Put CH4 in because it needed the refs

CH4 unfinished. CH5 getting there.
2012-03-31 10:39:41 +01:00 · 2012-03-31 10:39:41 +01:00 · 0bce1d0596
commit 0bce1d0596
parent ce7de75626
15 changed files with 1064 additions and 80 deletions
--- a/old_thesis/titlepage/titlepage.tex
+++ b/old_thesis/titlepage/titlepage.tex
@ -10,7 +10,7 @@
 \vspace{2.15in}
-{ \bf A mathematical methodology to model and analyse safety critical integrated mechanical/electronic/software systems }
+{ \bf OLD VERSION----- OLD THESIS VERSION -------------------------- OLD THESIS VERSION ------------------------------- }
 \vspace{1.15in}
--- a/submission_thesis/CH4_FMMD/Makefile
+++ b/submission_thesis/CH4_FMMD/Makefile
@ -0,0 +1,25 @@
 PNG_DIA = cfg2.png  cfg.png  compco2.png  compco3.png  compco.png  component.png  componentpl.png  fmmd_uml2.png  fmmd_uml.png  partitioncfm.png master_uml.png
 %.png:%.dia
 	dia -t png $<
 	echo " Chapter 4 DIA images generated"
 pdf:    $(PNG_DIA)
 	pdflatex discussion_doc
 	acroread discussion_doc.pdf &
 # this is the target used
 # to make all images, dia gnuplot etc
 #
 copy: $(PNG_DIA)
 	echo "Chapter 4 sub make called"
 bib:
 	bibtex discussion_doc
 	#makeindex opamps.glo -s opamps.ist -t opamps.glg -o opamps.gls
--- a/submission_thesis/CH4_FMMD/cfg.dia
+++ b/submission_thesis/CH4_FMMD/cfg.dia
--- a/submission_thesis/CH4_FMMD/cfg2.dia
+++ b/submission_thesis/CH4_FMMD/cfg2.dia
--- a/submission_thesis/CH4_FMMD/compco.dia
+++ b/submission_thesis/CH4_FMMD/compco.dia
--- a/submission_thesis/CH4_FMMD/compco2.dia
+++ b/submission_thesis/CH4_FMMD/compco2.dia
--- a/submission_thesis/CH4_FMMD/compco3.dia
+++ b/submission_thesis/CH4_FMMD/compco3.dia
--- a/submission_thesis/CH4_FMMD/component.dia
+++ b/submission_thesis/CH4_FMMD/component.dia
--- a/submission_thesis/CH4_FMMD/componentpl.dia
+++ b/submission_thesis/CH4_FMMD/componentpl.dia
--- a/submission_thesis/CH4_FMMD/copy.tex
+++ b/submission_thesis/CH4_FMMD/copy.tex
@ -2,6 +2,946 @@
 \ifthenelse {\boolean{paper}}
 {
 \abstract{ 
 This paper defines %what is meant by 
 the terms
 components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes.
 %The application of Bayes theorem  in current methodologies, and
 %the suitability of the `null hypothesis' or `P' value statistical approach
 %are discussed.
 The general concept of the cardinality constrained powerset is introduced
 and calculations for it described, and then for
 calculations under `unitary state' fault mode conditions.
 Data types and their relationships are described using UML.
 Mathematical constraints and definitions are made using set theory.}
 }
 {
 \section{Overview}
 This chapter defines the FMMD process and related concepts and calculations.
 Firstly, %what is meant by 
 the terms
 components, failure~modes, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes are defined.
 The general concept of the cardinality constrained powerset is introduced
 and calculations for it described, and then performance
 calculations under `unitary state' fault mode conditions.
 Data types and their relationships are described using UML.
 Mathematical constraints and definitions are made using set theory.
 }
 \section{Introduction}
 This 
 \ifthenelse {\boolean{paper}}
 {
 paper
 }
 {
 chapter 
 }
 describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method.
 When analysing a safety critical system using 
 this methodology, we need clearly defined failure modes for
 all the components that are used to model the system.
 In our model, we have  a constraint  that
 the component failure modes must be mutually exclusive.
 When this constraint is complied with, we can use the FMMD method to 
 build hierarchical bottom-up models of failure mode behaviour.
 %This and the definition of a component are 
 %described in this chapter.
 %When building a system from components, 
 %we should be able to find all known failure modes for each component.
 %For most common electrical and mechanical components, the failure modes
 %for a given type of part can be obtained from standard literature~\cite{mil1991}
 %\cite{mech}. %The failure modes for a given component $K$ form a set $F$.
 \label{defs}
 %%
 %% Paragraph component and its relationship to its failure modes
 %%
 \section{ Defining the term Component }
 \begin{figure}[h]
 \centering
 \includegraphics[width=300pt,bb=0 0 437 141,keepaspectratio=true]{CH4_FMMD/component.png}
 % component.png: 437x141 pixel, 72dpi, 15.42x4.97 cm, bb=0 0 437 141
 \caption{A Component and its Failure Modes}
 \label{fig:component}
 \end{figure}
 Let us first define a component. 
 %This is anything with which we use to build a product or system. 
 This is anything we use to build a product or system. 
 It could be something quite complicated 
 like an integrated micro controller, or quite simple like the humble resistor.
 We can define a 
 component by its name, a manufacturers' part number and perhaps
 a vendors' reference number.
 Geffory Hall, writing in Spacecraft systems engineering\cite{scse}[p.619]
 defines a `part' thus
 ``{{Part(definition)}---The lowest level of assembly, beyond which further disassembly irrevocably destroys the item''
 The term component, in American English, can mean a building block or a part.
 In British-English a component generally is given to mean the definition for part above.
 For this study, we will use {\bc} to mean a `part', and component
 to mean a part or a sub-assembly. 
 What components all have in common is that they can fail, and fail in
 a number of well defined ways. For common base-components
 there is established literature for the failure modes for the system designer to consider (often with accompanying statistical
 failure rates)~\cite{mil1991}. For instance, a simple resistor is generally considered 
 to fail in two ways, it can go open circuit or it can short.  
 Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$.
 The UML diagram in figure 
 \ref{fig:component} shows a component as a data
 structure with its associated failure modes.
 From this diagram we see that each component must have at least one failure mode.
 To clearly show that the failure modes are mutually exclusive states, or unitary states associated with one component,
 each failure mode is referenced back to only one component. 
 %%-%% MTTF STATS CHAPTER MAYBE ??
 %%-%%
 %%-%% This modelling constraint is due to the fact that even generic components with the same 
 %%-%% failure mode types, may have different statistical MTTF properties within the same 
 %%-%% circuitry\footnote{For example, consider resistors one of high resistance and one low.
 %%-%% The generic failure modes for a resistor will be the same for both.
 %%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}.
 A products are built using  of many base-components and these are traditionally
 kept in a `parts~list'. For a safety critical product this is usually a formal document
 and is used by quality inspectors to ensure the correct parts are being fitted.
 The parts list is shown for
 completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification
 and testing would want to know where it lies in the model.
 The parts list is not actively used in the FMMD method.
 For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components.
 \begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 712 68,keepaspectratio=true]{CH4_FMMD/componentpl.png}
 % componentpl.png: 712x68 pixel, 72dpi, 25.12x2.40 cm, bb=0 0 712 68
 \caption{Parts List of Components}
 \label{fig:componentpl}
 \end{figure}
 Components in the parts list % (bought in parts) 
 will be termed `base~components'.
 Components derived from base~components will not always require 
 parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts,
 software modules and some collections of components to have part numbers.
 This is a production/configuration~control issue and linked to Bill of Material (BOM)
 database structures etc. Parts numbers for derived components are not directly related to the analysis process
 we are concerned with here.}, and will
 not require a vendor reference, but must be named locally in the FMMD model.
 We can term `modularising a system', to mean recursively breaking it into smaller sections for analysis.
 When modularising a system from the top~down, as in Fault Tree Analysis~\cite{nasafta}\cite{nucfta} (FTA),
 it is common to term the modules identified as sub-systems.
 When building from the bottom up, it is more meaningful to call them `derived~components'.
 \section{Failure Modes in depth}
 For FMEA appraisals of systems we begin with components. 
 %These will have a set of failure modes assigned to them.
 In order to perform FMEA we require a set of failure modes for each component in the system under investigation.
 These are failure modes from the perspective of the user
 of the component. We are not usually concerned with how the component has failed
 internally. What we need to know are the symptoms of failure.
 With these symptoms, we can trace their effects through the system under investigation
 and determine outcomes.
 Different approval agenices may list different failure mode sets for the same generic components.
 %%
 %% DETAILED LOOK AT TWO COMPONENTS AND THEIR FAILURE MODES
 %%
 %% FROM TWO LITERATURE SOURCES, FMD-91 and EN298
 %%
 %%% THIS HAS BEEN TAKEN OUT AND PLACED IN THE C_GARRET OPAMPS DOCUMENT
 \section{Fault Mode Analysis, top down or bottom up?}
 Traditional static fault analysis methods work from the top down.
 They identify faults that can occur in a system, and then work down
 to see how they could be caused. Some apply statistical techniques to
 determine the likelihood of component failures 
 causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its reverse,
 can be applied to specific failure modes in components and the probability of them causing given system level errors.
 Another top down methodology is to apply cost benefit analysis 
 to determine which faults are the highest priority to fix~\cite{bfmea}.
 The aim of FMMD analysis is to produce complete  failure
 models of safety critical systems  from the bottom-up,
 starting, where possible with known base~component failure~modes.
 An advantage of working from the bottom up is that we can ensure that
 all component failure modes must be considered. A top down approach
 can miss individual failure modes of components~\cite{faa}[Ch.~9],
 especially where they are non obvious top-level faults.
 In order to analyse from the bottom-up, we need to take
 small groups of components from the parts~list that naturally
 work together to perform a simple function.
 The components to include in a  {\fg} are chosen by a human, the analyst.
 %We can represent the `Functional~Group' as a class. 
 When we have a 
 `{\fg}' we can look at the components it contains,
 and from this determine the failure modes of all the components that belong to it.
 %
 % and determine a failure mode model for that group.
 %
 % expand 21sep2010
 %The `{\fg}' as used by the analyst is a collection of component failures modes.
 The analysts interest is the ways in which the components within the {\fg}
 can fail. All the failure modes of all the components within an {\fg} are collected.
 As each component mode holds a set of failure modes, these set of sets of failure modes
 is converted into
 into a flat set 
 of failure modes
 (i.e. a set containing just failure modes not sets of failure modes).
 %
 Each of these failure modes, and optionally combinations of them, are
 formed into `test cases' which are
 analysed for their effect on the failure mode behaviour of the `{\fg}'.
 %
 Once we have the failure mode behaviour of the {\fg}, we can determine a new set of failure modes, the derived failure modes of the
 `{\fg}'.
 % 
 Or in other words we can determine how the `{\fg}' can fail.
 We can now consider the {\fg} as a sort of super component
 with its own set of failure modes.
 \subsection{From functional group to newly derived component}
 \label{fg}
 The process for taking a {\fg}, considering
 all the failure modes of all the components in the group,
 and analysing it is called `symptom abstraction'.
 \ifthenelse {\boolean{paper}}
 {
 }
 {
 This 
 is dealt with in detail in chapter \ref{symptom_abstraction}.
 }
 % define difference between a \fg and a \dc
 A {\fg} is a collection of components, a {\dc} is a new `theorectical'
 component which has a set of failure modes, which
 correspond to the failure modes of the {\fg} it was derived from.
 We could consider a {\fg} as a black box, or component 
 to use, and in this case it would have a set of failure modes.
 Looking at the {\fg} in this way is seeing it as a {\dc}.
 In terms of our UML model, the symptom abstraction process takes a {\fg}
 and creates a new {\dc} from it.
 %To do this it first creates
 %a new set of failure modes, representing the fault behaviour
 %of the functional group. This is a human process and to do this the analyst
 %must consider all the failure modes of the components in the functional
 %group.
 The newly created {\dc} requires a set of failure modes of its own.
 These failure modes are the failure mode behaviour of the {\fg} from which it was derived.
 %
 Because these new failure modes were derived from a {\fg}, we can call 
 these `derived~failure~modes'.
 %It then creates a new derived~component object, and associates it to this new set of derived~failure~modes.
 We thus have a `new' component, or system building block, but with a known and traceable
 fault behaviour.
 The UML representation  (in figure \ref{fig:cfg}) shows a `functional group' having a one to one relationship with a derived~component.
 The symbol $\bowtie$ is used to indicate the analysis process that takes a
 functional group and converts it into a new component.
 with $\mathcal{FG}$ represeting the set of all functional groups, and $\mathcal{DC}$ the set of all derived components,
 this can be expresed as  $ \bowtie : \mathcal{FG}  \rightarrow \mathcal{DC} $ .
 \begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{./CH4_FMMD/cfg.png}
 % cfg.png: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286
 \caption{UML Meta model for FMMD hierarchy}
 \label{fig:cfg}
 \end{figure}
 \subsection{Keeping track of the derived components position in the hierarchy}
 \label{alpha}
 The UML meta model in figure \ref{fig:cfg}, shows the relationships
 between the classes and sub-classes.
 Note that because we can use derived components to build functional groups,
 this model intrinsically supports building a hierarchy.
 %
 In use we will build a hierarchy of
 objects, with derived~components forming functional~groups, and creating
 derived components higher up in the structure.
 %
 To keep track of the level in the hierarchy (i.e. how many stages of component 
 derivation `$\bowtie$' have lead to the current derived component)
 we can add an attribute to the component data type. 
 This can be a natural number called the level variable $\alpha \in \mathbb{N}$.
 % J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$.
 The $\alpha$ level variable in each component,
 indicates the position in the hierarchy. Base or parts~list components
 have a `level' of $\alpha=0$. 
 % I do not know how to make this simpler
 Derived~components take a level based on the highest level
 component used to build the functional group it was derived from plus 1.
 So a derived component built from base level or parts list components
 would have an $\alpha$ value of 1.
 %\clearpage
 % \section{Set Theory Description}
 % 
 % $$ System \stackrel{has}{\longrightarrow} PartsList $$
 % 
 % $$ PartsList  \stackrel{has}{\longrightarrow} Components $$
 % 
 % $$ Component \stackrel{has}{\longrightarrow} FailureModes $$
 % 
 % $$ FunctionalGroup  \stackrel{has}{\longrightarrow} Components $$
 % 
 % Using the symbol $\bowtie$ to indicate an analysis process that takes a
 % functional group and converts it into a new component.
 % 
 % $$ \bowtie ( FG ) \rightarrow DerivedComponent $$
 % 
 \subsection{Relationships between functional~groups and failure modes}
 Let the set of all possible components  be $\mathcal{C}$
 and let the set of all possible failure modes be $\mathcal{F}$ and $\mathcal{PF}$ is the powerset of
 all $\mathcal{F}$.
 We can define a function $fm$ as equation \ref{eqn:fmset}.
 \label{fmdef}
 \begin{equation}
 fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}
  \label{eqn:fmset}
 \end{equation}
 %% 
 % Above def gives below anyway
 %
 %The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes.
 %
 %\begin{equation}
 %  fm ( C ) = F
 %  \label{eqn:fminstance}
 %\end{equation}
 \paragraph{Finding all failure modes within the functional group}
 For FMMD failure mode analysis we need to consider the failure modes
 from all the components in a functional~group.
 In a functional group we have a collection of Components
 that hold failure mode sets.
 We need to collect these failure mode sets and place all the failure
 modes into a single set; this can be termed flattening the set of sets.
 %%Consider the components in a functional group to be $C_1...C_N$.
 The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components
 in the functional~group and taking the union of them thus:
 %%$$ FSF = \bigcup_{j=1}^{N} fm(C_j) $$
 $$ FSF = \bigcup_{c \in FG} fm(c) $$
 We can actually overload the notation for the function $fm$ % FM
 and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) 
 in equation \ref{eqn:fmoverload}.
 \begin{equation}
 fm : \mathcal{FG} \rightarrow \mathcal{F}
 \label{eqn:fmoverload}
 \end{equation}
 \section{Unitary State Component Failure Mode sets}
 \label{sec:unitarystate}
 \paragraph{Design Descision/Constraint}
 An important factor in defining a set of failure modes is that they
 should represent the failure modes as simply and minimally as possible.
 It should not be possible, for instance, for
 a component to have two or more failure modes active at once.
 Were this to be the case, we would have to consider additional combinations of 
 failure modes within the component.
 Having a set of failure modes where $N$ modes could be active simultaneously
 would mean having to consider an additional $2^N-1$ failure mode scenarios.
 Should a component be analysed and simultaneous failure mode cases exist,
 the combinations could be represented by new failure modes, or
 the component should be considered from a fresh perspective,
 perhaps considering it as several smaller components
 within one package.
 This property, failure modes being mutually exclusive, is termed `unitary state failure modes'
 in this study.
 This corresponds to the `mutually exclusive' definition in 
 probability theory~\cite{probstat}.
 \begin{definition}
 A set of failure modes where only one failure mode
 can be active at one time is termed a {\textbf{unitary~state}} failure mode set.
 \end{definition}
 Let the set of all possible components be $ \mathcal{C}$
 and let the set of all possible failure modes be $ \mathcal{F}$.
 The set of failure modes of a particular component are of interest 
 here. 
 What is required is to define a property for
 a set of failure modes where only one failure mode can be active at a time;
 or borrowing from the terms of  statistics, the failure mode being an event that is mutually exclusive
 with a set $F$.
 We can define a set of failure mode sets called $\mathcal{U}$ to represent this
 property for a set of failure modes..
 \begin{definition}
 We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where
 the component failure modes in each of its members are unitary~state.
 Thus if the failure modes of  a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true.
 \end{definition}
 \section{Component failure modes: Unitary State example}
 An example of a component with an obvious set of  ``unitary~state'' failure modes is the electrical resistor.
 Electrical resistors can fail by going OPEN or SHORTED.
 For a given resistor R we can apply the 
 function $fm$ to find its set of failure modes thus  $ fm(R) =  \{R_{SHORTED}, R_{OPEN}\} $.
 A resistor cannot fail with the conditions open and short active at the same time! The conditions
 OPEN and SHORT are thus mutually exclusive.
 Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
 Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
 The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
 therefore
 $ fm(R) \in \mathcal{U} $.
 We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
 of component failure modes.
 We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns 
 whether a fault mode is active (true) or dormant (false).
 We can say that if any pair of fault modes is active at the same time, then the failure mode set is not
 unitary state:
 we state this formally
 \begin{equation}
  \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} 
 \end{equation}
 % 
 % \begin{equation}
 %  c1 \cap c2 \neq \emptyset  | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U
 % \end{equation}
 That is to say that it is impossible that any pair of failure modes can be active at the same time
 for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$.
 Note where there are more than two failure~modes, 
 by banning any pairs from being active at the same time,
 we have banned larger combinations as well.
 \subsection{Design Rule: Unitary State}
 All components must have unitary state failure modes to be used with the FMMD methodology,
 for base~components, this is usually the case. Most simple components fail in one
 clearly defined way and generally stay in that state.
 However, where a complex component is used, for instance a microcontroller
 with several modules that could all fail simultaneously, a process
 of reduction into smaller theoretical components will have to be made.
 This is sometimes termed `heuristic~de-composition'.
 A modern microcontroller will typically have several modules, which are configured to operate on
 pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
 PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
 For instance the voltage reading functions which consist
 of an ADC multiplexer and ADC can be considered to be components
 inside the microcontroller package.
 The microcontroller thus becomes a collection of smaller components
 that can be analysed separately~\footnote{It is common for the signal paths
 in a safety critical product to be traced, and when entering a complex
 component like a microcontroller, the process of heuristic de-compostion
 applied to it}.
 \paragraph{Reason for Constraint} Were this constraint to not be applied
 each component could not have $N$ failure modes to consider but potentially
 $2^N$. This would make the job of analysing the failure modes
 in a {\fg} impractical due to the sheer size of the task.
 %%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos
 \section{Handling Simultaneous Component Faults}
 For some integrity levels of static analysis, there is a need to consider not only single
 failure modes in isolation, but cases where more then one failure mode may occur
 simultaneously.
 Note that the `unitary state' conditions apply to failure modes within a component.
 The scenarios presented here are where two or more components fail simultaneously.
 It is an implied requirement of EN298~\cite{en298} for instance to 
 consider double simultaneous faults\footnote{This is under the conditions
 of LOCKOUT in an industrial burner controller that has detected one fault already.
 However, from the perspective of static failure mode analysis, this amounts
 to dealing with double simultaneous failure modes.}.
 To generalise, we may need to consider $N$ simultaneous 
 failure modes when analysing a functional group. This involves finding
 all combinations of failures modes of size $N$ and less.
 %The Powerset concept from Set theory is useful to model this.
 The powerset, when applied to a set S is the set of all subsets of S, including the empty set 
 \footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
 is no fault active in the functional~group under analysis.}
 and S itself.
 In order to consider combinations for the set S where the number of elements in each subset of S is $N$ or less, a concept of the `cardinality constrained powerset'
 is proposed and described in the next section. 
 %\pagebreak[1] 
 \subsection{Cardinality Constrained Powerset }
 \label{ccp}
 A Cardinality Constrained powerset is one where subsets of a cardinality greater than a threshold
 are not included. This threshold is called the cardinality constraint.
 To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
 Consider the set $S = \{a,b,c\}$. 
 The powerset of S: 
 $$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$
 $\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is 
 less than or equal to 2 or less.
 $$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$
 Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is:
 $$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$.
 \paragraph{Calculating the number of elements in a cardinality constrained powerset}
 A $k$ combination is a subset with $k$ elements.  
 The number of $k$ combinations (each of size $k$) from a set $S$ 
 with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}.
 \begin{equation}
 C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} .
 \label{bico}
 \end{equation} 
 To find the number of elements in a cardinality constrained subset S with up to $cc$ elements
 in each combination sub-set,
 we need to sum the combinations, 
 %subtracting $cc$ from the final result 
 %(repeated empty set counts)
 from $1$ to $cc$ thus
 %
 % $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
 %
 \begin{equation}
 |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} .
 \label{eqn:ccps}
 \end{equation} 
 \subsection{Actual Number of combinations to check with Unitary State Fault mode sets}
 If all of the fault modes in $S$ were independent,
 the cardinality constrained powerset
 calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check.
 Because  sets of failure modes in FMMD analysis are constrained to be unitary state,
 the actual number of test cases to check will usually 
 be less than this. 
 This is because combinations of faults within a components failure mode set,
 are impossible under the conditions of  unitary state failure mode.
 To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations'
 for each component in the functional group under analysis.
 Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. 
 For example, say 
 the cardinality constraint was 3, we would need to subtract both
 $|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group.
 \subsubsection{Example: Two Component functional group cardinality Constraint of 2}
 For example: suppose we have a simple functional group with two components R and T, of which
 $$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$
 This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set 
 of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$
 For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$),
 applying equation \ref{eqn:ccps} gives :-
 $$ | P_2 (fm(FG)) |  = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!}  = 15.$$
 This is composed of ${5 \choose 1}$
 five single fault modes, and ${5 \choose 2}$ ten double fault modes.
 However we know that the faults are mutually exclusive within a component.
 We must then subtract the number of `internal' component fault combinations 
 for each component in the functional~group.
 For component R there is only one internal component fault that cannot exist
 $R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has 
  three  fault modes ${3 \choose 2} = 3$.
 Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$.
 The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified
 by listing all the required combinations:
 $$ \mathcal{P}_{2}(fm(FG)) =  \{
 \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
 \}
 $$
 and whose cardinality is 11. % by inspection
 %$$ 
 %| 
 %\{
 %    \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
 %\}
 %| = 11 
 %$$
 \pagebreak[1]
 \subsubsection{Establishing Formulae for unitary state failure mode 
 cardinality calculation}
 The cardinality constrained powerset in equation \ref{eqn:ccps}, can be modified for % corrected for 
 unitary state failure modes.
 %This is written as a general formula in equation \ref{eqn:correctedccps}. 
 %\indent{
 %To define terms :
 %\begin{itemize}
 %\item 
 Let $C$ be a set of components (indexed by $j \in  J$)
 that are members of the functional group $FG$
 i.e. $ \forall j \in J | C_j \in FG $.
 %\item 
 Let $|fm({C}_{j})|$
 indicate the number of mutually exclusive fault modes of component $C_j$.
 %\item 
 Let $fm(FG)$ be the collection of all failure modes
 from all the components in the functional group. 
 %\item 
 Let $SU$ be the set of failure modes from the {\fg} where all $FG$   is such that
 components $C_j$ are in
 `unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $, then 
 %\end{itemize}
 %}
 \begin{equation}
  |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}  
 - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} .
  \label{eqn:correctedccps}
 \end{equation} 
 Expanding the combination in equation \ref{eqn:correctedccps}
 \begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}   
 - {{\sum_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  } .
 \label{eqn:correctedccps2}
 \end{equation} 
 \paragraph{Use of Equation \ref{eqn:correctedccps2} }
 Equation \ref{eqn:correctedccps2} is useful for an automated tool that
 would verify that a single or double simultaneous failures model has complete failure mode coverage.
 By knowing how many test cases should be covered, and checking the cardinality
 associated with the test cases, complete coverage would be verified.
 %\paragraph{Multiple simultaneous failure modes disallowed combinations}
 %The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs
 %of failure modes within components, but also ensuring that combinations across components
 %do not involve any pairs of failure modes within the same component.
 %%%%- NOT SURE ABOUT THAT !!!!! 
 %%%-      A recursive algorithm and proof is described in appendix \ref{chap:vennccps}.
 %%\paragraph{Practicality}
 %%Functional Group may consist, typically of four or five components, which typically
 %%have two or three failure modes each. Taking a worst case of mutiplying these
 %%by a factor of five (the number of failure modes and components) would give
 %%$25 \times 15 = 375$
 %%
 %%
 %%
 %%\begin{verbatim}
 %%
 %%# define a factorial function
 %%# gives 1 for negative values as well
 %%define f(x) {
 %%  if (x>1) {
 %%    return (x * f (x-1))
 %%  }
 %%  return (1)
 %%
 %%}
 %%define u1(c,x) {
 %% return f(c*x)/(f(1)*f(c*x-1))
 %%}
 %%define u2(c,x) {
 %% return f(c*x)/(f(2)*f(c*x-2))
 %%}
 %%
 %%define uc(c,x) {
 %% return c * f(x)/(f(2)*f(x-2))
 %%}
 %%
 %%# where c is number of components, and x is number of failure modes
 %%# define function u to calculate combinations to check for double sim failure modes
 %%define u(c,x) {
 %%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2))
 %%}
 %%
 %%
 %%\end{verbatim}
 %%
 \pagebreak[1]
 \section{Component Failure Modes  and Statistical Sample Space}
 %\paragraph{NOT WRITTEN YET PLEASE IGNORE}
 A sample space is defined as the set of all possible outcomes.
 For a component in FMMD analysis, this set of all possible outcomes is its normal correct
 operating state and all its failure modes.
 We are thus considering the failure modes as events in the sample space.
 %
 When dealing with failure modes, we are not interested in 
 the state where the component is working perfectly or `OK' (i.e. operating with no error).
 %
 We are interested only in ways in which it can fail.
 By definition while all components in a system are `working perfectly' 
 that system will not exhibit faulty behaviour.
 We can say that the OK state corresponds to the empty set.
 Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
 %$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
 $$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
 The failure mode set $F$ for a given component or derived~component $C$
 is therefore
 $ fm(C) = \Omega(C) \backslash \{OK\} $
 (or expressed as
 $ \Omega(C) = fm(C) \cup \{OK\} $).
 The $OK$ statistical case is the largest in probability, and is therefore
 of interest when analysing systems from a statistical perspective.
 This is of interest for the application of conditional probability calculations
 such as Bayes theorem~\cite{probstat}; 
 The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian
 statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}.
 That is to say, a base component or a sub-system failure
 has a probability of causing given system level failures.
 Another way to view this is to consider the failure modes of
 component, with the $OK$ state, as a universal set $\Omega$, where
 all sets within $\Omega$ are partitioned.
 Figure \ref{fig:partitioncfm} shows a partitioned set representing 
 component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets
 where the OK or empty set condition is included, obey unitary state conditions.
 Because the subsets of $\Omega$ are partitionned we can say these 
 failure modes are unitary state.
 \begin{figure}[h]
 \centering
 \includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png}
 % partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
 \caption{Base Component Failure Modes with OK mode as partitioned set}
 \label{fig:partitioncfm}
 \end{figure}
 \section{Components with Independent failure modes}
 Suppose that we have a component that can fail simultaneously
 with more than one failure mode.
 This would make it seemingly impossible to model as  `unitary state'.
 \paragraph{De-composition of complex component.}
 There are two ways in which we can deal with this.
 We could consider the component a composite
 of two simpler components, and model their interaction to
 create a derived component.
 \ifthenelse {\boolean{paper}}
 {
 This technique is outside the scope of this paper.
 }
 {
 This technique is dealt in chapter \ref{fmmd_complex_comp} which shows how derived components may be assembled.
 }
 \begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with three failure modes as partitioned sets}
 \label{fig:combco}
 \end{figure}
 \paragraph{Combinations become new failure modes.}
 Alternatively, we could consider the combinations
 of the failure modes as new failure modes.
 We can model this using an Euler diagram representation of
 an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in
 the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$ see figure \ref{fig:combco}.
 For the purpose of example let us consider $\{ B_2, B_3 \}$
 to be intrinsically mutually exclusive, but $B_1$ to be independent.
 This means the we have the possibility of two new combinations
 $ B_1 \cap B_2$ and $ B_1 \cap B_3$.
 We can represent these 
 as shaded sections of figure \ref{fig:combco2}.
 \begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with three failure modes where $B_1$ is independent}
 \label{fig:combco2}
 \end{figure}
 We can calculate the probabilities for the shaded areas
 assuming the failure modes are statistically independent
 by multiplying the probabilities of the members of the intersection.
 We can use the function $P$ to return the probability of a 
 failure mode, or combination thereof.
 Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and  $P(B_1 \cap B_3) = P(B_1)P(B_3)$.
 \begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with two new failure modes}
 \label{fig:combco3}
 \end{figure}
 We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}).
 Because of the combinations, the probabilities for the failure modes
 $B_1, B_2$ and $B_3$ will now reduce.
 We can use the prime character ($\; \prime \;$), to represent the altered value for a failure mode, i.e.
 $B_1^\prime$ represents the altered value for $B_1$.
 Thus
 $$ P(B_1^\prime) = B_1 - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$
 $$ P(B_2^\prime) = B_2 - P(B_1 \cap B_2) \; and $$ 
 $$ P(B_3^\prime) = B_3 - P(B_1 \cap B_3) \; . $$
 We now have two new component failure mode $B_4$ and $B_5$, shown in figure \ref{fig:combco3}.
 We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$.
 %%-
 %%- Need a complete and more complicated UML diagram here
 %%- the other parts were just fragments to illustrate points
 %%-
 %%-
 \section{Complete UML Diagram}
 For a complete UML data model we need to consider the System
 as an object. This holds a parts list, and is the 
 key reference point in the data structure.
 A real life system will be expected to perform in a given environment.
 Environment in the context of this study
 means external influences the System could be expected to work under.
 A typical data sheet for an electrical component will give 
 a working temperature range for instance.
 Mechanical components will be specified for stress and loading limits.
 \paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
 levels of electrical interference, high voltage contamination on supply
 lines, radiation levels etc.
 Environmental influences will affect specific components in specific ways.
 Environmental analysis is thus applicable to components.
 Environmental influences, such as over stress due to voltage
 can be eliminated by down-rating of components as discussed in section~\ref{downrate}.
 With given environmental constraints, we can therefore eliminate some failure modes from the model.
 \paragraph{Operational states.}
 Within the field of safety critical engineering we often encounter 
 sub-system that include test facilities. We also encounter degraded performance
 (such as only performing functions in an emergency) and lockout conditions.
 These can be broadly termed operational states, and apply to the 
 functional groups.
 Consider for instance an electrical circuit that has a TEST line.
 When the TEST line is activated, it supplies a test signal
 which will validate the circuit. This circuit will have two operational states,
 NORMAL and TEST mode.
 It is natural to apply the operational states to functional groups.
 Functional groups by definition implement functionality, or purpose
 of particular sub-systems, and therefore are the best objects to model
 operational states.
 \paragraph{Inhibit Conditions}
 Some failure modes may only be active given specific environmental conditions
 or when other failures are already active.
 To model this, an `inhibit' class has been added.
 This is an optional attribute of 
 a failure mode. This inhibit class can be triggered
 on a combination of environmental or failure modes.
 \paragraph{UML Diagram Additional Objects.}
 The additional objects System, Environment and Operational States
 are added to  UML diagram in figure \ref{fig:cfg} and represented in figure \ref{fig:cfg2}.
 \label{completeuml}
 \begin{figure}[h]
 \centering
 \includegraphics[width=400pt,keepaspectratio=true]{./CH4_FMMD/master_uml.png}
 % cfg2.png: 702x464 pixel, 72dpi, 24.76x16.37 cm, bb=0 0 702 464
 \caption{Complete UML diagram}
 \label{fig:cfg2}
 \end{figure}
 \subsection{Ontological work on FMEA}
 Ontological work on FMEA reviewed so far, has concentrated on
 formalising the natural language process of FMEA and thus
 defining relationships between components, failure modes and top level outcomes
 an overview of this work may found here~\cite{ontfmea}.
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \subsection{An algebraic notation for identifying FMMD enitities}
 Consider all `components' to exist as
 members of a set $\mathcal{C}$.
@ -581,27 +1521,3 @@ For Functional Group 2 (FG2), let us map:
 %This AUTOMATIC check can reveal WHEN double checking no longer necessary 
 %in the hierarchy to cover dub sum !!!!! YESSSS
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
 sample text
--- a/submission_thesis/CH4_FMMD/fmmd_uml.dia
+++ b/submission_thesis/CH4_FMMD/fmmd_uml.dia
--- a/submission_thesis/CH4_FMMD/fmmd_uml2.dia
+++ b/submission_thesis/CH4_FMMD/fmmd_uml2.dia
--- a/submission_thesis/CH4_FMMD/partitioncfm.dia
+++ b/submission_thesis/CH4_FMMD/partitioncfm.dia
--- a/submission_thesis/CH5_Examples/copy.tex
+++ b/submission_thesis/CH5_Examples/copy.tex
@ -1,12 +1,13 @@
 %\clearpage %\pagenumbering{arabic}
-This chapter gives examples of FMMD applied to 
+This chapter demonstrates FMMD applied to 
 a variety of common electronic circuits.
 \section{Basic Concepts Of FMMD}
-The idea behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
+The %idea 
 driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
 Traditional FMEA takes part failure modes and then determines what effect each of these
 failure modes could have on the system under investigation.
@ -28,9 +29,10 @@ to form well-defined and well-known building blocks.
 These commonly used configurations of parts, or {\fgs}, will
 also have a specific failure mode behaviour. 
 We can take a {\fg} and determine its symptoms of failure.
 When we have done this we can treat this as a component in its own right.
-If we terms `parts' as base~components and components we have determined
+If we terms `parts' as base~components, components we have determined
-from functional groups as derived components, we can modularise FMEA.
+from functional groups as derived components, we modularise the  FMEA process.
 If we start building {\fgs} from derived components we can start to build a modular
 hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
 allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
@ -81,10 +83,12 @@ and describes `failures' of common electronic components, with percentage statis
 FMD-91 entries include general descriptions of  internal failures alongside {\fms} of use to an FMEA investigation.
 FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
 component {\fms} suitable for use in FMEA.
-MIL-1991~\cite{mil1991} provides overall reliability statistics for 
+A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91,  provides overall reliability statistics for 
 component types but does not detail specific failure modes.
 Used in conjunction with FMD-91, we can determine statistics for the failure modes
-of component types.
+of component types. The FMEDA process from european standard EN61508~\cite{en61508} for instance,
 requires statistics for Meantime to Failure (MTTF)
 for all part failure modes.
 % One is from the US military document FMD-91, where internal failures
@ -114,10 +118,10 @@ Finally we compare and contrast the failure modes determined for these component
 from the FMD-91 reference source and from the guidelines of the 
 European burner standard EN298.
-\subsection{Failure mode determination for generic resistor}
+\subsection{Failure mode determination for generic resistor.}
 %- Failure modes. Prescribed failure modes EN298 - FMD91
-\paragraph{Resistor failure modes according to FMD-91}
+\paragraph{Resistor failure modes according to FMD-91.}
 The resistor is a ubiquitous component in electronics, and is therefore a prime
@ -156,7 +160,7 @@ modes do not include drift.
 If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change)
 can be reasonably excluded.
-\paragraph{Resistor failure modes according to EN298}
+\paragraph{Resistor failure modes according to EN298.}
 EN298, the European gas burner safety standard, tends to be give  failure modes more directly usable by FMEA than FMD-91.
 EN298 requires that a full FMEA be undertaken, examining all failure modes
@ -171,7 +175,8 @@ For resistor types not specifically listed in EN298, the failure modes
 are considered to be either OPEN or SHORT.
 The reason that parameter change is not considered for resistors chosen for an EN298 compliant system; is that they must be must be {\em downrated},
 that is to say the power and voltage ratings of components must be calculated
-for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded.
+for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded,
 and thus subject to drift/parameter change.
 % XXXXXX get ref from colin T
@ -193,7 +198,7 @@ for maximum possible exposure, with a 40\% margin of error. This ensures the res
 For this study we will take the conservative view from EN298, and consider the failure
 modes for a generic resistor to be both OPEN and SHORT.
 i.e.
-
+\label{ros}
 $$ fm(R) = \{ OPEN, SHORT \} . $$
 \subsection{Failure modes determination for generic operational amplifier}
@ -206,7 +211,7 @@ $$ fm(R) = \{ OPEN, SHORT \} . $$
 \label{fig:lm258}
 \end{figure}
-The operational amplifier (op-amp) is a differential amplifier and is very widely used in nearly all fields of modern electronics.
+The operational amplifier (op-amp) is a differential amplifier and is very widely used in nearly all fields of modern analogue electronics.
 They are typically packaged in dual or quad configurations---meaning
 that a chip will typically contain two or four amplifiers.
 For the purpose of example, we look at
@ -219,8 +224,9 @@ a typical op-amp designed for instrumentation and measurement, the dual packaged
 For OP-AMP failures modes, FMD-91\cite{fmd91}{3-116] states,
 \begin{itemize}
 \item Degraded Output 50\% Low Slew rate - poor die attach
-  \item No Operation - overstress 31.3\%   \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier\%  
+ \item No Operation - overstress 31.3\%   
- \item Opened $V_+$ open\%  
+ \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier 12.5\%  
 \item Opened $V_+$ open 6.3\%  
 \end{itemize}
 Again these are mostly internal causes of failure, more of interest to the component manufacturer
@ -330,7 +336,7 @@ and determine its {\fms}.
 \end{table}
-\clearpage
+%\clearpage
@ -338,7 +344,7 @@ and determine its {\fms}.
 The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
 The FMD-91 entires for op-amps are not directly usable as 
-component {\fms} in FMEA or FMMD.
+component {\fms} in FMEA or FMMD and require interpretation.
 %For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of  internal errors, for instance ($LOW_{slew}$)
 %is missing from the EN298 failure modes set.
@ -396,7 +402,8 @@ transition to a higher level in the hierarchy.
 The first stage is to choose
 {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are   collections of base components.
 %These parts all have associated fault modes. A module is a set fault~modes. 
-From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail.
+From the point of view of failure analysis, 
 we are not interested in the components themselves, but in the ways in which they can fail.
 A {\fg} is a collection of components that perform some simple task or function.
 %
@ -486,8 +493,9 @@ So we can examine  $\{ R1, R2 \}$  as a {\fg}.
 \subsection{The Resistor in terms of failure modes}
 We can now determine how the resistors can fail.
-According to GAS standard EN298 the failure modes to consider for resistors are OPEN and SHORT.
+We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}).
-
+%, i.e.
 %$ fm(R) = \{ OPEN, SHORT \} . $
 We can express the failure modes of a component using the function $fm$, thus for the resistor,  $ fm(R) = \{ OPEN, SHORT \}$.
@ -600,7 +608,7 @@ Both approaches are followed in the next two sub-sections.
 \subsection{Inverting OPAMP using a Potential Divider {\dc}}
 We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the  input signal were negative.
-We want if possible to have detectable errors, HIGH and LOW are better than OUTOFRANGE.
+We want if possible to have detectable errors, HIGH and LOW failures are more observable  than a more generic failure modes such as `OUTOFRANGE'.
 If we can refine the operational states of the functional group, we can obtain clearer
 symptoms.
 If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}).
@ -793,7 +801,7 @@ IC1 and PD provide the function of buffering
 We can now examine IC1 and PD as a functional group.
 \pagebreak[3]
-\subsection{Functional Group: Amplifier}
+\subsection{Functional Group: Amplifier first stage}
 Let use now consider the op-amp. According to 
 FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes:
@ -933,7 +941,7 @@ Collecting the symptoms, we can determine the failure modes for this circuit, $\
 We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}.
-$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh,  DiffAMP\_LP DiffAMPIncorrect\} $$
+$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh,  DiffAMP\_LP,  DiffAMPIncorrect\} $$
 Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag})
@ -955,8 +963,14 @@ when it becomes a V2 follower).
 \label{fig:circuit1_dag}
 \end{figure}
-
+The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is currently impossible to detect---
-
+in fault finding terminology~\cite{garrett}~\cite{mawokinski} this {\fm} is said to be unobservable, and in EN61508
 terminology is called an undetectable fault.
 Were this failure to have safety implications this FMMD analysis will have revealed
 the un-observability and a prompt a re-design of this 
 circuit\footnote{A typical way to solve an un-observability such as this is 
 to periodically switch test signals in place of the input signal}
 .
 \clearpage
 \section{Op-Amp circuit 2}
@ -1250,12 +1264,10 @@ The signal path is circular (its a positive feedback circuit) and most failures
 %{\fgs} and apply analysis from a failure mode perspective.
 %
 If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with
-($4.4 +10.2 = 36$) failure modes. 
+($4.4 +10.2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$.
 Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$.
 We now create FMMD models and compare the complexity of FMMD and FMEA.
-We apply FMMD and start by determining {\fgs}.
+We start the FMMD process  by determining {\fgs}.
 We initially identify three types functional groups, an inverting amplifier (analysed in section~\ref{fig:invamp}),
 a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer
 amplifier. We can name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively.
@ -1638,17 +1650,25 @@ of complexity comparison.
 \section{PT100 Analysis: Double failures and MTTF statistics}
 {
-This section shows a practical example of 
+This section 
-one `symptom~abstraction' stage in the FMMD process.
+% shows a practical example of 
-We take a functional group of base components,
+% one `symptom~abstraction' stage in the FMMD process.
-and using their failure modes, analyse the circuit
+% We take a functional group of base components,
-to find failure symptoms.
+% and using their failure modes, analyse the circuit
-These failure symptoms are used to define 
+% to find failure symptoms.
-a derived component. 
+% These failure symptoms are used to define 
 % a derived component. 
 %
-An industry standard temperature measurement circuit,
+demonstrates FMMDs ability to model multiple {\fms}, and shows
-the PT100 is described and then analysed using the FMMD methodology.
+ how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.
-A derived component, representing this circuit is then presented.
+
 For this example we look at an industry standard temperature measurement circuit,
 the PT100. 
 The circuit is described and then analysed using the FMMD methodology.
 %A derived component, representing this circuit is then presented.
 The PT100, or platinum wire \ohms{100} sensor is 
@ -1661,8 +1681,14 @@ four wire circuit, and analyses it from an FMEA perspective twice.
 Once considering single faults (cardinality constrained powerset of 1) and then again, considering the 
 possibility of double faults (cardinality constrained powerset of 2).
 \ifthenelse {\boolean{pld}}
 {
 The section is performed using Propositional Logic
 diagrams to assist the reasoning process.
 }
 {
 }
 This chapter describes taking
 the failure modes of the components, analysing the circuit using FMEA
 and producing a failure mode model for the circuit as a whole.
@ -1708,7 +1734,7 @@ Note that the low reading goes down as temperature increases, and the higher rea
 For this reason the low reading will be referred to as {\em sense-}
 and the higher as {\em sense+}.
-\paragraph{Accuracy despite variable \\ resistance in cables}
+\paragraph{Accuracy despite variable resistance in cables}
 For electronic and accuracy reasons a four wire circuit is preferred
 because of resistance in the cables. Resistance from the supply
@ -1719,7 +1745,7 @@ causes only a negligible voltage drop, and thus the four wire
 configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
 the thermistor and not the voltage across the thermistor and current supply wire resistance.}.
-\paragraph{Calculating Temperature from \\ the sense line voltages}
+\paragraph{Calculating Temperature from the sense line voltages}
 The current flowing though the 
 whole circuit can be measured on the PCB by reading a third
@ -1767,7 +1793,7 @@ Where this occurs a circuit re-design is probably the only sensible course of ac
 \fmodegloss
-\paragraph{Single Fault FMEA Analysis \\ of PT100 Four wire circuit}
+\paragraph{Single Fault FMEA Analysis of PT100 Four wire circuit}
 \label{fmea}
 The PT100 circuit consists of three resistors, two `current~supply'
@ -1927,13 +1953,14 @@ the resistance of $R_3$.
 %
 As ohms law is linear, the accuracy of the reading
 will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
-take the mean square error of these accuracy figures.
+take the mean square error of these accuracy figures~\cite{easp}.
 \paragraph{Single Fault FMEA Analysis \\ of PT100 Four wire circuit}
 \ifthenelse {\boolean{pld}}
 {
 \paragraph{Single Fault Modes as PLD}
 The component~failure~modes in table \ref{ptfmea} can be represented as contours
@ -2052,7 +2079,11 @@ resistors in this circuit has failed.
 \subsection{Derived Component : The PT100 Circuit}
 The PT100 circuit can now be treated as a component in its own right, and has one failure mode, 
-{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}.
+{\textbf OUT\_OF\_RANGE}. 
 %
 \ifthenelse{\boolean{pld}}
 {
 It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}.
 \begin{figure}[h]
 \centering
@ -2061,7 +2092,7 @@ The PT100 circuit can now be treated as a component in its own right, and has on
 \caption{PT100 Circuit Failure Modes : From Single Faults Analysis}
 \label{fig:pt100_singlef}
 \end{figure}
-
+}
 %From the single faults (cardinality constrained powerset of 1) analysis, we can now create
 %a new derived component, the {\empt100circuit}. This has only \{ OUT\_OF\_RANGE \}
@ -2070,7 +2101,7 @@ The PT100 circuit can now be treated as a component in its own right, and has on
 %Interestingly we can calculate the failure statistics for this circuit now.
 %Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ???
-\clearpage
+%\clearpage
 \subsection{Mean Time to Failure}
 Now that we have a model for the failure mode behaviour of the pt100 circuit
@ -2181,7 +2212,7 @@ resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
 \end{equation}
-Thus thermistor, bead type, non military spec is given a FIT of 315.0
+Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0
 Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
 showing the FIT values for all faults considered.
@ -2238,12 +2269,12 @@ The PT100 analysis presents a simple result for single faults.
 The next analysis phase looks at how the circuit will behave under double simultaneous failure
 conditions.
-\clearpage
+%\clearpage
-\section{ PT100 Double Simultaneous \\ Fault Analysis}
+\section{ PT100 Double Simultaneous  Fault Analysis}
 In this section we examine the failure mode behaviour for all single 
 faults and double simultaneous faults.
-This corresponds to the cardinality constrained powerset of
+This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
 the failure modes in the functional group.
 All the single faults have already been proved in the last section.
 For the next set of test cases, let us again hypothesise
@ -2287,7 +2318,7 @@ TC 18: &  $R_2$ SHORT $R_3$ SHORT   &  low        &   low    &  Both out of Rang
 \label{tab:ptfmea2}
 \end{table}
-\subsection{Verifying complete coverage for a \\ cardinality constrained powerset of 2}
+\subsection{Verifying complete coverage for a cardinality constrained powerset of 2}
 \fmodegloss
@ -2442,9 +2473,10 @@ The sense- value will be out of range.
 This shorts the sense+ and sense- to Vcc.
 Both values will be out of range.
-\clearpage
+%\clearpage
 \ifthenelse{\boolean{pld}}
 {
 \subsection{Double Faults Represented on a PLD Diagram}
 We can show the test cases on a diagram with the double faults residing on regions 
@ -2466,6 +2498,9 @@ a given cardinality constraint is not visually obvious.
 From the diagram it is easy to verify
 the number of failure modes considered for each test case, but 
 not that all for a given cardinality constraint have been included.
 }
 {
 }
 \paragraph{Symptom Extraction}
@ -2477,6 +2512,7 @@ into the symptom $OUT\_OF\_RANGE$.
 As a symptom $TC\_7$ could be described as $FLOATING$. 
 \ifthenelse{\boolean{pld}}
 {
 We can thus draw a PLD diagram representing the
 failure modes of this functional~group, the pt100 circuit from the perspective of double simultaneous failures,
 in figure \ref{fig:pt100_doublef}.
@ -2489,13 +2525,16 @@ in figure \ref{fig:pt100_doublef}.
 \label{fig:plddoublesymptom}
 \end{figure}
 } %% \ifthenelse {\boolean{pld}}
 {
 }
-\clearpage
+%\clearpage
 \subsection{Derived Component : The PT100 Circuit}
 The PT100 circuit again, can now be treated as a component in its own right, and has two failure modes, 
 {\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. 
 \ifthenelse{\boolean{pld}}
 {
 It can now be represented as a PLD see figure \ref{fig:pt100_doublef}.
 \begin{figure}[h]
 \centering
@ -2505,6 +2544,8 @@ It can now be represented as a PLD see figure \ref{fig:pt100_doublef}.
 \label{fig:pt100_doublef}
 \end{figure}
 } % \ifthenelse {\boolean{pld}}
 {
 }
 \subsection{Statistics}
--- a/submission_thesis/thesis.tex
+++ b/submission_thesis/thesis.tex
@ -17,6 +17,8 @@
 %% fix for hyperref bug in algorithm package
 \newcommand{\theHalgorithm}{\thechapter.\arabic{algorithm}}
 \usepackage{ifthen}
 \newboolean{pld}
 \setboolean{pld}{false} % boolvar=true or false
 \newboolean{paper}
 \setboolean{paper}{false} % boolvar=true or false
 \input{style}