OK just about to put the noninvopamp in

fmmd_concept/System_safety_2011/submission.tex

@@ -105,7 +105,6 @@ and there is no facility to cross check between diagrams. It has limited
 support for environmental and operational states.
 
 
-<<<<<<< HEAD
 \paragraph{Fault Mode Effects Analysis FMEA)} is used principally in manufacturing. 
 Each top level failure is assessed by its cost to repair and its frequency,%, using a 
 %failure mode ratio. 
@@ -114,7 +113,12 @@ It is easy to identify single component failure to system failure scenarios
 and an estimate of product reliability can be calculated. 
 %
 It cannot focus on 
-=======
+component interactions that cause system failure modes or determine potential 
+problems from simultaneous failure modes. It does not consider environmental 
+or operational states in sub-systems or components. It cannot model 
+self-checking safety elements or other in-built safety features or 
+analyse how particular components may fail.
+
 \subsection{Fault Mode Effects Analysis FMEA)}
 FMEA is used principally in manufacturing. 
 Each defect is assessed by its cost to repair and its frequency. %, using a 
@@ -152,9 +156,9 @@ the safety integrity standards IOC5108 and EN61508~\cite{en61508}.
 level failure modes~\cite{faa}[Ch.9]. Since one FTA tree is drawn for each top level
 event, this leads to repeated work, with limited ability for cross checking/model validation.
 
-\subsection{Bottom-up approach: FMEA, FMECA, FMEDA}
+%\subsection{Bottom-up approach: }
 
-\paragraph{State Explosion problem}
+\paragraph{State Explosion problem for FMEA, FMECA, FMEDA.}
 The bottom -up techniques all suffer from a problem of state explosion.
 To perform the analysis rigorously, we would need to consider the effect
 of a component failure against all other components. Adding environmental
@@ -236,13 +240,12 @@ for its results, such as  error causation trees.%, reliability and safety statis
 %\end{itemize}
 }
 
-% A new methodology must ensure that it represents all component failure modes and it therefore should be bottom-up, 
-% starting with individual component failure modes. 
+
 % 
-% In order to control the state explosion problem, the process must be modular
-% and deal with small groups of components. The design process follows this 
-% rationale, sub-systems are build to perform often basic functions from base components.
-% We can term these small groups {\fgs}.
+
+% The design process follows this 
+%rationale, sub-systems are build t%o perform often basic functions from base components.
+%We can term these small groups {\fgs}.
 % 
 % Components should be collected
 % into small functional groups to enable the examination of the effect of a
@@ -261,7 +264,8 @@ for its results, such as  error causation trees.%, reliability and safety statis
 %Development of the new methodology 
 % 
 % \section{An ontology of failure modes}
-% 
+% In order to address the state explosion problem, the process must be modular
+%and deal with small groups of components at a time. This approach should address the state explosion problem : criteria 1.
 % An ontology is now developed of  
 % failure modes and their relationship to environmental factors, 
 % applied/operational states and the hierarchical nature inherent in product design, 
@@ -304,22 +308,43 @@ for its results, such as  error causation trees.%, reliability and safety statis
 
 \section{The proposed Methodology}
 \label{fmmdproc}
-The proposed methodology is a bottom-up process
+Any new static failure mode methodology must ensure that it 
+represents all component failure modes and it therefore should be bottom-up, 
+starting with individual component failure modes.
+This seems essential to satisfy criteria 2.
+The proposed methodology is therefore a bottom-up process
 starting with base~components.
-These are collected into functional groups
+%
+Because we are only modelling failure modes, which could arise from
+mechanical, electronic or software components,
+criteria 3 is satisfied.
+%
+In order to address the state explosion problem, the process must be modular
+and deal with small groups of components at a time. This approach should address the state explosion problem : criteria 1.
+In the proposed methodology components are collected into functional groups
 and each component failure mode (and optionally combinations) are considered in the 
-context of the {\fg}. These are termed `test~cases'. For each test~case
-there will be a corresponding failure mode, from the perspective of the {\fg}.
+context of the {\fg}.
+%
+The component failure modes (and optional combinations) are termed `test~cases'. For each test~case
+there will be a corresponding resultant failure, from the perspective of the {\fg}.
+% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
 A symptom collection stage is then applied. Here common symptoms are collected
-from the results of the test~cases.Diagram1
+from the results of the test~cases. Because optional combinations of failures are possible,
+multiple failures can be modelled, satisfying criteria 6.
+%
 With a collection of the {\fg} failure symptoms, we can now create a {\dc}.
 The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
-
+This satisfies criteria 3, as we can now treat {\dcs} as ready analysed
+modules to re-use.
+ 
 By using {\dcs} in higher level functional groups, a hierarchy can be built representing
-the failure mode behaviour of a SYSTEM.
+the failure mode behaviour of a SYSTEM. Because the hierarchy maintains information 
+linking the symptoms to test~cases to component failure modes, we have traceable
+reasoning connections from base component failures to top level failures.
+The traceability should satisfy criteria 5.
 
  
-\subsection{Environmental Conditions, Operational States}
+\paragraph{Environmental Conditions, Operational States.}
 
 Any real world sub-system will exist in a variable environment
 and may have several modes of operation.
@@ -336,8 +361,8 @@ to {\fgs}, components, or {\dcs}.
 \paragraph {Environmental Conditions.}
 
 Environmental conditions are external to the
-{\fg} and are often things over which the system has no direct control.
-Consider ambient temperature, pressure or even electrical interference levels.
+{\fg} and are often things over which the system has no direct control
+( e.g. ambient temperature, pressure or  electrical interference levels).
 %
 Environmental conditions may affect different components in a {\fg}
 in different ways.
@@ -364,40 +389,9 @@ normal operation, graceful degradation or lockout.
 Alternatively they could be self~checking sub-systems that are either in a normal, alarm/lockout or self~check state.
 
 Operational states are conditions that apply to some functional groups, not individual components.
-%% Andrew says that that does no make sense But I think it does
-%
-%\paragraph{Design Decision.}
-%Operational state  will be applied to {\fg}s.
-%
-%\paragraph{UML Model of FMMD Analysis}
-%
-% The UML diagram in figure \ref{fig:env_op_uml}, shows the data
-% relationships between {\fgs} and operational states, and component
-% failure modes and environmental factors.
 
 
-% \begin{figure}[h]
-%  \centering
-%  \includegraphics[width=200pt,bb=0 0 818 249,keepaspectratio=true]{./fmmd_env_op_uml.png}
-%  % fmmd_env_op_uml.jpg: 818x249 pixel, 72dpi, 28.86x8.78 cm, bb=0 0 818 249
-%  \caption{UML model of Environmental and Operational states w.r.t FMMD}
-%  \label{fig:env_op_uml}
-% \end{figure}
-
-% 
-% \begin{figure}[h]
-%  \centering
-%  \includegraphics[width=200pt]{./fmmd_env_op_uml.png}
-%  % fmmd_env_op_uml.png: 816x246 pixel, 72dpi, 28.79x8.68 cm, bb=0 0 816 246
-%  \caption{UML model of failure mode ontology}
-%  \label{fig:env_op_uml}
-% \end{figure}
-
-%This is because environmental \def\layersep{2.5cm}conditions will apply SYSTEM wide,
-%but may only affect specific components.
-
-%DEVELOP UML MODELS
-
+\section{Worked example: Non Inverting Operational Amplifier}
 
 \subsection{FMMD analysis Example: A Voltage/Potential Divider}
 \begin{figure}