From 459d924cae172f26349d95b20622efc71b0a9f7c Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 25 Sep 2010 12:05:51 +0100 Subject: [PATCH] . --- .../component_failure_modes_definition.tex | 668 ++++++++++++++++++ 1 file changed, 668 insertions(+) create mode 100644 component_failure_modes_definition/component_failure_modes_definition.tex diff --git a/component_failure_modes_definition/component_failure_modes_definition.tex b/component_failure_modes_definition/component_failure_modes_definition.tex new file mode 100644 index 0000000..3a498aa --- /dev/null +++ b/component_failure_modes_definition/component_failure_modes_definition.tex @@ -0,0 +1,668 @@ + + + +\ifthenelse {\boolean{paper}} +{ +\abstract{ +This paper defines %what is meant by +the terms +components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes. +%The application of Bayes theorem in current methodologies, and +%the suitability of the `null hypothesis' or `P' value statistical approach +%are discussed. +The general concept of the cardinality constrained powerset is introduced +and calculations for it described, and then for +calculations under `unitary state' fault mode conditions. +Data types and their relationships are described using UML. +Mathematical constraints and definitions are made using set theory.} +} +{ +\section{Overview} +This chapter defines %what is meant by +the terms +components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes. +The general concept of the cardinality constrained powerset is introduced +and calculations for it described, and then for +calculations under `unitary state' fault mode conditions. +Data types and their relationships are described using UML. +Mathematical constraints and definitions are made using set theory. +} + + +\section{Introduction} +This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method. +When analysing a safety critical system using +this technique, we need clearly defined failure modes for +all the components that are used to model the system. +In our model we have a constraint that +the component failure modes must be mutually exclusive. +When this constraint is complied with we can use the FMMD method to +build hierarchical bottom-up models of failure mode behaviour. +%This and the definition of a component are +%described in this chapter. +%When building a system from components, +%we should be able to find all known failure modes for each component. +%For most common electrical and mechanical components, the failure modes +%for a given type of part can be obtained from standard literature\cite{mil1991} +%\cite{mech}. %The failure modes for a given component $K$ form a set $F$. + + +%% +%% Paragraph component and its relationship to its failure modes +%% + +\section{ Defining the term Component } + + +\begin{figure}[h] + \centering + \includegraphics[width=300pt,bb=0 0 437 141,keepaspectratio=true]{component_failure_modes_definition/component.jpg} + % component.jpg: 437x141 pixel, 72dpi, 15.42x4.97 cm, bb=0 0 437 141 + \caption{A Component and its Failure Modes} + \label{fig:component} +\end{figure} + +Let us first define a component. This is anything which we use to build a +product or system with. +It could be something quite complicated +like an integrated microcontroller, or quite simple like the humble resistor. +We can define a +component by its name, a manufacturers' part number and perhaps +a vendors' reference number. +What these components all have in common is that they can fail, and fail in +a number of well defined ways. For common components +there is established literature for the failure modes for the system designer to consider (often with accompanying statistical +failure rates)\cite{mil1991}. For instance, a simple resistor is generally considered +to fail in two ways, it can go open circuit or it can short. +Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$. +The UML diagram in figure +\ref{fig:component} shows a component as a data +structure with its associated failure modes. + +From this diagram we see that each component must have at least one failure mode. +To clearly show that the failure modes are mutually exclusive states, or unitary states associated with one component, +each failure mode is referenced back to only one component. + +%%-%% MTTF STATS CHAPTER MAYBE ?? +%%-%% +%%-%% This modelling constraint is due to the fact that even generic components with the same +%%-%% failure mode types, may have different statistical MTTF properties within the same +%%-%% circuitry\footnote{For example, consider resistors one of high resistance and one low. +%%-%% The generic failure modes for a resistor will be the same for both. +%%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}. + + +A product naturally consists of many components and these are traditionally +kept in a `parts list'. For a safety critical product this is usually a formal document +and is used by quality inspectors to ensure the correct parts are being fitted. +The parts list is shown for +completeness here, as people involved with PCB and electronics production, verification +and testing would want to know where it lies in the model. +The parts list is not actively used in the FMMD method. +For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components. +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 712 68,keepaspectratio=true]{component_failure_modes_definition/componentpl.jpg} + % componentpl.jpg: 712x68 pixel, 72dpi, 25.12x2.40 cm, bb=0 0 712 68 + \caption{Parts List of Components} + \label{fig:componentpl} +\end{figure} + +Components in the parts list % (bought in parts) +will be termed `base~components'. +Components derived from base~components will not always require +parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts, +software modules and some collections of components to have part numbers. +This is a production/configuration~control issue and linked to Bill of Material (BOM) +database structures etc. Parts numbers for derived components are not directly related to the analysis process +we are concerned with here.}, and will +not require a vendor reference, but must be named locally in the FMMD model. + +We can term `modularising a system', to mean recursively breaking it into smaller sections for analysis. +When modularising a system from the top~down, as in Fault Tree Analysis\cite{nasafta}\cite{nucfta} (FTA) +it is common to term the modules identified as sub-systems. +When building from the bottom up, it is more meaningful to call them `derived~components'. + + +%% +%% Paragraph using failure modes to build from bottom up +%% + +\section{Fault Mode Analysis, \\ top down or bottom up?} + +Traditional static fault analysis methods work from the top down. +They identify faults that can occur in a system, and then work down +to see how they could be caused. Some apply statistical techniques to +determine the likelihood of component failures +causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse, +can be applied to specific failure modes in components and the probability of them causing given system level errors. +Another top down technique is to apply cost benefit analysis +to determine which faults are the highest priority to fix\cite{bfmea}. +The aim of FMMD analysis is to produce complete failure +models of safety critical systems from the bottom-up, +starting, where possible with known base~component failure~modes. + +An advantage of working from the bottom up is that we can ensure that +all component failure modes must be considered. A top down approach +can miss individual failure modes of components\cite{faa}[Ch.~9], +especially where they are non obvious top-level faults. + +In order to analyse from the bottom-up, we need to take +small groups of components from the parts~list that naturally +work together to perform a simple function. +The components to include in a {\fg} are chosen by a human, the analyst. +%We can represent the `Functional~Group' as a class. + When we have a +`{\fg}' we can look at the components it contains, +and from this determine the failure modes of all the components that belong to it. +% +% and determine a failure mode model for that group. +% +% expand 21sep2010 +%The `{\fg}' as used by the analyst is a collection of component failures modes. +The analysts interest is the ways in which the components within the {\fg} +can fail. All the failure modes of all the components with an {\fg} are collected +into a flat set of failure modes. +% +Each of these failure modes, and optionally combinations of them, are +formed into `test cases' which are +analysed for their effect on the failure mode behaviour of the `{\fg}'. +% +Once we have the failure mode behaviour of the {\fg}, we can determine a new set of failure modes, the derived failure modes of the +`{\fg}'. +% +Or in other words we can determine how the `{\fg}' can fail. +We can now consider the {\fg} as a sort of super component +with its own set of failure modes. + + +\subsection{From functional group to newly derived component} + +The process for taking a {\fg}, considering +all the failure modes of all the components in the group, +and analysing it is called `symptom abstraction' and +is dealt with in detail in chapter \ref{symptom_abstraction}. +% define difference between a \fg and a \dc +A {\fg} is a collection of components, a {\dc} is a new `theorectical' +component which has a set of failure modes, which +correspond to the failure modes of the {\fg} is was derived from. +We could consider a {\fg} as a black box, or component +to use, and in this case it would have a set of failure modes. +Looking at the {\fg} in this way is seeing it as a {\dc}. + +In terms of our UML model, the symptom abstraction process takes a {\fg} +and creates a new {\dc} from it. +%To do this it first creates +%a new set of failure modes, representing the fault behaviour +%of the functional group. This is a human process and to do this the analyst +%must consider all the failure modes of the components in the functional +%group. +The newly created {\dc} requires a set of failure modes of its own. +These failure modes are the failure mode behaviour of the {\fg} that it was derived from. +Because these new failure modes were derived from a {\fg} we can call +these `derived~failure~modes'. +%It then creates a new derived~component object, and associates it to this new set of derived~failure~modes. +We thus have a `new' component, or system building block, but with a known and traceable +fault behaviour. + +The UML representation shows a `functional group' having a one to one relationship with a derived~component, +which we represent in the UML diagram in figure \ref{fig:cfg}. + +The symbol $\bowtie$ is used to indicate the analysis process that takes a +functional group and converts it into a new component. + +This can be expresed as $ \bowtie ( FG ) \rightarrow DerivedComponent $ . + + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{./component_failure_modes_definition/cfg.jpg} + % cfg.jpg: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286 + \caption{UML Meta model for FMMD hierarchy} + \label{fig:cfg} +\end{figure} + + +\subsection{Keeping track of the derived \\ components position in the hierarchy} + +The UML meta model in figure \ref{fig:cfg}, shows the relationships +between the classes and sub-classes. +Note that because we can use derived components to build functional groups, +this model intrinsically supports building a hierarchy. +% +In use we will build a hierarchy of +objects, with derived~components forming functional~groups, and creating +derived components higher up in the structure. +% +To keep track of the level in the hierarchy (i.e. how many stages of component +derivation `$\bowtie$' have lead to the current derived component) +we can add an attribute to the component data type. +This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$. +The $\alpha$ level variable in each component, +indicates the position in the hierarchy. Base or parts~list components +have a `level' of $\alpha=0$. +% I do not know how to make this simpler +Derived~components take a level based on the highest level +component used to build the functional group it was derived from plus 1. +So a derived component built from base level or parts list components +would have an $\alpha$ value of 1. +%\clearpage + + + +% \section{Set Theory Description} +% +% $$ System \stackrel{has}{\longrightarrow} PartsList $$ +% +% $$ PartsList \stackrel{has}{\longrightarrow} Components $$ +% +% $$ Component \stackrel{has}{\longrightarrow} FailureModes $$ +% +% $$ FunctionalGroup \stackrel{has}{\longrightarrow} Components $$ +% +% Using the symbol $\bowtie$ to indicate an analysis process that takes a +% functional group and converts it into a new component. +% +% $$ \bowtie ( FG ) \rightarrow DerivedComponent $$ +% + +\subsection{Relationships between functional~groups and failure modes} + +Let the set of all possible components be $\mathcal{C}$ +and let the set of all possible failure modes be $\mathcal{F}$. + +We can define a function $fm$ as equation \ref{eqn:fmset}. + +\begin{equation} +fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F} + \label{eqn:fmset} +\end{equation} + +The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes. + +\begin{equation} + fm ( C ) = F + \label{eqn:fminstance} +\end{equation} + +\paragraph{Finding all failure modes within the functional group} + +For FMMD failure mode analysis we need to consider the failure modes +from all the components in a functional~group as a flat set. +Consider the components in a functional group to be $C_1...C_N$. +The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components +in the functional~group and taking the union of them thus: + +$$ FSF = \bigcup_{j=1}^{N} FM(C_j) $$ + +We can actually overload the notation for the function $fm$ % FM +and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) +in equation \ref{eqn:fmoverload}. + +\begin{equation} +fm : \mathcal{FG} \rightarrow \mathcal{F} +\label{eqn:fmoverload} +\end{equation} + + +\section{Unitary State Component \\ Failure Mode sets} + +\paragraph{Design Descision/Constraint} +An important factor in defining a set of failure modes is that they +should be represent the failure modes as simply and minimally as possible. +It should not be possible, for instance for +a component to have two or more failure modes active at once. +Were this to be the case, we would have to consider additional combinations of +failure modes within the component. +Having a set of failure modes where $N$ modes could be active simultaneously +would mean having to consider an additional $2^N-1$ failure mode scenarios. +Should a component be analysed and simultaneous failure mode cases exit, +the combinations could be represented by new failure modes, or +the component should be considered from a fresh perspective, +perhaps considering it as several smaller components +within one package. +This property, failure modes being mutually exclusive, is termed `unitary state failure modes' +in this study. +This corresponds to the `mutually exclusive' definition in +probability theory \cite{probstat}. + + +\begin{definition} +A set of failure modes where only one failure mode +can be active at one time is termed a `unitary~state' failure mode set. +\end{definition} + +Let the set of all possible components to be $ \mathcal{C}$ +and let the set of all possible failure modes be $ \mathcal{F}$. + +\begin{definition} +We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where +the component failure modes in each of its members are unitary~state. +Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. +\end{definition} + +\section{Component failure modes:\\ Unitary State example} + +An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. + +Electrical resistors can fail by going OPEN or SHORTED. + +For a given resistor R we can apply the +the function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. +A resistor cannot fail with both conditions open and short active at the same time! The conditions +OPEN and SHORT are thus mutually exclusive. +Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. + + +Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. + +The intersection of these is therefore the empty set, $$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$, +therefore +$ fm(R) \in \mathcal{U} $. + + + +We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection +of component failure modes. +We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns +whether a fault mode is active (true) or dormant (false). + +We can say that if any pair of fault modes is active at the same time, then the failure mode set is not +unitary state: +we state this formally + + + \begin{equation} + \forall f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} + \end{equation} + + +% +% \begin{equation} +% c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U +% \end{equation} + +That is to say that it is impossible that any pair of failure modes can be active at the same time +for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$. +Note where there are more than two failure~modes, +by banning any pairs from being active at the same time, +we have banned larger combinations as well. + +\subsection{Design Rule: Unitary State} + +All components must have unitary state failure modes to be used with the FMMD methodology. +Where a complex component is used, for instance a microcontroller +with several modules that could all fail simultaneously, a process +of reduction into smaller theoretical components will have to be made +\footnote{A modern microcontroller will typically have several modules, which are configurged to operate on +pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, +PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers \cite{pic18f2523}}. +For instance the voltage reading functions which consist +of an ADC multiplexer and ADC can be considered to be components +inside the microcontroller package. +The microcontroller thuis becomes a collection of smaller components +the can be analysed separately. +\paragraph{Reason for Constraint} Were this constraint to not be applied +each component could not have $N$ failure modes to consider but potentially +$2^N$. This would make the job of analysing the failure modes +in a {\fg} impractical due to the sheer size of the task. + +%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos + +\section{Handling Simultaneous \\ Component Faults} + +For some integrity levels of static analysis, there is a need to consider not only single +failure modes in isolation, but cases where more then one failure mode may occur +simultaneously. +Note that the `unitary state' conditions apply to failure modes within a component. +The scenarios presented here are where two or more components fail simultaneously. +It is an implied requirement of EN298 \cite{en298} for instance to +consider double simultaneous faults\footnote{This is under the conditions +of LOCKOUT in an industrial burner controller that has detected one fault already. +However, from the perspective of static failure mode analysis, this amounts +to dealing with double simultaneous failure modes.}. +To generalise, we may need to consider $N$ simultaneous +failure modes when analysing a functional group. This involves finding +all combinations of failures modes of size $N$ and less. +The Powerset concept from Set theory is useful to model this. +The powerset, when applied to a set S is the set of all subsets of S, including the empty set +\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there +is no fault active in the functional~group under analysis.} +and S itself. +In order to consider combinations for the set S where the number of elements in each sub-set of S is $N$ or less, a concept of the `cardinality constrained powerset' +is proposed and described in the next section. + +%\pagebreak[1] +\subsection{Cardinality Constrained Powerset } +\label{ccp} + +A Cardinality Constrained powerset is one where sub-sets of a cardinality greater than a threshold +are not included. This threshold is called the cardinality constraint. +To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. +Consider the set $S = \{a,b,c\}$. + +The powerset of S: + +$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ + + +$\mathcal{P}_{2} S $ means all non-empty subsets of S where the cardinality of the subsets is +less than or equal to 2 or less. + +$$ \mathcal{P}_{2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ + +Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is: + +$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$ + +\paragraph{Calculating the number of elements in a cardinality constrained powerset} + +A $k$ combination is a subset with $k$ elements. +The number of $k$ combinations (each of size $k$) from a set $S$ +with $n$ elements (size $n$) is the binomial coefficient \cite{probstat} shown in equation \ref{bico}. + +\begin{equation} +C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} +\label{bico} +\end{equation} + +To find the number of elements in a cardinality constrained subset S with up to $cc$ elements +in each combination sub-set, +we need to sum the combinations, +%subtracting $cc$ from the final result +%(repeated empty set counts) +from $1$ to $cc$ thus + +% +% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ +% + +\begin{equation} + |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} + \label{eqn:ccps} +\end{equation} + + + +\subsection{Actual Number of combinations to check \\ with Unitary State Fault mode sets} + +If all of the fault modes in $S$ were independent, +the cardinality constrained powerset +calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check. +Because sets of failure modes in FMMD analysis are constrained to be unitary state, +the actual number of test cases to check will usually +be less than this. +This is because combinations of faults within a components failure mode set, +are impossible under the conditions of unitary state failure mode. +To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' +for each component in the functional group under analysis. +Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. +For example, say +the cardinality constraint was 3, we would need to subtract both +$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. + +\subsubsection{Example: Two Component functional group \\ cardinality Constraint of 2} + +For example: suppose we have a simple functional group with two components R and T, of which +$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}$$. + +This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set +of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$ + +For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$), +applying equation \ref{eqn:ccps} gives :- + +$$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15$$. + +This is composed of ${5 \choose 1}$ +five single fault modes, and ${5 \choose 2}$ ten double fault modes. +However we know that the faults are mutually exclusive within a component. +We must then subtract the number of `internal' component fault combinations +for each component in the functional~group. +For component R there is only one internal component fault that cannot exist +$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has + three fault modes ${3 \choose 2} = 3$. +Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. +The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified +by listing all the required combinations: + + + +$$ \mathcal{P}_{2}(fm(FG)) = \{ + \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} + \} +$$ + +And % by inspection +$$ +| +\{ + \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} +\} +| = 11 +$$ + + +\pagebreak[1] +\subsubsection{Establishing Formulae for unitary state failure mode \\ +cardinality calculation} + +The cardinality constrained powerset in equation \ref{eqn:ccps}, can be modified for % corrected for +unitary state failure modes. +This is written as a general formula in equation \ref{eqn:correctedccps}. + +%\indent{ +To define terms : +\begin{itemize} +\item Let $C$ be a set of components (indexed by $j \in J$) +that are members of the functional group $FG$ +i.e. $ \forall j \in J | C_j \in FG $ +\item Let $|fm({C}_{j})|$ +indicate the number of mutually exclusive fault modes of component $C_j$. +\item Let $fm(FG)$ be the collection of all failure modes +from all the components in the functional group. +\item Let $SU$ be the set of failure modes from the {\fg} where all $FG$ is such that +components $C_j$ are in +`unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $ +\end{itemize} +%} + +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} + - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} + \label{eqn:correctedccps} +\end{equation} + +Expanding the combination in equation \ref{eqn:correctedccps} + + +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + \label{eqn:correctedccps2} +\end{equation} + +\paragraph{Use of Equation \ref{eqn:correctedccps2} } +Equation \ref{eqn:correctedccps2} is useful for an automated tool that +would verify that a single or double simultaneous failures model has complete failure mode coverage. +By knowing how many test cases should be covered, and checking the cardinality +associated with the test cases, complete coverage would be verified. + +\paragraph{N Venn disallowed combinations} +The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs +of failure modes within components, but also ensuring that combinations across components +do not involve any pairs of failure modes within the same component. +A recursive algorithm and proof is described in appendix \ref{chap:vennccps}. + +%%\paragraph{Practicality} +%%Functional Group may consist, typically of four or five components, which typically +%%have two or three failure modes each. Taking a worst case of mutiplying these +%%by a factor of five (the number of failure modes and components) would give +%%$25 \times 15 = 375$ +%% +%% +%% +%%\begin{verbatim} +%% +%%# define a factorial function +%%# gives 1 for negative values as well +%%define f(x) { +%% if (x>1) { +%% return (x * f (x-1)) +%% } +%% return (1) +%% +%%} +%%define u1(c,x) { +%% return f(c*x)/(f(1)*f(c*x-1)) +%%} +%%define u2(c,x) { +%% return f(c*x)/(f(2)*f(c*x-2)) +%%} +%% +%%define uc(c,x) { +%% return c * f(x)/(f(2)*f(x-2)) +%%} +%% +%%# where c is number of components, and x is number of failure modes +%%# define function u to calculate combinations to check for double sim failure modes +%%define u(c,x) { +%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2)) +%%} +%% +%% +%%\end{verbatim} +%% + +\pagebreak[1] +\section{Component Failure Modes \\ and Statistical Sample Space} +%\paragraph{NOT WRITTEN YET PLEASE IGNORE} +A sample space is defined as the set of all possible outcomes. +For a component in FMMD analysis, this set of all possible outcomes is its normal correct +operating state and all its failure modes. +When dealing with failure modes, we are not interested in +the state where the component is working perfectly or `OK' (i.e. operating with no error). +We are interested only in ways in which it can fail. +By definition while all components in a system are `working perfectly' +that system will not exhibit faulty behaviour. +Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is +%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ +$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} $$ +The failure mode set $F$ for a given component or derived~component $C$ +is therefore +$$ F = \Omega(C) \backslash \{OK\} $$ + +The $OK$ statistical case is the largest in probability, and is therefore +of interest when analysing systems from a statistical perspective. +This is of interest for the application of conditional probability calculations +such as Bayes theorem \cite{probstat}. + + +%%- +%%- Need a complete and more complicated UML diagram here +%%- the other parts were just fragments to illustrate points +%%- +%%- + + +\vspace{40pt}