.

fmmdset/fmmdset.tex

@@ -29,8 +29,8 @@ EN298, EN61508, EN12067, EN230, UL1998.
 The purpose of the FMMD methodology is to apply formal techniques to
 the assessment of safety critical designs, aiding in identifying detected and undetected faults
 \footnote{Undetectable faults 
-are faults which may occur but are not self~detected, or are impossible to detect by the system}.
-Formal methods are just begining to be specified in some safety standards.\footnote{Formal methods 
+are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
+Formal methods are just beginning to be specified in some safety standards.\footnote{Formal methods 
 such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but
 apply only to software currently.} However, some standards are now implying the handling of
 simultaneous faults which complicates the scenario based approvals that are 
@@ -126,7 +126,7 @@ at a higher abstraction level.
 Reference the symptom abstraction paper here
 }
 {
-This analysis and symptom collection process is described in detail in the Symptom extraction chapter\ref{symptomex}.
+This analysis and symptom collection process is described in detail in the Symptom extraction (see chapter \ref{symptomex}).
 }
 
 
@@ -162,7 +162,7 @@ $$  FM ( C ) = F $$
 %$$ {FM}(C) \rightarrow S $$
 
 We can indicate the abstraction level of a component by using a superscript.
-Thus for the component $C$, where it is a `base component' we can asign it
+Thus for the component $C$, where it is a `base component' we can assign it
 the abstraction level zero thus $C^0$. Should we wish to index the components
 (for example as in a product parts~list) we can use a sub-script.
 Our base component (if first in the parts~list) could now be uniquely identified as
@@ -195,7 +195,7 @@ it was derived from.
 \subsubsection{FMMD Hierarchy}
 
 By applying stages of analysis to higher and higher abstraction
-levels we can converge to a complete failure mode model of the system under analysis.
+levels, we can converge to a complete failure mode model of the system under analysis.
 
 An example of a simple system will illustrate this.
 
@@ -311,8 +311,9 @@ create a functional group from components at different levels of failure mode ab
 \subsection{ Proof of number of component~failure \\ modes preserved in hierarchy build}
 
 Here we need to prove that if there is an abstract fault, then as it goes higher in the tree, it can only collect MORE not less
-actual part~failure modes. This is obvious but needs a proof.
-Also this means that we may need dummy modules so as not to violate jumping up the tree structure
+actual {\bc} failure modes. 
+%% This is obvious but needs a proof.
+%% Also this means that we may need dummy modules so as not to violate jumping up the tree structure
 
 %Complete coverage for all derived hierarch levels can be generalised thus:
 
@@ -465,14 +466,14 @@ Suppose that we were handed one of these `dual milli-volt' sensors and told that
 fault and asked to trouble shoot and hopefully fix it.
 The natural process would be to work from the top down.
 First of all we would look at perhaps a circuit schematic.
-We might, not beliving the operator that the equipment is actually faulty, feed in a known and valid milli-volt signal into the input.
+We might, not believing the operator that the equipment is actually faulty, feed in a known and valid milli-volt signal into the input.
 On verifying it was actually faulty,
 we could then find the ADC port pins used to make the reading, and measure a voltage on them.
 We would find that the voltage was indeed out of range and our attention would turn to
 the circuitry between the input milli-volt signal and the ADC/Microcontroller.
 On examining this we would probably measure the in circuit resistances
 and discover the faulty resistor.
-With the natural fault finding process, we have narrowed down until we come to
+With the natural fault finding process, we have narrowed down until we came to
 the faulty component. FMMD analysis works from the bottom~up, and this is
 because it must cover all component failure modes.
 %%
@@ -484,7 +485,7 @@ because it must cover all component failure modes.
 
 \subsection{ Production Quality Control }
 
-Having a fault causation tree, could be used for PCB board fault finding (from the fault codes that are reported
+Having a fault causation tree could be used for PCB board fault finding (from the fault codes that are reported
 by the equipment). This could be used in conjunction with a database to provide 
 Production oriented FMEA\footnote{The term FMEA applied to production\cite{bfmea}, is a statistical process of 
 determining the probability of the fault occurring and multiplying that by the costs incurred from the fault. 
@@ -498,8 +499,8 @@ they can be sold, and this usually is a legal or contractural requirement, backe
 and and an approval process.
 
 They are usually a clamp arrangement where the PCB under test is placed.
-Precesion and calibrated test signals are then applied to the board under test. For PCBs containing 
-microprocessor, custom test~rig software may be run on them to exersize
+Precision and calibrated test signals are then applied to the board under test. For PCBs containing 
+microprocessor, custom test~rig software may be run on them to exercise
 active sections of the PCB (for instance to drive outputs, relays etc).
 
 The main purpose of a test rig is to prevent fault equipment from being shipped.
@@ -508,7 +509,7 @@ or missing parts). These boards can be mended and re-submitted to the test rig.
 
 It is often a problem, when a unit fails in a test rig, to quickly determine why it has failed.
 
-Having a fault causation tree, would be useful for identifying which parts may be missing, not soldered down
+Having a fault causation tree would be useful for identifying which parts may be missing, not soldered down
 or simply incorrect. The test rig armed with the fault analysis tree could point to parts or combinations of parts that could be checked
 to correct the product.
 
@@ -522,13 +523,13 @@ simply be given a different index number and re-used.
 
 It is common in safety critical systems to use redundancy.
 Two or sometimes three control systems will be assigned to the same process.
-An arbittraion system, the arbiter, will decide which channel may control
+An arbittration system, the arbiter, will decide which channel may control
 the equipment.
 Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.
 
 The FMMD trees for the channels can converge 
 up to a top hierarchy representing the arbiter (which is the sub-system that decides which control channels are valid).
-This is commponly referred to as a multi-channel safety critical system.
+This is commonly referred to as a multi-channel safety critical system.
 Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two).
 The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD)
 can detect and switch control within on processor instruction. Should a hardware error
@@ -541,7 +542,7 @@ The premise here is that the arbiter should be able to determine which
 of the two control channels is faulty and use the data/allow control from the non-faulty one.
 1oo3 systems are common in highly critical systems.
 
-\paragraph{Fault mode mode of interfaces}
+\paragraph{Fault mode of interfaces}
 An advantage with FMMD in this case is that the interface between the channels and the 
 safety arbiter is not only defined functionally but as a failure model as well.
 Thus failures in the interfacing between the safety arbiter and the 

symptom_ex_process/paper.tex

@@ -10,7 +10,7 @@
 \newboolean{paper}
 \setboolean{paper}{true} % boolvar=true or false
 
-%\input{../style}
+\input{../style}
 
 %\newtheorem{definition}{Definition:}