SAE ARP 1834A-1997 Fault/Failure Analysis for Digital Systems and Equipment (Use ARP 4761 for Aircraft Safety Assessment).pdf

Uploader: 王申宇   Document ID: 1022806   Uploaded: 2019-03-21   Format: PDF   Pages: 69   Size: 3.38 MB
Resource description

SAE ARP1834 Revision A
The Engineering Society For Advancing Mobility - Land, Sea, Air and Space
SAE International, 400 Commonwealth Drive, Warrendale, PA 15096-0001

AEROSPACE RECOMMENDED PRACTICE
Submitted for recognition as an American National Standard

ARP1834 REV. A
Issued 1986-08
Reaffirmed 1992-09
Revised 1997-06
Superseding ARP1834

FAULT/FAILURE ANALYSIS
For Digital Systems and Equipment
(Use ARP4761 for Aircraft Safety Assessment)

INTRODUCTION

Background: A fault and failure analysis (F/FA) usually consists of one or more of the analysis processes depicted by Figure 1, "Family of Fault/Failure Analysis Processes." Typically, these analysis techniques are for the purpose of:

a. Analyzing, assessing and documenting the effects of potential failures on a particular equipment item or system design;
b. Identifying those failures which affect operational success or safety, and determining their probability of occurrence;
c. Enabling quantification of fault/failure detection and isolation capability as it relates to equipment safety and maintainability.

Aerospace Recommended Practice ARP926A, "Fault/Failure Analysis Procedure", addresses the application of F/FA methods to parts, components and systems other than those of an essentially digital nature. The development of this separate ARP to address digital F/FA was initiated to recognize:

a. The expanding use of digital hardware in military, commercial, and consumer products;
b. The need to apply F/FA procedures to digital devices, components and systems;
c. The distinctive characteristics of digital equipment, having unique potential failure modes which, if not recognized and designed for, can result in either excessive downtime or erroneous output with severe ramifications.

SAE Technical Standards Board Rules provide that: "This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user."

SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions.

Copyright 1997 Society of Automotive Engineers, Inc. All rights reserved.

QUESTIONS REGARDING THIS DOCUMENT: (412) 772-8510, FAX (412) 776-0243
TO PLACE A DOCUMENT ORDER: (412) 776-4970, FAX (412) 776-0790
Printed in U.S.A.

TABLE OF CONTENTS

INTRODUCTION  1
1. SCOPE  4
1.1 Use of ARP1834 Guidelines for Safety Certification  4
2. REFERENCES  5
2.1 Applicable Documents  5
2.1.1 SAE Publications  5
2.1.2 U.S. Government Publications  5
2.1.3 RTCA Publications  5
2.1.4 Other References  6
2.2 Glossary  6
3. POSSIBLE APPROACHES  8
3.1 Influences Versus System Types  10
3.1.1 Common to all System F/FAs  10
3.1.2 Non-Processor-Based System F/FAs  12
3.1.3 Processor-Based System F/FAs  12
3.2 F/FA Scope and Approach  13
3.2.1 Failure Consequences  13
3.2.2 Architecture  14
3.2.3 Fault Management  14
3.2.4 Maintainability Considerations  15
3.3 F/FA Approach Considerations  15
3.3.1 Program Phase  15
3.3.2 Level of Detail versus Cost  15
3.3.3 Skill Level, Expertise Required  16
3.3.4 Facility - Special Needs  16
3.3.5 Fault Management  17
3.3.6 Software Design  18
3.3.7 Safety Hazard Identification  19
3.3.8 Design Changes  19
3.4 F/FA Decision Tree  20
4. FAILURE MODES AND EFFECTS  20
4.1 Identification of General Needs  20
4.2 Failure Mechanisms  22
4.3 Modes and Effects  22
4.3.1 Device Failure Modes  22
4.3.2 Soft Failures  23
4.3.3 Latent Failures  23
4.3.4 Failure Mode Data Sources  24
4.4 Failure Rate Allocation  25
4.5 Custom LSI  25
4.6 Software Considerations  25
5. FAULT MONITORING METHODOLOGY  25
5.1 Reasons for Fault Monitoring  26
5.2 System Architecture vs Fault Monitoring  26
5.3 Types of Fault Monitoring  26
5.3.1 Processor Failure Detection  27
5.3.2 Data Transmission Error Detection  27
5.3.3 Data Validity  28
5.4 Fault Monitoring Effectiveness  29
5.5 Method of Fault Monitoring Analysis  29
6. ANALYSIS METHODS  29
6.1 Basic Methods and Elements  29
6.1.1 General  29
6.1.2 Sequence  30
6.1.3 F/FA Process Steps  31
6.2 Special Methods  38
6.2.1 Fault Insertion Using Hardware  38
6.2.2 Fault Insertion into a Computer Simulation of the Hardware Functions  39
6.2.3 Fault Insertion Using Emulation  39

APPENDIX A  EXAMPLE - F/FA BASIC BOTTOM-UP APPROACH  41
APPENDIX B  EXAMPLE - F/FA BASIC TOP-DOWN APPROACH  58
APPENDIX C  67

FIGURE 1  Family of Fault/Failure Analysis Processes  9
FIGURE 2  Typical Analysis Flow - Scope, Direction, and Responsibility  11
FIGURE 3  An Example of a F/FA Decision Tree  21

TABLE 1  F/FA Objective Versus Development Phase  8
TABLE 2  Digital Systems Considerations of F/FA Approaches  16
TABLE 3  Typical Device Failure Modes  23
TABLE 4  One Example of Categorizing Scope and Approach of Analysis  14

1. SCOPE:

ARP1834 provides general guidance for the selection, approach to, and performance of various kinds of F/FA of digital systems and equipment. Its prime objective is to present several industry-acceptable, cost-effective methods for identifying, analyzing, and documenting digital-equipment failure modes and their effects. The analysis techniques and considerations presented here are directed to digital-equipment hardware faults and failures exclusively. ARP1834 is not intended as an exhaustive treatment of the enormously complex process involved in the analytical failure evaluation of complete digital systems, nor as a universally applicable, definitive listing of the necessary and sufficient steps and actions for such evaluation. ARP4761 provides updated methods and processes for use on civil aircraft safety assessment. When analyzing these types of systems, ARP4761 should be used in lieu of this ARP.

ARP1834 addresses the following areas of consideration in the preparation and performance of F/FAs for digital equipment:

a. Possible Analysis Approaches: Top-Down and/or Bottom-Up (Section 3)
b. Fault/Failure Modes, as they affect equipment operation and performance (Section 4)
c. Fault Monitoring Methodology: Reasons for, types of, and effectiveness (Section 5)
d. Analysis Methods: Preparation for, types of, effectiveness and coverage (Section 6)

1.1 Use of ARP1834 Guidelines for Safety Certification:

If this document is used as guidance for analyses involved in achieving digital-equipment safety certification by a regulatory agency, early coordination with that agency should be initiated to establish the scope and level of analysis effort that will be required to show compliance. Specific applications of F/FA processes discussed herein (and quite possibly others omitted here) will need to be negotiated on a case-by-case basis between the applicant and the agency, and between the prime contractor and his subcontractor or equipment supplier.

For digital systems performing functions that are critical and/or essential (see 3.2.1), it may not be possible to demonstrate compliance with safety-certification requirements without the use of design techniques aimed at producing a fault-tolerant system. A goal for these design techniques is the possible reduction or elimination of the need for part-level FMEA. This consideration is of pivotal importance, because thorough, accurate and dependable FMEA of contemporary microcircuits is not a feasible undertaking (see 6.1.3.6.1). The depth of the F/FA required to show compliance will be strongly influenced by such techniques. Typical design techniques which may be used in various combinations include:

a. System Architecture
   (1) Similar Redundancy
   (2) Dissimilar Redundancy
   (3) Signal Consolidation or "Voting"
   (4) Hardware Functional Partitioning
b. Fault Detection and Isolation
   (1) Comparison Monitoring between redundant elements
   (2) In-line test and monitoring
   (3) In-line reasonableness checks
c. Fault Response
   (1) System reconfiguration
   (2) Operational mode changing
   (3) System shutdown

Although such design considerations are outside the scope of this document, they must be taken into account by system designers and analysts in meeting overall system-safety objectives and in establishing the level of effort required for the F/FA.

2. REFERENCES:

2.1 Applicable Documents: The following publications contain information relative to applications of tail bumpers. The latest issue of SAE publications shall apply. The applicable issue of other publications shall be the issue in effect on the date of the purchase order. In the event of conflict between the text of this specification and references cited herein, the text of this specification takes precedence. Nothing in this specification, however, supersedes applicable laws and regulations unless a specific exemption has been obtained.

2.1.1 SAE Publications: Available from SAE, 400 Commonwealth Drive, Warrendale, PA 15096-0001.
ARP926A
ARP4761

2.1.2 U.S. Government Publications: Available from DODSSP, Subscription Services Desk, Building 4D, 700 Robbins Avenue, Philadelphia, PA 19111-5094.
MIL-HDBK-217

2.1.3 RTCA Publications: Available from RTCA Inc., 1140 Connecticut Ave., NW, Suite 1020, Washington, DC 20036.
RTCA Document No. DO-178

2.1.4 Other References:
AC 20-115
AC 25.1309-1
RAC
GIDEP (Government Industry Data Exchange Program)
McGough, J., Swern, F., "Measurement of Fault Latency in a Digital Avionics Miniprocessor," Flight Systems Division, Bendix Corporation, NASA Contract NAS1-15946, April 1981.
Seshu, S. and Freeman, D. N., "The Diagnosis of Asynchronous Sequential Switching Systems", IRE Transactions on Electronic Computers, Vol. EC-11, No. 4, August 1962, pp. 459-465.
Hardie, F. H., and Suhocki, R. J., "Design and Use of Fault Simulation for Saturn Computer Design", IEEE Transactions on Electronic Computers, Vol. EC-16, No. 4, August 1967, pp. 412-429.
Bertolino, L., Grefsrud, L. E., "Failure Analysis of Digital Systems Using Simulation", Proceedings, Reliability and Maintainability Symposium, 1977.

2.2 Glossary: This glossary contains definitions of terms used in the text of this document.

ALGORITHM: An explicit set of rules, generally mathematical in nature, for solving a particular problem. When this set of rules is applied to identified inputs, the desired outputs will be obtained after a finite number of steps have been completed.

AVAILABILITY: Probability that an item is in an operable state when required.

(CPU) CENTRAL PROCESSING UNIT: The part of a computer that controls the interpretation and execution of instructions.

CERTIFICATION: The process of obtaining regulatory agency approval for a function, equipment, system or aircraft, by establishing that it complies with all applicable government regulations.

CHANGE CONTROL: The process of evaluating, approving, and documenting a system configuration and changes to the system.

COMPARISON MONITORING: The technique of comparing a set of computed variables with a corresponding set from an independent source.

EMULATOR: Software run on a host computer that accepts the same input data, executes the same programs, and yields the same outputs as the target computer. The emulation software may execute on a host computer or on a computer similar to the computer that will actually be used in the system. Emulators replace the computer in the system to enable the computer/system interface to be tested, verified, and validated in an orderly fashion.

FAILURE: The inability to perform within specified limits.

FAULT: An undesired anomaly in the functional operation of an equipment or system.

FAULT ISOLATION: As used in reference to diagnostics or built-in-test equipment, the ability to identify the unit in which a fault has occurred.

FAULT MANAGEMENT: Those aspects of the system design which cover fault monitoring (detection), fault response, fault storage and fault annunciation, for both operational and maintenance purposes.

FIRMWARE: A computer program that is stored in a fixed or "firm" way, usually in a read-only memory.

FUNCTIONAL ISOLATION: The property of a system which provides effective separation of functions to minimize adverse interaction.

HOST COMPUTER: Any computer used to develop software for another (target) computer.

LINE REPLACEABLE UNIT (LRU): An assembly which forms part of a system, designed to be removed and replaced in the event of failure to improve maintainability of a vehicle.

PARTITIONING: The process of determining how the system requirements will be implemented either in hardware and its components or in software and its components. In software, partitioning is said to exist if co-resident tasks execute without any interdependency between them.

PROCESSOR BASED SYSTEM: A system which uses a processor to control the timing and execution of all functions in a pre-determined relationship.

REDUNDANCY: That feature of design architecture which provides more than one means to perform certain functions.

SIMULATION: The representation of physical systems and phenomena by computerized models, e.g., an imitative type of data processing in which specialized computer programs are used to mimic the behavior of a physical device or system.

STATE CHANGES: Conditions involving one or more bits changing from 0 to 1, or from 1 to 0.

TARGET COMPUTER: The digital computer embedded in the operational equipment that executes the operational software.

VALIDATION: The process of demonstrating, through testing in the real environment, or an environment as real as possible, that the system satisfies the user's requirements.

VERIFICATION: The process of demonstrating the logical correctness of the software and showing that it performs according to its specifications.

VOLATILE MEMORY: A memory device which requires continuous power to retain data.

3. POSSIBLE APPROACHES:

The prime criterion for performing any of the F/FA processes depicted by Figure 1 should be to provide credible results in the most cost-effective manner. Of the various factors and influences which affect success or failure per this criterion, the phase of development at which the F/FA is expected to be performed and the analysis objectives are probably the most significant. Table 1 reflects how the iterative nature of F/FA, as the design progresses, can help to accomplish these F/FA objectives in a
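The fault-tolerant design techniques listed in 1.1 (signal consolidation by voting, comparison monitoring between redundant elements, in-line reasonableness checks, and a fault response of reconfiguration, mode change or shutdown) together with the fault storage and annunciation named under FAULT MANAGEMENT in 2.2, shown as an added illustration that is not part of ARP1834. The three-element channel, its tolerance and its range bounds are constructed assumptions for the example, not values from the standard.

```python
from dataclasses import dataclass, field


@dataclass
class RedundantChannelMonitor:
    """Consolidates readings from redundant elements of one hypothetical channel.

    Techniques (ARP1834 1.1): signal consolidation by mid-value voting, comparison
    monitoring between redundant elements, in-line reasonableness checks, and a
    graded fault response of reconfiguration -> mode change -> shutdown.
    tolerance, lo and hi are assumed values for this constructed example."""
    tolerance: float                                  # allowed element disagreement
    lo: float                                         # reasonableness bounds of a reading
    hi: float
    fault_log: list = field(default_factory=list)     # fault storage and annunciation
    isolated: set = field(default_factory=set)        # elements removed by reconfiguration

    def _isolate(self, name, reason):
        """Fault response (1): reconfigure by dropping the faulted element."""
        self.isolated.add(name)
        self.fault_log.append(f"{name}: {reason}")

    def consolidate(self, readings):
        """readings maps element name -> value; returns (mode, consolidated value)."""
        # In-line reasonableness check: a value outside the physical range is a fault
        # even when no other element exists to compare it against.
        for name, v in readings.items():
            if name not in self.isolated and not (self.lo <= v <= self.hi):
                self._isolate(name, f"reasonableness check failed: {v}")
        live = {n: v for n, v in readings.items() if n not in self.isolated}
        if len(live) >= 3:
            # Mid-value select tolerates one outlier; then compare every element
            # against the voted value and isolate any that disagree (comparison monitoring).
            vote = sorted(live.values())[len(live) // 2]
            for name, v in live.items():
                if abs(v - vote) > self.tolerance:
                    self._isolate(name, f"comparison monitor: {v} vs voted {vote}")
            return ("NORMAL" if not self.isolated else "DEGRADED"), vote
        if len(live) == 2:
            # Two elements: a miscompare is detectable but the faulted element cannot
            # be located, so the only safe response is shutdown.
            a, b = live.values()
            if abs(a - b) > self.tolerance:
                self.fault_log.append(f"dual-channel miscompare: {a} vs {b}")
                return "SHUTDOWN", None
            return "DEGRADED", (a + b) / 2            # fault response (2): mode change
        # Fewer than two live elements: no independent source remains for monitoring.
        return "SHUTDOWN", None                        # fault response (3): shutdown
```

Running the monitor over successive reading sets shows the channel moving from NORMAL through DEGRADED to SHUTDOWN as elements are isolated, with each fault recorded in fault_log for maintenance.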
