CN108170892B - Fault mode and influence analysis method based on accident dynamic deduction simulation - Google Patents
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F30/00—Computer-aided design [CAD]
- G06F30/20—Design optimisation, verification or simulation
Abstract
The invention relates to a fault mode and influence analysis method based on accident dynamic deduction simulation. Unlike the traditional approach of attaching a failure rate to each function module and analysing reliability from it, a function block is constructed for every module of the lowest appointed level, according to the characteristics of the analysed object, and a function block diagram is built. All function blocks are then joined into a whole by constructing the logical and temporal relations between them. Finally, the dynamic running process of the system is simulated by a discrete event dynamic simulation method to find the system's failure events and their occurrence probabilities, on which further failure influence and hazard analysis is performed. This solves the problem that the traditional fault mode and influence analysis method cannot perform temporal logic analysis or combined function failure analysis.
Description
Technical Field
The invention discloses a fault mode and influence analysis method based on accident dynamic deduction simulation, and belongs to the technical field of complex system reliability analysis.
Background
Failure Mode, Effects and Criticality Analysis (FMECA) and Failure Mode and Effects Analysis (FMEA) are analysis techniques distilled from engineering practice that start from failure modes and target failure effects or consequences. By analysing one by one how the different faults of each component affect system operation, the method comprehensively identifies weak links and key items in the design and provides basic information for evaluating and improving the reliability of the system design.
Failure mode and effects analysis methods are now widely adopted in complex system reliability analysis. Traditional FMEA is based on single, independent functions: it mostly considers the static logical relations among components and rarely the dynamic time-constraint relations between them; it depends entirely on the skill and experience of the reliability analyst and is therefore limited by human cognitive ability; it is hard to predict all possible behaviours of the system (normal and abnormal); it easily overlooks or misjudges the influence of certain system failure states on system failure; and it cannot keep up with today's highly complex and integrated systems.
Most highly complex systems, such as aerospace systems, are real-time systems, whose correctness depends not only on their logical characteristics but also on their temporal characteristics. In a real-time system, an activity that executes too late, or an operation that uses stale data, is useless to the overall system even if it performs the correct function, and can sometimes be harmful. In recent years, air crashes have increasingly been caused by insufficient temporal logic in the interaction of components: after-the-fact analysis shows that no single functional component had a problem, but a problem arose when several components interacted.
To address such problems, model checking based on formal verification has been introduced abroad into the reliability evaluation of complex airborne systems since 2001. A state-space search is used to detect whether the system model satisfies specific properties, and a counterexample is given when it does not. However, the fully formal approach faces the following problems in domestic adoption: 1) the model-checking method based on complete formal verification is complex to model and hard to apply to some systems, so it is difficult to popularise in China; 2) model checking ensures that the model is correct, but it cannot reflect the failure probability of the hardware the model runs on, and so cannot give the failure probability of the real system under actual operating conditions.
To solve the above problems, a failure mode and effects analysis method is needed that can analyse failures caused by temporal logic errors in the interaction of multiple components, and that reduces modelling complexity.
Disclosure of Invention
Against this prior art, the invention provides a fault mode and influence analysis method based on accident dynamic deduction simulation. Its aim is to simulate the dynamic operation of the system by a discrete event dynamic simulation method, find the system's failure events and their occurrence probabilities, and then analyse failure influence and damage. This solves the problem that the traditional fault mode and influence analysis method cannot perform temporal logic analysis or combined function failure analysis.
The purpose of the invention is realised by the following technical scheme. The fault mode and influence analysis method based on accident dynamic deduction simulation comprises the following steps:
Step one: describe the composition and function of the analysed object according to its product protocol, product requirements and design documents; decompose the analysed object layer by layer into the levels of whole machine, system, subsystem, external field replaceable unit and internal field replaceable unit, down to the lowest appointed level required by the fault mode and influence analysis;
Step two: establish a function block for each module of the lowest appointed level and construct the function block diagram. In the diagram one function block represents one function, which may contain sub-functions; function blocks are joined by lines without arrows according to their interdependence and hierarchical relations, representing the physical relations between them. A function block is described in the format:
function name
functional content definition
end function;
Step three: for each functional block in the function block diagram, construct an accident dynamic deduction simulation model of the block's internal behaviour. The simulation model is a detailed description containing the following 10 elements: sub-function C, input variable I, state variable S, output variable O, initial state R, failure state F, event E, state transition T, transfer function L and event association relation ER, abbreviated as the ten-tuple <C, I, S, O, R, F, E, T, L, ER>. The elements are described as follows:
1. C in the ten-tuple represents sub-functions; it is described only for function blocks that contain sub-functions, otherwise it is omitted. The sub-functions contained in the block are written in sequence, each in the format "function name: function type". For example, E1:subfunc1; E2:subfunc1; E3:subfunc1; states that func1 contains three sub-functions E1, E2 and E3 of type subfunc1;
2. I in the ten-tuple represents the input variables; every function block describes this item. Each function module contains one or more input variables, written as "variable name: variable type: in", for example input1:float:in. If the variable has a fixed initial value, the variable type may be replaced by the variable value, for example input2:[0,1]:in;
3. S in the ten-tuple represents the state variables; it is described only for blocks that do not contain sub-functions, otherwise it is omitted. A state variable refers to a condition or situation in the life cycle of a function; a state is the result of the function performing a series of activities. Each function module contains one or more state variables, and a state transition can take place when the corresponding condition is satisfied. The format is "variable name: [variable values]: s", for example state1:[working,failed,repair]:s;
4. R in the ten-tuple represents the initial state; it is described only for blocks that do not contain sub-functions, otherwise it is omitted. Each function block has exactly one initial state; R is one of the states in S (R ∈ S) and is the state the function is in when the simulation starts. The format is "state name := state value", for example state1:=working;
5. F in the ten-tuple represents the failure states; it is described only for blocks that do not contain sub-functions, otherwise it is omitted. Each function block has one or more failure states, each of which is a state in S (F ∈ S). If such a state is reached during the simulation, the time of entering it is recorded and the failure occurrence probability is calculated. The format is "state name := state value", for example state1:=failed;
6. O in the ten-tuple represents the output variables; every function block describes this item. Each function module contains one or more output variables, written as "variable name: variable type: out", for example output1:float:out;
7. E in the ten-tuple represents events; it is described only for blocks that do not contain sub-functions, otherwise it is omitted. An event triggers a state transition; the transition must satisfy its transition condition, and when the condition holds, the triggering of the event drives the transition. The effect of an event is to add a delay time to the state transition. Events in this invention fall into two main categories, delayed events and transient events. Delayed events comprise random events (a probability distribution function with parameters) and fixed-delay events; transient events comprise immediate events and preconditioned events. A random delayed event is written "event name(delay := probability distribution function(failure probability λ))", for example failure1(delay:=exponential(1E-10)). A fixed-delay event is written "event name(delay := Dirac(delay time))", for example failure2(delay:=Dirac(2)). A transient event only needs its event name, since the condition of a preconditioned event is described in the state transition, so its format is "event name", for example failure3;
8. T in the ten-tuple represents state transitions; it is described only for blocks that do not contain sub-functions, otherwise it is omitted. A state transition is a relation between two states of a state variable: in the source state the object performs a certain action and, on the occurrence of a certain event or the satisfaction of certain conditions, enters the target state. The format is "(state name := source state value)[transition condition is true] |-event name-> state name := target state value", where the transition condition is optional; when it is empty, the transition is driven by the event occurrence alone. For example, (state1:=working) |-failure-> state1:=failed states that when the failure event occurs, state1 changes from working to failed;
9. L in the ten-tuple represents the transfer functions; every function block describes this item. A transfer function describes one of three logical relations:
9.1 the logical relation between the outputs and the inputs and state variables inside a function, as shown in FIG. 1(a). A transfer function equation has the output variable on the left and a logical expression over input and state variables on the right, for example: output1 := if (state1 == working) then min(input1, capacity) else 0;
9.2 the relation between function modules at the same level of the system, as shown in FIG. 1(b). First the input and output variables of the two function modules at the ends of a connecting line are found, then the output variable is related to the input variable, for example: func2.input1 := func1.output;
9.3 the logical relation between the input and output variables of a function and its sub-functions, as shown in FIG. 1(c), for example:
function func1
C
E1:subfunc1;E2:subfunc1;E3:subfunc1;
I
input:float:in;
L
E1.input1:=input;
end function
where E1.input1:=input states that input1 of the sub-function E1 equals the input of the parent function func1;
10. ER in the ten-tuple represents the event association relations; it is described only for function blocks that contain sub-functions, otherwise it is omitted. ER represents the association between events in the function and in its sub-functions, of which there are three types: synchronous association, broadcast association and common-cause association;
10.1 A synchronous association is constructed between events of the parent module and of the child modules it contains, as shown in FIG. 2(a). It means that the events must occur simultaneously and the state transitions they drive must be performed simultaneously. It is written ER{event1 & event2 ... eventN}; for example, ER{e1 & e2} states that e1 and e2 occur at the same time and the transitions driven by e1 and by e2 are performed at the same time;
10.2 A broadcast association is constructed between events of the parent module and of the child modules it contains, as shown in FIG. 2(b). When one event occurs, the other events that have a broadcast association with it are notified; if the transition condition of the state transition driven by such an event is true, it is executed, otherwise it is not. It is written ER{event1 | event2 ... eventN};
10.3 A common-cause association is constructed between events of the parent module and of the child modules it contains, as shown in FIG. 2(c). A common-cause event includes the broadcast association and, in addition, the several events in the common-cause relation can each occur independently like an ordinary event. Common-cause events are typically used for several sub-modules of a parent module, each of which may fail either through an error within itself or through a common-cause failure. It is written ER{event1, event2 ... eventN};
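As an added illustration (not code from the patent), the following Python parser reads one function block written in the ten-tuple notation of step three and checks the consistency rules stated above (exactly one initial state, R and F drawn from S, transitions only over declared states and events). The block layout, the names SubFunc1, state1, e1 to e3 and the event parameters in the sample are assumptions.

```python
import re

# Constructed sample in the page's notation; layout assumed: one element letter per line, items ';'-terminated.
SAMPLE = """function SubFunc1
I
input1:bool:in;
S
state1:[S1,S2,S3]:s;
R
state1:=S1;
F
state1:=S3;
O
output1:bool:out;
E
e1(delay:=Dirac(100)); e2(delay:=exponential(1E-6)); e3;
T
(state1:=S1)[input1==true] |-e1-> state1:=S2;
(state1:=S2) |-e2-> state1:=S3;
(state1:=S2) |-e3-> state1:=S1;
L
output1:=if (state1==S2 && input1==true) then true else false;
end function"""

SECTIONS = ("C", "I", "S", "O", "R", "F", "E", "T", "L", "ER")
VAR_RE = re.compile(r"^(\w+):(.+):(in|out)$")                          # name:type-or-value:in|out
STATE_RE = re.compile(r"^(\w+):\[(.*)\]:s$")                           # name:[v1,v2,...]:s
ASSIGN_RE = re.compile(r"^(\w+):=(\w+)$")                              # name:=value
EVENT_RE = re.compile(r"^(\w+)(?:\(delay:=(\w+)\(([^)]*)\)\))?$")      # name or name(delay:=dist(params))
TRANS_RE = re.compile(r"^\((\w+):=(\w+)\)(?:\[(.*?)\])?\s*\|-(\w+)->\s*(\w+):=(\w+)$")


def _match(regex, item, what):
    m = regex.match(item)
    if not m:
        raise ValueError(f"malformed {what}: {item!r}")
    return m


def parse_function(text):
    """Parse one 'function ... end function' block into its ten-tuple (dict keyed by element letter)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("function ") or lines[-1] != "end function":
        raise ValueError("block must start with 'function <name>' and end with 'end function'")
    m = {"name": lines[0].split(None, 1)[1], "C": {}, "I": {}, "S": {}, "O": {}, "R": [],
         "F": [], "E": {}, "T": [], "L": {}, "ER": []}
    section = None
    for ln in lines[1:-1]:
        if ln in SECTIONS:
            section = ln
            continue
        if section is None:
            raise ValueError(f"item before any element letter: {ln!r}")
        for item in (s.strip() for s in ln.split(";")):
            if item:
                _parse_item(m, section, item)
    _check(m)
    return m


def _parse_item(m, section, item):
    if section == "C":                                   # "name: type"
        name, kind = (s.strip() for s in item.split(":", 1))
        m["C"][name] = kind
    elif section in ("I", "O"):                          # "name: type (or fixed value): in|out"
        name, kind, direction = _match(VAR_RE, item, "variable").groups()
        if direction != ("in" if section == "I" else "out"):
            raise ValueError(f"{item!r} listed under {section}")
        m[section][name] = kind
    elif section == "S":                                 # "name: [values]: s"
        name, values = _match(STATE_RE, item, "state variable").groups()
        m["S"][name] = [v.strip() for v in values.split(",")]
    elif section in ("R", "F"):                          # "name := value"
        m[section].append(_match(ASSIGN_RE, item, "state assignment").groups())
    elif section == "E":                                 # "name(delay:=dist(params))" or "name"
        name, dist, params = _match(EVENT_RE, item, "event").groups()
        m["E"][name] = ("transient", ()) if dist is None else (
            dist.lower(), tuple(float(p) for p in params.split(",")))
    elif section == "T":                                 # "(var:=src)[cond] |-event-> var:=dst"
        var, src, cond, event, _, dst = _match(TRANS_RE, item, "transition").groups()
        m["T"].append({"var": var, "source": src, "cond": cond, "event": event, "target": dst})
    elif section == "L":                                 # "lhs := expression"
        lhs, rhs = item.split(":=", 1)
        m["L"][lhs.strip()] = rhs.strip()
    else:                                                # ER: kept verbatim, e.g. "ER{e1 & e2}"
        m["ER"].append(item)


def _check(m):
    """Consistency rules of the ten-tuple: one initial state and at least one failure state; R, F and
    transition source/target values are members of S; transition events are declared in E."""
    if m["C"]:                                           # blocks with sub-functions carry no S, R, F, E, T
        return
    if len(m["R"]) != 1 or not m["F"]:
        raise ValueError("exactly one initial state and at least one failure state are required")
    refs = m["R"] + m["F"] + [(t["var"], t[k]) for t in m["T"] for k in ("source", "target")]
    bad = [f"{n}:={v}" for n, v in refs if v not in m["S"].get(n, [])]
    bad += [t["event"] for t in m["T"] if t["event"] not in m["E"]]
    if bad:
        raise ValueError("undeclared state values or events: " + ", ".join(bad))
```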
Step four: carry out accident deduction by a discrete event dynamic simulation method and record the failure probability of the failure events.
The failure probability is obtained by running the simulation many times and averaging the results; it is an approximation that approaches the true value as the number of runs grows. A single simulation run proceeds as follows:
4.1 initialization
4.1.1 set the start time t0 and the end time tf of the simulation;
4.1.2 set the initial state of the function represented by each function block, initialising it to the value specified by R in the ten-tuple of its accident dynamic deduction simulation model;
4.2 set the simulation clock TIME := t0;
4.3 dynamically update the event list: find the events E in the accident dynamic deduction simulation model that currently satisfy the triggering condition, meaning that the transition condition of the state transition T corresponding to E is empty or true, then perform the following two steps:
4.3.1 delete from the event list the events that no longer satisfy the triggering condition;
4.3.2 for each event E found to satisfy the triggering condition, if it is not yet in the event list, add it and mark it as a new event;
The event list stores the events that satisfy the triggering conditions. It is empty at the start of the simulation and is updated dynamically as the simulation runs; its events are sorted by occurrence time from earliest to latest, and when the simulation time reaches the occurrence time of the first event in the list, that event triggers and drives a state transition, thereby advancing the simulation;
4.4 if the simulation time TIME is not less than tf or the event list is empty, go to 4.9; otherwise execute 4.5;
4.5 calculate the occurrence time of each newly added event in the event list. The occurrence time of an event equals the simulation time plus the event's delay time, computed as follows. A transient event occurs immediately once its transition condition holds: its delay is 0 and its occurrence time is the simulation time. For a fixed-delay event, the occurrence time is the simulation time plus the delay. For a random delayed event, the occurrence probability is sampled: it is assumed to be uniformly distributed on [0,1], and a specific value p ∈ [0,1] is obtained by random sampling; the delay time is then determined from p according to the event's distribution. Taking the exponential distribution as an example, its distribution function is p = 1 - e^{-λt}; once p is obtained, this function is inverted to give the value of t. A Weibull distribution is handled in the same way with its own distribution function, and other distributions likewise. Adding t to the simulation time gives the execution time of the event;
4.6 sort the events in the event list by occurrence time from earliest to latest, take the event with the earliest occurrence time tEvent from the list, and advance the simulation time to it, i.e. set TIME := tEvent;
4.7 the event occurs and drives the state transition; determine whether the new state is a failure state, and if so calculate the failure probability as 1/TIME from the simulation time;
4.8 according to the transfer functions L in the model ten-tuple, calculate the changes to the system's input and output variables and to the truth values of the state transition conditions caused by the state transition, then return to 4.3;
4.9 the simulation ends.
Step five: based on the failure states and failure probabilities obtained by the accident dynamic deduction simulation, perform the fault mode and influence analysis and fill in the fault mode and influence analysis table. In detail: for each failure state, if it can cause a failure mode to occur, add a record to the fault mode and influence analysis table and fill in its code, product or function identifier, function and failure mode, then execute the following steps to fill in the remaining items; otherwise process the next failure state, until all failure states have been processed. When filling in a single record:
5.1 determine, from the task segment and the internal function state in which the fault mode and failure state occur, the current task stage and working mode of the system, and fill them into the fault mode and influence analysis table;
5.2 analyse the cause of the fault mode and fill it into the fault mode and influence analysis table;
5.3 analyse the effects of the fault mode, including local, higher-level and final effects, and fill them into the fault mode and influence analysis table;
5.4 determine the severity category of the fault mode from the fault effect analysis and fill it into the fault mode and influence analysis table;
5.5 fill in the fault detection method in turn according to the analysis results for fault causes, fault effects and so on;
5.6 analyse and improve compensation measures according to the results of the fault effect and fault detection analysis and fill them into the fault mode and influence analysis table;
5.7 take the probability value calculated for the failure state during the simulation and fill it into the failure rate column of the fault mode and influence analysis table.
The advantages and positive effects of the invention are:
The analysis method considers not only the physical failure probability of the hardware but also the logical and timing relations within the functions, so the analysis result is more realistic and accurate.
Compared with the traditional calculation of a static failure probability, the method realises a time-reachability simulation of the system through dynamic simulation of the model, and so analyses the rationality of time constraints.
By constructing an accident deduction simulation model for each single function module and establishing the association relations between modules, the states and events of the whole system form a mesh structure. During dynamic simulation the influence of an event is propagated to other modules through this mesh, so the dynamic associated behaviour of the system is simulated effectively and failures of combined functions caused by the association of several functions are easy to find.
The simulation model constructed by the method uses exact deterministic values to describe the model, so when a problem is found it can be reproduced and replayed manually; the failure event is located precisely, which makes system failures easy to find and check.
The model is built on a standard function block diagram and conforms to the relevant national military standards, so the constructed model can be used directly for traditional reliability analysis and safety index calculation, avoiding repeated modelling.
The verification platform built by the method greatly lowers the threshold for users and is easy to popularise. The techniques used in the modelling module are generally mastered by practitioners in the field, and the dynamic model simulation method is easy to implement as a computer program, so the engineering implementation difficulty is greatly reduced.
Drawings
FIG. 1 shows the three logical relationships of function transfer functions;
FIG. 2 shows the three association relationships of events;
FIG. 3 is an example of a rudder system engagement hierarchy;
FIG. 4 is an example of a functional block diagram of a system;
FIG. 5 is a simulation model description example;
FIG. 6 is an example of failure modes and impact analysis results;
Detailed Description
The technical solution of the invention is further described in detail with reference to the drawings and an example. Taking an aircraft elevator system as the example, the fault mode and influence analysis based on accident dynamic deduction simulation proceeds as follows:
Step one: describe the composition and function of the analysed object according to its product protocol, product requirements and design documents; decompose the analysed object layer by layer into the levels of whole machine, system, subsystem, external field replaceable unit and internal field replaceable unit, down to the lowest appointed level required by the fault mode and influence analysis;
The system composition and functions are described as follows: the elevator rudder system is a single-beam box-type thin-wall structure, a double-closed-chamber section consisting of beams, small beams, ribs and skins. To meet the load and balancing requirements for operating the elevator rudder system, a trim tab with a counterweight and a wing-tip counterweight are also provided. FIG. 3 shows the resulting decomposition hierarchy of the system;
Step two: establish a function block for each module of the lowest appointed level and construct the function block diagram. A simplified function block diagram of the system, constructed for the trim tab assembly of FIG. 3, is shown in FIG. 4. The function Func in FIG. 4 comprises two sub-functions, SubFunc1 and SubFunc2. The three functions are related as follows: the input of Func is connected to input1 of SubFunc1; output1 of SubFunc1 is connected to input2 of SubFunc2; output2 of SubFunc2 is connected to the output of Func;
Step three: for each functional block in the function block diagram, construct an accident dynamic deduction simulation model of its internal behaviour. The simulation model is a detailed description of the 10 elements sub-function C, input variable I, state variable S, output variable O, initial state R, failure state F, event E, state transition T, transfer function L and event association ER, abbreviated as the ten-tuple <C, I, S, O, R, F, E, T, L, ER>. Taking SubFunc1 of FIG. 4 as the example: SubFunc1 contains no sub-function; it has one input variable I, input1; one state variable S, state1, which can switch among S1, S2 and S3; and one output variable O, output1. Its initial state R is S1 and its failure state F is S3. SubFunc1 contains four events E, e1, e2, e3 and e4, and four state transitions T, written in the notation of step three; the first of them, the transition from S1 to S2 driven by e1 when input1 is true, is (state1:=S1)[input1==true] |-e1-> state1:=S2. The complete descriptions of SubFunc1, SubFunc2 and Func are shown in FIG. 5;
Step four: carry out accident deduction by the discrete event dynamic simulation method and record the failure probability of the failure events. A single simulation run of the model of FIG. 5 proceeds as follows:
4.1 initialization
4.1.1 simulation start time t0 has a value of 0 and end time tf of 1010Hours;
4.1.2 setting the initial state of the function represented by each functional block diagram, and initializing according to the value specified by R in the accident dynamic deduction simulation model ten-tuple; (ii) a The initial value of state1 in subfinc 1 is S1, and the initial value of state2 in subfinc 2 is S6.
And 4.2 setting the simulation clock TIME to t0, wherein the system just starts to run, and the TIME is 0.
And 4.3, dynamically updating the event list, and finding out the event E meeting the triggering condition in the accident dynamic deduction simulation model at the moment, wherein the meeting of the triggering condition means that the conversion condition of the state conversion T corresponding to the event E is empty or true. Since input has a value of true, input1 also has a value of true. On the other hand, at system initialization, State1 is in State S1, not S2, so output1 is false, and input2 is also false. Therefore, state transitions that satisfy the condition include: a transition from S1 to S2 (event e1), a transition from S6 to S4 (event e6), and a transition from S6 to S5 (event e 7). Events E meeting the trigger conditions therefore include E1, E6, E7;
then the following two steps are carried out:
4.3.1 deleting the events that do not meet the triggering condition at this moment from the event list; at this point the event list is empty, so no event needs to be deleted.
4.3.2 for each found event E meeting the triggering condition at this moment, if the event does not exist in the event list, adding it to the event list and marking it as a new event; e1, e6 and e7 do not exist in the event list, so they are added, and all three are marked as newly added events;
4.4 if the simulation TIME is not less than tf or the event list is empty, going to 4.9; otherwise executing 4.5. At this point the simulation TIME is 0, so TIME < tf, and the event list contains the 3 events e1, e6 and e7 and is not empty, so 4.5 is executed. Otherwise, if TIME ≥ tf or the event list is empty, step 4.9 is executed;
4.5 computing the occurrence time of the new events in the event list. The delay time is calculated from the delay function of each event. e1 obeys the Dirac distribution, so its delay time t equals the parameter, 100. e6 obeys an exponential distribution, for which the delay time is computed from the exponential delay formula with λ = 1E-6. Assume that the sampled value of the occurrence probability of e6 is 0.6; according to the formula, the delay time t is 3979.40. e7 also follows an exponential distribution; assuming a randomly sampled value of 0.3 for the e7 occurrence probability p, the delay time t is 154901.96;
4.6 arranging the events in the event list from early to late by occurrence time, taking the event with the earliest occurrence time from the event list, and advancing the simulation TIME to the occurrence time of that event, i.e. setting TIME := tEvent. The delay times of e1, e6 and e7 obtained in 4.5, ranked from small to large, are e1 (100), e6 (3979.40) and e7 (154901.96), so the system simulation TIME is set to 100;
4.7 the event occurs and drives the state transition; whether the new state is a failure state is judged, and if it is, the failure probability is calculated as 1/TIME from the simulation TIME. Since the delay time of e1 is the smallest, e1 occurs and state1 transitions from S1 to S2. Since S2 is not a failure state, no failure probability needs to be calculated;
4.8 calculating the changes of the input and output variables of the system and the changes of the truth values of the state conversion conditions caused by the state transition, according to the transfer function L in the model ten-tuple, and returning to 4.3. According to output1 := (state1 == S2 && input1 == true) ? true : false, when state1 changes from S1 to S2 the value of output1 changes from false to true, and thus the value of input2 changes from false to true. Return to execute step 4.2;
4.9 the simulation ends.
The Visual Studio 2012 development platform is installed on a Windows 7 system and a computer program implementing the simulation algorithm is written in the C# programming language. Executing the simulation process finally yields the time $T_{S3}$ at which SubFunc1 enters the failure state S3 and the time $T_{S4}$ at which SubFunc2 enters the failure state S4. Here the computer program implementing the simulation algorithm is executed 1,000,000 times, and $T_{S3}$ and $T_{S4}$ are averaged to obtain $\bar{T}_{S3}$ and $\bar{T}_{S4}$. The occurrence probability of each failure state is obtained by taking the reciprocal of the time: the reciprocal of $\bar{T}_{S3}$ is $1.56 \times 10^{-6}$ and the reciprocal of $\bar{T}_{S4}$ is $7.93 \times 10^{-6}$;
Fifthly, based on the failure states and failure probabilities obtained by the accident dynamic deduction simulation, failure mode and influence analysis is performed and the failure mode and influence analysis form is filled in. The detailed process is as follows: if a failure state can cause a failure mode to occur, a new record is added to the failure mode and influence analysis table, and the code, product or function identifier, function and failure mode columns of the table are filled in; the following steps are then executed to fill in the other items of the table; otherwise the next failure state is processed, until all failure states have been processed. In the simplified model of this example, the failure states S3 and S4 found in the functions during the simulation process are subjected to failure identification, and the failure mode corresponding to each failure state is described. In an actual system, not every failure state causes a failure mode to occur, so the typical failure modes of the system are analyzed first, and then whether a failure state can cause one of these failure modes is judged. In this example, the typical failure modes of the elevator system include: 1) the control surface cannot deflect accurately and promptly to the commanded position; 2) the left and right elevators cannot keep deflecting synchronously; 3) when the airplane flies steadily for a long time, the control surface cannot hold a determined balance position; 4) jamming occurs when the control surface deflects; 5) the control surface vibrates strongly in flight; 6) the adjustment sheet cannot deflect normally as required; 7) the balance weight loosens; 8) the control surface structure meets the strength and rigidity requirements, and the structure is not damaged by fatigue, corrosion and the like.
For the failure state S3, the electromagnetic control valve fails, and the adjustment sheet exhibits an uncommanded-movement fault when working in the non-balance mode, so the adjustment sheet cannot deflect normally as required; this affects the handling stability of the airplane and causes a serious potential safety hazard. For the failure state S4, the control valve of the right lock actuator cylinder fails, but because of the component's backup mechanism the backup component acts after the component fails, and the system is not affected;
5.1 for the fault mode, determining the current task stage and working mode of the system by combining the task profile and the failure state inside the function, and filling them into the fault mode and influence analysis form. The uncommanded-movement fault caused by the failure S3 of the electromagnetic valve occurs during takeoff and approach of the airplane, when the flap is lowered;
5.2 analyzing the cause of the fault mode and filling it into the fault mode and influence analysis table. The cause of the electromagnetic valve failure S3 is that the electromagnet of the electromagnetic valve is locked;
5.3 analyzing the fault effects for the fault mode, including the local effect, higher-level effect and final effect, and filling them into the fault mode and influence analysis form. The local effect of the solenoid valve failure S3 is an uncommanded-movement fault of the adjustment sheet. The higher-level effect is that when the aircraft elevator is operated in the unbalanced mode, the right adjustment sheet remains in the balanced-mode state and cannot deflect normally as required. The final effect is that the aircraft is unstable in flight during takeoff and approach, with significant safety concerns.
5.4 determining the severity category of the fault mode according to the fault effect analysis result and filling it into the fault mode and influence analysis form. The severity category of the fault mode caused by the failure S3 of the electromagnetic valve is I;
5.5 filling in the fault detection method in turn according to the analysis results for the fault mode cause, fault effects and so on, and filling it into the fault mode and influence analysis form. The detection method for the electromagnetic valve failure S3 is to switch the system to the unbalanced mode and check whether the left and right adjustment sheets work normally according to the command;
5.6 analyzing improvement and compensation measures according to the results of the fault effect and fault detection analysis, and filling them into the fault mode and influence analysis form. The improvement and compensation measure for the electromagnetic valve failure S3 is regular maintenance and replacement;
5.7 obtaining the probability value corresponding to the failure state calculated in the simulation process and filling it into the failure rate column of the fault mode and influence analysis table. According to the result of the dynamic simulation of the system, the failure probability of the electromagnetic valve failure S3 is $1.56 \times 10^{-6}$. The resulting fault mode and influence analysis table is shown in fig. 6.
Claims (1)
1. A fault mode and influence analysis method based on accident dynamic deduction simulation is characterized in that: the method comprises the following steps:
step one, describing the composition and functions of the analyzed object according to its product specification, product requirements and design documents, decomposing the analyzed object layer by layer according to the levels of complete machine, system, subsystem, external-field replaceable unit and internal-field replaceable unit, and decomposing it down to the lowest designated level according to the requirements of the fault mode and influence analysis;
step two, establishing a function block for each module of the lowest designated layer and constructing a function block diagram, in which one function block represents one function and a function may comprise sub-functions; the function blocks are connected by lines without arrows according to the interdependence and hierarchical relations among them, representing the physical relations among the function blocks; the description format of a function block is as follows:
"function name
Functional content definition
end function";
step three, for each functional block in the functional block diagram, constructing an accident dynamic deduction simulation model of the internal behaviour of the functional block, the simulation model being a detailed description containing the following 10 elements: a sub-function C, an input variable I, a state variable S, an output variable O, an initial state R, a failure state F, an event E, a state transition T, a transfer function L and an event association relation ER, abbreviated as the ten-tuple <C, I, S, O, R, F, E, T, L, ER>, with the specific description method as follows:
1. C in the ten-tuple represents a sub-function; this item needs to be described for function blocks containing sub-functions and is otherwise omitted. The sub-functions contained in the function block are written in sequence, each in the format "function name: function type";
2. I in the ten-tuple represents an input variable; every function block needs to describe this item, and each function comprises one or more input variables. The format is "variable name: variable type: in"; if the variable has a fixed initial value, the variable type may be replaced by the variable values, in the format "variable name: variable value 1, variable value 2 …, variable value n: in";
3. S in the ten-tuple represents a state variable; this item needs to be described for blocks that contain no sub-function and is otherwise omitted. A state variable refers to a certain condition or state in the life cycle of the function, the state being the result of a series of activities executed by the function; each function contains one or more state variables, and when the corresponding condition is met a state transition takes place. The format of a state variable is "variable name: [variable values]: S";
4. R in the ten-tuple represents the initial state; this item needs to be described for blocks that contain no sub-function and is otherwise omitted. Each functional block diagram has exactly one initial state; the initial state R is one of the states S (R ∈ S) and is the state of the function at the beginning of the simulation. The format of the initial state is "state name := state value";
5. F in the ten-tuple represents a failure state; this item needs to be described for blocks without sub-functions and is otherwise omitted. Each functional block diagram has one or more failure states, and a failure state is one of the states S (F ∈ S). During the simulation, if such a state is reached, the time of entering it is recorded and the failure occurrence probability is calculated. The format of a failure state is "state name := state value";
6. O in the ten-tuple represents an output variable; every function block needs to describe this item, and each function comprises one or more output variables, in the format "variable name: variable type: out";
7. E in the ten-tuple represents an event; this item needs to be described for blocks that contain no sub-function and is otherwise omitted. An event can trigger a state transition; the state transition must satisfy its transition condition, and when the condition is met the triggering event drives the transition. An event has the effect of adding a delay time to the state transition. Events are divided into two categories, delay events and transient events: delay events comprise random events and fixed-delay events, and transient events comprise immediately occurring events and preset-condition events. The format of a random event among the delay events is as follows: The format of a fixed-delay event among the delay events is "delay := Dirac(delay time)"; a transient event only needs to specify its event name, and the condition of a preset-condition event is described in the state transition, so the format of a transient event is "event name";
8. T in the ten-tuple represents a state transition; this item needs to be described for blocks that contain no sub-function and is otherwise omitted. A state transition is a relation between two state variables indicating that, when a certain event occurs or certain conditions are met, the object performs a certain action in the source state and enters the target state. The format of a state transition is "state name := source state value [transition condition] |-event name-> state name := target state", where the transition condition is optional; when it is empty, the occurrence of the event drives the state transition;
9. L in the ten-tuple represents the transfer function; every function block needs to describe this item. The transfer function describes three logical relations:
9.1 logic relation between output and input and state variables inside the function, the left side of the transfer function equation is output variable, and the right side is logic expression of input variable and state variable;
9.2, describing the incidence relation between the function modules at the same level in the system, firstly finding the input variable and the output variable of two functions at two ends of a connecting line, and constructing the logical relation between the output variable and the input variable;
9.3 describing the logical relationship between the input and output variables of the functions and the sub-functions in the system;
10. ER in the ten-tuple represents the event association relations; this item needs to be described for function blocks containing sub-functions and is otherwise omitted. ER represents the association relations of events in the function and its sub-functions, and there are three kinds of association: synchronization association, broadcast association and common cause association;
10.1 constructing a synchronization association between events in the parent module and in the child modules it contains, where synchronization association indicates that the events must occur at the same time and the state transitions they drive must be performed at the same time; it is represented as ER{event1 & event2 … eventn};
10.2 constructing a broadcast association between events in the parent module and in the child modules it contains, where broadcast association indicates that when a certain event occurs, the other events having a broadcast association with it are notified; if the transition condition of the state driven by such an event is true, the transition is executed, otherwise it is not; it is represented as ER{event1 | event2 … eventn};
10.3 constructing a common cause association between events in the parent module and in the child modules it contains, where a common cause association includes a broadcast association and, in addition, the several events having the common cause association can occur independently like ordinary events; common cause events are usually used for several sub-modules in a parent module, which can fail not only because of internal errors of the sub-module but also because of a common cause failure; it is represented as ER{event1, event2 … event};
fourthly, accident deduction is carried out by adopting a discrete event dynamic simulation method, and the failure probability of failure events is recorded;
the failure probability is obtained by multiple times of simulation and the addition and averaging of each simulation result, the failure probability is an approximate value, the approximate value gradually approaches to a true value along with the increase of the simulation times, and the execution process of the single simulation method is as follows:
4.1 initialization
4.1.1 setting the start time t0 and the end time tf of the simulation;
4.1.2 setting the initial state of the function represented by each functional block diagram, and initializing according to the value specified by R in the accident dynamic deduction simulation model ten-tuple;
4.2 set simulation clock TIME t0
4.3 dynamically updating the event list, finding out the event E meeting the triggering condition in the accident dynamic deduction simulation model at the moment, wherein the meeting of the triggering condition means that the conversion condition of the state conversion T corresponding to the event E is empty or true, and then performing the following two steps:
4.3.1 deleting the event which does not meet the triggering condition at the moment from the event list;
4.3.2 for the found event E meeting the triggering condition at the moment, for each event, if the event does not exist in the event table, adding the event into the event list, and marking the event as a new event;
the event list is used for storing events meeting triggering conditions, the events are empty at the beginning of simulation, dynamic update is carried out along with the running of the simulation, the events in the event list are sequenced from early to late according to the occurrence time, and when the simulation time reaches the occurrence time of the first event in the event list, the events trigger and drive the state to be converted, so that the simulation process is pushed to be advanced;
4.4 if the simulation TIME TIME is not less than tf or the event table is empty, turning to 4.9, otherwise, executing 4.5;
4.5 calculating the occurrence time of the newly added events in the event list, where the occurrence time of an event equals the simulation time plus the event delay time, calculated as follows: for transient events, which occur immediately when the transition condition is met, the delay time is 0 and the occurrence time is the simulation time; for a fixed-delay event among the delay events, the occurrence time is the simulation time plus the delay time; for a random event among the delay events, the occurrence probability must be sampled: in the sampling process the occurrence probability of the event is assumed to be uniformly distributed on [0,1], a specific value of p is obtained by random sampling, with p ∈ [0,1], and then the delay time of the event is determined for the given distribution. Taking an exponential distribution as an example, its distribution function is $p = 1 - e^{-\lambda t}$; after p is obtained, the value of t can be deduced in reverse by the corresponding formula; similarly, for a Weibull distribution, its own formula is used, and the other distributions are treated by analogy; adding the simulation time to t gives the execution time of the event;
4.6, arranging the events in the Event list from early to late according to the occurrence TIME, taking the Event with the earliest occurrence TIME from the Event list, and advancing the simulation TIME to the occurrence TIME of the Event, namely setting TIME to tEvent;
4.7, the event occurs and drives the state to be converted, whether the converted state is a failure state or not is judged, and if the converted state is the failure state, the failure probability is calculated to be 1/TIME according to the simulation TIME;
4.8, calculating the change of input and output variables of the system and the change of true and false values of state conversion conditions caused by state conversion according to the transfer function L in the model ten-tuple, and returning to execute 4.3;
4.9 the simulation is finished;
and fifthly, based on the failure states and failure probabilities obtained by the accident dynamic deduction simulation, performing failure mode and influence analysis and filling in the failure mode and influence analysis form, the detailed process being as follows: performing fault identification on the failure states inside the functions discovered in the simulation process and describing the fault mode corresponding to each failure state; if a failure state can cause the fault mode to occur, adding a record to the fault mode and influence analysis table, filling in the code, product or function identifier, function and fault mode of that table, and executing the following steps to fill in the other items of the table; otherwise processing the next failure state, until all failure states have been processed, where when a single record is filled in:
5.1 determining the current task stage and working mode of the system according to the fault mode and the failure state of the task section and the function interior, and filling the current task stage and working mode into a fault mode and influence analysis table;
5.2 analyzing the fault reason aiming at the fault mode, and filling the fault reason into a fault mode and influence analysis table;
5.3 analyzing the fault influence, including local influence, high-level influence and final influence, aiming at the fault mode, and filling the fault mode and the influence analysis form;
5.4 determining the severity category of the fault mode according to the fault influence analysis result, and filling the severity category into a fault mode and influence analysis table;
5.5 according to the failure mode reason and the failure influence analysis result, filling a failure detection method in sequence and filling the failure mode and influence analysis table;
5.6 analyzing and improving compensation measures according to the fault influence and the fault detection result, and filling the compensation measures into a fault mode and influence analysis form;
and 5.7, acquiring the probability value corresponding to the failure state obtained by calculation in the simulation process, and filling the probability value into a column of the failure mode and the failure rate of the influence analysis table.
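As an added example (not the patent's own C# program), the following Python code implements the single-run procedure of steps 4.1 to 4.9, as walked through in the description's worked example and stated generically in step four of the claim, together with the many-run averaging of the failure entry times. It runs on a constructed model mirroring the page's SubFunc1/SubFunc2: e1 obeys Dirac(100) and e6 is exponential with λ = 1E-6 as on the page, while the e2 and e7 rates, the S2 → S3 transition on e2 and the exact transfer-function wiring are assumptions; the exponential delay is inverted from the stated distribution function p = 1 - e^(-λt), and all sampled probabilities are constructed.

```python
"""Accident dynamic deduction simulation of steps 4.1-4.9 (added example, not the patent's C# program)."""
import math
import random
from dataclasses import dataclass
from typing import Callable, Dict, List

Sampler = Callable[[], float]          # returns p ~ U[0,1] when a random event is scheduled
Delay = Callable[[Sampler], float]     # delay function of an event E in the ten-tuple

def dirac(delay: float) -> Delay:
    """Fixed delay event, delay := Dirac(delay); consumes no sample."""
    return lambda _u: delay

def exponential(lam: float) -> Delay:
    """Random event with p = 1 - e^(-lambda*t), inverted to t = -ln(1 - p) / lambda."""
    return lambda u: -math.log(1.0 - u()) / lam

@dataclass
class Transition:
    """T: 'var := source [cond] |-event-> var := target'; an empty cond is always true."""
    var: str
    source: str
    event: str
    target: str
    cond: Callable[[dict], bool] = lambda v: True

@dataclass
class Model:
    initial: Dict[str, str]            # R: initial value of each state variable
    failure: Dict[str, str]            # F: failure state of each state variable
    events: Dict[str, Delay]           # E: event name -> delay function
    transitions: List[Transition]      # T
    transfer: Callable[[dict], None]   # L: recompute I/O variables from the states
    inputs: Dict[str, bool]            # I: external input values

def simulate(model: Model, t0: float, tf: float, urand: Sampler) -> Dict[str, float]:
    """One run of steps 4.1-4.9; returns {state variable: TIME it entered its failure state}."""
    v = {**model.inputs, **model.initial}        # 4.1 initialise states from R
    model.transfer(v)
    time = t0                                    # 4.2 simulation clock
    event_list: Dict[str, float] = {}            # event name -> occurrence time
    failure_time: Dict[str, float] = {}
    while True:
        # 4.3 events whose transition is enabled: state matches and condition empty/true
        enabled = {t.event: t for t in model.transitions
                   if v[t.var] == t.source and t.cond(v)}
        for ev in list(event_list):              # 4.3.1 drop events no longer enabled
            if ev not in enabled:
                del event_list[ev]
        for ev in enabled:                       # 4.3.2 + 4.5 schedule newly added events
            if ev not in event_list:
                event_list[ev] = time + model.events[ev](urand)
        if time >= tf or not event_list:         # 4.4: stop (4.9) at tf or on empty list
            break
        ev = min(event_list, key=event_list.get) # 4.6 earliest event; clock jumps to it
        time = event_list.pop(ev)
        tr = enabled[ev]
        v[tr.var] = tr.target                    # 4.7 event fires, state transitions
        if tr.target == model.failure.get(tr.var) and tr.var not in failure_time:
            failure_time[tr.var] = time          # 1/TIME is this run's failure probability
        model.transfer(v)                        # 4.8 propagate through transfer function L
    return failure_time

def failure_probabilities(model: Model, t0: float, tf: float, runs: int, seed: int = 1):
    """Average the failure entry times over many runs and take the reciprocal (1 / mean T)."""
    rng = random.Random(seed)
    total: Dict[str, float] = {}
    count: Dict[str, int] = {}
    for _ in range(runs):
        for var, t in simulate(model, t0, tf, rng.random).items():
            total[var] = total.get(var, 0.0) + t
            count[var] = count.get(var, 0) + 1
    return {var: count[var] / total[var] for var in total}

def transfer(v: dict) -> None:
    """L: input1 follows input; output1 := (state1 == S2 && input1); input2 := output1."""
    v["input1"] = v["input"]
    v["output1"] = v["state1"] == "S2" and v["input1"]
    v["input2"] = v["output1"]

# Constructed model mirroring the page's SubFunc1 (S1, S2, S3) and SubFunc2 (S6, S4, S5).
EXAMPLE = Model(
    initial={"state1": "S1", "state2": "S6"},
    failure={"state1": "S3", "state2": "S4"},
    events={"e1": dirac(100.0),          # page: e1 obeys Dirac(100)
            "e2": exponential(2e-6),     # assumed rate of the S2 -> S3 transition
            "e6": exponential(1e-6),     # page: lambda = 1E-6
            "e7": exponential(1e-6)},    # assumed rate for e7
    transitions=[
        Transition("state1", "S1", "e1", "S2", lambda v: v["input1"]),
        Transition("state1", "S2", "e2", "S3", lambda v: v["input2"]),  # assumed
        Transition("state2", "S6", "e6", "S4"),
        Transition("state2", "S6", "e7", "S5"),
    ],
    transfer=transfer,
    inputs={"input": True},
)
```

Calling failure_probabilities(EXAMPLE, 0.0, 1e7, runs=10000) returns the reciprocal of the mean entry time into S3 and S4, the quantity the description reports after 1,000,000 runs.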
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711248522.3A CN108170892B (en) | 2017-11-30 | 2017-11-30 | Fault mode and influence analysis method based on accident dynamic deduction simulation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108170892A CN108170892A (en) | 2018-06-15 |
CN108170892B true CN108170892B (en) | 2021-07-16 |
Family
ID=62525072
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108170892B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||