\ifthenelse {\boolean{paper}} {
\abstract{
This paper describes how the FMMD methodology can be used to refine safety critical designs and identify undetectable faults.
Used in this way it is a design aid, giving the user the possibility to model a system from the perspective of its failure mode behaviour.
}
}
{
\section{Introduction}
This chapter describes how the FMMD methodology can be used to refine safety critical designs and identify undetectable faults.
Used in this way it is a design aid, giving the user the possibility to model a system from the perspective of its failure mode behaviour.
}

\section{How FMMD Analysis can reveal design flaws in failure mode detection}

A feature of FMMD analysis is symptom collection.
Common symptoms are collected after analysis, and this means that the failure modes of the {\fg} are examined as a whole.
The symptoms will be either detectable (like a value out of range) or undetectable (like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer; it is generally these that stand out as single failure modes of concern.
Out of range values, for instance, we know we can cope with; they are an obvious error condition that will be detected by any modules using the {\fg}.

\subsection{Iterative design}

By applying FMMD analysis to a {\fg} we can determine which failure modes are detectable and which are undetectable.
We can then either modify the circuit and iteratively apply FMMD to the design again, or we can add another {\fg} that specifically tests for the undetectable conditions.

This \ifthenelse {\boolean{paper}} { paper } { chapter } describes a milli-volt amplifier with an inbuilt safety\footnote{The `safety' resistor also acts as a potential divider to provide a milli-volt offset.} resistor.
The circuit is analysed and it is found that all but one of the component failure modes are detectable.
We then design a circuit to test for the `undetectable' failure mode and analyse this with FMMD.
With both {\dcs} we then form a {\fg}, which we can call our `self testing milli-volt amplifier'.
We then analyse this {\fg} and discuss the failure modes of the resultant {\dc}.

\section{An example: A Milli-volt Amplifier}

\section{FMMD Analysis}

\subsection{Undetected Failure Mode: Incorrect Reading}

Although statistically this failure is unlikely (get stats for R short FIT etc from pt100 doc), if the reading is considered critical, or we are aiming for a high integrity level, this may be unacceptable.
We will need to add some type of detection mechanism to the circuit to test $R_{off}$ periodically.
For instance, were we to check $R_{off}$ every $\tau = 20$\,ms: work out detection allowance according to EN61508.

\section{Proposed Checking Method}

Were we to switch a second resistor in parallel with the safety resistor $R_{safety}$, using a switch (or transistor), we could detect the effect on the reading through the potential divider according to the following formula.

\vspace{10pt}
Work out a pot div formula, and some typical values
\vspace{10pt}

\section{FMMD analysis of Safety Addition}

\section{FMMD Hierarchy, with milli-volt amp and safety addition}

Draw FMMD hierarchy diagram.

\subsection{Analysis of FMMD Derived component `added safety milli-volt amp'}

\section{Conclusions}

With the safety addition, reliability goes DOWN, but safety goes UP. Work it out.
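The following derivation is added here as a worked example for the potential divider of the Proposed Checking Method section above; it is not from the original draft, and the circuit topology and component values are assumptions. It takes $R_{safety}$ to be the offset resistor $R_{off}$ of the Undetected Failure Mode subsection (the footnote in the introduction states that the safety resistor also forms the offset divider), fed through a series resistor $R_1$ from a reference $V_s$, with a test resistor $R_{test}$ switched across it.

```latex
% Added worked example (not part of the original draft).
% Assumed topology: V_s -- R_1 -- node V_off -- R_safety -- 0V,
% with R_test switched in parallel with R_safety for the check.
With the test switch open the offset is
\begin{equation}
V_{off} = V_s \frac{R_{safety}}{R_1 + R_{safety}} .
\end{equation}
With the switch closed, $R_{safety}$ is shunted by $R_{test}$:
\begin{equation}
R_p = \frac{R_{safety} R_{test}}{R_{safety} + R_{test}}, \qquad
V'_{off} = V_s \frac{R_p}{R_1 + R_p},
\end{equation}
and the expected step when the switch closes is $\Delta V = V_{off} - V'_{off}$.

Assumed values: $V_s = 5$\,V, $R_1 = 100$\,k$\Omega$, $R_{safety} = R_{test} = 100\,\Omega$:
\begin{align*}
V_{off}  &= 5 \times \frac{100}{100100} \approx 4.995\,\mathrm{mV}, \\
R_p      &= 50\,\Omega, \qquad
V'_{off}  = 5 \times \frac{50}{100050} \approx 2.499\,\mathrm{mV}, \\
\Delta V &\approx 2.50\,\mathrm{mV} .
\end{align*}

Effect of the $R_{safety}$ failure modes on the check (OPEN and SHORT are
assumed here as the resistor failure modes used in the analysis):
\begin{itemize}
\item $R_{safety}$ SHORT: $V_{off} = V'_{off} = 0$, so $\Delta V = 0$.
      The reading alone is merely incorrect, not out of range, but the
      absence of the $2.5$\,mV step when the switch closes reveals the fault.
\item $R_{safety}$ OPEN: $V_{off} = V_s$ with the switch open, an out of range
      value that is detected directly, as the text notes; closing the switch
      gives $V'_{off} = V_s R_{test}/(R_1 + R_{test}) \approx 4.995$\,mV.
\end{itemize}
```

The check therefore needs a reading with the switch open and one with it closed, comparing their difference against $\Delta V$ with a tolerance. The switch (or transistor) and $R_{test}$ bring their own failure modes (stuck open, stuck closed, $R_{test}$ open or short), which the FMMD analysis of the safety addition must enumerate before the combined {\fg} can be claimed to be self testing.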
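For the conclusions above, the trade-off between reliability and safety can be written out symbolically. This is an added illustration, not from the original draft; the failure-rate symbols and the annual proof-test interval are assumptions. It uses the constant failure rate model and the simplified IEC 61508-6 approximation for the average unavailability of a periodically tested undetected dangerous failure.

```latex
% Added worked example (not part of the original draft).
% Assumed: constant failure rates; lambda_A = total failure rate of the
% milli-volt amplifier FG, lambda_T = that of the added test FG,
% lambda_S = failure rate of the undetectable mode (R_safety SHORT).
Reliability: the combined {\fg} fails, in some mode, whenever either part does, so
\begin{equation}
\lambda_{amp+test} = \lambda_A + \lambda_T > \lambda_A ,
\end{equation}
i.e. the mean time to \emph{any} failure falls from $1/\lambda_A$ to $1/(\lambda_A + \lambda_T)$.

Safety: what matters is how long the $R_{safety}$ SHORT can persist unnoticed.
Without the check it is found only at the next proof test, interval $T$; with the
check it is found within $\tau$. For $\lambda_S T \ll 1$ the average probability
that the fault is present and undetected is
\begin{equation}
PFD_{avg} \approx \frac{\lambda_S T}{2} \quad\text{(no check)}, \qquad
PFD_{avg} \approx \frac{\lambda_S \tau}{2} \quad\text{(checked every } \tau\text{)},
\end{equation}
a reduction by the factor $\tau / T$. For $\tau = 20$\,ms and an assumed annual
proof test, $T \approx 3.16 \times 10^{7}$\,s:
\begin{equation}
\frac{\tau}{T} = \frac{0.02}{3.16 \times 10^{7}} \approx 6.3 \times 10^{-10} .
\end{equation}
```

The reduction applies only to the $R_{safety}$ SHORT mode, and only if failure modes of the test circuit that would produce a spurious pass are themselves detected; those appear in the FMMD analysis of the safety addition and set the floor below which $PFD_{avg}$ cannot fall. The added components are what raise $\lambda_T$, which is the reliability cost the conclusion refers to.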