edits in the morning

fmmdset/fmmdset.tex

@@ -129,10 +129,11 @@ at a higher abstraction level.
 
 \subsubsection{An algebraic notation for identifying FMMD enitities}
 Each component $C$ is a set of failure modes for the component.
-We can define a function $\mathcal FM$ that returns the 
+We can define a function $FM$ that returns the 
 set of failure modes $S$ for the component.
 
-$$ \mathcal{FM}(C) \rightarrow S $$
+%$$ \mathcal{FM}(C) \rightarrow S $$
+$$ {FM}(C) \rightarrow S $$
 
 We can indicate the abstraction level of a component by using a superscript.
 Thus for the component $C$, where it is a `base component' we can asign it
@@ -182,11 +183,11 @@ $$ \bowtie( FG^0_1 ) = C^1_1 $$
 
 to look at this analysis process in more detail.
 
-By way of exqample applying $\mathcal{FM}$ to obtain the failure modes $f_N$ 
+By way of exqample applying ${FM}$ to obtain the failure modes $f_N$ 
 
 
- $$ \mathcal{FM}(C^0_1) = \{ f_1, f_2 \}  $$  
+ $$ {FM}(C^0_1) = \{ f_1, f_2 \}  $$  
- $$ \mathcal{FM}(C^0_2) = \{ f_3, f_4, f_5 \}  $$  
+ $$ {FM}(C^0_2) = \{ f_3, f_4, f_5 \}  $$  
 
 
 The analyst now considers failure modes $f_{1..5}$ in the context of the functional group.
@@ -196,7 +197,7 @@ We can now create a derived component $C^1_1$ with this set of failure modes.
 
 Thus:
 
-$$ \mathcal{FM}(C^1_1) =  \{ f_6, f_7, f_8 \} $$
+$$ {FM}(C^1_1) =  \{ f_6, f_7, f_8 \} $$
 
 
 We can represent this analysis process in a diagram see figure \ref{fig:onestage}
@@ -452,8 +453,36 @@ simply be given a different index number and re-used.
 
 \subsection{ Multi Channel Safety Critical Systems }
 
-Where a system has several independent parallel tasks, each one can be a separate hierarchy.
+It is common in safety critical systems to use redundancy.
+Two or sometimes three control systems will be assigned to the same process.
+An arbittraion system, the arbiter, will decide which channel may control
+the equipment.
+Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.
 
+The FMMD trees for the channels can converge 
+up to a top hierarchy representing the arbiter (which is the sub-system that decides which control channels are valid).
+This is commponly referred to as a multi-channel safety critical system.
+Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two).
+The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD)
+can detect and switch control within on processor instruction. Should a hardware error
+be detected,\footnote{or in a test plant environment more likely someone coming along and `borrowing' a cpu board from
+your working exchange} the processor will side to the redundant side without breaking any telephone calls
+or any being set up. An alarm will be raised to inform that this has happened, but the impact to
+the 1oo2 system, is a one micro-processor instruction delay to the entire process.
+
+The premise here is that the arbiter should be able to determine which
+of the two control channels is faulty and use the data/allow control from the non-faulty one.
+1oo3 systems are common in highly critical systems.
+
+\paragraph{Fault mode mode of interfaces}
+An advantage with FMMD in this case is that the interface between the channels and the 
+safety arbiter is not only defined functionally but as a failure model as well.
+Thus failures in the interfacing between the safety arbiter and the 
+each channel is modelled.
+
+\paragraph{re-use of FMMD analysis}
+Note that we can reuse the results from analysing one channel to model them all.
+Identical channels will have the same high level failure modes.
 % \small
 % \bibliography{vmgbibliography,mybib}
 % \normalsize

logic_diagram/logic_diagram.tex

@@ -501,9 +501,9 @@ It has three SMG's Q,R and P. Thus there are three ways in which this functional
 \vspace{0.3cm}
  \begin{tabular}{||c|c|l||} \hline \hline
    {\em $SMG$ }  & {\em Failure Mode equation } &  {\em comments  }      \\ \hline
-       Q         &  $(a)$           &    T     \\ \hline
+       Q         &  $(a)$           &    Symptom Q is active when fault mode `a` is     \\ \hline
-       P         &  $(b \oplus c)$    &    T     \\ \hline
+       P         &  $(b \wedge c)$    &  Symptom P is active when `$b \wedge a$' is     \\ \hline
-       R         &  $(b \wedge c)$  &    F     \\ \hline
+       R         &  $(b \oplus c)$  &    Symptom R is active when either `b' or `c' is     \\ \hline
       % T         &  T  &    T     \\ \hline \hline
  \end{tabular}
 \vspace{0.3cm}
@@ -831,8 +831,7 @@ volcanic ash intake, affecting all engines.
 Obviously the symptom of this multiple failure would be loss of propulsion and more importantly
 the loss of ability to maintain altitude.
 % and maybe even the APU !
-The test case AFE provides the system modeller to introduce this
+The test case AFE represents the condition where all four engines have failed.
-possibility into the design.
 \begin{figure}[h]
  \centering
  \includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg}