Robin_PHD/submission_thesis/CH7_Conclusion/copy.tex

\section{Further Work}

\subsection{Environment, operational states and inhibit gates: additions to the UML model.}

FTA~\cite{nasafta,nucfta} models environmental, operational state and inhibit gates, and these can be incorporated into
the FMMD model.

A  system will be expected to perform in a given environment.
%
Environment in the context of this study
means external influences under which the System could be expected to work. % under.
%
A typical data sheet for an electrical component will give 
a working temperature range, for instance.
Mechanical components could  be specified for stress and loading limits.


Systems may have distinct operational states. For instance, a safety critical controller
may have a LOCKOUT state where it has detected a serious problem and will not continue to operate until 
authorised human intervention takes place.
A safety critical circuit may have a self test mode which could be operated externally.
%
Operational states and environmental conditions must be factored into the UML model.

\paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
levels of electrical interference, high voltage contamination on supply
lines, radiation levels etc.
Environmental influences will affect specific components in specific ways.\footnote{A good example of a part 
affected by environmental conditions, in this case temperature, is the opto-isolator~\cite{tlp181}
which is typically affected at around {60 \oc}. Most electrical components are more robust to temperature variations.}.
Environmental analysis is thus applicable to components.
Environmental influences, such as over stress due to voltage
can be eliminated by down-rating of components as discussed in section~\ref{sec:determine_fms}.
With given environmental constraints, we can therefore eliminate some failure modes from the model.


\paragraph{Operational states.}
Within the field of safety critical engineering, we often encounter 
elements that include test or self-test facilities. 
%
We also encounter degraded performance
(such as only performing functions in an emergency) and lockout/emergency conditions.
These can be broadly termed operational states. %, and apply to the 
%functional groups.
%
We need to determine which UML class is most appropriate to hold a relationship
to operational states.
%
Consider for instance an electrical circuit that has a TEST line.
When the TEST line is activated, it supplies a test signal
which will validate the circuit. This circuit will have two operational states,
NORMAL and TEST mode.
%
It seems better to apply the operational states to {\fgs}.
%
Functional groupings by definition implement functionality, or purpose, and therefore are the best objects to model
operational states.% with.

\paragraph{Inhibit Conditions.}
A third data class may be required if modelling of inhibit conditions~\cite{nasatfa}[p.40] is desired.
Some failure modes may only be active given specific environmental conditions
or when other failures are already active.
To model this, an `inhibit' class has been added.
This is an optional attribute of 
a failure mode. This inhibit class can be triggered
on a combination of environmental or failure modes.






\paragraph{UML Diagram Additional Objects.}
The additional objects System, Environment and Operational States
are added to  UML diagram in figure \ref{fig:cfg} are represented in figure \ref{fig:cfg2}.

\label{completeumlfurtherwork}

\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,keepaspectratio=true]{./CH7_Conclusion/master_uml_further_work.png}
 % cfg2.png: 702x464 pixel, 72dpi, 24.76x16.37 cm, bb=0 0 702 464
 \caption{FMMD UML diagram, incorporating Environmental, Operational State and Inhibit gates}
 \label{fig:cfg2}
\end{figure}