (d = 0)
(d = 0)                −   (d = +)             =   (d = −)
(d = 0)                −   (d = + limited)     =   (d = − limited)
(d = 0)                −   (d = −)             =   (d = + limited)
(d = −)                −   (d = 0)             =   (d = −)
(d = −)                −   (d = +)             =   (d = −)
(d = −)                −   (d = −)             =   (d = −)
(d = −)                −   (d = − limited)     =   (d = − limited)
(d = +)                −   (d = 0)             =   (d = +)
(d = +)                −   (d = −)             =   (d = +)
(d = +)                −   (d = +)             =   (d = +)
(d = +)                −   (d = + limited)     =   (d = + limited)
(max)                  −   (d = 0)             =   (max)
(any)                  −   (max)               =   0
(any)                  −   (d = −)*            =   0
* Only if back effect on subject = 0.

(i) Integral relation. An integral relation indicates that the conduit changes from c, o or b to o or b. For example, if the initial condition for the position of a valve is closed (b), a velocity increase in the valve will eventually cause the valve to open completely (o).
(ii) Standard regulation. A standard regulation influence indicates that the conduit will change from c, o or b to c+ or c−. For example, a force applied to a sprung valve will cause the valve position to change in proportion to the applied force and, therefore, will only increase the valve opening by a finite amount.
Once a change of resistance has occurred, the fault procedure is repeated for the resistance change in the new subsystem.

5.2 Electric gear pump example
A gear pump driven by an electric prime mover will be used to demonstrate this procedure. The example circuit shown in Fig. 8 consists of a direct current motor where the field and rotor coils are connected in series (see Cotton19 for details), connected to a gear pump by a drive shaft. The supply source for the motor is a constant voltage source. Ignoring inductor and momentum effects, the equations that describe the electrical motor system are

e ∝ Φ θ̇          (2)
Φ ∝ i            (3)
i = (v − e) / R    (4)
T ∝ Φ i          (5)
T ∝ i²           (6)

where e = induced e.m.f., Φ = magnetic flux, θ̇ = rotor speed, i = current through field and rotor windings, v = supply voltage, R = combined resistance of coils and T = torque on rotor. Proportionality is used here because there are additional constant parameters, determined by the machine structure (e.g. number of turns), in the relationships between torque and current and between back e.m.f. and speed. It is assumed that Φ ∝ i in the linear magnetization region.

Role model. The role model for this component is shown in Fig. 9. Each role can be explained:
• ge1 indicates the voltage source;
• c2 indicates the resistance of the field and rotor coils;
• ge3 indicates the back e.m.f. of the rotor coil;
• ge4 indicates the generation of torque;
• c5 indicates the friction resistance of the motor and pump bearings;
• ge6 indicates the load (back torque) on the pump;
• gf7 indicates the generation of flow rate;
• c8 indicates the resistance of the pump outlet;
• c9 indicates the resistance in the hydraulic circuit.

Fig. 8. Series electric motor driving a gear pump.

Fig. 9. The role model for an electric gear pump.

The influence relation from ge3 to ge4 indicates that current generates torque, and the influence relation from ge6 to gf7 indicates that speed generates flow rate.

Teleological model. The teleological model for this primitive component would be one goal which expects flow rate from c8. To demonstrate how a failure effect can be derived, each of the four major failure modes is considered. Generalized effort and flow variable changes will be replaced by voltage and current, torque and speed, and pressure and flow rate, respectively.




5.2.1 Partial blockage in pump outlet
The effect of a partial blockage in the pump outlet is deduced using the method in Section 5.
• Insert fault. A partial blockage is inserted by changing c8 to (c+)8.
• Aggregation. There are no aggregate conduits.
• Back propagation. See Fig. 10.
(1) The effect on (c+)8 in a serial set is an increase in pressure (de = +) (see Table 3).
(2) Propagate the pressure increase (de = +) on (c+)8 to a pressure increase (de = +) on gf7 (see Table 4).
(3) Propagate the pressure increase (de = +) on gf7 to a torque increase (de = +) on ge6 (see Section 5.1, step 3d).
(4) Propagate the torque increase (de = +) on ge6 to ge4 (see Table 4).
(5) Estimate that an increase in torque (de = +) will cause a decrease in speed (df = −) on ge4 (see Section 5.1, step 3e).
(6) Propagate the speed decrease (df = −) on ge4 to an induced e.m.f. decrease (de = −) on ge3 (see Section 5.1, step 3d).
(7) Propagate the induced e.m.f. decrease (de = −) on ge3 to a limited e.m.f. decrease (de = − limited) on ge1 (see Table 4).

Fig. 10. Back propagation shown on the role model.

• Forward propagation. See Fig. 11.
(8) The power supply is affected by the limited induced e.m.f. decrease (de = − limited), so that current increases to a limit (df = + limited) (see Table 5).
(9) The limited increase of current (df = + limited) at ge1 is propagated to c2 and ge3 (see Section 5.1, step 4f). There is also a limited increase of voltage drop (de = + limited) on c2 (see Section 5.1, step 4.d.i).
(10) Transduce the limited current increase (df = + limited) on ge3 to a limited increase of torque (de = + limited) on ge4 (see Section 5.1, step 4f).
(11) Resolve ge4 (back effect (ge4) (de = +) − limited torque increase (ge4) (de = + limited) = torque decrease (de = −)) (see Section 5.1, step 4f and Table 6).
(12) The effect on the generator of the torque decrease (de = −) is a speed decrease (df = −).
(13) Propagate the speed decrease (df = −) from ge4 to c5 and ge6 (see Section 5.1, step 4c). There is also a decrease of friction torque (de = −) on c5.
(14) Transduce the speed decrease (df = −) from ge6 to a flow rate decrease (df = −) and unchanged pressure (de = 0) at gf7 (see Section 5.1, step 4f).
(15) Propagate the flow rate decrease (df = −) of gf7 to (c+)8 and c9. There is also a pressure decrease (de = −) across c9.
(16) Resolve (c+)8 (same supply pressure (gf7) (de = 0) − pressure decrease (c9) (de = −) = pressure increase (de = +)) (see Section 5.1, step 4.d.ii and Table 6).
The goal of the component is to produce flow rate from c8. This goal has been compromised since the flow rate has decreased at c8. In summary, the effect of a partial pump blockage will decrease the speed of the electric motor and hence decrease the flow rate from the pump.

Fig. 11. Forward propagation shown on the role model.

5.2.2 Partial by-pass of hydraulic load

• Insert fault. Create a new path (c−)9.1 in parallel with c9 and insert an aggregate conduit (9.2) representing the combined resistance of c9 and the new path (c−)9.1 in parallel.
• Aggregation. The addition of c9.1 in parallel is equivalent to a change from a barrier to a conduit. Therefore, the top aggregate conduit representing the parallel resistance is c−. The bottom aggregate conduit remains c, since it represents the resistance of c8. Therefore, aggregation results in the aggregate conduit (c−/c)9.2, written top conduit first (see Fig. 12).
• Back propagation.

(1) (c−)9.1 in a parallel set gives a flow rate increase (df = +).
(2) Propagate the flow rate increase (df = +) to (c−/c)9.2.
(3) Change the flow rate increase to a pressure decrease at (c−/c)9.2.
(4) Propagate the pressure decrease (de = −) from (c−/c)9.2 to a limited pressure decrease (de = − limited) at gf7.
(5) Domain propagate the limited pressure decrease from gf7 to a limited torque decrease on ge6.
(6) Propagate the limited torque decrease (de = − limited) on ge6 to ge4.
(7) Assume the torque decrease causes a speed increase at ge4.
(8) Propagate the speed increase from ge4 to an increase in induced e.m.f. at ge3.
(9) Propagate the increase in induced e.m.f. at ge3 to ge1.
• Forward propagation.
(10) The effect of the increase of e.m.f. on the generator is a current decrease.
(11) Propagate the current decrease from ge1 to c2 and ge3 and decrease the voltage drop across c2.
(12) Transduce the current decrease from ge3 to a torque decrease (de = −) on ge4.
(13) Resolve ge4 (limited decrease (ge4) (de = − limited) − supply torque decrease (de = −) = limited torque decrease (de = − limited)).
(14) The effect of the limited torque decrease (de = − limited) on generator ge4 is a limited speed increase (df = + limited).
(15) Propagate the limited speed increase from ge4 to c5 and ge6. Set friction torque to a limited increase (de = + limited) at c5.
(16) Transduce the limited speed increase (df = + limited) from ge6 to a limited flow rate increase (df = + limited) and unchanged pressure (de = 0) on gf7 (see Section 5.1, step 4f).
(17) Propagate the limited flow rate increase (df = + limited) from gf7 to c8 and (c−/c)9.2. Set a limited increase of pressure drop (de = + limited) across c8.
(18) Resolve (same supply pressure gf7 (de = 0) − limited pressure increase c8 (de = + limited) = limited pressure decrease (de = − limited) on (c−/c)9.2).
(19) Propagate the limited pressure decrease from (c−/c)9.2 to c9.1 and c9. Set a limited decrease of flow rate at c9.

Fig. 12. Role model for partial by-pass of hydraulic load.

In summary, the effect of a partial by-pass of the hydraulic load will increase the motor speed up to a limit and, therefore, increase the flow rate up to a limit.

5.2.3 Seized motor

• Insert fault. Change c5 to a barrier (b5).
• Aggregation. No aggregate conduits.
• Back propagation.
(1) A barrier in series causes torque to increase to max.
(2) Propagate max torque from b5 to ge4.
(3) Assume that, if torque goes to max, speed will go to zero.
(4) Propagate zero speed from ge4 to zero induced e.m.f. at ge3.
(5) Propagate zero e.m.f. from ge3 to a decrease of e.m.f. at ge1.
• Forward propagation.
(6) The effect of the induced e.m.f. decrease on the supply is a current increase at ge1.
(7) Propagate the current increase from ge1 to c2 and ge3. Set an increase of e.m.f. across c2.
(8) Transduce the current increase from ge3 to a torque increase on ge4.
(9) Resolve (back effect torque (max) − supply torque increase (de = +) = resultant torque (max)) (see Section 5.1, step 4f).
(10) The back effect of max torque on generator ge4 is zero flow (f = 0), i.e. zero speed.
(11) Propagate zero speed from ge4 to b5 and ge6.
(12) The torque on ge6 cannot be set (see Section 5.1, step 4.d.i).
(13) Resolve b5 (supply torque (max) − ge6 (de = ?) = max torque at b5).
(14) Transduce zero speed from ge6 to zero flow rate on gf7.
(15) Propagate zero flow rate from gf7 to c8 and c9. Set the pressure on c8 and c9 to zero.
(16) Copy the dependent variable on the generator from the conduits: gf7 (e = 0) (see Section 5.1, step 4f).
The effect of a jammed motor will result in no flow rate from the pump because the pump speed is zero.


5.2.4 Broken drive shaft
This fault demonstrates what happens in an extreme case where the coupling between the motor and the pump has sheared, which causes a short circuit in the mechanical rotation domain.
• Insert fault. Create an extra path o6.1 and place it in parallel with ge6. Create an aggregate conduit (6.2) which represents the pump load (ge6) and the ideal conduit (o6.1), representing the sheared shaft, in parallel.
• Aggregation. The top aggregate conduit, representing the parallel set, is set to ideal and the bottom conduit, representing the serial set with c5, is set to c, giving (o/c)6.2 (see Fig. 13).
• Back propagation.
(1) Starting at o6.1, which is the new fault, set speed to max.
(2) Propagate maximum speed to the aggregate conduit (o/c)6.2.
(3) Change speed = max to torque = 0.
(4) Propagate torque = 0 from (o/c)6.2 to a torque decrease (de = −) on ge4.
(5) Estimate that the torque decrease is a speed increase on ge4.
(6) Propagate the speed increase on ge4 to an induced e.m.f. increase on ge3.
(7) Propagate the induced e.m.f. increase on ge3 to a back e.m.f. increase on ge1.
• Forward propagation.
(8) The power supply is affected by the back e.m.f. increase and produces a current decrease (df = −).
(9) Propagate the current decrease on ge1 to c2 and ge3. Set the voltage drop across c2 to decrease.
(10) Transduce the current decrease (df = −) from ge3 to a torque decrease (de = −) on ge4.
(11) Resolve (back effect torque decrease (de = −) − supply torque decrease (de = −) = limited torque decrease (de = − limited)) on ge4.
(12) The effect of the limited torque decrease on ge4 is a limited speed increase (df = + limited).
(13) Propagate the limited speed increase on ge4 to c5 and (o/c)6.2. Set a limited torque increase (de = + limited) on c5 (caused by friction at higher speeds).
(14) The torque at (o/c)6.2 is zero because it is an ideal conduit (see Section 5.1, step 4.d.ii).

Fig. 13. Role model for broken drive shaft.

(15) Propagate torque = 0 from (o/c)6.2 to o6.1 and set speed = 0 on ge6.
(16) Resolve o6.1 (limited speed increase ((o/c)6.2) − 0 (ge6) = limited speed increase (df = + limited)).
(17) Transduce speed = 0 from ge6 to flow rate = 0 on gf7.
(18) Propagate zero flow rate from gf7 to c8 and c9. Set the pressure on c8 and c9 to zero.
(19) Copy the dependent variable on the generator from the conduits: gf7 (e = 0).
The goal of the component is to produce flow rate from c8. This goal has been compromised since f is zero at c8. In summary, a broken drive shaft will cause the speed of the electric motor to increase, but the pump will have no speed, producing no flow rate or pressure. As a side effect, the current in the electric circuit decreases because of the greater induced e.m.f. However, the induced e.m.f. will limit the maximum speed.

5.2.5 Limitations
Roles c2 and c5 are probably negligible. If these are removed from the role model, it can be shown that the variables changed by limited increases or decreases in the qualitative reasoning would be different. The role model represents influence relationships between domains as constant parameter (linear) relationships. In particular, the back e.m.f. is proportional to the rotor speed according to the magnetic flux parameter Φ. In this example, the magnetic flux varies with current, resulting in the square relationship between torque and current, which is not represented in the role model in Fig. 9. This leads to an interesting effect of load changes which cannot be deduced for the series motor. When the motor load is low or zero (as in the example of Section 5.2.4) the rotor speed becomes higher and the induced e.m.f. becomes higher, which reduces the current and, hence, reduces the field strength, thus reducing the induced e.m.f., which allows the rotor speed to increase to dangerously high speeds. When the load on the motor is high (as in the example of Section 5.2.1) the rotor speed decreases, the induced e.m.f.
becomes smaller and the current becomes greater. This has the effect of increasing the field strength, allowing higher torques to be produced and thus maintaining a reasonable speed at higher torques. In the example failure analysis, this behaviour is not found because the simplification of the system has resulted in a linear relationship between torque and current. The resultant behaviour is analogous to a shunt motor where the coils are connected in parallel. However, the failure analysis would identify the incorrect use of a current generator as a source of electrical power which would result in an increase of speed (not limited increase in speed as indicated in example Section 5.2.2 and Section 5.2.4) as a consequence of a load decrease.

5.3 Feedback fault procedure
This section describes how to determine the failure effect inside a closed loop system by finding the change of state of the plant. The ability to change the plant input makes the failure analysis more complex. For analysis, the feedback loop is broken and the state changes are represented on a state transition diagram. The role model of the plant must indicate the state of the system for an initial condition that produces a steady state output (d = 0). For tracking systems, the initial condition should be for a zero error. For limiting control schemes, the role model should indicate the system in a steady state below the limit value.
When reasoning about failure inside a closed loop, the plant output is found for each plant input error for the fault-free system first. For tracking systems, the responses to a positive and a negative error are found. For upper limit control schemes, the response of the plant is found for a positive error beyond the limit and, for lower limit control schemes, the response of the plant is found for a negative error beyond the limit. The state of the conduits in the role model may change for each error because the conduits may be affected by regulation influences. A failure mode is then inserted in the role model. The response of the plant is tested for each error signal. If the failure mode is inserted in a subsystem where the back propagation procedure will not reach the plant input because of regulation influences, the state of the conduits is set according to the normal behaviour for each error signal. The plant output will indicate how the plant has changed from the expected output for the initial steady-state error (zero in tracking systems). The combination of the responses indicates how the state of the system will be affected. Specific steady-state failure effects have been identified from the change in the state transition diagram. General failures for closed loop systems can be identified, but the position of a valve is used as an example in Table 7 to demonstrate the principle.
For the normal case, a positive error drives the valve to max, and the resulting max feedback signal should then send the valve down to reduce the error (ref − max = −). A negative error drives the valve to zero, and the resulting zero feedback signal should send the valve up to reduce the error (ref − 0 = +). Therefore, a max signal indicates that the valve closes, a zero signal indicates that the valve opens and a d = 0 signal indicates no movement, when 0 < ref < max. The failure effect of the component is described by indicating the condition of the state transition diagram using predefined descriptions which correspond to the procedure used by Rolls Royce (see Section 2.4). For example, a state transition diagram which shows that any error signal maps to a maximum reading from the sensor will indicate that the component has failed in the closed position. For limiting control schemes, the failure effect descriptions will differ.

5.4 Functional change using teleological model
When component activation changes, the truth of the goal tree can be updated using simple Boolean algebra.

Analysis of complex engineering systems

389

Table 7. Steady-state failure effects of tracking control schemes Error response þ max 0 max d¼0 max d¼0 max max

Failure effect 0 d¼0 0 max d¼0 d¼0 d¼0 0 max

¹ 0 0 max 0 d¼0 d¼0 0 0

6 CASE STUDY This project was funded by the SERC and included the participation of Lucas Aerospace Ltd as an industrial collaborator. The method for automating FMEA must provide suitable failure effect descriptions for current engineering products if industrial interest is to be sustained. Therefore, a fuel-metering unit, which is currently in production, was suggested by Lucas Aerospace Ltd as a means of testing the method against a suitably complex component. The FMU comprises part of the fuel-metering system for the Rolls Royce RB211 family of jet engine. The purpose of the unit is to convert a thrust demand from the pilot into a measured fuel flow rate to the engine. This is accomplished using a feedback loop, where the pilots demand is the reference input signal and the valve position is sensed and fed back into the controller. The flow rate is, therefore, not actually measured. The device relies on a constant pressure drop across the valve and precision engineering of the valve to generate the actual fuel flow rate. The component consists of five main sub-assemblies. A torque motor, a pressure regulator, an actuator, a pressure drop valve and a position sensor. The torque motor translates an electrical signal into mechanical displacement of a hydraulic flapper. The servo pressure regulator is assumed to provide a constant pressure source for this study; servo regulated pressure (SVP). The displacement of the torque motor flapper regulates the control pressure at the bottom of the valve (piston side of the actuator). The pressure at the annulus is kept constant using both the constant SVP which acts on a small area at the top of the valve (annulus of the actuator) and a low pressure source (LP) which also acts on another small area at the top of the valve (annulus side of the actuator). The pressure regulation is achieved like that of a spill valve, which allows a SVP to flow back to a constant LP according to the size of the controlled flapper orifice. 
The larger the orifice, the more pressure is by-passed back to LP, the lower the pressure at the piston side of the actuator, causing the actuator to retract and close the valve. A smaller orifice allows less fluid to escape from the system, causing a higher pressure at the piston side of the actuator, extending the actuator and opening the valve. The valve itself, is a hydraulic actuator with a specially cut orifice, allowing a known amount of fuel flow rate

Normal Stuck in Open position Stuck in Closed position Failed Open (Once opened) Failed Closed (Once closed) Stuck in Intermediate position Failure Compensated (requires smaller input) Failure Compensated (requires larger input)

through the valve for a particular displacement of the valve. The pressure drop across the fuel valve is kept constant using a pressure drop and spill valve. The position sensor consists of a rack and pinion, connected to the piston of the valve, converting linear to rotational energy and a position resolver, which converts the linear mechanical position into electrical energy. 6.1 Role model The complete role model for the valve section of the FMU is shown in Fig. 14. There are three state variables of the system determined by the regulated conduits. c8 is the status of the flapper, the status of the valve position and the status of the sensor resistor. The figure illustrates the role model in one particular state where the torque motor flapper is half open (c8) causing a balance of forces on the actuator, the valve is half open (c) and the sensor resistor is set at half of its maximum resistance (c). • • • • • • • • • • • • • • •

ge1 is the source of the servo regulated pressure (SVP). c c2 is the combined resistance through the fixed orifice (c4) and (c5). gf3 is the flow generated from the movement of the annulus side of the actuator. c4 is the fixed orifice. c c5 is the combined resistance of the piston side of actuator and cc6. c c6 is the combined resistance of the flapper orifice (c8) and cc9. gf7 is the flow rate moving into the piston as a result of the valve movement. c8 is the flapper orifice. c c9 is the combined resistance of the annulus and LP. ge10 is the LP. gf11 is the flow generated from the movement of the annulus side of the actuator. ge12 is the force on the piston side of the actuator. ge13 is the load on the actuator. ge14 is the force on the annulus side of the actuator. gf15 is the angular velocity generated on the pinion wheel of the position resolver.

Fig. 14. Role model for the torque motor, valve and position sensor of the FMU.

The system can be broken into six subsystems by separating the system for each different energy domain.
(1) The electrical part of the torque motor (coils).
(2) The mechanical part of the torque motor (flapper).
(3) The hydraulic part of the FMU including the torque motor (orifice).
(4) The mechanical piston and the pinion wheel.
(5) The electrical sensor which sends a signal to the controller.
(6) The hydraulic fuel orifice for the valve which supplies the jet turbine with fuel.

6.2 Teleological model

One stage of an FMEA considers failure effects from sub-assemblies to components. In this case, the sub-assemblies are the torque motor, the hydraulic actuator and the position sensor, and the component is the fuel-metering valve. The intention of the control system is to control the position of the valve. Therefore, failure effects are described in terms of the valve position. The valve position is obtained from the status of the valve conduit in the role model. The goal relating to the control of the fuel flow rate occurs at a higher level of abstraction, where the context of the whole fuel-metering subsystem is considered. The control action is classed as a TRACKING goal because action is taken for both positive and negative errors between the reference position and the sensed feedback position signal. The feedback loop is broken to allow failure analysis to be conducted at different operating points. A plant output is expected for three different error signals: one for an increase in the valve position for negative errors, one for a decrease in the valve position for positive errors and one for no change in the valve position for zero errors.

6.3 Failure analysis of partial leakage from servo pressure line to actuator control line

To demonstrate the failure analysis in a feedback system, one failure mode will be considered: a partial leakage of fluid that by-passes the restrictor in the torque motor. The partial leakage fault is inserted in the third subsystem.

6.3.1 Normal behaviour

The system structure and state are captured in the role model. However, only one state is represented for the FMU, where the valve and flapper are half open and the sensor reading is set at half. This occurs when the demand is set to half and there is zero error. The state of the system must be updated for the two additional error signals. A zero positional error will establish equal currents in the left and right coils. The role model has been written for this case, where the electromotive forces balance. To find how the behaviour changes for positive and negative errors, the generator for each coil is altered. A positive error signal will increase the current (df = +) in the right coil of the torque motor and a negative error signal will increase the current (df = +) in the left coil of the torque motor. The behaviour changes for each subsystem are listed in Tables 8–12. The limited increases and decreases of the variable values have been ignored for simplicity.

6.3.1.1 Controller transition

In summary, a positive error will increase the sensor current reading to max and a negative error will reduce the sensor reading to zero.

Table 8. Change in state of torque motor coils for positive and negative error signals

Forward propagation               | Input on right coil (+ error) | Input on left coil (− error)
Propagate current on left coil    | gf(df = 0) → c(df = 0)         | gf(df = +) → c(df = +)
Traduce left coil current signal  | c(df = 0) → ge(de = 0)         | c(df = +) → ge(de = +)
Propagate current on right coil   | gf(df = +) → c(df = +)         | gf(df = 0) → c(df = 0)
Traduce right coil current signal | c(df = +) → ge(de = +)         | c(df = 0) → ge(de = 0)

Table 9. Change in state of torque motor flapper for negative and positive electro-motive forces

                                       | Negative flapper force (+ error)   | Positive flapper force (− error)
Resolve back force on flapper (result) | (de = 0) − ge(de = −) = ge(de = +) | (de = 0) − ge(de = +) = ge(de = −)
Back effect of force on flapper        | ge(de = +) → ge(df = −)            | ge(de = −) → ge(df = +)
Propagate velocity to flapper          | ge(df = −) → c(df = −)             | ge(df = +) → c(df = +)
Integral regulation to flapper         | c(df = −) → c8 → o8                | c(df = +) → c8 → b8

Table 10. Change in state of hydraulic subsystem for different flapper positions

                                                   | Open flapper (+ error)                               | Closed flapper (− error)
Insert change: flapper resistance                  | c8 changes to o8                                     | c8 changes to b8
Aggregation                                        | cc−2, cc−5, cc−6, cc−9                               | cc+2, cc+5, cb6, cb9

Backward propagation
Effect of resistance change                        | o8(e = 0)                                            | b8(e = max)
Propagate effort in serial set                     | o8(e = 0) → cc−6(de = −)                             | b8(e = max) → cb6(e = max)
Swap variable to flow                              | cc−6(de = −) → cc−6(df = +)                          | cb6(e = max) → cb6(f = 0)
Propagate flow in parallel set                     | cc−6(df = +) → cc−5(df = +)                          | cb6(f = 0) → cc+5(df = −)
Swap variable to effort                            | cc−5(df = +) → cc−5(de = −)                          | cc+5(df = −) → cc+5(de = +)
Propagate effort in parallel set                   | cc−5(de = −) → cc−2(de = −)                          | cc+5(de = +) → cc+2(de = +)
Swap variable to flow                              | cc−2(de = −) → cc−2(df = +)                          | cc+2(de = +) → cc+2(df = −)
Propagate flow in parallel set                     | cc−2(df = +) → ge1(df = +)                           | cc+2(df = −) → ge1(df = −)

Forward propagation
Propagate unchanged pressures (parallel set)       | ge10(de = 0) → gf11(de = 0)                          | ge10(de = 0) → gf11(de = 0)
(untrue serial set with back effect)               | ge10(de = 0) → cc−9(de = 0); cc−9(de = 0) → cc−6(de = −) | ge10(de = 0) → cb9(de = 0)
(parallel set)                                     | cc−6(de = −) → gf7(de = −)                           |
(parallel set)                                     | cc−6(de = −) → cc−5(de = −)                          |
Effect on generator                                | ge1(df = +) → ge1(de = 0)                            | ge1(df = −) → ge1(de = 0)
Propagate pressure in parallel set (second conduit)| ge1(de = 0) → cc−2(de = 0)                           | ge1(de = 0) → cc+2(de = 0)
(unable to set flow rate on gf)                    | ge1(de = 0) → gf3(de = 0); gf3(df = ?)               | ge1(de = 0) → gf3(de = 0); gf3(df = ?)
Resolve subject flow rate (result)                 | ge1(df = +) − gf3(df = ?) = cc−2(df = +)             | ge1(df = −) − gf3(df = ?) = cc+2(df = −)
Propagate flow rate in serial set (second conduit) | cc−2(df = +) → c4(df = +); cc−2(df = +) → cc−5(df = +) | cc+2(df = −) → c4(df = −); cc+2(df = −) → cc+5(df = −)
Set dependent variable to same                     | c4(de = +)                                           | c4(de = −)
Resolve subject pressure (result)                  |                                                      | cc+2(de = 0) − c4(de = −) = cc+5(de = +)
Propagate pressure in parallel set (second conduit)|                                                      | cc+5(de = +) → cb6(de = +); cc+5(de = +) → gf7(de = +)
(unable to set flow rate on gf)                    |                                                      | gf7(df = ?)
Resolve subject (barrier)                          |                                                      | cb6(df = 0)
Propagate flow rate in serial set (second conduit) |                                                      | cb6(df = 0) → b8(df = 0); cb6(df = 0) → cb9(df = 0)
Traduce pressure to force                          | gf7(de = −) → ge12(de = −)                           | gf7(de = +) → ge12(de = +)
Traduce pressure to force                          | gf3(de = 0) → ge14(de = 0)                           | gf3(de = 0) → ge14(de = 0)
Traduce pressure to force                          | gf11(de = 0) → ge14(de = 0)                          | gf11(de = 0) → ge14(de = 0)

Table 11. Change in state of the actuator for different forces

Forward propagation                               | Negative force (+ error)                                   | Positive force (− error)
Resolve back force on actuator (result)           | (de = 0) − ge12(de = −) = ge12(de = +)                     | (de = 0) − ge12(de = +) = ge12(de = −)
Effect of back force on actuator                  | ge12(de = +) → ge12(df = −)                                | ge12(de = −) → ge12(df = +)
Propagate velocity in serial set (second conduit) | ge12(df = −) → ge13(df = −); ge12(df = −) → ge14(df = −)   | ge12(df = +) → ge13(df = +); ge12(df = +) → ge14(df = +)
Traduce velocity to flow rate                     | ge12(df = −) → gf7(df = −)                                 | ge12(df = +) → gf7(df = +)
Traduce velocity to flow rate                     | ge14(df = −) → gf3(df = +)                                 | ge14(df = +) → gf3(df = −)
Traduce velocity to flow rate                     | ge14(df = −) → gf11(df = +)                                | ge14(df = +) → gf11(df = −)
Traduce velocity to angular velocity              | ge13(df = −) → gf15(df = −)                                | ge13(df = +) → gf15(df = +)
Copy torque from conduits                         | ge(e = 0)                                                  | ge(e = 0)
Traduce torque to pressure                        | ge(e = 0) → ge13(e = 0)                                    | ge(e = 0) → ge13(e = 0)
Integral regulation propagate                     | gf15(df = −) → c → o                                       | gf15(df = +) → c → b

Table 12. Change in state of sensor output for electrical resistance changes

                                          | No sensor resistance (+ error) | Maximum sensor resistance (− error)
Insert change: sensor electrical resistance | c changes to o               | c changes to b
Aggregation                               | (none)                         | (none)
Backward propagation
Effect of resistance change               | o(e = 0)                       | b(e = max)
Propagate voltage in untrue set           | o(e = 0) → ge(e = 0)           | b(e = max) → ge(e = max)
Forward propagation
Effect of voltage change on generator     | ge(e = 0) → ge(f = max)        | ge(e = max) → ge(f = 0)
Propagate current in serial set           | ge(f = max) → c(f = max)       | ge(f = 0) → c(f = 0)

6.3.2 Faulty behaviour

The failure mode is inserted in the hydraulic section, subsystem 3.

Zero error.

• Subsystem 3: failure analysis in the hydraulic and mechanical domain

—Insert fault. This fault can be inserted by creating an extra path using one of two methods: either by creating an extra serial set that links parallel sets A and C (c replaces the b), or by creating an extra parallel set which replaces c4. Opting for the latter, create an extra flow path 4.1 in a parallel set with c4 and create an aggregate conduit 4.2 representing the fixed orifice c4 and the extra flow path c−4.1. This is effectively a change from a barrier in parallel to a conduit (c−) (see Fig. 15).
—Aggregation. The top aggregate conduit for 4.2 will be c− and the bottom aggregate conduit will be c (cc−4.2). This will affect the aggregate conduits, in order of reasoning: cc−2, cc−5, cc−6, cc−9.
—Back propagation.
(1) The effect of (c−)4.1 on the new parallel set B2 is a flow rate increase (df = +).
(2) Propagate the flow rate increase to cc−4.2.
(3) Swap variable from flow rate increase to pressure decrease (de = −) at cc−4.2.
(4) Propagate the pressure decrease (de = −) from cc−4.2 to aggregate conduit cc−2.
(5) Swap variable from pressure decrease (de = −) to flow rate increase (df = +) at cc−2.
(6) Propagate the flow rate increase from cc−2 to ge1.
—Forward propagation.
(7) Propagate unchanged pressure (de = 0) from ge10 to cc−9 and gf11.
(8) The power supply effect of the back-effect flow rate increase (df = +) on ge1 is that the pressure remains unchanged (de = 0).
(9) Propagate unchanged pressure (de = 0) from ge1 to cc−2 and gf3.
(10) Cannot set the flow rate on gf3.
(11) Resolve (ge1(df = +) − gf3(?) = cc−2(df = +)).
(12) Propagate the flow rate increase (df = +) from cc−2 to cc−4.2 and cc−5.
(13) Set pressure increase (de = +) on cc−5.
(14) Resolve (cc−2(de = 0) − cc−5(de = +) = cc−4.2 pressure decrease (de = −)).
(15) Propagate the pressure decrease (de = −) from cc−4.2 to c4 and c4.1.
(16) Set flow rate decrease (df = −) at c4.
(17) Resolve (cc−4.2(df = +) − c4(df = −) = c4.1 flow rate increase (df = +)).
(18) Propagate the pressure increase (de = +) from cc−5 to cc−6 and gf7.
(19) Set flow rate increase (df = +) at cc−6.
(20) Cannot set the flow rate at gf7.
(21) Propagate the flow rate increase (df = +) from cc−6 to c8 and cc−9.
(22) Set pressure increase (de = +) on c8.
(23) Traduce unchanged pressure (de = 0) from gf3 and gf11 to unchanged force (de = 0) at ge14.
(24) Traduce pressure increase (de = +) from gf7 to force increase (de = +) on ge12.

Fig. 15. Role model for the servo controlled valve.

• Subsystem 4: the mechanical actuator and pinion wheel

—Forward propagation.
(25) Resolve back effect (back effect ge12(de = 0) − supply ge12(de = +) = ge12(de = −)).
(26) The effect of the back-effect force decrease (de = −) on ge12 is a velocity increase.
(27) Propagate the velocity increase (df = +) from ge12 to ge13 and ge14.
(28) Traduce the velocity increase (df = +) from ge12 to a flow rate increase at gf7.
(29) Traduce the velocity increase (df = +) from ge14 to a flow rate decrease at gf3 and gf11.
(30) Traduce the velocity increase (df = +) from ge13 to an angular velocity increase (df = +) at gf15.
(31) Copy torque from the dependent variable of conduits ge (e = 0).
(32) Traduce torque = 0 from gf15 to friction = 0 on ge13.
(33) Regulate the position resolver resistor from the angular velocity increase at gf15 (df = +) to an electrical resistance increase (b) (+ve flow integral regulation). Enter sub-system 4.

• Subsystem 5: the electrical sensor reading

—Insert fault. The resistance increase in the conduit changes c to b.
—Aggregation. No aggregate resistors.
—Back propagation.
(34) The effect of b on the serial set is max voltage (e = max).
(35) Propagate max voltage (e = max) to ge.
—Forward propagation.
(36) The effect of max voltage (e = max) on ge is current = 0 (f = 0) at c.
(37) Resolve voltage drop (ge(max) − (de = 0) = c(e = 0)).
A zero error will produce a current reading of zero from the sensor.

Positive error.

• Subsystem 3: failure analysis in the hydraulic and mechanical domain

—Insert fault. The fault is inserted in the same way as for the zero error.
—Aggregation. The aggregate conduits are the same as for the zero error (cc−2, cc−4.2, cc−5, cc−6, cc−9).
—Back propagation.
(1) The effect of (c−)4.1 on the new parallel set B2 is a flow rate increase (df = +).
(2) Propagate the flow rate increase to cc−4.2.
(3) Swap variable from flow rate increase to pressure decrease (de = −) at cc−4.2.
(4) Propagate the pressure decrease (de = −) from cc−4.2 to aggregate conduit cc−2.
(5) Swap variable from pressure decrease (de = −) to flow rate increase (df = +) at cc−2.
(6) Propagate the flow rate increase from cc−2 to ge1.
—Forward propagation.
(7) Propagate unchanged pressure supply (de = 0) from ge10 to cc−9 and gf11.
(8) Since set D is an untrue set, propagate unchanged pressure supply (de = 0) from cc−9 to cc−6.
(9) Propagate unchanged pressure supply (de = 0) from cc−6 to cc−5 and gf7.
(10) The power supply effect of the flow rate increase (df = +) on ge1 is that the pressure remains unchanged (de = 0).
(11) Propagate unchanged pressure (de = 0) from ge1 to cc−2 and gf3.
(12) Cannot resolve the flow rate at gf3.
(13) Resolve (ge1(df = +) − gf3(?) = cc−2 flow increase (df = +)).
(14) Propagate the flow rate increase (df = +) from cc−2 to cc−4.2 and cc−5.
(15) Set pressure increase (de = +) on cc−5.
(16) Resolve (cc−2(de = 0) − cc−5(de = +) = cc−4.2 limited pressure decrease (de = −)).
(17) Propagate the pressure decrease (de = −) from cc−4.2 to c4 and (c−)4.1.
(18) Set flow rate decrease (df = −) at c4.
(19) Resolve (cc−4.2(df = +) − c4(df = −) = c4.1 flow rate increase (df = +)).
(20) Traduce unchanged pressure (de = 0) from gf3 and gf11 to ge14.
(21) Traduce unchanged pressure (de = 0) from gf7 to ge12.

• Subsystem 4: the actuator and pinion wheel

—Forward propagation.
(22) Resolve back effect (back effect ge12(de = 0) − supply ge12(de = 0) = resultant back effect ge12(de = 0)).
(23) The effect of the unchanged back force (de = 0) on ge12 is no change in velocity, ge12(df = 0).
(24) Propagate unchanged velocity (df = 0) from ge12 to ge13 and ge14.
(25) Traduce unchanged velocity (df = 0) from ge12 to unchanged flow rate (df = 0) at gf7.
(26) Traduce unchanged velocity (df = 0) from ge14 to unchanged flow rate (df = 0) at gf7.
(27) Traduce unchanged velocity (df = 0) from ge13 to unchanged angular velocity (df = 0) at gf15.
(28) Copy torque from the dependent variable of conduits ge (e = 0).
(29) Traduce torque = 0 from gf15 to friction = 0 on ge13.
(30) Regulate the position resolver resistor from the unchanged angular velocity at gf15 (df = 0) to an electrical resistance unchanged from the normal positive error (b). Enter sub-system 3.

• Subsystem 5: the electrical sensor reading

—Insert fault. Resistance unchanged (b).
—Aggregation. No aggregate resistors.
—Back propagation.
(31) The effect of b on the serial set is max voltage (e = max).
(32) Propagate max voltage (e = max) to ge.
—Forward propagation.
(33) The effect of max voltage (e = max) on ge is current = 0 (f = 0) at c.
(34) Resolve voltage drop (ge(max) − (de = 0) = c(e = 0)).
A positive error will change the sensor reading to max.

Negative error.

• Subsystem 3: failure analysis in the hydraulic and mechanical domain

—Insert fault. The fault is inserted in the same way as before.
—Aggregation. When the flapper is closed (b8) the aggregate conduits are: cc−2, cc−4.2, cc−5, cb−6, bc9.
—Back propagation.
(1) The effect of (c−)4.1 on the new parallel set B2 is a flow rate increase (df = +).
(2) Propagate the flow rate increase to cc−4.2.
(3) Swap variable from flow rate increase to pressure decrease (de = −) at cc−4.2.
(4) Propagate the pressure decrease (de = −) from cc−4.2 to aggregate conduit cc−2.
(5) Swap variable from pressure decrease (de = −) to flow rate increase (df = +) at cc−2.
(6) Propagate the flow rate increase from cc−2 to ge1.
—Forward propagation.
(7) Propagate unchanged pressure (de = 0) from ge10 to gf11.
(8) The power supply effect of the back flow rate increase (df = +) on ge1 is that the pressure remains unchanged (de = 0).
(9) Propagate unchanged pressure (de = 0) from ge1 to cc−2 and gf3.
(10) Cannot set the flow rate on gf3.
(11) Resolve (ge1(df = +) − gf3(?) = cc−2(df = +)).
(12) Propagate the flow rate increase (df = +) from cc−2 to cc−4.2 and cc−5.
(13) Set pressure increase (de = +) on cc−5.
(14) Resolve (cc−2(de = 0) − cc−5(de = +) = cc−4.2 pressure decrease (de = −)).
(15) Propagate the pressure decrease (de = −) from cc−4.2 to c4 and c4.1.
(16) Set flow rate decrease (df = −) at c4.
(17) Resolve (cc−4.2(df = +) − c4(df = −) = c4.1(df = +)).
(18) Propagate the pressure increase (de = +) from cc−5 to gf7 and cb−6.
(19) Cannot set the flow rate at gf7.
(20) Resolve the subject, which is a barrier: cb−6(f = 0).
(21) Propagate zero flow rate (f = 0) from cc−6 to b8 and bc9.
(22) Set pressure max on b8.
(23) Traduce unchanged pressure (de = 0) from gf3 and gf11 to unchanged force (de = 0) at ge14.
(24) Traduce pressure increase (de = +) from gf7 to force increase (de = +) on ge12.

• Subsystem 4: the actuator and pinion wheel

—Forward propagation.
(25) Resolve back effect (back effect ge12(de = 0) − supply ge12(de = +) = resultant back effect ge12(de = −)).
(26) The effect of the back force decrease (de = −) on ge12 is a velocity increase (up).
(27) Propagate the velocity increase (df = +) from ge12 to ge13 and ge14.
(28) Traduce the velocity increase (df = +) from ge12 to a flow rate increase at gf7.
(29) Traduce the velocity increase (df = +) from ge14 to a flow rate decrease at gf3 and gf11.
(30) Traduce the velocity increase (df = +) from ge13 to an angular velocity increase (df = +) at gf15.
(31) Copy torque from the dependent variable of conduits ge (e = 0).
(32) Traduce torque = 0 from gf15 to friction = 0 on ge13.
(33) Regulate the position resolver resistor from the angular velocity increase at gf15 (df = +) to an electrical resistance increase (b) (+ve flow integral regulation). Enter sub-system 3.

• Subsystem 5: the electrical sensor reading

—Insert fault. The resistance increase in the conduit changes c to b.
—Aggregation. No aggregate resistors.
—Back propagation.
(34) The effect of b on the serial set is max voltage (e = max).
(35) Propagate max voltage (e = max) to ge.
—Forward propagation.
(36) The effect of max voltage (e = max) on ge is current = 0 (f = 0) at c.
(37) Resolve voltage drop (ge(max) − (de = 0) = c(e = 0)).
A negative error will set the current reading of the sensor to zero.

Combination of outputs. Therefore, the output from the plant for the three errors is:
• a positive error produces a max sensor reading (valve closes);
• a zero error produces a minimum sensor reading (valve opens);
• a negative error produces a minimum sensor reading (valve opens).

In this case, the failure effect from Table 7 is that the control system remains operational but requires less input (power) to compensate for the fault. The input for the FMU is the electrical power to the torque motor. This type of fault can be identified from the cockpit because of the on-board diagnostic capability for identifying unexpected power changes in the electrical control system.
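As an added illustration of the Section 5.3 procedure and of the combination of outputs just found (example code, not from the paper), the following Python transcribes Table 7, derives the same failure-effect descriptions by rule from the valve movement each sensed signal implies (max closes, 0 opens, d = 0 no movement), and checks the rules against every row of the table; the rule form is this example's reading of Table 7, and the case-study triple (max, 0, 0) is the one found above.

```python
"""Steady-state failure effect of a TRACKING control scheme from three open-loop responses.

Added example (not code from the paper). The loop is broken, each error signal (+, 0, -) is
applied to the faulty plant, and the plant output is the sensed feedback signal: "max", "0"
or "d=0" (no change). Table 7 is transcribed below; classify() derives the same descriptions
by rule from the valve movement each signal implies (Section 5.3), so a combination that is
not in the table is reported as unclassified instead of being forced onto a table row.
"""
from typing import Dict, Tuple

Response = str                                # "max", "0" or "d=0"
Triple = Tuple[Response, Response, Response]  # plant output for (+ error, 0 error, - error)

# Section 5.3: a max signal closes the valve, a zero signal opens it, d=0 means no movement.
VALVE_ACTION: Dict[Response, str] = {"max": "closes", "0": "opens", "d=0": "no movement"}

# Table 7 transcribed: outputs for (+, 0, -) error  ->  steady-state failure effect.
TABLE_7: Dict[Triple, str] = {
    ("max", "d=0", "0"):   "Normal",
    ("0",   "0",   "0"):   "Stuck in Open position",
    ("max", "max", "max"): "Stuck in Closed position",
    ("d=0", "d=0", "0"):   "Failed Open (once opened)",
    ("max", "d=0", "d=0"): "Failed Closed (once closed)",
    ("d=0", "d=0", "d=0"): "Stuck in Intermediate position",
    ("max", "0",   "0"):   "Failure Compensated (requires smaller input)",
    ("max", "max", "0"):   "Failure Compensated (requires larger input)",
}

# Description when every error signal maps to the same sensor reading.
STUCK: Dict[Response, str] = {
    "max": "Stuck in Closed position",
    "0": "Stuck in Open position",
    "d=0": "Stuck in Intermediate position",
}


def state_transition_diagram(responses: Triple) -> Dict[str, str]:
    """Broken-loop state transition diagram: error sign -> valve action."""
    return {sign: VALVE_ACTION[r] for sign, r in zip(("+", "0", "-"), responses)}


def classify(responses: Triple) -> str:
    """Failure effect description derived from the state transition diagram.

    The rule form is this example's reading of Table 7 (checked against all eight
    rows by rules_match_table_7 below), not a procedure stated in the paper.
    """
    pos, zero, neg = responses
    std = state_transition_diagram(responses)
    closes_on_pos = std["+"] == "closes"
    opens_on_neg = std["-"] == "opens"
    if closes_on_pos and opens_on_neg and zero == "d=0":
        return "Normal"                       # moves both ways and holds at zero error
    if len(set(responses)) == 1:
        return STUCK[pos]                     # every error gives the same reading
    if closes_on_pos and opens_on_neg:
        # Still controllable; the zero-error drift says which way the controller must bias.
        return ("Failure Compensated (requires smaller input)" if zero == "0"
                else "Failure Compensated (requires larger input)")
    if opens_on_neg and pos == "d=0" and zero == "d=0":
        return "Failed Open (once opened)"    # can still open, can no longer close
    if closes_on_pos and neg == "d=0" and zero == "d=0":
        return "Failed Closed (once closed)"  # can still close, can no longer open
    return "Unclassified"


def rules_match_table_7() -> bool:
    """True when classify() reproduces every row of Table 7."""
    return all(classify(t) == effect for t, effect in TABLE_7.items())


# Constructed from the case study (Section 6.3): partial leak past the torque-motor restrictor.
FMU_LEAK_RESPONSES: Triple = ("max", "0", "0")

if __name__ == "__main__":
    print(state_transition_diagram(FMU_LEAK_RESPONSES))
    print(classify(FMU_LEAK_RESPONSES))
```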

7 CONCLUSIONS

This paper has presented a formal method for representing complex physical systems using a modified set of models developed by Chittaro [13], and for reasoning about changes in the steady-state behaviour of open and closed loop systems using a unique qualitative algorithm (QRED). By finding differences between calculated behaviour and expected behaviour, failure descriptions can be derived for the purpose of functional and hardware FMEA. Failure effects of closed loop systems are found from the open loop response of the plant for three separate input signals. The combination of the differences between plant output and expected plant output for each input indicates a state transition for the control system. The state transitions of the control system can be interpreted to give a general description of the final steady state of the plant. The technique has been shown to work on two different engineering systems. Four different types of failure mode were used to test the behaviour differences of an electrically driven gear pump. The resultant behaviour demonstrated that differences between normal and faulty behaviour can be identified. Subtle differences between variable changes (limited increase, limited decrease) can also be identified by extrapolating variable changes until they become insignificant or negligible. The case study in this paper illustrated how a complex closed loop component suggested by Lucas Aerospace Ltd was analysed for a single failure mode. A single model of the system (representing one operating mode) was used to derive behaviour for two different error signals representing two different operating modes of the normal working system. After inserting a failure mode, the change of behaviour for each operating mode was identified. The combination of the three responses could be interpreted from a table to identify the failure effect.

Many systems and types of failure mode can be represented with the model. Even bridge networks can be modelled, if the flow direction through each conduit is initially known. However, there is a limitation in the representation, which does not allow parameter values to be changed. The current model expresses all relations between influencing domains as a proportional relationship. The consequence of this assumption is a simplification of behaviour for systems that have changing parameter relationships. This has been demonstrated with the electric motor where the field and rotor coils are connected in series. Another drawback of this limitation is that failure modes which affect such a parameter cannot be represented. For example, a typical fault in a mechanical system is the irreversible damage to a spring during plastic deformation; the change of resultant force for the same extension cannot be specified. Another common system that cannot be represented is an alternating current power supply, or any modulating parameter relationship: all input generators are assumed to have one constant power variable. The change in mass or substance between systems is also not represented in the model. The consequence of this omission matters for closed systems or for systems with limited resources.
Another limitation on the types of failure mode that can be considered is due to the causal approach of the reasoning method. Only single failure modes can be inserted at any one time. This includes single failure modes that change the resistance at separate points in the network. For example, the shifting of a hydraulic control valve will change two separate resistive paths. One possible method to cope with this limitation would be to derive separate models for each operating mode (valve position). Although the qualitative reasoning method can realize the steady-state changes of feedback systems, dynamic failure effects are not considered here. Therefore, failure effects that occur during state transitions are not revealed. The implication of this for FMEA is not severe: an FMEA usually considers changes in state only. For dynamic analysis, detailed quantitative models are usually employed to fine tune the response of the control system. The role model does not contain any method for checking whether the model is physically correct. The rules of causality assignment on a bond graph (explained in Karnopp [16], p. 129) indicate whether the model has omitted a dynamic parameter. However, the qualitative reasoning method can cope with models which are not adequately causally assigned. This is explained in Section 5, in the back propagation procedure at the step 'estimate' and in the forward propagation procedure at the step 'influence'.

7.1 Further work

A framework for behaviour reasoning has been presented which operates on generalized engineering functional concepts. The method has not been implemented in any computer language, but the modelling concepts have been structured with an object-oriented design methodology in mind. An ideal language for this implementation would be C++. For example, an abstract role class would exist which would contain an effort and a flow variable for the change in activity, a relation influencing which points to an influence object, and a belongTo variable which indicates the set the role is contained in. A further three abstract role classes would be sub-classed from this class, one each for the generator, conduit and reservoir. The generator class would have a pointer to a relation that influences it, influences. Each generator could be sub-classed into an effort (ge) or flow (gf) generator. Each conduit could be sub-classed into an ideal conduit (o), a conduit of decreased resistance (c−), a normal conduit (c), a conduit of increased resistance (c+) or a blocked conduit (barrier) (b). The conduit would also contain a link to a set at a lower aggregate level. A reservoir could be sub-classed into one of two types depending on the energy storage type, either potential (rq) or kinetic (rp). An influence class captures the information necessary for each relation in the model. An influence would point to the two roles it connects from and to. Two abstract subclasses could also exist, a transduction and a regulation class. The transduction class could exist for relations influencing generators and could be sub-classed into a high power influence relation and a low power signal relation. The regulation class would exist for relations influencing conduits and would contain the sign of the relation (±). It could be sub-classed into a standard regulation relation and an integral regulation relation. The standard relation could be further sub-classed into an effort (e) or flow (f) influencing relation. The integral relation could be sub-classed into a position (q) or momentum (p) influencing regulation relation. A set object would consist of an ordered collection of role objects, and the set would be linked to a conduit at a higher aggregate level. The set could be sub-classed into serial and parallel classes to separate the different behaviours. All models presented in this paper have been created from scratch. However, further work on building common engineering components would benefit from the declarative nature of the model and would aid the development of system models through the use of a component library. A component object could be a collection of related instances of roles, influences and sets. Component input and output ports could be distinguished by identifying specific roles in the model that can be connected to other component objects.

Component models could then be plugged together with other component models through input and output roles to form more complex subsystems, and eventually system models. To overcome the single failure mode limitation, further work might investigate combining the behaviour effects from two separate failure analyses of the same system. In practice, multiple failure modes occur in a particular order. The approach in this paper would suit this kind of ordered analysis, since the effect of the first failure mode may change the state of conduits, through a change of power in conduits that regulate other conduits. These altered conduits could then be used as the starting state for a second failure mode to produce a behaviour description. If the order of the two failure modes is reversed, the result may identify different behaviour. This line of research could help improve the quality of existing FMEAs by identifying specific failure modes that are trivial individually but critical in combination. Another interesting extension would be to identify, for each specific domain, the common phenomena that cause problems in engineering systems. For example, in hydraulics, cavitation in pumps is a phenomenon specific to that domain and attributable to low pressure.
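As an added illustration of the object model sketched above and of the ordered two-failure analysis just proposed, the following C++ example realises the role, conduit and regulation classes and applies two conduit failure modes in both orders. This is example code written for this page, not code from the paper, which implements nothing. The propagation rule it uses is a deliberate simplification assumed for the example and is not the estimate/influence procedure of Section 5; the conduit names X and Y, the treatment of the barrier state as absorbing, and the reading of a positive regulation sign as "more power in the regulating conduit lowers the resistance of the regulated conduit" are all assumptions of the example.

```cpp
// Added example: a minimal C++ sketch of the Section 7.1 object model with a
// simplified qualitative propagation (assumption, not the paper's algorithm).
#include <algorithm>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include <iostream>

// Conduit sub-classes as an ordered resistance scale:
// o (ideal) < c- (decreased) < c (normal) < c+ (increased) < b (barrier).
enum class ConduitState { Ideal = 0, Decreased = 1, Normal = 2, Increased = 3, Barrier = 4 };

// Abstract role: effort and flow variables hold the qualitative change in
// activity (-1, 0, +1) relative to nominal behaviour.
struct Role {
    std::string name;
    int dEffort = 0;
    int dFlow = 0;
    explicit Role(std::string n) : name(std::move(n)) {}
    virtual ~Role() = default;
};

struct Generator : Role {
    bool effortType;  // true = effort generator (ge), false = flow generator (gf)
    Generator(std::string n, bool e) : Role(std::move(n)), effortType(e) {}
};

struct Conduit : Role {
    ConduitState state = ConduitState::Normal;
    using Role::Role;
};

struct Reservoir : Role {
    bool potential;   // true = potential store (rq), false = kinetic store (rp)
    Reservoir(std::string n, bool p) : Role(std::move(n)), potential(p) {}
};

// Regulation relation from a role to the conduit it regulates, with its sign.
// Assumed reading: sign +1 means more power in `from` lowers resistance of `to`.
struct Regulation {
    Role* from;
    Conduit* to;
    int sign;         // +1 or -1
};

struct Model {
    std::map<std::string, std::unique_ptr<Role>> roles;
    std::vector<Regulation> regulations;
    Conduit* conduit(const std::string& n) {
        return dynamic_cast<Conduit*>(roles.at(n).get());
    }
};

// Move a conduit one step along the resistance scale. A barrier is absorbing:
// no regulation re-opens a blocked conduit (assumption for the example).
static ConduitState shift(ConduitState s, int delta) {
    if (s == ConduitState::Barrier) return s;
    int v = std::max(0, std::min(4, static_cast<int>(s) + delta));
    return static_cast<ConduitState>(v);
}

// Apply one failure mode (a conduit taking a c-, c+ or b state) and propagate
// through the regulations it drives. Simplified rule: a resistance rise cuts
// the flow in that conduit (dFlow = -1), a fall raises it (dFlow = +1); each
// regulated conduit then moves by -sign * dFlow.
static void applyFailure(Model& m, const std::string& conduitName, ConduitState failed) {
    Conduit* c = m.conduit(conduitName);
    int before = static_cast<int>(c->state);
    int after = static_cast<int>(failed);
    c->state = failed;
    c->dFlow = (after > before) ? -1 : (after < before) ? 1 : 0;
    for (const Regulation& r : m.regulations)
        if (r.from == c && c->dFlow != 0)
            r.to->state = shift(r.to->state, -r.sign * c->dFlow);
}

// Ordered analysis: the conduit states left by the first failure are the
// starting state for the second, as the further-work section proposes.
static ConduitState finalState(Model& m, const std::string& target,
    const std::vector<std::pair<std::string, ConduitState>>& order) {
    for (const auto& f : order) applyFailure(m, f.first, f.second);
    return m.conduit(target)->state;
}

// Constructed plant (hypothetical names): supply conduit X regulates delivery
// conduit Y through a positive regulation relation.
static Model buildPlant() {
    Model m;
    m.roles["X"] = std::make_unique<Conduit>("X");
    m.roles["Y"] = std::make_unique<Conduit>("Y");
    m.regulations.push_back({m.roles["X"].get(), m.conduit("Y"), +1});
    return m;
}

// X blocked then Y worn (decreased resistance), versus the reverse order.
ConduitState xThenY() {
    Model m = buildPlant();
    return finalState(m, "Y", {{"X", ConduitState::Barrier}, {"Y", ConduitState::Decreased}});
}
ConduitState yThenX() {
    Model m = buildPlant();
    return finalState(m, "Y", {{"Y", ConduitState::Decreased}, {"X", ConduitState::Barrier}});
}

int main() {
    std::cout << "X then Y leaves Y in state " << static_cast<int>(xThenY()) << "\n"
              << "Y then X leaves Y in state " << static_cast<int>(yThenX()) << "\n";
}
```

Compiled with g++ -std=c++17, the two orders leave Y in different states: blocking X first pushes Y to c+ before the wear failure resets it to c-, whereas wearing Y first leaves a c- conduit that the loss of regulating power then shifts back to c, masking the wear. Sets, transduction relations and component ports from the object model are omitted here to keep the example to the order-dependence point.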

ACKNOWLEDGEMENTS

The authors wish to acknowledge the useful discussions that took place with Professor C. R. Burrows, Professor K. A. Edge and Dr D. R. Bull at the Fluid Power Centre at the University of Bath. Thanks also to P. Britton, R. Jackson and D. Russell at Lucas Aerospace Ltd for their time discussing and illustrating the functions of the fuel-metering unit. Thanks also to D. Neuffer at Exeter University for his patience and the lengthy discussions on control systems, and to G. Weiss for sharing his expert knowledge of electric motors.
