\ifthenelse {\boolean{paper}} { \abstract{ This chapter defines what is meant by the terms components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes. %The application of Bayes theorem in current methodologies, and %the suitability of the `null hypothesis' or `P' value statistical approach %are discussed. Data types and their relationships are described using UML. Mathematical constraints and definitions are made using set theory.} } \section{Introduction} This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method. When analysing a safety critical system using this technique, we need clearly defined failure modes for all the components that are used to model the system. These failure modes have a constraint such that the component failure modes must be mutually exclusive. When this constraint is complied with we can use the FMMD process to build hierarchical bottom-up models of failure mode behaviour. %This and the definition of a component are %described in this chapter. %When building a system from components, %we should be able to find all known failure modes for each component. %For most common electrical and mechanical components, the failure modes %for a given type of part can be obtained from standard literature\cite{mil1991} %\cite{mech}. %The failure modes for a given component $K$ form a set $F$. %% %% Paragraph component and its relationship to its failure modes %% \section{ Defining the term `Component' } \begin{figure}[h] \centering \includegraphics[width=300pt,bb=0 0 437 141,keepaspectratio=true]{component_failure_modes_definition/component.jpg} % component.jpg: 437x141 pixel, 72dpi, 15.42x4.97 cm, bb=0 0 437 141 \caption{A Component and its Failure Modes} \label{fig:component} \end{figure} Let us first define a component. This is anything we use to build a product or system with. This could be something quite complicated like an integrated microcontroller, or quite simple like the humble resistor. We can define a component by its name, a manufacturers part number and perhaps a vendors reference number. What these components all have in common is that they can fail, and fail in a number of well defined ways. For common components there is established literature for the failure modes for the system designer consider (often with accompanying statistical failure rates)\cite{mil1991}. For instance, a simple resistor is generally considered to fail in two ways, it can go open circuit or it can short. Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$. The UML diagram in figure \ref{fig:component} shows a component as a data structure with its associated failure modes. From this diagram we see that each component must have at least one failure mode. Also to clearly show that the failure modes are unique events associated with one component, each failure mode is referenced back to only one component. This modelling constraint is due to the fact that even generic components with the same failure mode types, may have different statistical MTTF properties within the same circuitry\footnote{For example, consider resistors one of high resistance and one low. The generic failure modes for a resistor will be the same for both. The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}. %% sharing failure modes arrrgghh so irrelevant %% wrong as well perhaps, as each component will have environmental constraints %% that determine its statistical behaviour. A 1 Meg ohm resistor %% is less stressed than a 100 ohm in the same circuit etc % Perhaps talk here about the failure modes being shared, but by being referenced % by the component ? A product naturally consists of many components and these are traditionally kept in a `parts list'. For safety critical product this is usually a formal document and is used by quality inspectors to ensure the correct parts are being fitted. For our UML diagram the parts list is simply a collection of components as shown in figure \ref{fig:componentpl}. \begin{figure}[h] \centering \includegraphics[width=400pt,bb=0 0 712 68,keepaspectratio=true]{component_failure_modes_definition/componentpl.jpg} % componentpl.jpg: 712x68 pixel, 72dpi, 25.12x2.40 cm, bb=0 0 712 68 \caption{Parts List of Components} \label{fig:componentpl} \end{figure} Components in the parts list (bought in parts) will be termed `base~comonents'. Components derived from base~components may not require parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts, software modules and some collections of components to have part numbers}, and will not require a vendor reference, but must be named. %% %% Paragraph using failure modes to build from bottom up %% \section{Fault Mode Analysis, top down or bottom up?} Traditional static fault analysis methods work from the top down. They identify faults that can occur in a system, and then work down to see how they could be caused. Some apply statistical tequniques to determine the likelihood of component failures causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse, can be applied to specific failure modes in components and the probability of them causing given system level errors. Another top down technique is to apply cost benifit analysis to determine which faults are the highest priority to fix\cite{FMEA}. The aim of FMMD analysis is to produce complete failure models of safety critical systems from the bottom-up, starting, where possible with known base~component failure~modes. An advantage of working from the bottom up is that we can ensure that all component failure modes must be considered. A top down approach could miss individual failure modes of components. In order to analyse from the bottom-up, we need to take small groups of components from the parts~list that naturally work together to perform a simple function. The components to include in a functional group are chosen by a human, the analyst. %We can represent the `Functional~Group' as a class. When we have a `Functional~Group' we can look at the components it contains, and from this determine the failure modes of all the components that belong to it. % % and determine a failure mode model for that group. The `Functional~Group' as used by the analyst is a collection of component failures modes. Each of these failure modes, and optionally combinations of them, are analsyed for their effect on the failure mode behaviour of the `Functional~Group'. % From this we can determine a new set of failure modes, the failure modes of the `Functional~Group'. % Or in other words we can determine how the `Functional~Group' can fail. We can now consider the functional group as a sort of super component with a known set of failure modes. \subsection{From functional group to newly derived component} The process for taking a functional~group, considering all the failure modes of all the components in the group, and analysing it is called `symptom abstraction' and is dealt with in detail in chapter \ref{symptom_abstraction}. In terms of our UML model the symptom abstraction process takes a functional~group, and creates a new derived component from it. %To do this it first creates %a new set of failure modes, representing the fault behaviour %of the functional group. This is a human process and to do this the analyst %must consider all the failure modes of the components in the functional %group. The newly created derived~component requires a set of failure modes of its own. These failure modes are the failure mode behaviour of the functional group that it was derived from. Because these new failure modes were determined from a derived component we can call these `derived~failure~modes'. %It then creates a new derived~component object, and associates it to this new set of derived~failure~modes. We thus have a `new' component, or system building block, but with a known and traceable fault behaviour. The UML representation shows a `functional group' having a one to one relationship with a derived~component. We can represent this using an UML diagram in figure \ref{fig:cfg}. Using the symbol $\bowtie$ to indicate the analysis process that takes a functional group and converts it into a new component. $$ \bowtie ( FG ) \mapsto DerivedComponent $$ \begin{figure}[h] \centering \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{component_failure_modes_definition/cfg.jpg} % cfg.jpg: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286 \caption{UML Meta model for FMMD hierarchy} \label{fig:cfg} \end{figure} \subsection{Keeping track of the derived \\ components position in the hierarchy} The UML meta model in figure \ref{fig:cfg}, shows the relationships between the classes and sub-classes. In use we will build a hierarchy of objects, with derived~components forming functional~groups, and creating derived components higher up in the structure. The level variable in each Component, indicates the position in the hierarchy. Base or parts~list components have a `level' of 0. % I do not know how to make this simpler Derived~components take a level based on the highest level component used to build the functional group it was derived from plus 1. So a derived component built from base level or parts list components would have a level of 1. %\clearpage % \section{Set Theory Description} % % $$ System \stackrel{has}{\longrightarrow} PartsList $$ % % $$ PartsList \stackrel{has}{\longrightarrow} Components $$ % % $$ Component \stackrel{has}{\longrightarrow} FailureModes $$ % % $$ FunctionalGroup \stackrel{has}{\longrightarrow} Components $$ % % Using the symbol $\bowtie$ to indicate an analysis process that takes a % functional group and converts it into a new component. % % $$ \bowtie ( FG ) \mapsto DerivedComponent $$ % \section{Unitary State Component Failure Mode sets} \paragraph{Design Descision/Constraint} An important factor in defining a set of failure modes is that they should be as clearly defined as possible. It should not be possible for instance for a component to have two or more failure modes active at once. Having a set of failure modes where $N$ modes could be active simultaneously would mean having to consider an additional $2^N-1$ failure mode scenarios. Should a component be analysed and simultaneous failure mode cases exit, the combinations could be represented by new failure modes, or the component should be considered from a fresh perspective, perhaps considering it as several smaller components within one package. \begin{definition} A set of failure modes where only one fault mode can be active at a time is termed a `unitary~state' failure mode set. %This is termed the $U$ set thoughout this study. This corresponds to the `mutually exclusive' definition in probability theory\cite{probandstat}. \end{definition} Let the set of all possible tomponents to be $\mathcal{C}$ and let the set of all possible failure modes be $\mathcal{F}$. We can define a function $FM$ \begin{equation} FM : \mathcal{C} \mapsto \mathcal{F} \end{equation} defined by $$ FM ( C ) = F $$ i.e. take a given component $C$ and return its set of failure modes $F$. \begin{definition} We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where the component failure modes in each of its members are unitary~state. Thus if the failure modes of $F$ are unitary~state, we can say $F \in \mathcal{U}$. \end{definition} \section{Component failure modes:\\ Unitary State example} An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. Electrical resistors can fail by going OPEN or SHORTED. For a given resistor R we can apply the the function $FM$ to find its set of failure modes thus $ FM(R) = \{R_{SHORTED},R_{OPEN}\} $. A resistor cannot fail with both conditions open and short active at the same time ! The conditions OPEN and SHORT are thus mutually exclusive. Because of this the failure mode set $F=FM(R)$ is `unitary~state'. Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. $$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$ therefore $$ FM(R) \in \mathcal{U} $$ We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection of component failure modes. We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns whether a fault mode is active (true) or dormant (false). We can say that if any pair of fault modes is active at the same time, then the failure mode set is not unitary state: we state this formally \begin{equation} \forall f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} \end{equation} % % \begin{equation} % c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U % \end{equation} That is to say that it is impossible that any pair of failure modes can be active at the same time for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$. Note where there are more than two failure~modes, by banning any pairs from being active at the same time, we have banned larger combinations as well. \section{Handling Simultaneous Component Faults} For some integrity levels of static analysis there is a need to consider not only single failure modes in isolation, but cases where more then one failure mode may occur simultaneously. It is an implied requirement of EN298 for instance to consider double simultaneous faults. To generalise, we may need to consider $N$ simultaneous failure modes when analysing a functional group. This involves finding all combinations of failures modes of size $N$ and less. The Powerset concept from Set theory is useful to model this. The powerset, when applied to a set S is the set of all subsets of S, including the empty set \footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there is no fault active in the functional~group under analysis} and S itself. In order to consider combinations for the set S where the number of elements in each sub-set of S is $N$ or less, a concept of the `cardinality constrained powerset' is proposed and described in the next section. \pagebreak[4] \subsection{Cardinality Constrained Powerset } \label{ccp} A Cardinality Constrained powerset is one where sub-sets of a cardinality greater than a threshold are not included. This theshold is called the cardinality constraint. To indicate this the cardinality constraint $cc$, is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. Consider the set $S = \{a,b,c\}$. The powerset of S: $$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ $\mathcal{P}_{2} S $ means all subsets of S where the cardinality of the subsets is less than or equal to 2 or less. $$ \mathcal{P}_{2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$ Note that $\mathcal{P}_{1} S $ for this example is: $$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$ \paragraph{Calculating the number of elements in a cardinality constrained powerset} A $k$ combination is a subset with $k$ elements. The number of $k$ combinations (each of size $k$) from a set $S$ with $n$ elements (size $n$) is the binomial coefficient $$ C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!}$$ To find the number of elements in a cardinality constrained subset S with up to $cc$ elements in each combination sub-set, we need to sum the combinations, %subtracting $cc$ from the final result %(repeated empty set counts) from $1$ to $cc$ thus % % $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ % \begin{equation} |{\mathcal{P}_{cc}S}| = \sum^{k}_{1..cc} \frac{|{S}|!}{ k! ( |{S}| - k)!} \label{eqn:ccps} \end{equation} \subsection{Actual Number of combinations to check \\ with Unitary State Fault mode sets} Where all the fault modes in $S$ were to be independent, the cardinality constrained powerset calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check. Because sets of failure modes in FMMD analysis are constrained to be unitary state, the actual number of test cases to check will usually be less than this. This is because combinations of faults within a components failure mode set, are impossible under the conditions of unitary state failure mode. To correct equation \ref{eqn:ccps} we must subtract the number of component `internal combinations' for each component in the functional group under analysis. Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. For example, say the cardinality constraint was 3, we would need to subtract both $|{n \choose 2}|$ and $|{n \choose 3}|$. \subsubsection{Example: Two Component functional group \\ cardinality Constraint of 2} For example: were we to have a simple functional group with two components R and T, of which $$FM(R) = \{R_o, R_s\}$$ and $$FM(T) = \{T_o, T_s, T_h\}$$. This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set of $FG_{cfg} = \{R_o, R_s, T_o, T_s, T_h\}$ For a cardinality constrained powerset of 2, because there are 5 error modes ( $|{FG_{cfg}}|=5$), applying equation \ref{eqn:ccps} gives :- $$\frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15$$ This is composed of ${5 \choose 1}$ five single fault modes, and ${5 \choose 2}$ ten double fault modes. However we know that the faults are mutually exclusive within a component. We must then subtract the number of `internal' component fault combinations for each component in the functional~group. For component R there is only one internal component fault that cannot exist $R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has three fault modes ${3 \choose 2} = 3$. Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. The number of combinations to check is thus 11, $|\mathcal{P}_{2}(FG_{cfg})| = 11$, for this example and this can be verified by listing all the required combinations: $$ \mathcal{P}_{2}(FG_{cfg}) = \{ \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} \} $$ And by inspection $$ | \{ \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} \} | = 11 $$ \subsubsection{Establishing Formulae for unitary state failure mode \\ cardinality calculation} The cardinality constrained powerset in equation \ref{eqn:ccps}, can be corrected for unitary state failure modes. This is written as a general formula in equation \ref{eqn:correctedccps}. %\indent{ where : \begin{itemize} \item Let $C$ be a set of components (indexed by $j \in J$) that are members of the functional group $FG$ i.e. $ \forall j \in J | C_j \in FG $ \item Let $|FM({C}_{j})|$ indicate the number of mutually exclusive fault modes of each component \item Let $FG_{cfg}$ be the collection of all failure modes from all the components in the functional group. \item Let $SU$ be a set of failure modes from the functional group, where all contributing components $C_j$ are guaranteed to be `unitary state' i.e. $(SU = FG_{cfg}) \wedge (\forall j \in J | FM(C_j) \in \mathcal{U}) $ \end{itemize} %} \begin{equation} |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - \sum^{p}_{2..cc}{{\sum^{j}_{j \in J} {|FM({C_{j})}| \choose p}}} \label{eqn:correctedccps} \end{equation} Expanding the combination in equation \ref{eqn:correctedccps} \begin{equation} |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - \sum^{p}_{2..cc}{{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{p!(|FM({C_j})| - p)!}} } \label{eqn:correctedccps2} \end{equation} Equation \ref{eqn:correctedccps2} is useful for an automated tool that would verify that a `N' simultaneous failures model had complete failure mode coverage. By knowing how many test cases should be covered, and checking the cardinality associated with the test cases, complete coverage would be confirmed. \pagebreak[4] \section{Component Failure Modes and Statistical Sample Space} %\paragraph{NOT WRITTEN YET PLEASE IGNORE} A sample space is defined as the set of all possible outcomes. For a component in FMMD analysis, this set of all possible outcomes is its normal correct operating state and all its failure modes. When dealing with failure modes, we are not interested in the state where the component is working perfectly or `OK' (i.e. operating with no error). We are interested only in ways in which it can fail. By definition while all components in a system are `working perfectly' that system will not exhibit faulty behaviour. Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is %$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ $$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} $$ The failure mode set $F$ for a given component or derived~component $C$ is therefore $$ F = \Omega(C) \backslash OK $$ The $OK$ statistical case is the largest in probability, and is therefore of interest when analysing systems from a statistical perspective. This is of interest for the application of conditional probability calculations such as Bayes theorem. \vspace{40pt}