Robin_PHD/component_failure_modes_definition/component_failure_modes_definition.tex

\ifthenelse {\boolean{paper}}
{
\abstract{ 
This paper defines %what is meant by 
the terms
components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes.
%The application of Bayes theorem  in current methodologies, and
%the suitability of the `null hypothesis' or `P' value statistical approach
%are discussed.
The general concept of the cardinality constrained powerset is introduced
and calculations for it described, and then for
calculations under `unitary state' fault mode conditions.
Data types and their relationships are described using UML.
Mathematical constraints and definitions are made using set theory.}
}
{
\section{Overview}
This chapter defines %what is meant by 
the terms
components, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes.
The general concept of the cardinality constrained powerset is introduced
and calculations for it described, and then for
calculations under `unitary state' fault mode conditions.
Data types and their relationships are described using UML.
Mathematical constraints and definitions are made using set theory.
}

 
\section{Introduction}
This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method.
When analysing a safety critical system using 
this technique, we need clearly defined failure modes for
all the components that are used to model the system.
In our model we have  a constraint  that
the component failure modes must be mutually exclusive.
When this constraint is complied with we can use the FMMD method to 
build hierarchical bottom-up models of failure mode behaviour.
%This and the definition of a component are 
%described in this chapter.
%When building a system from components, 
%we should be able to find all known failure modes for each component.
%For most common electrical and mechanical components, the failure modes
%for a given type of part can be obtained from standard literature\cite{mil1991}
%\cite{mech}. %The failure modes for a given component $K$ form a set $F$.


%%
%% Paragraph component and its relationship to its failure modes
%%

\section{ Defining the term Component }


\begin{figure}[h]
 \centering
 \includegraphics[width=300pt,bb=0 0 437 141,keepaspectratio=true]{component_failure_modes_definition/component.jpg}
 % component.jpg: 437x141 pixel, 72dpi, 15.42x4.97 cm, bb=0 0 437 141
 \caption{A Component and its Failure Modes}
 \label{fig:component}
\end{figure}

Let us first define a component. This is anything which we use to build a 
product or system with. 
It could be something quite complicated 
like an integrated microcontroller, or quite simple like the humble resistor.
We can define a 
component by its name, a manufacturers' part number and perhaps
a vendors' reference number.
What these components all have in common is that they can fail, and fail in
a number of well defined ways. For common components
there is established literature for the failure modes for the system designer to consider (often with accompanying statistical
failure rates)\cite{mil1991}. For instance, a simple resistor is generally considered 
to fail in two ways, it can go open circuit or it can short.  
Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$.
The UML diagram in figure 
\ref{fig:component} shows a component as a data
structure with its associated failure modes.

From this diagram we see that each component must have at least one failure mode.
To clearly show that the failure modes are mutually exclusive states, or unitary states associated with one component,
each failure mode is referenced back to only one component. 

%%-%% MTTF STATS CHAPTER MAYBE ??
%%-%%
%%-%% This modelling constraint is due to the fact that even generic components with the same 
%%-%% failure mode types, may have different statistical MTTF properties within the same 
%%-%% circuitry\footnote{For example, consider resistors one of high resistance and one low.
%%-%% The generic failure modes for a resistor will be the same for both.
%%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}.


A product naturally consists of many components and these are traditionally
kept in a `parts list'. For a safety critical product this is usually a formal document
and is used by quality inspectors to ensure the correct parts are being fitted.
The parts list is shown for
completeness here, as people involved with PCB and electronics production, verification
and testing would want to know where it lies in the model.
The parts list is not actively used in the FMMD method.
For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components.
\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 712 68,keepaspectratio=true]{component_failure_modes_definition/componentpl.jpg}
 % componentpl.jpg: 712x68 pixel, 72dpi, 25.12x2.40 cm, bb=0 0 712 68
 \caption{Parts List of Components}
 \label{fig:componentpl}
\end{figure}

Components in the parts list % (bought in parts) 
will be termed `base~components'.
Components derived from base~components will not always require 
parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts,
software modules and some collections of components to have part numbers.
This is a production/configuration~control issue and linked to Bill of Material (BOM)
database structures etc. Parts numbers for derived components are not directly related to the analysis process
we are concerned with here.}, and will
not require a vendor reference, but must be named locally in the FMMD model.

We can term `modularising a system', to mean recursively breaking it into smaller sections for analysis.
When modularising a system from the top~down, as in Fault Tree Analysis\cite{nasafta}\cite{nucfta} (FTA)
it is common to term the modules identified as sub-systems.
When building from the bottom up, it is more meaningful to call them `derived~components'.
 

%%
%% Paragraph using failure modes to build from bottom up
%%

\section{Fault Mode Analysis, \\ top down or bottom up?}

Traditional static fault analysis methods work from the top down.
They identify faults that can occur in a system, and then work down
to see how they could be caused. Some apply statistical techniques to
determine the likelihood of component failures 
causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse,
can be applied to specific failure modes in components and the probability of them causing given system level errors.
Another top down technique is to apply cost benefit analysis 
to determine which faults are the highest priority to fix\cite{bfmea}.
The aim of FMMD analysis is to produce complete  failure
models of safety critical systems  from the bottom-up,
starting, where possible with known base~component failure~modes.

An advantage of working from the bottom up is that we can ensure that
all component failure modes must be considered. A top down approach
can miss individual failure modes of components\cite{faa}[Ch.~9],
especially where they are non obvious top-level faults.

In order to analyse from the bottom-up, we need to take
small groups of components from the parts~list that naturally
work together to perform a simple function;
the components to include in a  {\fg} are chosen by a human, the analyst.
%We can represent the `Functional~Group' as a class. 
 When we have a 
`{\fg}' we can look at the components it contains,
and from this determine the failure modes of all the components that belong to it.
%
% and determine a failure mode model for that group.
The `{\fg}' as used by the analyst is a collection of component failures modes.
Each of these failure modes, and optionally combinations of them, are
analysed for their effect on the failure mode behaviour of the `{\fg}'.
%
From this we can determine a new set of failure modes, the failure modes of the
`{\fg}'.
% 
Or in other words we can determine how the `{\fg}' can fail.
We can now consider the {\fg} as a sort of super component
with a known set of failure modes.


\subsection{From functional group to newly derived component}

The process for taking a {\fg}, considering
all the failure modes of all the components in the group,
and analysing it is called `symptom abstraction' and 
is dealt with in detail in chapter \ref{symptom_abstraction}.
% define difference between a \fg and a \dc
A {\fg} is a collection of components, a {\dc} is a new `theorectical'
component which has a set of failure modes, which
correspond to the failure modes of the {\fg} is was derived from.
We could consider a {\fg} as a black box, or component 
to use, and in this case it would have a set of failure modes.
Looking at the {\fg} in this way is seeing it as a {\dc}.

In terms of our UML model, the symptom abstraction process takes a {\fg}
and creates a new {\dc} from it.
%To do this it first creates
%a new set of failure modes, representing the fault behaviour
%of the functional group. This is a human process and to do this the analyst
%must consider all the failure modes of the components in the functional
%group.
The newly created {\dc} requires a set of failure modes of its own.
These failure modes are the failure mode behaviour of the {\fg} that it was derived from.
Because these new failure modes were derived from a {\fg} we can call 
these `derived~failure~modes'.
%It then creates a new derived~component object, and associates it to this new set of derived~failure~modes.
We thus have a `new' component, or system building block, but with a known and traceable
fault behaviour.

The UML representation shows a `functional group' having a one to one relationship with a derived~component.
We can represent this using a UML diagram in figure \ref{fig:cfg}.

The symbol $\bowtie$ is used to indicate the analysis process that takes a
functional group and converts it into a new component.

This can be expresed as
\[ \bowtie ( FG ) \mapsto DerivedComponent \].


\begin{figure}[h]
 \centering
 \includegraphics[width=400pt,bb=0 0 712 286,keepaspectratio=true]{component_failure_modes_definition/cfg.jpg}
 % cfg.jpg: 712x286 pixel, 72dpi, 25.12x10.09 cm, bb=0 0 712 286
 \caption{UML Meta model for FMMD hierarchy}
 \label{fig:cfg}
\end{figure}


\subsection{Keeping track of the derived \\ components position in the hierarchy}

The UML meta model in figure \ref{fig:cfg}, shows the relationships
between the classes and sub-classes.
In use we will build a hierarchy of
objects, with derived~components forming functional~groups, and creating
derived components higher up in the structure.
The level variable in each component,
indicates the position in the hierarchy. Base or parts~list components
have a `level' of 0. 
% I do not know how to make this simpler
Derived~components take a level based on the highest level
component used to build the functional group it was derived from plus 1.
So a derived component built from base level or parts list components
would have a level of 1.
%\clearpage



% \section{Set Theory Description}
% 
% $$ System \stackrel{has}{\longrightarrow} PartsList $$
% 
% $$ PartsList  \stackrel{has}{\longrightarrow} Components $$
% 
% $$ Component \stackrel{has}{\longrightarrow} FailureModes $$
% 
% $$ FunctionalGroup  \stackrel{has}{\longrightarrow} Components $$
% 
% Using the symbol $\bowtie$ to indicate an analysis process that takes a
% functional group and converts it into a new component.
% 
% $$ \bowtie ( FG ) \mapsto DerivedComponent $$
% 

\subsection{Relationships between functional~groups and failure modes}




Let the set of all possible components  be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$.

We can define a function $FM$  

\begin{equation}
FM : \mathcal{C} \mapsto \mathcal{P}\mathcal{F}
\end{equation}

defined by, where C is a component and F is a set of failure modes.

$$  FM ( C ) = F $$

\paragraph{Finding all failure modes within the functional group}

For FMMD failure mode analysis we need to consider the failure modes
from all the components in a functional~group as a flat set.
Consider the components in a functional group to be $C$  indexed by j thus $C_j$.
The flat set of failure modes we are after can be found by applying function $FM$ to all the components
in the functional~group and taking the union of them thus:

$$ FunctionalGroupAllFailureModes = \bigcup_{j \in \{1...n\}} FM(C_j) $$

We can actually overload the notation for the function FM
and define it for the set components within a functional group $FG$ (i.e. where $FG \subset \mathcal{C} $) thus:

\begin{equation}
FM : FG \mapsto \mathcal{F}
\end{equation}


\section{Unitary State Component \\ Failure Mode sets}

\paragraph{Design Descision/Constraint}
An important factor in defining a set of failure modes is that they
should be as clearly defined as possible.
It should not be possible, for instance for
a component to have two or more failure modes active at once.
Having a set of failure modes where $N$ modes could be active simultaneously
would mean having to consider an additional $2^N-1$ failure mode scenarios.
Should a component be analysed and simultaneous failure mode cases exit,
the combinations could be represented by new failure modes, or
the component should be considered from a fresh perspective,
perhaps considering it as several smaller components
within one package.





\begin{definition}
A set of failure modes where only one fault mode
can be active at a time is termed a `unitary~state' failure mode set.
%This is termed the $U$ set thoughout this study.
This corresponds to the `mutually exclusive' definition in 
probability theory\cite{probstat}.
\end{definition}

Let the set of all possible components to be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$.
%
%We can define a function $FM$  
%
%\begin{equation}
%FM : \mathcal{C} \mapsto \mathcal{F}
%\end{equation}
%
%defined by
%
%$$  FM ( C ) = F $$
%
%i.e. take a given component $C$ and return its set of failure modes $F$.
%
\begin{definition}
We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where
the component failure modes in each of its members are unitary~state.
Thus if the failure modes of $F$ are unitary~state, we can say $F \in \mathcal{U}$.
\end{definition}

\section{Component failure modes:\\ Unitary State example}

An example of a component with an obvious set of  ``unitary~state'' failure modes is the electrical resistor.

Electrical resistors can fail by going OPEN or SHORTED.

For a given resistor R we can apply the 
the function $FM$ to find its set of failure modes thus  $ FM(R) =  \{R_{SHORTED},R_{OPEN}\} $.
A resistor cannot fail with both conditions open and short active at the same time! The conditions
OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=FM(R)$ is `unitary~state'.


Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.

$$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$
therefore
$$ FM(R) \in \mathcal{U} $$


We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection
of component failure modes.
We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns 
whether a fault mode is active (true) or dormant (false).

We can say that if any pair of fault modes is active at the same time, then the failure mode set is not
unitary state:
we state this formally


 \begin{equation}
  \forall f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} 
 \end{equation}


% 
% \begin{equation}
%  c1 \cap c2 \neq \emptyset  | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U
% \end{equation}

That is to say that it is impossible that any pair of failure modes can be active at the same time
for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$.
Note where there are more than two failure~modes, 
by banning any pairs from being active at the same time,
we have banned larger combinations as well.

\section{Handling Simultaneous \\ Component Faults}

For some integrity levels of static analysis, there is a need to consider not only single
failure modes in isolation, but cases where more then one failure mode may occur
simultaneously.
It is an implied requirement of EN298\cite{en298} for instance to consider double simultaneous faults.
To generalise, we may need to consider $N$ simultaneous 
failure modes when analysing a functional group. This involves finding
all combinations of failures modes of size $N$ and less.
The Powerset concept from Set theory is useful to model this.
The powerset, when applied to a set S is the set of all subsets of S, including the empty set 
\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
is no fault active in the functional~group under analysis.}
and S itself.
In order to consider combinations for the set S where the number of elements in each sub-set of S is $N$ or less, a concept of the `cardinality constrained powerset'
is proposed and described in the next section. 

%\pagebreak[1] 
\subsection{Cardinality Constrained Powerset }
\label{ccp}

A Cardinality Constrained powerset is one where sub-sets of a cardinality greater than a threshold
are not included. This threshold is called the cardinality constraint.
To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
Consider the set $S = \{a,b,c\}$. 

The powerset of S: 

$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$


$\mathcal{P}_{2} S $ means all subsets of S where the cardinality of the subsets is 
less than or equal to 2 or less.

$$ \mathcal{P}_{2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$

Note that $\mathcal{P}_{1} S $ for this example is:

$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$

\paragraph{Calculating the number of elements in a cardinality constrained powerset}

A $k$ combination is a subset with $k$ elements.  
The number of $k$ combinations (each of size $k$) from a set $S$ 
with $n$ elements (size $n$) is the binomial coefficient

$$ C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!}$$

To find the number of elements in a cardinality constrained subset S with up to $cc$ elements
in each combination sub-set,
we need to sum the combinations, 
%subtracting $cc$ from the final result 
%(repeated empty set counts)
from $1$ to $cc$ thus

%
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
%

\begin{equation}
 |{\mathcal{P}_{cc}S}| = \sum^{k}_{1..cc} \frac{|{S}|!}{ k! ( |{S}| - k)!}    
 \label{eqn:ccps}
\end{equation}



\subsection{Actual Number of combinations to check \\ with Unitary State Fault mode sets}

Where all the fault modes in $S$ were to be independent,
the cardinality constrained powerset
calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check.
Because  sets of failure modes in FMMD analysis are constrained to be unitary state,
the actual number of test cases to check will usually 
be less than this. 
This is because combinations of faults within a components failure mode set,
are impossible under the conditions of  unitary state failure mode.
To correct equation \ref{eqn:ccps} we must subtract the number of component `internal combinations'
for each component in the functional group under analysis.
Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. 
For example, say 
the cardinality constraint was 3, we would need to subtract both
$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group.

\subsubsection{Example: Two Component functional group \\ cardinality Constraint of 2}

For example: were we to have a simple functional group with two components R and T, of which
$$FM(R) = \{R_o, R_s\}$$ and $$FM(T) = \{T_o, T_s, T_h\}$$.

This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set 
of $FM(FG) = \{R_o, R_s, T_o, T_s, T_h\}$

For a cardinality constrained powerset of 2, because there are 5 error modes ( $|FM(FG)|=5$),
applying equation \ref{eqn:ccps} gives :-

$$\frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!}  = 15$$

This is composed of ${5 \choose 1}$
five single fault modes, and ${5 \choose 2}$ ten double fault modes.
However we know that the faults are mutually exclusive within a component.
We must then subtract the number of `internal' component fault combinations 
for each component in the functional~group.
For component R there is only one internal component fault that cannot exist
$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has 
  three  fault modes ${3 \choose 2} = 3$.
Thus for $cc == 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$.
The number of combinations to check is thus 11, $|\mathcal{P}_{2}(FM(FG))| = 11$, for this example and this can be verified
by listing all the required combinations:



$$ \mathcal{P}_{2}(FM(FG)) =  \{
 \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
 \}
$$

And by inspection
$$ 
| 
\{
    \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
\}
| = 11 
$$


\pagebreak[1]
\subsubsection{Establishing Formulae for unitary state failure mode \\
cardinality calculation}

The cardinality constrained powerset in equation \ref{eqn:ccps}, can be corrected for 
unitary state failure modes.
This is written as a general formula in equation \ref{eqn:correctedccps}. 

%\indent{
where :
\begin{itemize}
\item Let $C$ be a set of components (indexed by $j \in  J$)
that are members of the functional group $FG$
i.e. $ \forall j \in J | C_j \in FG $
\item Let $|FM({C}_{j})|$
indicate the number of mutually exclusive fault modes of each component
\item Let $FM(FG)$ be the collection of all failure modes
from all the components in the functional group. 
\item Let $SU$ be a set of failure modes from the functional group,
where all contributing components $C_j$ 
are guaranteed to be `unitary state' i.e. $(SU = FM(FG)) \wedge (\forall j \in J | FM(C_j) \in \mathcal{U}) $
\end{itemize}
%}


\begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}  
- \sum^{p}_{2..cc}{{\sum^{j}_{j \in J} {|FM({C_{j})}| \choose p}}} 
 \label{eqn:correctedccps}
\end{equation}

Expanding the combination in equation \ref{eqn:correctedccps}


\begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}   
- \sum^{p}_{2..cc}{{\sum^{j}_{j \in J}   \frac{|FM({C_j})|!}{p!(|FM({C_j})| - p)!}}  }
 \label{eqn:correctedccps2}
\end{equation}

Equation \ref{eqn:correctedccps2} is useful for an automated tool that
would verify that an `N' simultaneous failures model had complete failure mode coverage.
By knowing how many test cases should be covered, and checking the cardinality
associated with the test cases, complete coverage would be verified.


\pagebreak[1]
\section{Component Failure Modes \\ and Statistical Sample Space}
%\paragraph{NOT WRITTEN YET PLEASE IGNORE}
A sample space is defined as the set of all possible outcomes.
For a component in FMMD analysis, this set of all possible outcomes is its normal correct
operating state and all its failure modes.
When dealing with failure modes, we are not interested in 
the state where the component is working perfectly or `OK' (i.e. operating with no error).
We are interested only in ways in which it can fail.
By definition while all components in a system are `working perfectly' 
that system will not exhibit faulty behaviour.
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} $$
The failure mode set $F$ for a given component or derived~component $C$
is therefore
$$ F = \Omega(C) \backslash OK $$

The $OK$ statistical case is the largest in probability, and is therefore
of interest when analysing systems from a statistical perspective.
This is of interest for the application of conditional probability calculations
such as Bayes theorem.

\vspace{40pt}