Robin_PHD/submission_thesis/CH6_Evaluation/copy.tex

\label{sec:chap7}

\section*{Metrics}

 

%
% Moving Pt100 to metrics
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical 
%failure mode classification %  analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%



\section{Defining the concept of `comparison~complexity' in FMEA}
\label{sec:cc}
%
% DOMAIN == INPUTS
% RANGE == OUTPUTS
%

When performing FMEA, we have a system under investigation, which will be
comprised of a collection of components which have associated failure modes.
The object of FMEA is to determine cause and effect: 
from the failure modes (the causes, {\fms} of {\bcs}) to the effects (or symptoms of failure) at the top level.
%
To perform FMEA rigorously
we could stipulate that every failure mode must be checked for effects
against all the components in the system.
We could term this `rigorous~FMEA'~(RFMEA).
The number of checks we have to make to achieve this, gives an indication of the complexity of the task.
This is described in section~\ref{sec:rd}, where the reasoning distance, or complexity to
analyse a single FMEA failure scenario, is given in equation~\ref{eqn:complexity}.

%
We could term this `comparison~complexity', as  the number of 
paths between failure modes and components necessary to achieve RFMEA for a given system/functional~group.

% (except its self of course, that component is already considered to be in a failed state!).
%
Obviously, for a small number of components and failure modes, we have a smaller number
of checks to make than for a complicated larger system.
%
We can consider the system as a large {\fg} of components.
We represent the number of components in the {\fg} $G$,  by 
$ | G | $,
(an indexing and sub-scripting notation to identify particular {\fgs}
within an FMMD hierarchy is given in section~\ref{sec:indexsub}).

The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}).
We can represent the number of potential failure modes of a component $c$, to be  $ | fm(c) | .$

If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express 
the number of checks required to rigorously examine every
failure mode against all the other components in the system.
We can define this as a function, Comparison Complexity, $CC$, with its domain as the system 
or {\fg}, $\FG$, and
its range as the number of checks to perform to satisfy a rigorous FMEA inspection.

Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by,
\begin{equation}
%$$
 CC:\mathcal{\FG} \rightarrow \mathbb{N}, 
%$$
\end{equation}

and, where n is the number of components in the system/{\fg},   $|fm(c_i)|$ is the number of failure modes
in component ${c_i}$, is given by

\begin{equation}
\label{eqn:CC}
%$$
 %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) 
 CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i).
%$$
\end{equation}

This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$);
equation~\ref{eqn:CC} becomes 

%$$
\begin{equation}
\label{eqn:rd2}
 CC(\FG) = K.(|\FG|-1).
\end{equation}
%$$
%Equation~\ref{eqn:rd} can also be expressed as
% 
% \begin{equation}
% \label{eqn:rd2}
% %$$
%  CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} .
% %$$
% \end{equation}
\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy}

An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy.
In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to
all {\fgs} on each level.

We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level),
defined by 

\begin{equation}
%$$
g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) .
%$$
\end{equation}

Where $L$ represents the number of levels in the FMMD hierarchy,
$|g(\xi)|$ represents the number of functional groups on the level
and $H$ represents an FMMD hierarchy,
we overload the comparison complexity thus:
%$$
\begin{equation}
     \label{eqn:gf}
      CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}).
%$$
\end{equation}


\pagebreak[4]
\subsection{Complexity Comparison Examples}

The potential divider discussed in section~\ref{potdivfmmd} has  four failure modes and two components and therefore has   $CC$ of 4.
$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$

Even considering  a $example$ system with just 81 components (with these components
having 3 failure modes each) we would have an $CC$ of 

$$CC(example) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$

Ensuring all component failure modes are checked against all other components in a system
-- applying FMEA rigorously -- could be termed
Rigorous FMEA (RFMEA). 
The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes).

This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis
process are by-hand/human activities. It can be seen that it is practically impossible to achieve 
RFMEA for anything but trivial systems.
%
% Next statement needs alot of justification
%
It is the authors belief that FMMD reduces the comparison complexity enough to make
rigorous checking feasible. 


\pagebreak[4]
%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD}

\begin{figure}
 \centering
 \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png}
 % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385
 \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$}
 \label{fig:three_tree}
\end{figure}



\subsection{Comparing FMMD and RFMEA comparison complexity}

Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components, it is difficult to
use the general formula for comparing the number of checks to make for
RFMEA and FMMD.
%
If we were to create an example by fixing the number of components in a {\fg}
and the number of failure modes per component, we can derive formulae
to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to
all components in a system.
 
Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), 
$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and 
$L$ to be the number of levels in the hierarchy of an FMMD analysis.
We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy
with equation~\ref{eqn:anscen}.
 
\begin{equation}
  \label{eqn:anscen}
 \sum_{n=0}^{L} {k}^{n}.k.f.(k-1)   
\end{equation}
 
The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top --
there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level.
The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$
checked against the remaining components in the {\fg} $(k-1)$.

If, for the sake of example, we fix the number of components in a {\fg} to three and 
the number of failure modes per component to three, an FMMD hierarchy
would look like figure~\ref{fig:three_tree}.

\subsection{RFMEA FMMD Comparison Example}

Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis.
Starting at the top, we have a {\fg} with three derived components, each of which has
three failure modes.
Thus the number of checks to make in the top level is $3^0.3.2.3=18$.
On the level below that, we have three {\fgs} each with a 
an identical number of checks, $3^1.3.2.3=56$.%{\fg}
On the level below that we have nine {\fgs}, $3^2.3.2.3=168$.
Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}}
{\fgs}).

If we were to take the system represented in  figure~\ref{fig:three_tree}, and 
apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC},
$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3
and $(|G|-1)$ is 26.
This gives:
$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$.

In order to get general equations with which to compare RFMEA with FMMD,
we can re-write equation~\ref{eqn:CC} in terms of the number of levels 
in an FMMD hierarchy. 
%
The number of components in the system, is number of components
in a {\fg} raised to the power of the level plus one.
Thus we re-write equation~\ref{eqn:CC} as:
 

\begin{equation}
  \label{eqn:fmea_state_exp21}
  \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f  \; , % \\
  %(N^2 - N).f 
\end{equation}

or

\begin{equation}
  \label{eqn:fmea_state_exp22}
  k^{L+1}.(k^{L+1}-1).f  \;. % \\
  %(N^2 - N).f 
\end{equation}

We can now use  equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$)
the two approaches, for the work required to perform rigorous checking.


For instance, having four levels 
of FMMD analysis, with these fixed numbers,
%(in addition to the top zeroth level)
will require 81 base level components.

$$
%\begin{equation}
  \label{eqn:fmea_state_exp22}
  3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\
  %(N^2 - N).f 
%\end{equation}
$$

$$
%\begin{equation}
 % \label{eqn:anscen}
  \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720
%\end{equation}
$$

% \subsection{Exponential squared to Exponential}
% 
% can I say that ?
\clearpage
\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics}
\label{sec:Pt100}
{
This section 
% shows a practical example of 
% one `symptom~abstraction' stage in the FMMD process.
% We take a functional group of base components,
% and using their failure modes, analyse the circuit
% to find failure symptoms.
% These failure symptoms are used to define 
% a derived component. 
%
demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows
how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.


For this example we look at an industry standard temperature measurement circuit,
the Pt100. 
The circuit is described and then analysed using the FMMD methodology.


%A derived component, representing this circuit is then presented.


The Pt100, or platinum wire \ohms{100} sensor is 
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many 
industrial applications below 600\oc, due to high accuracy\cite{aoe}.

This section looks at the most common configuration, the 
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the 
possibility of double faults (cardinality constrained powerset of 2).

\ifthenelse {\boolean{pld}}
{
The section is performed using Propositional Logic
diagrams to assist the reasoning process.
}
{
}

This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed 
from an FMEA perspective as a component itself, with a set of known failure modes.
}

\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
 % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
 \caption{Pt100 four wire circuit}
 \label{fig:Pt100}
\end{figure}


\subsection{General Description of Pt100 four wire circuit}

The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
from sections of this circuit forming potential dividers, we can determine the 
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.


\begin{figure}[h]
 \centering
 \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
 % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
 \caption{Pt100 expected voltage ranges}
 \label{fig:Pt100vrange}
\end{figure}


The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.

\paragraph{Accuracy despite variable resistance in cables}

For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
 causes a slight voltage 
drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire 
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.

\paragraph{Calculating Temperature from the sense line voltages}

The current flowing though the 
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit   
and knowing the voltage drop over the $Pt100$, we can calculate its 
resistance  by Ohms law $V=I.R$, $R=\frac{V}{I}$. 
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved 
through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and 
equation \ref{eqn:vd}) can be used to  calculate
expected voltages for failure mode and temperature reading purposes.

\begin{figure}[h]
 \centering
 \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png}
 % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
 \caption{Voltage Divider}
 \label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.

\begin{equation}
\label{eqn:vd}
 V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}

\subsection{Safety case for 4 wire circuit}

This sub-section looks at the behaviour of the $Pt100$ four wire circuit 
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types 
and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}.
Thus for each component, an analysis is made for each of its failure modes,
with respect to its effect on the 
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted. 
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.

\fmodegloss

\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}

\label{fmea}
The Pt00 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A]
, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open. 
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.

We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram, we consider this a fault.
Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.

Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to 
determine out of range voltage limits in section~\ref{sec:ptbounds}.

\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
 \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General}   \\
 \textbf{Case} &  \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
 $R_1$ SHORT    &  High Fault        &  -       &  Value Out of Range Value \\ \hline
$R_1$  OPEN     &  Low Fault         & Low Fault     &  Both values out of range \\ \hline
 \hline
$R_3$  SHORT    &  Low Fault          & High Fault      &   Both values out of range \\ \hline
 $R_3$  OPEN     &  High Fault         & Low  Fault    &  Both values out of range \\ \hline
\hline
$R_2$ SHORT     &  -         &  Low Fault   &  Value Out of Range Value \\  
 $R_2$ OPEN     &  High Fault         & High Fault     &  Both values out of range \\ \hline
\hline
\end{tabular} 
\label{ptfmea}
\end{table}

From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}. 

%\paragraph{Consideration of Resistor Tolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also
%be of this accuracy.
%
%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, 
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures.

\paragraph{Range and $Pt100$ Calculations}
\label{Pt100temp}
$Pt100$ resistors are designed to 
have a resistance of \ohms{100}  at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application. 
According to the Eurotherm Pt100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the 
Pt100 FMEA analysis in section \ref{fmea}.

As the Pt100 forms a potential divider with the \ohms{2k2}  load resistors,
the upper and lower readings can be calculated thus:


$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the 
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.

To convert these to twelve bit ADC (\adctw) counts:

$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$


\begin{table}[ht]
\caption{Pt100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
 \textbf{Temperature} & \textbf{Pt100 resistance} & 
\textbf{Lower} & \textbf{Higher} & \textbf{Description}   \\ 
\hline
% {-100 \oc} &  {\ohms{68.28}} &  2.46V         &   2.53V      & Boundary of   \\ 
%            &                 &  2017\adctw   &   2079\adctw  &   out of range LOW \\ \hline
  {0 \oc}   & {\ohms{100}}    &  2.44V         &   2.56V       & Boundary of         \\
            &                 &  2002\adctw   &   2094\adctw   &  out of range LOW        \\ \hline
 {+300 \oc} & {\ohms{212.02}}  &  2.38V         &   2.62V       & Boundary of                       \\
            &                  &  1954\adctw   &   2142\adctw   &  out of range HIGH  \\ \hline
\hline
\end{tabular} 
\label{ptbounds}
\end{table}

Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.



\paragraph{Consideration of Resistor Tolerance.}
%
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by having to pass any significant current. The current is supplied 
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an 
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$  we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, 
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate
the resistance of $R_3$.
%
As ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{probstat}.


\paragraph{Single Fault FMEA Analysis  of $Pt100$ Four wire circuit}


\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}

The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. 
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
 % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
 \caption{Pt100 Component Failure Modes}
 \label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}

%ating input Fault  
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.




\paragraph{Proof of Out of Range  Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.

\subparagraph{ TC 1 : Voltages $R_1$ SHORT } 
With Pt100 at 0\oc 
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$

Thus with $R_1$ shorted both readings are outside the 
proscribed range in table \ref{ptbounds}.

\paragraph{ TC 2 : Voltages $R_1$ OPEN } 

In this case the 5V rail is disconnected. All voltages read are 0V, and 
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.


\paragraph{ TC 3 : Voltages $R_2$ SHORT }

With Pt100 at 0\oc 
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$

Thus with $R_2$ shorted both readings are outside the 
proscribed range in table \ref{ptbounds}.

\paragraph{ TC 4 : Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.


\paragraph{ TC 5 : Voltages $R_3$ SHORT } 

Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.

Assuming the load resistors are 
precision components, and then taking an absolute worst case of 1\% either way.

$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$

$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$

These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.

\paragraph{ TC 6 : Voltages $R_3$ OPEN } 

Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.

\subsection{Summary of Analysis}

All six test cases have been analysed and the results agree with the hypothesis
put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single 
resistor faults :  Voltage out of range.

A spider can be drawn on the PLD diagram to this effect.

In practical use, by defining an acceptable measurement/temperature range,
and ensuring the 
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.

\ifthenelse{\boolean{pld}}
{
\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
 % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
 \caption{Pt100 Component Failure Modes}
 \label{fig:Pt100_tc_sp}
\end{figure}
}


\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, 
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.

\begin{figure}[h]
 \centering
 \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
 % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
 \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
 \label{fig:Pt100_singlef}
\end{figure}
}

%From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode.


%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage
\subsection{Mean Time to Failure}

Now that we have a model for the failure mode behaviour of the Pt100 circuit
we can look at the statistics associated with each of the failure modes.

The DOD electronic reliability of components
document  MIL-HDBK-217F\cite{mil1991} gives formulae for calculating
the
%$\frac{failures}{{10}^6}$
${failures}/{{10}^6}$ % looks better
in hours for a wide range of generic components
\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F
can give conservative reliability figures when applied to
modern components}. 
%
Using the MIL-HDBK-217F\cite{mil1991}  specifications for resistor and thermistor
failure statistics, we calculate the reliability of this circuit.


\paragraph{Resistor FIT Calculations}

The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings 
and values assigned to its co-efficients are described in table \ref{tab:resistor}.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}


\fmodegloss

\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
 \label{resistorfit}
\end{equation}

\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
 \em{Parameter}      &  \em{Value}    &   \em{Comments} \\
                     &                &      \\ \hline \hline
 ${\lambda}_{b}$ &  0.00092        & stress/temp base failure rate  $60^o$ C  \\   \hline
 %${\pi}_T$ &  4.2         & max temp of $60^o$ C\\ \hline
 ${\pi}_R$ &  1.0         & Resistance range $< 0.1M\Omega$\\ \hline
 ${\pi}_Q$ &  15.0         & Non-Mil spec component\\ \hline
 ${\pi}_E$ &  1.0         & benign ground environment\\ \hline

\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}

Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
give the following failures in ${10}^6$ hours:

\begin{equation}
 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138  \;{failures}/{{10}^{6} Hours}
 \label{eqn:resistor}
\end{equation}

While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. 
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example 
compromises and uses a 90:10 ratio, for resistor failure. 
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED 
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}). 
This figure is referred to as a FIT\footnote{FIT values are measured as the number of 
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the 
FIT number the more reliable the fault~mode} Failure in time.

The formula given for a thermistor in  MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in
equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}.

\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
 \label{thermistorfit}
\end{equation}

\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
 \em{Parameter}      &  \em{Value}    &   \em{Comments} \\
                     &                &      \\ \hline \hline
 ${\lambda}_{b}$ &  0.021        & stress/temp base failure rate bead thermistor \\   \hline
 %${\pi}_T$ &  4.2         & max temp of $60^o$ C\\ \hline
 %${\pi}_R$ &  1.0         & Resistance range $< 0.1M\Omega$\\ \hline
 ${\pi}_Q$ &  15.0         & Non-Mil spec component\\ \hline
 ${\pi}_E$ &  1.0         & benign ground environment\\ \hline

\hline \hline
\end{tabular}
\label{tab:thermistor}
\end{table}


\begin{equation}
 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
 \label{eqn:thermistor}
\end{equation}


Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0

Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}




\begin{table}[h+]
\caption{Pt100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
 \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF}   \\
 \textbf{Case} &  \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
TC:1 $R_1$ SHORT    &  High Fault        &  -       &  1.38  \\ \hline
TC:2 $R_1$  OPEN     &  Low Fault         & Low Fault     &  12.42\\ \hline
 \hline
TC:3 $R_3$  SHORT    &  Low Fault          & High Fault      & 31.5  \\ \hline
TC:4 $R_3$  OPEN     &  High Fault         & Low  Fault    &   283.5 \\ \hline
\hline
TC:5 $R_2$ SHORT     &  -         &  Low Fault   &  1.38  \\  
TC:6 $R_2$ OPEN     &  High Fault         & High Fault     & 12.42 \\ \hline
\hline
\end{tabular} 
\label{tab:stat_single}
\end{table}

The FIT for the circuit as a whole is the sum of MTTF values for all the 
test cases. The Pt100 circuit here has a  FIT of 342.6. This is a MTTF of
about 360 years per circuit.

A probabilistic tree can now be drawn, with a FIT value for the Pt100
circuit and FIT values for all the component fault modes from which  it was calculated.
We can see from this that  the most likely fault is the thermistor going OPEN.
This circuit is around 10 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor, this would probably 
be the fault~mode we would scrutinise first.


\begin{figure}[h+]
 \centering
 \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png}
 % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
 \caption{Probablistic Fault Tree : Pt100 Single Faults}
 \label{fig:stat_single}
\end{figure}


The Pt100 analysis presents a simple result for single faults. 
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.




\section{Double failure analysis}

CITE PRICE MULTIPLE FAILURE PAPER.

%\clearpage
\section{ Pt100 Double Simultaneous  Fault Analysis}
\label{sec:Pt100d}
In this section we examine the failure mode behaviour for all single 
faults and double simultaneous faults.
This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
the failure modes in the functional group.
All the single faults have already been proved in the last section.
For the next set of test cases, let us again hypothesise
the failure modes, and then examine each one in detail with
potential divider equation proofs.

Table \ref{tab:ptfmea2} lists all the combinations of double
faults and then hypothesises how the functional~group will react
under those conditions.

\begin{table}[ht]
\caption{Pt100 FMEA Double Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|c|l|l||}
\hline \hline
 \textbf{TC}      &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General}   \\
 \textbf{number} &\textbf{Case} &  \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
 TC 7: & $R_1$ OPEN $R_2$ OPEN    &  Floating input Fault        &   Floating input Fault    &  Unknown value readings \\ \hline
 TC 8: & $R_1$ OPEN $R_2$ SHORT   &  low        &   low    &  Both out of range  \\ \hline
\hline
 TC 9: & $R_1$ OPEN $R_3$ OPEN   &  high        &   low     &  Both out of Range \\ \hline
 TC 10: & $R_1$ OPEN $R_3$ SHORT   &  low        &   low    &  Both out of range \\ \hline
\hline

 TC 11: & $R_1$ SHORT $R_2$ OPEN    &  high        &   high    &  Both out of range \\ \hline
TC 12: &  $R_1$ SHORT $R_2$ SHORT   &  high        &   low    &  Both out of range  \\ \hline
\hline
 TC 13: & $R_1$ SHORT $R_3$ OPEN   &  high        &   low     &  Both out of Range \\ \hline
TC 14: &  $R_1$ SHORT $R_3$ SHORT   &  high        &   high    &  Both out of range \\ \hline

\hline
 TC 15: & $R_2$ OPEN $R_3$ OPEN   &  high        &   Floating input Fault    &  sense+ out of range \\ \hline
TC 16: &  $R_2$ OPEN $R_3$ SHORT   &  high        &   high    &  Both out of Range \\ \hline
TC 17: &  $R_2$ SHORT $R_3$ OPEN   &  high        &   low    &  Both out of Range \\ \hline
TC 18: &  $R_2$ SHORT $R_3$ SHORT   &  low        &   low    &  Both out of Range \\ \hline
\hline
\end{tabular}
\label{tab:ptfmea2}
\end{table}

\subsection{Verifying complete coverage for a cardinality constrained powerset of 2}

\fmodegloss


It is important to check that we have covered all possible double fault combinations.
We can use the equation \ref{eqn:correctedccps2} 
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.

\indent{
 where:
 \begin{itemize}
  \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes.
  \item The indexed set $C_j$ represents all components in set $SU$.
  \item The function $FM$ takes a component as an argument and returns its set of failure modes.
  \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults.
 \end{itemize}
}
\begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}   
- {{\sum^{j}_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  }
 \label{eqn:correctedccps2}
\end{equation}

}
{
\begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  }
 %\label{eqn:correctedccps2}
\end{equation}
}


$|FM(C_j)|$ will always be 2 here,  as all the components are resistors and have two failure modes.

%
% Factorial of zero is one ! You can only arrange an empty set one way !

Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2.
%is always 2 for this circuit, as all the components are resistors and have two failure modes.

\begin{equation}
 |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2}  \frac{6!}{k!(6 - k)!}}   
- {{\sum^{j}_{1..3}   \frac{2!}{p!(2 - p)!}}  }
 %\label{eqn:correctedccps2}
\end{equation}

$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).

Expanding the sumations


$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$

$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 )  = 18 $$

As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.


%\paragraph{Proof of Double Faults Hypothesis}

\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } 
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to  low values
but for the purpose of a safety critical analysis,
all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}.
%that must be handled.


\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } 

This cuts the supply from Vcc. Both sense lines will be at zero.
Thus both values will be out of range.


\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } 

Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.

\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } 

This shorts ground to
both of the sense lines.
Both values will be  out of range.

\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } 

This shorts both sense lines to Vcc.
Both values will be out of range.


\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT }

This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.


\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN }

This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.

\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT }

This shorts the sense+ and sense- to Vcc.
Both values will be out of range.

\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN }

This shorts the sense+ to Vcc and causes sense- to float.
The sense+ value will be out of range.


\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT }

This shorts the sense+ and sense- to Vcc.
Both values will be out of range.





\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN }

This shorts the sense- to Ground.
The sense- value will be out of range.


\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT }

This shorts the sense+ and sense- to Vcc.
Both values will be out of range.

%\clearpage

\ifthenelse{\boolean{pld}}
{
\subsection{Double Faults Represented on a PLD Diagram}

We can show the test cases on a diagram with the double faults residing on regions 
corresponding to overlapping contours see figure \ref{fig:plddouble}.
Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour.


\begin{figure}[h]
 \centering
 \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png}
 % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
 \caption{Pt100 Double Simultaneous Faults}
 \label{fig:plddouble}
\end{figure}

We use equation \ref{eqn:correctedccps2} to verify complete coverage for
a given cardinality constraint is not visually obvious.
%
From the diagram it is easy to verify
the number of failure modes considered for each test case, but 
not that all for a given cardinality constraint have been included.
}
{
}

\paragraph{Symptom Extraction}

We can now examine the results of the test case analysis and apply symptom abstraction.
In all the test case results we have at least one out of range value, except for
$TC\_7$  
which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, 
into the symptom $OUT\_OF\_RANGE$. 
As a symptom $TC\_7$ could be described as $FLOATING$. 

\ifthenelse{\boolean{pld}}
{
We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:Pt100_doublef}.

\begin{figure}[h]
 \centering
 \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png}
 % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
 \caption{Pt100 Double Simultaneous Faults}
 \label{fig:plddoublesymptom}
\end{figure}
} %% \ifthenelse {\boolean{pld}}
{
}

%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, 
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. 

\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
 \centering
 \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
 % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
 \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
 \label{fig:Pt100_doublef}
\end{figure}
} % \ifthenelse {\boolean{pld}}
{
}


\subsection{Statistics}

%%
%% Need to talk abou the `detection time'
%% or `Safety Relevant Validation Time' ref can book
%% EN61508 gives detection calculations to reduce
%% statistical impacts of failures.
%%

If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition
requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF
together and find an MTTF for both failing. The FIT value of 12.42 corresponds to
$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $.
This is an astronomically small MTTF, and so small that it would
probably fall below a threshold to sensibly consider.
However, it is very interesting from a failure analysis perspective,
because here we have found a fault that we cannot detect at this
level. This means that should we wish to cope with
this fault, we need to devise a way of detecting this
condition in higher levels of the system.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}




\section{Critiques}

\subsection{Problems in choosing membership of functional groups}

\subsubsection{Side Effects: A Problem for FMMD analysis}
\label{sec:sideeffects}
A problem with modularising according to functionality is that we can have component failures that would 
intuitively be associated with one {\fg} that may cause unintended side effects in other
{\fgs}.
For instance were we to have a component that on failing $SHORT$ could bring down 
a voltage supply rail, this could have drastic consequences for other 
functional groups in the system we are examining.

\pagebreak[3]
\subsubsection{Example de-coupling capacitors in logic circuits}

A good example of this, are de-coupling capacitors, often used 
over the power supply pins of all chips in a digital logic circuit.
Were any of these capacitors to fail $SHORT$, they could bring down 
the supply voltage to the other logic chips.


To a power-supply, shorted capacitors on the supply rails 
are a potential source of the symptom, $SUPPLY\_SHORT$.
In a logic chip/digital circuit {\fg} open capacitors are a potential 
source of symptoms caused by the failure mode $INTERFERENCE$.
So we have a `symptom' of the power-supply, and a `failure~mode' of
 the logic chip to consider.

A possible solution to this is to include the de-coupling capacitors
in the power-supply {\fg}.
% decision, could they be included in both places ????
% I think so 


Because the capacitor has two potential failure modes (EN298),
this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails).
But in {\fg} terms the power supply, now has a new symptom that of  $INTERFERENCE$.

Some logic chips are more susceptible to  $INTERFERENCE$ than others.
A logic chip with de-coupling capacitor failing, may operate correctly 
but interfere with other chips in the circuit.

There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}.

This allows for the general principle of a component failure affecting more than one {\fg} in a circuit.
This allows functional groups to share components where necessary.
This does not break the modularity of the FMMD technique, because, as {\irl},
one component failure may affect more than one sub-system.
It does uncover a weakness in the FMMD methodology though.
It could be very easy to miss the side effect and include
the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.


\section{Evaluation}