Reliability in Design: FMEA Derived
from UML/SysML models
P. David, V. Idasiak & F. Kratz
PRISME Institute
Team-project MCDS
Wednesday, 24 September 2008
Outline
1.
2.
3.
4.
Background
UML and SysML for reliability analysis
Method for reliability study in design process
Automatic synthesis of FMEA
1. Previous works on FMEA synthesis
2. Crucial points for FMEA automatic synthesis
3. Exploiting UML/SysML Sequence diagrams
2
5.
6.
7.
Case study
Next step with SysML
Conclusion
Background
•
Difficult to conduct Reliability studies during
design:
Time consuming process
Complex formal methods
Communication difficulties
Mastering the complexity of multi-technological
systems
3
•
Unifying the processes around one modelling
language
Background
•
Improving reliability study during Design:
Creating tools and methods to support safety-critical
system design:
• Integrating formal methods to the design process (GSPN,
Markov Process)
• Developing tools and methods to efficiently conduct
widespread industrial practices (FMEA, Requirements
allocation)
4
•
Proposing algorithms and analysis to be integrated in
commercial tools (UML, SysML tools).
Guiding the design towards reliable solutions:
Insuring the traceability of Requirements
(performance, reliability, safety)
Using UML and SysML
•
•
•
5
•
Object-oriented languages:
Complex and multi technologic Systems
Hierarchical, modular and incremental approach
Graphical and accessible languages
Modelling constructs for Architecture and
Behaviour
Functional behaviour and architecture analysis
Dysfunctional behaviour modelling
Various works on merging UML with formal
methods (Markov Process, GSPN, Fault Trees)
Method for reliability study
Functional Hazard Analysis FHA
Preliminary Hazard Identification PHI
Automatic
FMEA
synthesis
Full FMEA
Formal languages
Functional Model
bdd [Package] SADStructure
«block»
Capteur
«block»
Alarme
operations
Activation ()
RetourEtatNominal ()
flow ports
in alim : AlimElec
out CommandeVanne : Commande
values
estActivé : Boolean
operations
InversionEtatSonnerie ()
CommandeAlarme ()
ValidationAlarme ()
flow ports
in alim : AlimElec
in CommandeCapteur : Commande
standardPorts
enceinte
values
estActivée : Boolean
2
cpt
«block»
Vanne
flow ports
inout entréeVa : FluxEau
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
operations
InversionEtat ()
1 al
«block»
ElectroVanne
«block»
AlimentationElectrique
flow ports
out alim : AlimElec
6
«block»
VanneManuelle
operations
CommandeVanne ()
InversionEtat ()
flow ports
in alim : AlimElec
inout entréeVa : FluxEau
in inCommandeCapteur : Commande
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
1
ae
«block»
SysDeContrôle
flow ports
inout entrée1 : FluxEau
1..* inout entrée2 : FluxEau
inout sortie1 : FluxEau
inout sortie2 : FluxEau
sdc
operations
InversionEtat ()
flow ports
inout entréeVa : FluxEau
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
standardPorts
volantVanne
2
2 va2
va3
bdd [Package] SADStructure
«block»
CircuitAlimentation
flow ports
inout alim : FluxEau
values
dbs : DébitSortant
«ItemFlow»
alimentation : Eau
*
source
* ca
«ItemFlow»
consommation : Eau
«block»
Cuve
*
stockage
flow ports
inout admission : FluxEau
inout evacuation : FluxEau
values
cap : Contenance
dbe : DébitEntrant
dbs : DébitSortant
vol : VolumeContenu
*
source
«block»
RéseauDistribution
*
flow ports
consommateur inout conso : FluxEau
values
dbe : DébitEntrant
«block»
Capteur
«block»
Alarme
operations
Activation ()
RetourEtatNominal ()
flow ports
in alim : AlimElec
out CommandeVanne : Commande
values
estActivé : Boolean
operations
InversionEtatSonnerie ()
CommandeAlarme ()
ValidationAlarme ()
flow ports
in alim : AlimElec
in CommandeCapteur : Commande
standardPorts
enceinte
values
estActivée : Boolean
«block»
Déversoir
flow ports
inout admission : FluxEau
values
dbe : DébitEntrant
* rd
1..* dv
1..* cu
2
cpt
«block»
SAD
«block»
Vanne
flow ports
inout entréeVa : FluxEau
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
operations
InversionEtat ()
1 al
«block»
ElectroVanne
«block»
AlimentationElectrique
flow ports
out alim : AlimElec
Architecture
1
ae
«block»
SysDeContrôle
flow ports
inout entrée1 : FluxEau
1..* inout entrée2 : FluxEau
inout sortie1 : FluxEau
sdc inout sortie2 : FluxEau
«block»
CircuitAlimentation
flow ports
inout alim : FluxEau
values
dbs : DébitSortant
* ca
«ItemFlow»
alimentation : Eau
*
source
*
stockage
«block»
Cuve
*
flow ports
source
inout admission : FluxEau
inout evacuation : FluxEau
values
cap : Contenance
dbe : DébitEntrant
dbs : DébitSortant
vol : VolumeContenu
«block»
VanneManuelle
operations
CommandeVanne ()
InversionEtat ()
flow ports
in alim : AlimElec
inout entréeVa : FluxEau
in inCommandeCapteur : Commande
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
operations
InversionEtat ()
flow ports
inout entréeVa : FluxEau
inout sortieVa : FluxEau
values
dbe : DébitEntrant
dbs : DébitSortant
estOuvert : Boolean
standardPorts
volantVanne
2
2 va2
«ItemFlow»
consommation : Eau
«block»
RéseauDistribution
*
flow ports
consommateur inout conso : FluxEau
values
dbe : DébitEntrant
* rd
va3
«block»
Déversoir
flow ports
inout admission : FluxEau
values
dbe : DébitEntrant
1..* dv
1..* cu
«block»
SAD
end if
end if
Ouverture de va4
InversionEtat
if vol.cu > 90%*cap.cu
{3 min}
end if
fermeture va3
InversionEtat
if vol.cu > 90%*cap.cu
InversionEtatSonnerie
extinction sonnerie
ValidationAlarme
Prise en compte de l'Alarme
end par
Alarme sonne
CommandeAlarme
Commande Alarme
InversionEtatSonnerie
also par
Fermeture va2
CommandeVanne
Commande Vanne va2
InversionEtat
par
par
Activation
Capteur cpt2 activé
if vol.cu > 95%*cap.cu
end if
Fermeture va
InversionEtat
Commande Vanne va
CommandeVanne
Capteur cpt activé
Description
niveau au début du scénario
Les capteurs ne détectent pas d'eau à leur
Activation
if vol.cu > 90%*cap.cu
Opérateur
/cpt:Capteur /cpt2:Capteur /va:ElectroVanne /va2:ElectroVanne /va3:VanneManuelle /va4:VanneManuelle /al:Alarme
Instance
Instance
Instance
Instance
Instance
Instance
Instance
«part»
«part»
«part»
«part»
«part»
«part»
«part»
Behaviour
Failure mode
repository
GSPN, Markov
Process, AltaRica,
Figaro
Automatic synthesis of
FMEA
•
7
•
Importance of FMEA process:
Performed at an early stage
Systematic identification of risks
Classify the risks
Underline weak points of the system
Weak points of FMEA
Time consuming
Error prone analysis
Huge amount of information to produce
Ambiguity of the quoted values
•
Previous works on FMEA
synthesis
Numerous existing works:
Organisational practises (Bassetto 2005)
Mastering simultaneous failures (Price and Taylor 2002)
Computing the effects at overall system scale (Price and
Taylor 2002), (Papadopoulos et al. 2004b)
8
•
Enhancing classification and promoting the use of
natural vocabulary (Bowles and Pelaez 1995)
Weak points of previous works:
Domain specific approach (electronic)
No help for FMEA initialisation (component
identification)
No real use of lesson learnt databases
Computation of failure effects only from a
dysfunctional model
Crucial points for FMEA
automatic synthesis
• Essential points for automatic FMEA
synthesis:
The exploited model:
9
• Hierarchy between blocks
• Architecture of the system and its functionalities
• Data and flow transmissions
A Dysfunctional Behaviour Database
• Contains lesson learnt on components failures
• References Failure modes name
• References Failure modes behaviour
Automatic synthesis of
FMEA
• Our ambitions:
10
Studying functional models at early stages of
design process
Insuring exhaustiveness of component
identification
Use and construction of a lesson learnt
database
Identifying the primary Failure Modes
Sequence Diagram
exploitation
componentA:A
componentB:B
Dysfunctional behaviour
database
ClassA
FailureMode :FailureMode[*]
message:MessageType
m2:m2type
11
Sequence Diagram (SD)
FMEA Table
ClassB
FailureMode :FailureMode[*]
Case Study: Level Control
System (LCS)
12
LCS Sequence Diagram
13
Preliminary FMEA report
Component Failure Mode
Possible Causes
Possible Effects
S1
Internal Cause
Internal Effect
No detection
From S1 by Activation On Ev1 by CommandEv
On S1 by Activation
False Detection
Internal Cause
Internal Effect
From S1 by Activation On Ev1 by CommandEv
On S1 by Activation
14
•
•
•
•
This table is a good help to build the final FMEA.
Relation to consider are indicated.
Known Failure Mode are already mentioned.
The heavy phase of FMEA is automatically performed
(Component census, Search in database).
Next step with SysML
15
15
Component Identification
Control signals
Flow transmission
Requirements
Traceability
Failure Mode
Repository
LCS in SysML
16
New preliminary FMEA
report
Component
Failure Mode
Possible Causes
Possible Effects
S1
No detection
Internal Cause
Internal Effect
From S1 by Activation On Ev1 by CommandEv
From Ps through
PopS-PiS1
[PowerInput]
On S1 by Activation
On Ev1 through CiS1-CiEv1
[CommandInterface]
17
False
Detection
Internal Cause
Internal Effect
From S1 by Activation On Ev1 by CommandEv
From Ps through
PopS-PiS1
[PowerInput]
On S1 by Activation
On Ev1 through CiS1-CiEv1
[CommandInterface]
Conclusion
•
•
•
18
•
•
A precious part of FMEA is automatically built.
The preliminary report is a great guideline for
analysts.
It helps saving a lot of time while respecting the
exhaustivity of the study.
SysML shows huge possibilities to enhance this
first solution.
Effective solution to start the deployment of the
presented method.
Acknowledgements
19
We specially want to thank all our partners
involved in the CAPTHOM project. This work was
realized with the financial help of the French
Industry Ministry and local collectivities, within the
framework of the CAPTHOM project of the
Competitiveness Pole S2E2, www.s2e2.fr.
© Copyright 2026 Paperzz