%%%% FORMAL DEFINITIONS %%%% THESE MIGHT BE MOVED TO AN APPENDIX \chapter{Formal Definitions} \label{sec:formalfmmd} \section{An algebraic notation for identifying FMMD entities} Consider all `components' to exist as members of a set $\mathcal{C}$. Each component $c$ has an associated set of failure modes. We can define a function $fm$ that returns the set of failure modes $F$ of a component $c$. Let the set of all possible components be $\mathcal{C}$ and let the set of all possible failure modes be $\mathcal{F}$. We now define the function $fm$ as \begin{equation} \label{eqn:fm} fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. \end{equation} Applied to a component $c$ whose set of failure modes is $F$, this gives $ fm ( c ) = F. $ We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection of components, so we can state that {\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ We can overload the $fm$ function for a functional group {\FG} so that it returns all the failure modes of the components in {\FG}, given by $$ fm ({\FG}) = \bigcup_{c \in \FG} fm(c) = F. $$ Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, \begin{equation} fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. \end{equation} \section{Relationships between functional~groups and failure modes} Let the set of all possible components be $\mathcal{C}$, let the set of all possible failure modes be $\mathcal{F}$, and let $\mathcal{PF}$ be the power-set of $\mathcal{F}$. In order to analyse failure mode effects we need to be able to determine the failure modes of a component. We define a function $fm$ to perform this (see equation~\ref{eqn:fmset}).
\label{fmdef} \begin{equation} fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F} \label{eqn:fmset} \end{equation} \paragraph{Finding all failure modes within the functional group.} For FMMD failure mode analysis we need to consider the failure modes from all the components in a functional~group. In a functional group we have a collection of components, each with an associated failure mode set. We need to collect the failure mode sets from the components and place all their modes into a single set; this can be termed flattening the set of sets. The flat set of failure modes $FSF$ we are after can be found by applying the function $fm$ to all the components in the functional~group and taking the union of the results: $$ FSF = \bigcup_{c \in FG} fm(c) \; .$$ We can therefore overload the notation for the function $fm$ and define it for a functional group $FG$, i.e. a set of components with $FG \subseteq \mathcal{C}$, as in equation \ref{eqn:fmoverload}, where $\mathcal{FG}$ is the set of all functional groups. Note that, as for a single component, the result is a set of failure modes and so a member of $\mathcal{PF}$. \begin{equation} fm : \mathcal{FG} \rightarrow \mathcal{PF} \label{eqn:fmoverload} \end{equation} \section{Unitary State Component Failure Mode sets} \label{sec:unitarystate} \paragraph{Design Decision/Constraint} An important factor in defining a set of failure modes is that they should represent the failure modes as simply and minimally as possible. It should not be possible, for instance, for a component to have two or more failure modes active at once. Were this to be the case, we would have to consider additional combinations of failure modes within the component.
Having a set of $N$ failure modes that could all be active simultaneously would mean having to consider not $N$ but $2^N-1$ non-empty failure mode combinations. Should a component be analysed and simultaneous failure mode cases exist, the combinations could be represented by new failure modes, or the component should be considered from a fresh perspective, perhaps considering it as several smaller components within one package. This property, failure modes being mutually exclusive, is termed `unitary state failure modes' in this study. This corresponds to the `mutually exclusive' definition in probability theory~\cite{probstat}. \begin{definition} A set of failure modes where only one failure mode can be active at one time is termed a {\textbf{unitary~state}} failure mode set. \end{definition} Let the set of all possible components be $ \mathcal{C}$ and let the set of all possible failure modes be $ \mathcal{F}$. The set of failure modes of a particular component is of interest here. What is required is to define a property for a set of failure modes where only one failure mode can be active at a time; or, borrowing from the terms of statistics, each failure mode being an event that is mutually exclusive with every other member of the set $F$. We can define a set of failure mode sets called $\mathcal{U}$ to represent this property. \begin{definition} We define $\mathcal{U}$ to be the set of all sets of failure modes whose members are unitary~state. Thus if the failure mode set $F$ of a component is unitary~state, we can say $F \in \mathcal{U}$. \end{definition} \section{Component failure modes: Unitary State example} An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. Electrical resistors can fail by going OPEN or SHORTED. For a given resistor R we can apply the function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with the conditions open and short active at the same time; that would be physically impossible. The conditions OPEN and SHORT are thus mutually exclusive. Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. Treating the failure modes as events, both cannot occur together, so their intersection is the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $, and therefore $ fm(R) \in \mathcal{U} $. We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection of component failure modes. We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns whether a fault mode is active (true) or dormant (false). We can say that if any pair of distinct fault modes can be active at the same time, then the failure mode set is not unitary state: we state this formally \begin{equation} \exists f_1,f_2 \in F \cdot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} \end{equation} That is to say, for the failure mode set $F$ to belong to the family of sets $\mathcal{U}$, it must be impossible for any pair of its failure modes to be active at the same time. Note that where there are more than two failure~modes, by banning any pair from being active at the same time we have banned all larger combinations as well, since every larger combination contains such a pair. \subsection{Design Rule: Unitary State} All components must have unitary state failure modes to be used with the FMMD methodology, and for base~components this is usually the case. Most simple components fail in one clearly defined way and generally stay in that state.
However, where a complex component is used, for instance a microcontroller with several modules that could all fail simultaneously, a process of reduction into smaller theoretical components will have to be made. We can term this `heuristic~de-composition'. A modern micro-controller will typically have several modules, which are configured to operate on pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital inputs and outputs, PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. For instance the voltage reading functions, which consist of an ADC multiplexer and an ADC, can be considered to be components inside the micro-controller package. The micro-controller thus becomes a collection of smaller components that can be analysed separately~\footnote{It is common for the signal paths in a safety critical product to be traced, and when entering a complex component like a micro-controller, the process of heuristic de-composition is then applied to it.}. \paragraph{Reason for Constraint.} Were this constraint not applied, a component with $N$ failure modes would not contribute $N$ failure modes to consider but potentially $2^N-1$, one for every non-empty combination. This would make the job of analysing the failure modes in a {\fg} impractical due to the sheer size of the task. \section{Handling Simultaneous Component Faults} For some integrity levels of static analysis, there is a need to consider not only single failure modes in isolation, but cases where more than one failure mode may occur simultaneously. Note that the `unitary state' conditions apply to failure modes within a component. This does not preclude the possibility of two or more components failing simultaneously.
% %The scenarios presented deal with possibility of two or more components failing simultaneously. % It is an implied requirement of EN298~\cite{en298} for instance to consider double simultaneous faults\footnote{Under the conditions of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already. However, from the perspective of static failure mode analysis, this amounts to dealing with double simultaneous failure modes.}. % To generalise, we may need to consider $N$ simultaneous failure modes when analysing a functional group. % This involves finding all combinations of failures modes of size $N$ and less. %The Powerset concept from Set theory is useful to model this. % The power-set, when applied to a set S is the set of all subsets of S, including the empty set \footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there is no fault active in the functional~group under analysis.} and S itself. % We augment the power-set concept here to deal with counting the number of combinations of failures to consider, under the conditions of simultaneous failures. % In order to consider combinations for the set S where the number of elements in each subset of S is $N$ or less, a concept of the `cardinality constrained power-set' is proposed and described in the next section. %\pagebreak[1] \section{Cardinality Constrained Power-set } \label{ccp} A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold are not included. This threshold is called the cardinality constraint. To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. Consider the set $S = \{a,b,c\}$. The power-set of S: $$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$ $\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is less than or equal to 2. 
$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$ Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is: $$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} . $$ \paragraph{Calculating the number of elements in a cardinality constrained power-set} A $k$-combination is a subset with $k$ elements. The number of $k$-combinations (each of size $k$) from a set $S$ with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}. \begin{equation} C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} . \label{bico} \end{equation} To find the number of elements in a cardinality constrained power-set of $S$ with up to $cc$ elements in each combination sub-set, we sum the numbers of $k$-combinations for $k$ from $1$ to $cc$, thus \begin{equation} |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} {|S| \choose k} = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} . \label{eqn:ccps} \end{equation} \subsection{Actual Number of combinations to check with Unitary State Fault mode sets} If all of the fault modes in $S$ were independent, the cardinality constrained power-set calculation (in equation \ref{eqn:ccps}) would give the correct number of test case combinations to check. Because sets of failure modes in FMMD analysis are constrained to be unitary state, the actual number of test cases to check will usually be less than this. This is because combinations of faults within a component's failure mode set are impossible under the conditions of unitary state failure modes. To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract every combination that contains two or more failure modes of the same component. For a cardinality constraint of 2 these are exactly the `internal combinations' of each component in the functional group under analysis, ${|fm(C_j)| \choose 2}$ for a component $C_j$. For higher cardinality constraints the internal combinations of every size from 2 up to the cardinality constraint are excluded, and so is any mixed combination across components that contains one of those internal pairs.
For example, with a cardinality constraint of 3, we would need to subtract both ${n \choose 2}$ and ${n \choose 3}$ for each component (with $n$ failure modes) in the functional~group, together with any three-mode combination across components that contains one of those internal pairs. \subsubsection{Example: Two Component functional group cardinality Constraint of 2} For example: suppose we have a simple functional group with two components R and T, of which $$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$ This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$. For a cardinality constrained powerset of 2, because there are 5 failure modes ( $|fm(FG)|=5$), applying equation \ref{eqn:ccps} gives :- $$ | \mathcal{P}_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 5 + 10 = 15.$$ This is composed of ${5 \choose 1}$ five single fault modes, and ${5 \choose 2}$ ten double fault modes. However we know that the faults are mutually exclusive within a component. We must then subtract the number of `internal' component fault combinations for each component in the functional~group. For component R there is only one internal component fault combination that cannot exist, $R_o \wedge R_s$; as a combination ${2 \choose 2} = 1$. For the component $T$, which has three fault modes, ${3 \choose 2} = 3$. Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. The number of combinations to check is thus $15 - 4 = 11$, i.e. $|\mathcal{P}_{2}(fm(FG))| = 11$ for this example, and this can be verified by listing all the required combinations: $$ \mathcal{P}_{2}(fm(FG)) = \{ \{R_o, T_o\}, \{R_o, T_s\}, \{R_o, T_h\}, \{R_s, T_o\}, \{R_s, T_s\}, \{R_s, T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} \} $$ whose cardinality is 11.
\pagebreak[1] \subsubsection{Establishing Formulae for unitary state failure mode cardinality calculation} The cardinality constrained power-set in equation \ref{eqn:ccps} can be corrected for unitary state failure modes. Let $C_j$ (indexed by $j \in J$) be the components of the functional group $FG$, let $|fm(C_j)|$ be the number of mutually exclusive failure modes of component $C_j$, and let $SU = fm(FG)$ be the set of all failure modes from all the components in the functional group, where every $fm(C_j) \in \mathcal{U}$. For a cardinality constraint of 2 the only excluded combinations are the internal pairs of each component, giving \begin{equation} |{\mathcal{P}_{2}SU}| = {\sum^{2}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - {\sum_{j \in J} {|fm({C_{j})}| \choose 2}} . \label{eqn:correctedccps} \end{equation} Expanding the combination in equation \ref{eqn:correctedccps} \begin{equation} |{\mathcal{P}_{2}SU}| = {\sum^{2}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - {{\sum_{j \in J} \frac{|fm({C_j})|!}{2!(|fm({C_j})| - 2)!}} } . \label{eqn:correctedccps2} \end{equation} For a general cardinality constraint $cc$, a valid combination of size $k$ consists of one failure mode from each of $k$ distinct components, so the number of combinations to check is the sum, for $k$ from $1$ to $cc$, of $\sum_{K \subseteq J, |K| = k} \prod_{j \in K} |fm(C_j)|$; for $cc = 2$ this agrees with equation \ref{eqn:correctedccps2}. \paragraph{Use of Equation \ref{eqn:correctedccps2} } Equation \ref{eqn:correctedccps2} is useful for an automated tool that would verify that a single or double simultaneous failures model has complete failure mode coverage. By knowing how many test cases should be covered, and checking the cardinality associated with the test cases, complete coverage would be verified.
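The following Python is an added worked example, not part of the original thesis. It enumerates the cardinality constrained power-set of a functional group's failure modes, filters it by the unitary state rule (no two modes of one component in the same combination), and compares the result with equation \ref{eqn:ccps}, with the pair-subtraction of equation \ref{eqn:correctedccps2}, and with the exact general count. The functional group $FG=\{R,T\}$ is the one from the text; the names `fm`, `cc_powerset`, `unitary_count` and the three-component group used in the test are this example's own constructions.

```python
from itertools import combinations
from math import comb

# Constructed functional group from the worked example in the text:
# fm(R) = {R_o, R_s} and fm(T) = {T_o, T_s, T_h}.  A failure mode is kept as a
# (component, mode) pair so that its owning component stays recoverable.
FG = {
    "R": ("o", "s"),
    "T": ("o", "s", "h"),
}

def fm(fg):
    """Flattened failure mode set of a functional group: the union of fm(c) over c in FG."""
    return {(c, m) for c, modes in fg.items() for m in modes}

def unitary_state(modes):
    """True when no two of the given failure modes belong to the same component,
    i.e. the combination respects the unitary state constraint."""
    owners = [c for c, _ in modes]
    return len(owners) == len(set(owners))

def cc_powerset(fg, cc, unitary=True):
    """Cardinality constrained power-set P_cc(fm(FG)): all non-empty subsets of size <= cc.
    With unitary=True, subsets containing two modes of one component are dropped."""
    modes = sorted(fm(fg))
    return [frozenset(combo)
            for k in range(1, cc + 1)
            for combo in combinations(modes, k)
            if not unitary or unitary_state(combo)]

def ccps_count(n, cc):
    """|P_cc S| for n independent modes: sum_{k=1}^{cc} C(n, k)  (equation eqn:ccps)."""
    return sum(comb(n, k) for k in range(1, cc + 1))

def corrected_count_cc2(fg):
    """Equation eqn:correctedccps for cc = 2: subtract C(|fm(C_j)|, 2) for each component C_j."""
    n = len(fm(fg))
    return ccps_count(n, 2) - sum(comb(len(modes), 2) for modes in fg.values())

def internal_only_subtraction(fg, cc):
    """The tempting generalisation that subtracts only each component's internal
    combinations C(|fm(C_j)|, k) for k = 2..cc.  Correct for cc = 2, an over-count for
    cc >= 3 because mixed combinations such as {R_o, R_s, T_o} are never removed."""
    n = len(fm(fg))
    internal = sum(comb(len(modes), k) for modes in fg.values() for k in range(2, cc + 1))
    return ccps_count(n, cc) - internal

def unitary_count(fg, cc):
    """Exact count of unitary-state combinations of size 1..cc: pick k distinct components
    and one mode from each.  The size-k count is the coefficient of x^k in
    prod_j (1 + |fm(C_j)| x), built here by polynomial multiplication."""
    poly = [1]
    for modes in fg.values():
        n = len(modes)
        grown = poly + [0]
        for i, coef in enumerate(poly):
            grown[i + 1] += coef * n
        poly = grown
    return sum(poly[1:cc + 1])

if __name__ == "__main__":
    for cc in (2, 3):
        print(f"cc={cc}: enumerated={len(cc_powerset(FG, cc))}, "
              f"exact={unitary_count(FG, cc)}, "
              f"internal-only={internal_only_subtraction(FG, cc)}")
```

For $FG=\{R,T\}$ with $cc=2$ all three routes agree on 11. With $cc=3$ the enumeration and `unitary_count` still give 11 (no valid triple exists with only two components), while subtracting only internal combinations gives 20, which is why equation \ref{eqn:correctedccps2} is stated for $cc = 2$.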
%\paragraph{Multiple simultaneous failure modes disallowed combinations} %The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs %of failure modes within components, but also ensuring that combinations across components %do not involve any pairs of failure modes within the same component. %%%%- NOT SURE ABOUT THAT !!!!! %%%- A recursive algorithm and proof is described in appendix \ref{chap:vennccps}. %%\paragraph{Practicality} %%Functional Group may consist, typically of four or five components, which typically %%have two or three failure modes each. Taking a worst case of mutiplying these %%by a factor of five (the number of failure modes and components) would give %%$25 \times 15 = 375$ %% %% %% %%\begin{verbatim} %% %%# define a factorial function %%# gives 1 for negative values as well %%define f(x) { %% if (x>1) { %% return (x * f (x-1)) %% } %% return (1) %% %%} %%define u1(c,x) { %% return f(c*x)/(f(1)*f(c*x-1)) %%} %%define u2(c,x) { %% return f(c*x)/(f(2)*f(c*x-2)) %%} %% %%define uc(c,x) { %% return c * f(x)/(f(2)*f(x-2)) %%} %% %%# where c is number of components, and x is number of failure modes %%# define function u to calculate combinations to check for double sim failure modes %%define u(c,x) { %%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2)) %%} %% %% %%\end{verbatim} %% \pagebreak[1] \section{Component Failure Modes and Statistical Sample Space} %\paragraph{NOT WRITTEN YET PLEASE IGNORE} A sample space is defined as the set of all possible outcomes. For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct') operating state and all its failure modes. We can consider failure modes as events in the sample space. % When dealing with failure modes, we are not interested in the state where the component is working correctly or `OK' (i.e. operating with no error). % We are interested only in ways in which it can fail. 
By definition, while all components in a system are `working~correctly', that system will not exhibit faulty behaviour. Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is $$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$ The failure mode set $F$ for a given component or derived~component $C$ is therefore $ fm(C) = \Omega(C) \backslash \{OK\} $ (or, expressed the other way round, $ \Omega(C) = fm(C) \cup \{OK\} $). The $OK$ case is (usually) the largest in probability, and is therefore of interest when analysing systems from a statistical perspective, for instance in the application of conditional probability calculations such as Bayes' theorem~\cite{probstat}. The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}. That is to say, a base component or a sub-system failure has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds to the probability that a given part failure mode will cause a given system level failure/event.}. Another way to view this is to consider the failure modes of a component, together with the $OK$ state, as a universal set $\Omega$ that is partitioned into disjoint subsets. Figure \ref{fig:partitioncfm} shows such a partition, representing the component failure modes $\{ B_1 ... B_8, OK \}$. Because the subsets of $\Omega$ are disjoint, no two of them can occur together, so these failure modes are unitary state; a partition that includes the $OK$ (or empty set) condition therefore always obeys the unitary state conditions.
\begin{figure}[h] \centering \includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png} \caption{Base Component Failure Modes with OK mode as partitioned set} \label{fig:partitioncfm} \end{figure} \section{Components with Independent failure modes} Suppose that we have a component that can fail simultaneously with more than one failure mode. This would make it seemingly impossible to model as `unitary state'. \paragraph{De-composition of complex component.} There are two ways in which we can deal with this. We could consider the component a composite of two simpler components, and model their interaction to create a derived component. \ifthenelse {\boolean{paper}} { This technique is outside the scope of this paper. } { } \begin{figure}[h] \centering \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png} \caption{Component with three failure modes as partitioned sets} \label{fig:combco} \end{figure} \paragraph{Combinations become new failure modes.} Alternatively, we could consider the combinations of the failure modes as new failure modes. We can model this using an Euler diagram representation of an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in the context of component failure modes.} $\{ B_1, B_2, B_3, OK \}$, see figure \ref{fig:combco}. For the purpose of example let us consider $\{ B_2, B_3 \}$ to be intrinsically mutually exclusive, but $B_1$ to be independent of both. This means that we have the possibility of two new combinations, $ B_1 \cap B_2$ and $ B_1 \cap B_3$ (but not $B_2 \cap B_3$, which is empty). We can represent these as shaded sections of figure \ref{fig:combco2}.
\begin{figure}[h] \centering \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png} \caption{Component with three failure modes where $B_1$ is independent} \label{fig:combco2} \end{figure} We can calculate the probabilities for the shaded areas, assuming the failure modes are statistically independent, by multiplying the probabilities of the members of the intersection. We can use the function $P$ to return the probability of a failure mode, or combination thereof. Thus $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$. \begin{figure}[h] \centering \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png} \caption{Component with two new failure modes} \label{fig:combco3} \end{figure} We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}). Because the combinations are now counted as failure modes in their own right, the probabilities for the failure modes $B_1, B_2$ and $B_3$ occurring alone will reduce. We can use the prime character ($\; \prime \;$) to represent the altered value for a failure mode, i.e. $B_1^\prime$ represents the altered value for $B_1$. Thus $$ P(B_1^\prime) = P(B_1) - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$ $$ P(B_2^\prime) = P(B_2) - P(B_1 \cap B_2) \; \textrm{and} $$ $$ P(B_3^\prime) = P(B_3) - P(B_1 \cap B_3) \; . $$ We now have two new component failure modes $B_4$ and $B_5$, shown in figure \ref{fig:combco3}. We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$. The five sets $B_1^\prime, B_2^\prime, B_3^\prime, B_4$ and $B_5$ are pairwise disjoint, so together with $OK$ they partition $\Omega(C)$ and the component's failure mode set is once again unitary state.
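As an added example (not part of the original thesis), the following Python carries out the refinement just described for one independent mode against any number of mutually exclusive modes, and then checks that the result is a consistent partition: every original marginal $P(B_i)$ is recovered by summing the pieces it was split into, no piece is negative, and the pieces sum to $P(B_1 \cup B_2 \cup B_3)$. The probabilities in `P_EXAMPLE`, the function names and the `B1&B2` naming of the new modes are this example's own constructions.

```python
from math import isclose

# Constructed example probabilities for the three failure modes of the text.
# B2 and B3 are intrinsically mutually exclusive; B1 is independent of both.
P_EXAMPLE = {"B1": 0.10, "B2": 0.20, "B3": 0.30}

def refine_modes(p, independent, exclusive):
    """Turn a component whose mode `independent` can coincide with any of the
    mutually exclusive modes in `exclusive` into a unitary state failure mode set.

    Returns the refined partition: the primed (reduced) originals plus one new mode per
    intersection, named "<independent>&<mode>".  Intersections get product probabilities
    because the modes are assumed statistically independent."""
    p_ind = p[independent]
    refined = {}
    overlap_total = 0.0
    for m in exclusive:
        inter = p_ind * p[m]                  # P(B_ind ∩ B_m) = P(B_ind) P(B_m)
        refined[f"{independent}&{m}"] = inter
        refined[f"{m}'"] = p[m] - inter       # P(B_m') = P(B_m) - P(B_ind ∩ B_m)
        overlap_total += inter
    # P(B_ind') = P(B_ind) - sum of the intersections it was split into
    refined[f"{independent}'"] = p_ind - overlap_total
    return refined

def is_consistent_partition(p, independent, exclusive, refined):
    """True when the refined modes are a partition consistent with the original marginals."""
    if any(v < 0 for v in refined.values()):
        return False
    # Each original marginal must be recoverable from the pieces it was split into.
    pieces_ind = refined[f"{independent}'"] + sum(refined[f"{independent}&{m}"] for m in exclusive)
    if not isclose(pieces_ind, p[independent]):
        return False
    for m in exclusive:
        if not isclose(refined[f"{m}'"] + refined[f"{independent}&{m}"], p[m]):
            return False
    # The partition must cover exactly the union of the original modes.  With the exclusive
    # modes disjoint and the independent mode independent of each of them:
    #   P(union) = P(ind) + sum P(m) - sum P(ind) P(m)
    p_union = (p[independent] + sum(p[m] for m in exclusive)
               - sum(p[independent] * p[m] for m in exclusive))
    return isclose(sum(refined.values()), p_union)

def p_ok(refined):
    """Probability of the OK state: the complement of all refined failure modes."""
    return 1.0 - sum(refined.values())

if __name__ == "__main__":
    r = refine_modes(P_EXAMPLE, "B1", ["B2", "B3"])
    for name, prob in sorted(r.items()):
        print(f"P({name}) = {prob:.4f}")
    print("consistent:", is_consistent_partition(P_EXAMPLE, "B1", ["B2", "B3"], r))
    print(f"P(OK) = {p_ok(r):.4f}")
```

With the constructed values, $B_1 \cap B_3$ (the text's $B_4$) gets $0.03$, $B_1 \cap B_2$ (the text's $B_5$) gets $0.02$, and the primed modes become $0.05$, $0.18$ and $0.27$; the five pieces sum to $0.55$, leaving $P(OK) = 0.45$.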