Robin_PHD/fmmd_design_aide/fmmd_design_aide.tex

\ifthenelse {\boolean{paper}}
{
\abstract{ This 
paper 
describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable and dormant faults.
%
As a working example, an industry standard mill-volt amplifier, intended for reading thermocouples,
circuit is analysed. 
It has an inbuilt `safety~resistor' which allows it 
to detect the thermocouple becoming disconnected/going OPEN.
%
This circuit is analysed from an FMMD perspective and 
and two undetectable failure modes are identified.
%
An additional `safety check' circuit is then proposed and analysed.
This has no undetectable failure modes, but does have one
`dormant' failure mode.
%
This paper shows that once undetectable faults or dormant faults are discovered
the design can be altered (or have a safety feature added), and the FMMD analysis process can then be re-applied.
This can be an iterative process applied until the 
design has an acceptable level safety. % of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user
the possibility to refine a {\dc} from the perspective
of its failure mode behaviour.
}
}
{
\section{Introduction}
This chapter 
describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable and dormant faults.
%
As a working example, an industry standard mill-volt amplifier, intended for reading thermocouples,
circuit is analysed. 
It has an inbuilt `safety~resistor' which allows it 
to detect the thermocouple becoming disconnected/going OPEN.
%
This circuit is analysed from an FMMD perspective and 
and two undetectable failure modes are identified.
%
An additional `safety check' circuit is then proposed and analysed.
This has no undetectable failure modes, but does have one
`dormant' failure mode.
%
This paper shows that once undetectable faults or dormant faults are discovered
the design can be altered (or have a safety feature added), and the FMMD analysis process can then be re-applied.
This can be an iterative process applied until the 
design has an acceptable level safety. % of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user
the possibility to refine a {\dc} from the perspective
of its failure mode behaviour.

}

 
\section{How FMMD Analysis can reveal design flaws w.r.t. failure behaviour }

\ifthenelse {\boolean{paper}}
{
\paragraph{Overview of FMMD Methodology}
The principle of FMMD analysis is a five stage process, 
the collection of components into {\fg}s, 
which are analysed  w.r.t. their failure mode behaviour, 
the failure mode behaviour is then viewed from the 
{\fg} perspective (i.e. as a symptoms of the {\fg}) and
common  symptoms are then collected. The final stage
is to create a {\dc} which has the symptoms of the {\fg}
it was sourced from, as its failure modes.
%
%From the failure mode behaviour of the {\fg} common symptoms are collected.
These common symptoms are % in effect 
the failure mode behaviour of
the {\fg} viewed as an % single 
entity, or a `black box' component.
%
From the analysis of the {\fg} we can create a {\dc}, where the failure modes
are the symptoms of the {\fg} we derived it from.
}
{
\paragraph{Overview of FMMD Methodology}
To re-cap from chapter \ref{symptomex},
the principle of FMMD analysis is a five stage process,
the collection of components into {\fg}s,
which are analysed  w.r.t. their failure mode behaviour,
the failure mode behaviour is then viewed from the
{\fg} perspective (i.e. as a symptoms of the {\fg}),
common  symptoms are then collected. The final stage
is to create a {\dc} which has the symptoms of the {\fg}
it was sourced from, as its failure modes.
%
%From the failure mode behaviour of the {\fg} common symptoms are collected.
These common symptoms are % in effect 
the failure mode behaviour of
the {\fg} viewed as an % single 
entity, or a `black box' component.
%
From the analysis of the {\fg} we can create a {\dc}, where the failure modes
are the symptoms of the {\fg} we derived it from.
}
%
\paragraph{Undetectable failure modes.}
Within a functional group failure  symptoms will be detectable  
or undetectable.
The `undetectable' failure modes understandably, are the most worrying for the safety critical designer.
EN61058~\cite{en61508}, the statistically based failure mode European Norm, using ratios
of detected and undetected system failure modes to
classify the systems safety levels and describes sub-clasifications
for detected and undetected failure modes.
%\gloss{DU}
%\gloss{DD}

%It is these that are, generally the ones that stand out as single 
%failure modes. 
For instance, out of range values, are easy to detect by
systems using the {\dc} supplying them.
Undetectable faults are ones that supply incorrect information or states
where we have no way of knowing whether they are correct or not.
% we know we can cope with; they
%are an obvious error condition that will be detected by any modules
%using the {\dc}. 
%
Undetectable failure modes can introduce serious
errors into a SYSTEM.



\paragraph{Dormant faults.} 
A dormant fault is one
which can manifest its-self in conjunction with
another failure mode becoming active, or an environmental
condition changing (for instance temperature). 
Some
component failure modes may lead to dormant failure modes.
For instance a transistor failing OPEN when it is meant
to be in an OFF state would be a dormant fault.
Even though the fault is active, the transistor
is, for the time being, behaving correctly.
%
If we examine the circuit from both operational states,
i.e. the transistor when is is both meant to be ON and OFF
we can determine all the consequences of that particular failure.
%
More generally, by examining test cases from a functional group against all
operational states and germane environmental conditions
we can determine all the failure modes of the {\fg}.

\subsection{Iterative Design Example}

By applying FMMD analysis to a {\fg} we can determine which failure
modes of a {\dc} are undetectable or dormant.
We can then either modify the circuit and iteratively
apply FMMD to the design again, or we could add another {\fg}
that specifically tests for the undetectable/dormant conditions.

This
\ifthenelse {\boolean{paper}}
{
paper
}
{
chapter
}
describes a milli-volt amplifier (see  figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts 
as a potential divider to provide a mill-volt offset. An offset is often required to allow for negative readings from the 
milli-volt source.}
resistor (R18). The circuit is analysed and it is found that all but one component failure modes
are detectable.
We then design a circuit to test for the `undetectable' failure modes
and analyse this with FMMD.
The test circuit addition can now be represented by a {\dc}.
With both {\dcs} we then use them to form a {\fg} which we can call our `self testing milli-volt amplifier'.
We then analsye the {\fg} and the resultant {\dc} failure modes/symptoms are discussed.
\section{An example: A Millivolt Amplifier}

\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 678 690,keepaspectratio=true]{./fmmd_design_aide/mv_opamp_circuit.png}
 % mv_opamp_circuit.png: 678x690 pixel, 72dpi, 23.92x24.34 cm, bb=0 0 678 690
 \caption{Milli-Volt Amplifier with Safety/Offset Resistor}
 \label{fig:mv1}
\end{figure}

\subsection{Brief Circuit Description}

This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$)
\footnote{The resistors used to program the gain of the op-amp would typically be of a $ \le 1\%$ guaranteed
tolerance. In practise, the small variations would be corrected with software constants programmed during production
test/calibration.}.
An offset is applied to the input by R18 and R22 forming a potential divider
of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$.
This amplified offset
can be termed a $\Delta V$, an addition to the mV value provided by the sensor.
So the amplified offset is $\approx 342 \, mV$. 
We can determine the output of the amplifier
by subtracting this amount from the reading. We can also define an acceptable 
range for the readings. This would depend on the characteristics of milli-volt source, and also on the 
thresholds of the voltages considered out of range. For the sake of example let us
consider this to be a type K thermocouple amplifier, with a range of temperatures 
expected to be within {{0}\oc} and {{300}\oc}.

\paragraph{Voltage range for {{0}\oc} to {{300}\oc}.}
Choosing the common Nickel-Chromium v. Nickel Aluminium `K' type thermocouple,
{{0}\oc} provides an EMF of 0mV, and {{300}\oc} 12.207.
Multiplying these by 184 and adding the 1.86mV offset gives
342.24mV and 2563.12mV. This is now in a suitable range to be read by
an analogue digital converter, which will have a voltage span
typically between 3.3V and 5V~\cite{pic18f2523}.% on modern micro-controllers/ADC (Analogue Digital Converter) chips.
Note that this also leaves a margin or error on both sides of the range.
If the thermocouple were to become colder than {{0}\oc} it would supply
a negative voltage, which would subtract from the offset.
At around {{-47}\oc} the amplifier output would be zero;
but anything under say 10mV is considered out of range\footnote{We need some negative range 
to cope with cold junction compensation~\cite{aoe},
which is a subject beyond the scope of this paper}.
Thus the ADC can comfortably read out of range values
but controlling software can determine it as invalid.
Similarly anything over 2563.12mV would be considered out of range
but would be still within comfortable reading range for an ADC.
 
\section{FMMD Analysis}




\begin{table}[h+]
\caption{Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l|c||}
\hline \hline
 \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF}   \\
 \textbf{Case} &  \textbf{mode} & \textbf{       } &    \\ % \textbf{per $10^9$ hours of operation}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
TC:1 $R18$ SHORT    &  Amp plus input high        &  Out of range       &  1.38  \\ \hline
TC:2 $R18$  OPEN     &  No Offset Voltage         & \textbf{Low reading}     &  12.42\\ \hline
 \hline
TC:3 $R22$  SHORT    &  No offset voltage       & \textbf{Low reading}      & 1.38  \\ \hline
TC:4 $R22$  OPEN     &  Amp plus high input       & Out of Range      & 1.38  \\ \hline
\hline
TC:5 $R26$ SHORT     &  No gain from amp         &  Out of Range   &  1.38  \\
TC:6 $R26$ OPEN     &  Very high amp gain     & Out of Range     & 12.42 \\ \hline
\hline
TC:5 $R30$ SHORT     &  Very high amp gain         &  Out of range   &  1.38  \\
TC:6 $R30$ OPEN     &  No gain from amp            &  Out of Range     & 12.42 \\ \hline
\hline
TC:7 $OP\_AMP$ LATCH UP     &   high amp output         &  Out of range   &  1.38  \\
TC:8 $OP\_AMP$ LATCH DOWN     &  low amp output            &  Out of Range     & 12.42 \\ \hline

\end{tabular}
\label{tab:fmmdaide1}
\end{table}


This analysis process, which given the components R18,R22,R26,R30,IC1, has derived 
the component "milli-volt amplifier" with two failure modes, `Out of Range' and 
`Low reading'.
we can represent this in an FMMD hierarchy diagram, see figure \ref{fig:mvamp_fmmd}.

\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,keepaspectratio=true]{./fmmd_design_aide/mvamp_fmmd.jpg}
 % mvamp_fmmd.jpg: 281x344 pixel, 72dpi, 9.91x12.14 cm, bb=0 0 281 344
 \caption{FMMD analysis Hierarchy for Milli-Volt Amplifier}
 \label{fig:mvamp_fmmd}
\end{figure}

The table \ref{tab:fmmdaide1} shows two possible causes for an undetectable
error, that of a low reading due to the loss of the offset millivolt signal.
The loss of the $\Delta V$ would mean an incorrect temperature
reading would be made.
Typically this type of circuit would be used to read a thermocouple
and this error symptom, `low\_reading' would mean our plant could 
beleive that the temperature reading is lower than it actually is.
To take an example from a K type thermocouple, the offset of 1.86mV
%from the potential divider represents amplified to 
would represent  $\approx \; 46\,^{\circ}{\rm C}$~\cite{eurothermtables}~\cite{aoe}.

%\clearpage
\subsection{Undetected Failure Mode: Incorrect Reading}

Although statistically, this failure is unlikely (get stats for R short FIT etc from pt100 doc)
if the reading is considered critical, or we are aiming for a high integrity level
this may be unacceptable.
We will need to add some type of detection mechanism to the circuit to
test $R_{off}$ periodically.
%For instance were we to check $R_{off}$ every $\tau = 20mS$ work out detection
%allowance according to EN61508~\cite{en61508}.


\section{Proposed Checking Method}

Were we to able to switch a second resistor in series with the 
820R resistor (R22) and switch it out again, we could test 
that the safety resistor (R18) still functioning correctly.

With the new resistor switched in we would expect
the voltage added by the potential divider
to increase.

The circuit in figure \ref{fig:mvamp2} shows an bi-polar transistor % yes its menally ill and goes on mad shopping spreees etc
controlled by the `test line' connection, which can switch in the resitor R36
also with a value of \ohms{820}.

We could detect the effect on the reading with the potential divider
according to the following formula.

%% check figures
The potential divider is now $\frac{820R+820R}{2M2+820R+820R}$ over 5V ci this gives
3.724mV, amplified by 184 this is 0.685V \adcten{140}.
%
The potential divider with the second resistor
switched out is $\frac{820R}{2M2+820R}$ over 5V gives 1.86mV,
amplified by 184 gives 0.342V \adcten{70}.

This is a difference of \adcten{70} in the readings.

So periodically, perhaps even as frequently as once every few seconds
we can apply the checking resistor and look for a corresponding
change in the reading.

Lets us analyse this in more detail to prove that we are indeed checking for
the failure of the safety resistor, and that we are not introducing
any new problems.

First let us look at the new transistor and resistor and 
treat these as a functional group.

\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,keepaspectratio=true]{./fmmd_design_aide/test_circuit.png}
 % test_circuit.png: 239x144 pixel, 72dpi, 8.43x5.08 cm, bb=0 0 239 144
 \caption{Test circuit functional group}
 \label{fig:test_circuit}
\end{figure}


In our analysis of the failure modes we have to consider the operational
states of this circuit, which are
the transistor being switched ON and OFF.







\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,keepaspectratio=true]{./fmmd_design_aide/mv_opamp_circuit2.png}
 % mv_opamp_circuit2.png: 577x479 pixel, 72dpi, 20.35x16.90 cm, bb=0 0 577 479
 \caption{Amplifier with check circuit addition}
 \label{fig:mvamp2}
\end{figure}




\section{FMMD analysis of Safety Addition}


This test circuit has two operational states, in that it
can be switched on to apply the test series resistance, and 
off to obtain the correct reading.
%
We must examine each test case from these two perspectives.
For $\overline{TEST\_LINE}$  ON the transistor is turned OFF
and we are in a test mode and expect the reading to go up by around \adcten{70}.
For $\overline{TEST\_LINE}$ OFF the tranistor is on and R36 is by-passed,
and the reading is assumed to be valid.

\begin{table}[h+]
\caption{Test Addition Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|l|c||}
\hline \hline
 \textbf{test line } & \textbf{Test} & \textbf{Failure } & \textbf{Symptom } &  \\ %\textbf{MTTF}   \\
 \textbf{status}     & \textbf{Case} &  \textbf{mode} & \textbf{       } &    \\ % \textbf{per $10^9$ hours of operation}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
%% OK TR1 OFF , and so 36 in series. R36 has shorted so
$\overline{TEST\_LINE}$ ON  & TC:1 $R36$ SHORT     & No added resistance               &  NO TEST EFFECT           &  1.38  \\ \hline
%%
$\overline{TEST\_LINE}$ OFF  & TC:1 $R36$ SHORT      & dormant failure        &  NO SYMPTOM       & 1.38  \\ \hline
%% here TR1 should be OFF, as R36 is open we now have an open circuit
$\overline{TEST\_LINE}$ ON  & TC:2 $R36$  OPEN      & open circuit              &  OPEN CIRCUIT               & 12.42\\ \hline
%% here TR1 should be ON and R36 by-passed, the fact it has gone OPEN means no symptom here, a dormant failure.
$\overline{TEST\_LINE}$ OFF  & TC:2 $R36$  OPEN     & dormant failure              &  NO SYMPTOM               &  12.42\\ \hline
 \hline
%
%% TR1 OFF so R36 should be in series. Because TR1 is ON because it is faulty, R36 is not in series
$\overline{TEST\_LINE}$ LINE ON & TC:3   $TR1$  ALWAYS ON    &  No added resistance   &  NO TEST EFFECT      & 3  \\ \hline
%%
%% TR1 ON R36 should be bypassed by TR1, and it is, but as TR1 is always on we have a dormant failure.
$\overline{TEST\_LINE}$ OFF & TC:3   $TR1$  ALWAYS ON    &  dormant failure    &   NO SYMPTOM & 3  \\ \hline
%%
%% TR1 should be off as overline{TEST\_LINE}$ is ON. As TR1 is faulty it is always off and we have a dormant failure.
$\overline{TEST\_LINE}$ LINE ON & TC:4   $TR1$  ALWAYS OFF    &  dormant failure    &   NO SYMPTOM   & 8  \\ \hline
%%
%% TR1 should be ON, but is off due to TR1 failure. The resistance R36 will always be in series therefore
$\overline{TEST\_LINE}$ OFF & TC:4 $TR1$  ALWAYS OFF    & resistance always added       &    NO TEST EFFECT   &  8  \\ \hline
\hline
\end{tabular}
\label{tab:testaddition}
\end{table}








\subsection{Test Cases Analysis in detail}

The purpose of this circuit is to switch a resistance in when we want to test the circuit
and to switch it out for normal operation.
The control is provided by a line called $\overline{TEST\_LINE}$.
Thus to apply the test conditions we set $\overline{TEST\_LINE}$ to OFF or false
and to order normal operation we set it to ON or true.

\subsubsection{TC 1}
This test case looks at the shorted resistor failure mode of R36.
\paragraph{$\overline{TEST\_LINE}$ ON}
Here TR1 should be off and R36 should be in series. As R36 is shorted, this means that
no resistance will be contributed to the circuit by R36. 
In the terms of the behaviour
of the functional group, this means that it will provide no test effect.
\paragraph{$\overline{TEST\_LINE}$ OFF}
Here TR1 will be on and by-pass R36, so it does not make any difference if
R36 is shorted. This is a dormant failure, we can only detect this failure
when $\overline{TEST\_LINE}$ is ON.



\subsubsection{TC 2}
This test case looks at the open circuit resistor failure mode of R36.
\paragraph{$\overline{TEST\_LINE}$ ON}
Here TR1 should be off and R36 should be in series. As R36 is open, this means that
the test circuit is no open.
In the terms of the behaviour
of the functional group, this means that it will cause an open circuit failure.
\paragraph{$\overline{TEST\_LINE}$ OFF}
Here TR1 will be on and by-pass R36, so it does not make any difference if
R36 is open. This is a dormant failure, we can only detect this failure
when $\overline{TEST\_LINE}$ is ON.


\subsubsection{TC 3}
This test case looks at the transistor failure mode where TR1 is always ON.
\footnote{The transistor is being used as a switch, and so we can model it as having two failure modes ALWAYS ON or ALWAYS OFF.}
\paragraph{$\overline{TEST\_LINE}$ ON}
Here TR1 should be off and R36 should be in series. As TR1 is always ON, this means that
R36 will always be by-passed. Thus there will be no test effect.
\paragraph{$\overline{TEST\_LINE}$ OFF}
Here TR1 should be on and by-pass R36.
This is a dormant failure, we can only detect this failure
when $\overline{TEST\_LINE}$ is ON.

\subsubsection{TC 4}
This test case looks at the transistor failure mode where TR1 is always OFF.
\paragraph{$\overline{TEST\_LINE}$ ON}
Here TR1 should be OFF and R36 should be in series.
This is a dormant failure, we can only detect this failure
when the $\overline{TEST\_LINE}$ is OFF.
\paragraph{$\overline{TEST\_LINE}$ OFF}
Here TR1 should be ON, but is OFF due to failure.
The resistance R36 will always be in series.
As a symptom for this circuit, it means that there would be no test effect.


\subsection{conclusion of FMMD analysis on safety addition}

This test circuit has from its four component failure modes, 
3 failure symptoms $\{ NO TEST EFFECT,  NO SYMPTOM, OPEN CIRCUIT \}$
For the FMMD analysis in table \ref{tab:testaddition} we have two failure modes for its derived component
`no~test~effect' or `open~circuit'. There 
$NO SYMPTOM$ failure mode is dormant, but will be revealed when the test~line changes state.

The next stage is to combine the two derived components we have made into
a higher level functional group, see figure \ref{fig:testable_mvamp}. 

\section{FMMD Hierarchy, with milli-volt amp and safety addition}

We have created two derived components, the amplifier, and the test~circuit, we
now place them into a new functional group.
We can now analyse this functional
group w.r.t the failure modes of the two derived components.

\begin{figure}[h]
 \centering
 \includegraphics[width=300pt,bb=0 0 698 631,keepaspectratio=true]{./fmmd_design_aide/testable_mvamp.jpg}
 % testable_mvamp.jpg: 698x631 pixel, 72dpi, 24.62x22.26 cm, bb=0 0 698 631
 \caption{Testable milli-volt amplifier}
 \label{fig:testable_mvamp}
\end{figure}

\subsection{Analysis of FMMD Derived component `testable milli-volt amp'}

The failure mode of most concern is the undetectable failure `low~reading'. This has two potential
causes in the unmodified circuit, R22\_SHORT and R18\_OPEN.

\paragraph{R22\_SHORT with safety addition}
With the modified circuit, in the $\overline{TEST\_LINE}$ ON condition
TR1 will be off and we will have a reading + test $\Delta V$.
However with  $\overline{TEST\_LINE}$ OFF we have no potential divider.
R18 will pull the +ve terminal on the op-amp up, pushing the result out of range.
The failure is thus detectable.

\paragraph{R18\_OPEN with safety addition}
Here there is no potential divider. The $\overline{TEST\_LINE}$ will have no effect
which ever way it is switched. The failure mode is thus detectable.

\paragraph{Symptom Extraction for the Functional Group `testable mill-volt amplifier'}

We have four failure modes to consider in the functional group `testable mill-volt amplifier'.
These are 
\begin{itemize}
\item failure mode: open~potential~divider
\item failure mode: no~test~effect
\item failure mode: out~of~range
\item failure mode: low~reading
\end{itemize}

We can now collect symptoms; `open~potential~divider' from test will cause R18 to pull the +ve input of the opamp high
giving an out of range reading from the op-amp output.
We can group `low~reading' with `out~of~range'.
The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state.


%
% NB: the calculate MTTF here we have to traverse down the DAG
% adding XOR conditions and multiplying AND conditions
% 16MAR2011
%

\begin{table}[h+]
\caption{Testable Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l|c||}
\hline \hline
 \textbf{Test} & \textbf{Failure } & \textbf{Symptom } &  \\ % \textbf{MTTF}   \\
 \textbf{Case} &  \textbf{mode} & \textbf{       } &    \\ % \textbf{per $10^9$ hours of operation}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
TC:1 $testcircuit$ &  open potential divider       &  Out of range        &   \\ \hline % XX 1.38  \\ \hline
 \hline
TC:2 $testcircuit$ &  no test effect               &  no test effect &  \\ \hline % XX 1.38  \\ \hline
\hline
TC:3 $mvamp$       &  out of range                 &  Out of Range   &   \\ \hline % XX 1.38  \\
\hline
TC:4 $mvamp$       &  low reading                  &  Out of range \& no test effect  &   \\ \hline % XX 1.38  \\
\hline

\end{tabular}
\label{tab:fmmdaide2}
\end{table}



We now have two symptoms, `out~of~range' or `no~test~effect'. So for single component failures
we now have a circuit where there are no undetectable failure modes.

We can surmise the symptoms in a list.

\begin{itemize}
\item symptom: \textbf{out~of~range} caused by the failure modes: open~potential~divider, low~reading. 
\item symptom: \textbf{no~test~effect} caused by the failure modes: no~test~effect, low~reading.
\end{itemize}

\section{MTTF Reliability statistics}


%\clearpage
\subsection{OP-AMP FIT Calculations}
The DOD electronic reliability of components
document  MIL-HDBK-217F~\cite{mil1991}[5.1] gives formulae for calculating
the 
%$\frac{failures}{{10}^6}$ 
${failures}/{{10}^6}$ % looks better
hours for a wide range of generic components.
These figures are based on components from the 1980's and MIL-HDBK-217F
gives very conservative reliability figures when applied to
modern components. The formula for a generic packaged micro~circuit
is reproduced in equation \ref{microcircuitfit}. 
The meanings of and values assigned to its co-efficients are described in table \ref{tab:opamp}.

\begin{equation}
 {\lambda}_p = (C_1{\pi}_T+C_2{\pi}_E){\pi}_Q{\pi}_L 
 \label{microcircuitfit}
\end{equation}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% SIL assessment 8 PIN GENERAL OP-AMP
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
\begin{table}[ht]
\caption{OP AMP FIT assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
 \em{Parameter}      &  \em{Value}    &   \em{Comments} \\
                     &                &      \\ \hline \hline
 $C_1$     &  0.040    &   $300 \ge 1000$  BiCMOS transistors \\ \hline
 ${\pi}_T$ &  1.4         & max temp of $60^o$ C\\ \hline
 $C_2$     &  0.0026   &  number of functional pins(8) \\ \hline
 ${\pi}_E$ &  2.0         & ground fixed environment (not benign)\\ \hline
 ${\pi}_Q$ &  2.0         & Non-Mil spec component\\ \hline
 ${\pi}_L$ &  1.0         & More than 2 years in production\\ \hline

\hline \hline
\end{tabular}
\label{tab:opamp}
\end{table} 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Taking these parameters and applying equation \ref{microcircuitfit},
$$ 0.04 \times 1.4 \times 0.0026 \times 2.0 \times 2.0 \times 1.0 =  .0005824 $$
we get a value of $0.0005824 \times {10}^6$ failures per hour.
This is a worst case FIT\footnote{where FIT (Failure in Time) is defined as 
failures per Billion (${10}^9$) hours of operation} of 1. 

\subsection{Switching Transistor}

The switching transistor will be operating at a low frequency
and well within  50\% of its maximum voltage. We can also assume a benign
temperature environment of $ < 60^{o}C$.
MIL-HDBK-217F\cite{mil1992}[6-25]  gives an exmaple
transistor in these environmental conditions, and assigns an FIT value of 11.
%
The RAC failure mode distributuions manual~\cite{fmd91}[2-25] entry for 
bi-polar transistors, gives a 0.73 probability of them failing shorted, and a 0.23 probability of them failing OPEN.
%
For this exmaple, we can therefore use a FIT value of 8 ($0.73 \times 11$) the transistor failing
SHORT and a FIT of 3 ($0.27 \times 11$) failing OPEN.



\subsection{Resistors}
\ifthenelse {\boolean{paper}}
{
The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings 
and values assigned to its co-efficients are described in table \ref{tab:resistor}.

\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmodegloss

\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
 \label{resistorfit}
\end{equation}

\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
 \em{Parameter}      &  \em{Value}    &   \em{Comments} \\
                     &                &      \\ \hline \hline
 ${\lambda}_{b}$ &  0.00092        & stress/temp base failure rate  $60^o$ C  \\   \hline
 %${\pi}_T$ &  4.2         & max temp of $60^o$ C\\ \hline
 ${\pi}_R$ &  1.0         & Resistance range $< 0.1M\Omega$\\ \hline
 ${\pi}_Q$ &  15.0         & Non-Mil spec component\\ \hline
 ${\pi}_E$ &  1.0         & benign ground environment\\ \hline

\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}

Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
give the following failures in ${10}^6$ hours:

\begin{equation}
 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138  \;{failures}/{{10}^{6} Hours}
 \label{eqn:resistor}
\end{equation}

While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. 
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example 
compromises and uses a 90:10 ratio, for resistor failure. 
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED 
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to 60\oc is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}). 
This figure is referred to as a FIT\footnote{FIT values are measured as the number of 
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the 
FIT number the more reliable the fault~mode} Failure in time.
}
{ % CHAPTER
Resistors for this example are considered to have a FIT of 13.8, and  are expected to fail OPEN in 90\% of cases and SHORTED 
in the other 10\%.
This is described in detail with supporting references in \ref{resistorfit}.
}


\section{Conclusions}

With the safety addition the undetectable failure mode of \textbf{low~reading}
disappears. 
However, the overall reliability though goes down !
This is simply because we have more components that {\em can} fail.
%% Safety vs. reliability paradox.
%The sum of the MTTF's for the original circuit is DAH, and for the new one
%DAH. 
The circuit is arguably safer now
but statistically less reliable.

\paragraph{Practical side effect of checking for thermocouple disconnection}

Because the potential divider provides an offset as a side effect of detecting a disconnection
resistance in the thermocouple extension or compensation cable will have an effect.
For a `k' type thermocouple this would be of the order of $0.5 { }^{o}C$ for $10\Omega$ of
cable loop impedance. Therefore, accuracy constraints and cable impedance should be considered
to determine specified maximum compensation/extension lengths.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%