diff --git a/fmmd_concept/fmmd_concept.tex b/fmmd_concept/fmmd_concept.tex index d99088f..32642be 100644 --- a/fmmd_concept/fmmd_concept.tex +++ b/fmmd_concept/fmmd_concept.tex @@ -413,7 +413,7 @@ based on hueristics or field data. Because we have statistics for each component failure mode, we can now now classify these in terms of safe and dangerous lambda values. Detectable failure probabilities are labelled `$\lambda_D$' (for -dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}. +dangerous) and `$\lambda_S$' (for safe) \cite{en61508}. \paragraph{Determine Detectable and Undetectable Failures.} Each safe and dangerous failure mode is now @@ -504,6 +504,8 @@ become stricter for each SIL level. Thus FMEDA uses statistical methods to determine a safety level (SIL), typically used to meet an acceptable risk value, specified for the environment the SYSTEM must work in. +EN61508 defines in general terms, + risk assessment and required SIL levels \cite{en61508} [5 Annex A]. %the probability of %failures occurring, and provide an adaquate risk level. diff --git a/fmmd_design_aide/fmmd_design_aide.tex b/fmmd_design_aide/fmmd_design_aide.tex index 2209c79..489c252 100644 --- a/fmmd_design_aide/fmmd_design_aide.tex +++ b/fmmd_design_aide/fmmd_design_aide.tex @@ -56,6 +56,10 @@ are the symptoms of the {\fg} we derived it from. The symptoms will be detectable (like a value of of range) or undetectable (like a logic state or value being incorrect). The `undetectable' failure modes are the most worrying for the safety critical designer. +EN61058, the statistically based European Norm, using ratios +of detected and undetected system failure modes to +classify the safety level \cite{EN61508}. + %It is these that are, generally the ones that stand out as single %failure modes. For instance, out of range values, are easy to detect by 
@@ -117,17 +121,38 @@ We then analsye the {\fg} and the resultant {\dc} failure modes/symptoms are dis \subsection{Brief Circuit Description} -This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$). +This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$) +\footnote{The resistors used to program the gain of the op-amp would typically be of a $ \le 1\%$ guaranteed +tolerance. In practise, the small variations would be corrected with software constants prorgammed during production +test/calibration.}. An offset is applied to the input by R18 and R22 forming a potential divider of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$. -So the amplified offset is $\approx 342 \, mV$. We can determine the output of the amplifier +This amplified offset +can be termed a $\Delta V$, an addition to the mV value provided by the sensor. +So the amplified offset is $\approx 342 \, mV$. +We can determine the output of the amplifier by subtracting this amount from the reading. We can also define an acceptable range for the readings. This would depend on the characteristics of milli-volt source, and also on the thresholds of the volatges considered out of range. For the sake of example let us consider this to be a type K thermocouple amplifier, with a range of temperatures expected to be within {{0}\oc} and {{300}\oc}. -EXPAND +\paragraph{Voltage range for {{0}\oc} to {{300}\oc}.} +Choosing the common Nickel-Chromium v. Nickel Aluminium `K' type thermocouple, +{{0}\oc} provides an EMF of 0mV, and {{300}\oc} 12.207. +Multiplying these by 184 and adding the 1.86mV offset gives +342.24mV and 2563.12mV. This is now in a suitable range to be read by +an analogue didtital converter, which will have a voltage span +typically between 3.3V and 5V on modern microcontrollers/ADC (Analogue Digital Converter) chips. 
+Note that this also leaves a margin or error on both sides of the range. +If the thermocouple were to become colder than {{0}\oc} it would supply +a negative voltage, which would subtract from the offset. +At around {{-47}\oc} the amplifier output would be zero; +but anything under 342.24mV is considered out of range. +Thus the ADC can comfortably read out of range values +but controlling software can determine it as invalid. +Similarly anything over 2563.12mV would be considered out of range +but would be still within comfortable reading range for an ADC. \section{FMMD Analysis} @@ -179,6 +204,8 @@ we can represent this in an FMMD hierarchy diagram, see figure \ref{fig:mvamp_fm The table \ref{tab:fmmdaide1} shows two possible causes for an undetectable error, that of a low reading due to the loss of the offset millivolt signal. +The loss of the $\Delta V$ would mean an incorrect temperature +reading would be made. Typically this type of circuit would be used to read a thermocouple and this error symptom, `low\_reading' would mean our plant could beleive that the temperature reading is lower than it actually is. @@ -379,9 +406,9 @@ group w.r.t the failure modes in the two derived compoennts. \label{fig:testable_mvamp} \end{figure} -\subsection{Analysis of FMMD Derived component `added safety milli-volt amp'} +\subsection{Analysis of FMMD Derived component `testable milli-volt amp'} -The failure mode of most concern is the the `low~reading'. This has two potential +The failure mode of most concern is the undetectable failure `low~reading'. This has two potential causes in the unmodified circuit, R22\_SHORT and R18\_OPEN. \paragraph{R22\_SHORT with safety addition} 
@@ -411,6 +438,31 @@ giving an out of range reading from the op-amp output. We can group `low~reading' with `out~of~range'. The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state. +\begin{table}[h+] +\caption{Testable Milli Volt Amplifier Single Fault FMMD} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|l|c||} +\hline \hline + \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ + \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ +% R & wire & res + & res - & description +\hline +\hline +TC:1 $testcircuit$ & open potential divider & Out of range & XX 1.38 \\ \hline + \hline +TC:2 $testcircuit$ & no test effect & no test effect & XX 1.38 \\ \hline +\hline +TC:3 $mvamp$ & out of range & Out of Range & XX 1.38 \\ +\hline +TC:4 $mvamp$ & low reading & Out of range \& no test effect & XX 1.38 \\ +\hline + +\end{tabular} +\label{tab:fmmdaide2} +\end{table} + + + We now have two symptoms, `out~of~range' or `no~test~effect'. So for single component failures we now have a circuit where there are no undetectable failure modes. @@ -423,12 +475,17 @@ We can surmise the symptoms in a list. - \section{conclusions} -With safety addition reliability GOES DOWN ! -But safety goes UP ! -Work it out +With safety addition the undetectable failure mode of \textbf{low~reading} +disappears. The overall reliability though goes down ! +This is simply because we have more components that {\em can} fail. -Yes so we now have aditional failure modesso the reliability -of the `self testing' circuit is lower than the basic one. +%% Safety vs. reliability paradox. + +The sum of the MTTF's for the original circuit is DAH, and for the new one +DAH. The circuit is arguably safer now +but statistically less reliable. + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
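Review bot: (fmmd_concept.tex @413) the citation key is changed from `\cite{EN61508}` to `\cite{en61508}` here, but the hunk at fmmd_design_aide.tex @56 in this same patch introduces a new `\cite{EN61508}` in the old case. BibTeX keys are case-sensitive, so one of the two will produce an undefined-citation warning unless the .bib file carries both keys; pick one spelling and use it in both files. The context lines of this paragraph also carry `hueristics` (heuristics) and a doubled `now now`.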
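Review bot: (fmmd_concept.tex @504) in the added sentence `EN61508 defines in general terms, risk assessment and required SIL levels \cite{en61508} [5 Annex A].` the comma after `terms` separates the verb from its object, and the bare `[5 Annex A]` will be typeset as literal bracketed text beside the citation number. Drop the comma and move the locator into the citation's optional argument, e.g. `\cite[Part 5, Annex A]{en61508}`, so it renders as part of the reference.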
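Review bot: (fmmd_design_aide.tex @56) the standard number in the new sentence is mistyped as `EN61058`; the rest of the patch and the citation key use EN61508. The sentence also has no finite verb (`EN61058, the statistically based European Norm, using ratios ... to classify the safety level`); change `using` to `uses`. The key `\cite{EN61508}` is in the opposite case to the `\cite{en61508}` adopted in fmmd_concept.tex in this patch. The context line above, `a value of of range`, should read `a value out of range`.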
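Review bot: (fmmd_design_aide.tex @117) the upper bound of the voltage range does not follow from the figures given: 12.207 mV multiplied by 184, plus the 342.24 mV amplified offset, is about 2588.3 mV, not 2563.12 mV (2563.12 mV corresponds to a 12.07 mV EMF). Recheck the figure, since it is repeated twice below as the out-of-range threshold. Spelling in the new text: `practise` (practice), `prorgammed` (programmed), `didtital` (digital), `margin or error` (margin of error); `volatges` and `analsye` in the context lines. The `\footnote{...}` is attached before the sentence's full stop; placing it after the period avoids the stray space before the footnote mark.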
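Review bot: (fmmd_design_aide.tex @179) the added sentence `The loss of the $\Delta V$ would mean an incorrect temperature reading would be made.` restates what the sentence after it already says about `low\_reading`; either fold it in (for example `The loss of the $\Delta V$ would produce an incorrectly low temperature reading`) or make clear what it adds. `beleive` in the context line should be `believe`.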
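Review bot: (fmmd_design_aide.tex @379) the renamed heading `testable milli-volt amp' now matches the figure label `fig:testable_mvamp`, but the hunk's context line `group w.r.t the failure modes in the two derived compoennts` still carries `compoennts` (components) and `w.r.t` without its final stop; worth fixing while this region is being edited. The sentence `This has two potential causes in the unmodified circuit` would read more clearly as `In the unmodified circuit this has two potential causes, R22\_SHORT and R18\_OPEN`, so the reader sees at once that the causes predate the safety addition.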
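Review bot: (fmmd_design_aide.tex @411) `\begin{table}[h+]` is not a valid float placement and LaTeX stops with `Unknown float option `+'`; use `[h]`, `[ht]` or `[!h]`. The MTTF column holds the placeholder `XX 1.38` in all four rows, so the table currently carries no data, and the commented-out header `per $10^9$ hours of operation` describes a failure rate rather than an MTTF, so the column should be titled for whichever quantity is filled in. Row TC:4 gives the symptom as `Out of range \& no test effect`, while the prose directly above says `low~reading` becomes one or the other depending on the $\overline{TEST\_LINE}$ state, so `or` is the accurate connective. Capitalisation of `Out of range` / `Out of Range` / `out of range` should be made consistent across the rows.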
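Review bot: (fmmd_design_aide.tex @423) the two `DAH` placeholders in `The sum of the MTTF's for the original circuit is DAH, and for the new one DAH.` must be replaced with the actual figures before this is merged, and summing MTTFs is not the right operation: for components in series it is the failure rates (the $\lambda$ values the fmmd_concept.tex hunk refers to) that add, and the system MTTF is the reciprocal of that sum. Rephrase the comparison in terms of summed failure rates. Minor: `\section{conclusions}` in the context is lowercase while the other headings are capitalised, and `goes down !` has a space before the exclamation mark.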