\section{Further Work}

\subsection{Environment, operational states and inhibit gates: additions to the UML model.}

FTA~\cite{nasafta,nucfta} models environmental, operational state and inhibit gates,
and these can be incorporated into the FMMD model.

A system will be expected to perform in a given environment.
%
Environment in the context of this study means the external influences under which the System could be expected to work. % under.
%
A typical data sheet for an electrical component will give a working temperature range, for instance.
Mechanical components could be specified for stress and loading limits.

Systems may have distinct operational states.
For instance, a safety-critical controller may have a LOCKOUT state, where it has detected a serious problem
and will not continue to operate until authorised human intervention takes place.
A safety-critical circuit may have a self-test mode which could be operated externally.
%
Operational states and environmental conditions must be factored into the UML model.

\paragraph{Environmental Modelling.}
The external influences/environment could typically be temperature ranges,
levels of electrical interference, high voltage contamination on supply lines,
radiation levels etc.
Environmental influences will affect specific components in specific ways.\footnote{A good example of a part
affected by environmental conditions, in this case temperature, is the opto-isolator~\cite{tlp181},
which is typically affected at around {60 \oc}. Most electrical components are more robust to temperature variations.}
Environmental analysis is thus applicable to components.
Environmental influences, such as over-stress due to voltage, can be eliminated by down-rating of components,
as discussed in section~\ref{sec:determine_fms}.
With given environmental constraints, we can therefore eliminate some failure modes from the model.
\paragraph{Operational states.}
Within the field of safety-critical engineering, we often encounter elements that include test or self-test facilities.
%
We also encounter degraded performance (such as only performing functions in an emergency)
and lockout/emergency conditions.
These can be broadly termed operational states. %, and apply to the
%functional groups.
%
We need to determine which UML class is most appropriate to hold a relationship to operational states.
%
Consider, for instance, an electrical circuit that has a TEST line.
When the TEST line is activated, it supplies a test signal which will validate the circuit.
This circuit will have two operational states, NORMAL and TEST mode.
%
It seems better to apply the operational states to {\fgs}.
%
Functional groupings by definition implement functionality, or purpose, and therefore are the best objects
to model operational states.% with.

\paragraph{Inhibit Conditions.}
A third data class may be required if modelling of inhibit conditions~\cite[p.40]{nasafta} is desired.
Some failure modes may only be active given specific environmental conditions
or when other failures are already active.
To model this, an `inhibit' class has been added.
This is an optional attribute of a failure mode.
This inhibit class can be triggered on a combination of environmental conditions or failure modes.

\paragraph{UML Diagram Additional Objects.}
The additional objects System, Environment and Operational States, added to the UML diagram
in figure~\ref{fig:cfg}, are represented in figure~\ref{fig:cfg2}.

\label{completeumlfurtherwork}
\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,keepaspectratio=true]{./CH7_Conclusion/master_uml_further_work.png}
 % cfg2.png: 702x464 pixel, 72dpi, 24.76x16.37 cm, bb=0 0 702 464
 \caption{FMMD UML diagram, incorporating Environmental, Operational State and Inhibit gates}
 \label{fig:cfg2}
\end{figure}
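
The inhibit class and the elimination of failure modes under environmental constraints, sketched as an added Python example (not code from this work or from the FMMD project). The component names, the fields \texttt{env\_ok} and \texttt{requires}, and the choice to combine conditions with AND are assumptions; the 60 degree threshold follows the opto-isolator footnote above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Environment:
    max_temp_c: float  # highest ambient temperature the system is specified for

@dataclass(frozen=True)
class Inhibit:
    """Gate on a failure mode: open only if the environment predicate holds
    and every failure mode named in `requires` is itself possible (assumed AND)."""
    env_ok: Callable[[Environment], bool] = lambda env: True
    requires: frozenset = frozenset()

@dataclass(frozen=True)
class FailureMode:
    name: str
    inhibit: Optional[Inhibit] = None  # optional attribute; None means always possible

def possible_failure_modes(modes, env):
    """Names of failure modes that stay in the model for this environment.
    Iterates to a fixed point because one gate may depend on another gated mode."""
    possible = {m.name for m in modes if m.inhibit is None}
    changed = True
    while changed:
        changed = False
        for m in modes:
            if m.name in possible:
                continue
            gate = m.inhibit
            if gate.env_ok(env) and gate.requires <= possible:
                possible.add(m.name)
                changed = True
    return possible

def eliminated(modes, env):
    """Failure modes that the environmental constraints remove from the model."""
    return {m.name for m in modes} - possible_failure_modes(modes, env)

# Constructed sample data: names are illustrative, not taken from the thesis.
MODES = [
    FailureMode("R1.OPEN"),
    FailureMode("D1.OPEN"),
    FailureMode("MCU.FALSE_TRIP", Inhibit(requires=frozenset({"OPTO.LOW_GAIN"}))),
    FailureMode("OPTO.LOW_GAIN", Inhibit(env_ok=lambda e: e.max_temp_c >= 60)),
    FailureMode("ADC.OVERVOLTAGE", Inhibit(requires=frozenset({"D1.OPEN"}))),
]
```

With the environment limited to 40 degrees, the opto-isolator mode and the mode that depends on it are both eliminated; at 70 degrees every mode remains in the model.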