Robin_PHD/fmmd_concept/System_safety_2011/submission.tex

 \documentclass[twocolumn]{article}
%\documentclass[a4paper,10pt]{report}
\usepackage{graphicx}
\usepackage{fancyhdr}
\usepackage{tikz}
\usepackage{amsfonts,amsmath,amsthm}
\usetikzlibrary{shapes.gates.logic.US,trees,positioning,arrows}
%\input{../style}
\usepackage{ifthen}
\usepackage{lastpage}
\usetikzlibrary{shapes,snakes}



%\newboolean{paper}
%\setboolean{paper}{true} % boolvar=true or false

\newcommand{\oc}{\ensuremath{^{o}{C}}}
\newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}}
\newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}}
\newcommand{\ohms}[1]{\ensuremath{#1\Omega}}
\newcommand{\fg}{\em functional~group}
\newcommand{\fgs}{\em functional~groups}
\newcommand{\dc}{\em derived~component}
\newcommand{\dcs}{\em derived~components}
\newcommand{\bc}{\em base~component}
\newcommand{\bcs}{\em base~components}
\newcommand{\irl}{in real life}
\newcommand{\enc}{\ensuremath{\stackrel{enc}{\longrightarrow}}}
\newcommand{\pin}{\ensuremath{\stackrel{pi}{\longleftrightarrow}}}
%\newcommand{\pic}{\em pure~intersection~chain}
\newcommand{\pic}{\em pair-wise~intersection~chain}
\newcommand{\wrt}{\em with~respect~to} 
\newcommand{\abslevel}{\ensuremath{\Psi}}
\newcommand{\fmmdgloss}{\glossary{name={FMMD},description={Failure Mode Modular De-Composition, a bottom-up methodolgy for incrementally building failure mode models, using a procedure taking functional groups of components and creating derived components representing them, and in turn using the derived components to create higher level functional groups, and so on, that are used to build a failure mode model of a SYSTEM}}}
\newcommand{\fmodegloss}{\glossary{name={failure mode},description={The way in which a failure occurs. A component or sub-system may fail in a number of ways, and each of these is a 
failure mode of the component or sub-system}}}
\newcommand{\fmeagloss}{\glossary{name={FMEA}, description={Failure Mode and Effects analysis (FMEA) is a process where each potential failure mode within a SYSTEM, is analysed to determine SYSTEM level failure modes, and  to then classify them {\wrt} perceived severity}}}
\newcommand{\frategloss}{\glossary{name={failure rate}, description={The number of failure within a population (of size N), divided by N over a given time interval}}}
\newcommand{\pecgloss}{\glossary{name={PEC},description={A Programmable Electronic controller, will typically consist of sensors and actuators interfaced electronically, with some firmware/software component in overall control}}}
\newcommand{\bcfm}{base~component~failure~mode}
\def\layersep{2.5cm}

\begin{document}
\pagestyle{fancy}
\fancyhf{}
\fancyhead[LO]{}
\fancyhead[RE]{\leftmark}

\cfoot{Page \thepage\ of \pageref{LastPage}}
\rfoot{\today}
\lhead{Developing a rigorous bottom-up modular static failure mode modelling methodology}
                                   % numbers at outer edges
\pagenumbering{arabic}                        % Arabic page numbers hereafter
\author{R.P.Clark$^\star$ , A.~Fish$^\dagger$ , C.~Garret$^\dagger$, J.~Howse$^\dagger$  \\     
         $^\star${\em Energy Technology Control, 25 North Street, Lewes, BN7 2PE, UK} \and $^\dagger${\em University of Brighton, UK} 
}

\title{Developing a rigorous bottom-up modular static failure mode modelling methodology}
%\nodate
\maketitle 


\abstract{
The certification process of safety critical products for European and 
other international standards often demand environmental stress, 
endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing',
is often also required. In general static testing will reveal modifications that must be made to
improve the product safety, or identify theoretical weaknesses in the design.
This paper proposes a new theoretical methodology for creating failure mode models of % safety critical i
systems.
It has a common notation for mechanical, electronic and software domains and is modular and hierarchical.
These properties provide advantages in rigour and efficiency when compared to current methodologies.
}

\section{Introduction}

This paper describes and criticises the four current failure mode methodologies,
presents a table of the deficiencies and advantages, and then presents a new proposed
methodology. A worked example is then provided, which models the failure mode
behaviour of a non inverting op-amp.

 
\paragraph{Current methodologies} 

We briefly analyse the four current methodologies.

\paragraph{Fault Tree Analysis (FTA)}

FTA is a top down methodology in which a hierarchical diagram is drawn for
each undesirable top level failure, presenting the conditions that must arise to cause
the event. 
%
It is suitable for large complicated systems with few undesirable top
level failures and focuses on those events considered most important or most catastrophic.
%
Effects of duplication/redundancy of safety systems can be readily assessed. 
It uses notations that are readily understood by engineers (logic symbols from digital electronics and a fault hierarchy). 
However, it cannot guarantee to model all base component failure modes 
or be used to determine system level errors other than those modelled. 
%
Each FTA diagram models one top level event.
This creates duplication of modelled elements, 
and there is no facility to cross check between diagrams. It has limited 
support for environmental and operational states.


\paragraph{Fault Mode Effects Analysis FMEA)} is used principally in manufacturing. 
Each top level failure is assessed by its cost to repair and its frequency,%, using a 
%failure mode ratio. 
A list of failures and their cost is then calculated. 
It is easy to identify single component failure to system failure scenarios 
and an estimate of product reliability can be calculated. 
%
It cannot focus on 
component interactions that cause system failure modes or determine potential 
problems from simultaneous failure modes. It does not consider environmental 
or operational states in sub-systems or components. It cannot model 
self-checking safety elements or other in-built safety features or 
analyse how particular components may fail.

\subsection{Fault Mode Effects Analysis FMEA)}
FMEA is used principally in manufacturing. 
Each defect is assessed by its cost to repair and its frequency. %, using a 
%failure mode ratio. 
A list of failures and their cost is generated. 
It is easy to identify single component failure to system failure scenarios, 
and an estimate of product reliability can be calculated. It cannot focus on 
component interactions that cause system failure modes or determine potential 
problems from simultaneous failure modes. It does not consider environmental 
or operational states in sub-systems or components. It cannot model 
self-checking safety elements or other in-built safety features or 
analyse how particular components may fail.


\paragraph{Failure Mode Criticality Analysis (FMECA)} is a refinement of FMEA, using 
two extra variables: the probability of a component failure mode occurring 
and the probability that this will cause a top level failure, and the perceived 
criticallity. It gives better estimations of product reliability/safety and the 
occurrence of particular system failure modes than FMEA but has similar deficiencies.


\paragraph{Failure Modes, Effects and Diagnostic Analysis (FMEDA)} is a refinement of 
FMEA and FMECA and models self-checking safety elements. It assigns two 
attributes to component failure modes: detectable/undetectable and safe/dangerous.
 Statistical measures about the system can be made and used to classify a 
safety integrity level. It allows designs with in-built safety features to be assessed. 
Otherwise, it has similar deficiencies to FMEA but has limited support 
for environmental and operational states in sub-systems or components, 
via self checking statistical mitigation. FMEDA is the methodology associated with 
the safety integrity standards IOC5108 and EN61508~\cite{en61508}.

\subsection{Summary of Defeciencies in Current Methods}

\paragraph{Top Down approach: FTA} The top down technique FTA, introduces the possibility of missing base component
level failure modes~\cite{faa}[Ch.9]. Since one FTA tree is drawn for each top level
event, this leads to repeated work, with limited ability for cross checking/model validation.

%\subsection{Bottom-up approach: }

\paragraph{State Explosion problem for FMEA, FMECA, FMEDA.}
The bottom -up techniques all suffer from a problem of state explosion.
To perform the analysis rigorously, we would need to consider the effect
of a component failure against all other components. Adding environmental
and operational states further increases this effect.

Let N be the number of components in our system, and K be the average number of component failure modes
(ways in which a component can fail). The approximate total number of base component failure modes
is $N \times K$. To examine the effect that one failure mode has on all 
the other components\footnote{A %base 
component failure will typically affect the sub-system
it is part of, and create a failure effect at the SYSTEM level.}
will be $(N-1) \times N \times K$. %, in effect a very large set cross product.
If $E$ is the number of environmental conditions to consider
in a system, and $A$ the number of applied/operational states (or modes of the SYSTEM),
the bottom-up analyst is presented with two
additional %cross product 
factors, 
$(N-1) \times N \times K \times E \times A$.
If we put some typical very small embedded system numbers\footnote{these figures would
be typical of a very simple temperature controller, with a micro-controller sensor 
and heater circuit.} into this, say $N=100$, $K=2.5$, $A=2$, and $E=10$
we have $99 \times 100 \times 2.5 \times 10 \times 2 = 495000 $.
To look in detail at a half of a million test cases is obviously impractical.
% Requirements for an improved methodology The deficiencies identified in the 
% current methodologies are used to establish criteria for an improved methodology.

% \paragraph{Reasoning distance - complexity and reach-ability.}
% Tracing a component level failure up to a top level event, without the rigour accompanying state explosion, involves
% working heuristically. A base component failure will typically 
% be conceptually removed by several stages from a top level event.
% The `reasoning~distance' $R_D$ can be calculated by summing the failure modes in each component, for all components
% that must interact to reach the top level event.
% Where $C$ represents the set of components in a failure mode causation chain,
% $c_i$ represents a component in $C$ and
% the function $fm$ returns the  failure modes for a given component, equation
% \ref{eqn:complexity}, returns the `reasoning~distance'.
% \begin{equation}
% R_D = \sum_{i=1}^{|C|} |{fm(c_i)}| %\; where \; c \in C
% \label{eqn:complexity} 
% \end{equation}
% 
% The reasoning distance is a value representing the number of failure modes
% to consider to rigorously determine the causation chain
% from the base component failure to the SYSTEM level event.
% 
% The reasoning distance serves to show that when the causes of a top level
% event are completely determined, a large amount of work not
% typical of heuristic or intuitive interpretation is required.
% % could have a chapter on this.
% % take a circuit or system and follow all the interactions
% % to the components that cause the system level event.

\paragraph{Multiple Events from one base component failure mode}
A base component failure may potentially cause more than one
SYSTEM level failure mode.
It would be possible to identify one top level event associated with
a {\bcfm} and not investigate other possibilities. 
 
%\section{Requirements for a new static failure mode Analysis methodology}

\section{Desireable Criteria for a failure mode methodology}.
From the deficiencies outlined above, ideally  we can form a set of desirable criteria for a better methodology.
{ \small
\begin{enumerate}
%\begin{itemize}
\label{fmmdreq}
\item Address the state explosion problem. % 1
\item Ensure that all component failure modes be considered in the model. % 2
\item Be easy to integrate mechanical, electronic and software models \cite{sccs}[pp.287]. %3
\item Be re-usable, in that commonly used modules can be re-used in other designs/projects. %4
\item It should have a formal basis, that is to say, be able to produce mathematical traceability %5
for its results, such as  error causation trees.%, reliability and safety statistics.
%\item It should be easy to use, ideally using a 
%graphical syntax (as opposed to a formal symbolic/mathematical text based language).
%\item From the top down, the failure mode model should follow a logical de-composition of the functionality
%to smaller and smaller functional groupings \cite{maikowski}.
\item Be able to model multiple (simultaneous) failure modes.% 6 % from the base component level up.
\end{enumerate}
%\end{itemize}
}


% 

% The design process follows this 
%rationale, sub-systems are build t%o perform often basic functions from base components.
%We can term these small groups {\fgs}.
% 
% Components should be collected
% into small functional groups to enable the examination of the effect of a
% component failure mode on the other components in the group.
% Once we have the failure modes, or symptoms of failure of a {\fg}
% it can now be considered as `derived component' with a known set 
% of failure symptoms. We can use this `derived component' to build higher level 
% functional groups.
% 
% This helps with the reasoning distance problem,
% because we can trace failure modes back through complex interactions and have a structure to
% base our reasoning on, at each stage.
% 


%Development of the new methodology 
% 
% \section{An ontology of failure modes}
% In order to address the state explosion problem, the process must be modular
%and deal with small groups of components at a time. This approach should address the state explosion problem : criteria 1.
% An ontology is now developed of  
% failure modes and their relationship to environmental factors, 
% applied/operational states and the hierarchical nature inherent in product design, 
% defining the relationships between the system as a whole, components, 
% failure modes, operational and environmental states. 
% 
% 
% Components have sets of failure modes associated with them.
% Failure modes for common components may be found in 
% the literature~\cite{fmd91,mil1991}.
% We can associate a component with its failure modes.
% This is represented in UML in figure \ref{fig:component_concept}.
% 
% \begin{figure}[h]
%  \centering
%  \includegraphics[width=200pt,keepaspectratio=true]{./component.png}
%  % component.:wq: 467x76 pixel, 72dpi, 16.47x2.68 cm, bb=0 0 467 76
%  \caption{Component with failure modes UML diagram}
%  \label{fig:component_concept}
% \end{figure}

% 
% \subsection{Modular Design}
% 
% When designing a system from the bottom-up, small groups of components are selected to perform
% simple functions. These can be termed {\fgs}.
% When the failure mode behaviour, or symptoms of failure 
% of a {\fg} are determined, it can be treated as a component in its own right.
% 
% % Functional groups
% % are then brought together to form more complex and higher level {\fgs}.
% Used in this way the {\fg} has become a {\dc}. The symptoms of failure
% of the {\fg} can be considered the failure modes of its {\dc}.
% Derived~Components can be used to create higher level {\fgs}.
% Repeating this process will lead to identify-able higher level
% groups, often referred to as sub-systems. We can call the entire collection/hierarchy
% of sub-systems the SYSTEM. 



\section{The proposed Methodology}
\label{fmmdproc}
Any new static failure mode methodology must ensure that it 
represents all component failure modes and it therefore should be bottom-up, 
starting with individual component failure modes.
This seems essential to satisfy criteria 2.
The proposed methodology is therefore a bottom-up process
starting with base~components.
%
Because we are only modelling failure modes, which could arise from
mechanical, electronic or software components,
criteria 3 is satisfied.
%
In order to address the state explosion problem, the process must be modular
and deal with small groups of components at a time. This approach should address the state explosion problem : criteria 1.
In the proposed methodology components are collected into functional groups
and each component failure mode (and optionally combinations) are considered in the 
context of the {\fg}.
%
The component failure modes (and optional combinations) are termed `test~cases'. For each test~case
there will be a corresponding resultant failure, from the perspective of the {\fg}.
% MAYBE NEED TO DESCRIBE WHAT A SYMPTOM IS HERE
A symptom collection stage is then applied. Here common symptoms are collected
from the results of the test~cases. Because optional combinations of failures are possible,
multiple failures can be modelled, satisfying criteria 6.
%
With a collection of the {\fg} failure symptoms, we can now create a {\dc}.
The failure modes of this new {\dc} are the symptoms of the {\fg} it was derived from.
This satisfies criteria 3, as we can now treat {\dcs} as ready analysed
modules to re-use.
 
By using {\dcs} in higher level functional groups, a hierarchy can be built representing
the failure mode behaviour of a SYSTEM. Because the hierarchy maintains information 
linking the symptoms to test~cases to component failure modes, we have traceable
reasoning connections from base component failures to top level failures.
The traceability should satisfy criteria 5.

 
\paragraph{Environmental Conditions, Operational States.}

Any real world sub-system will exist in a variable environment
and may have several modes of operation.
In order to find all possible failures, a sub-system 
must be analysed for each operational state
and environmental condition that could affect it.
%
A question is raised here: which objects should we 
associate  the environmental and the operational states with ?
There are three objects in our model to which these considerations could be applied.
We could apply these conditions  
to {\fgs}, components, or {\dcs}.

\paragraph {Environmental Conditions.}

Environmental conditions are external to the
{\fg} and are often things over which the system has no direct control
( e.g. ambient temperature, pressure or  electrical interference levels).
%
Environmental conditions may affect different components in a {\fg}
in different ways.

For instance, a system may be specified for
$0\oc$  to $85\oc$ operation, but some components
may show failure behaviour between $60\oc$  and $85\oc$ 
\footnote{Opto-isolators typically show marked performance decrease after
$60\oc$ \cite{tlp181}, whereas another common component, say a resistor, will be unaffected.}.
Other components may operate comfortably within that whole temperature range specified.
Environmental conditions will have an effect on the {\fg} and the {\dc},
but they will have specific effects on individual components.

It seems obvious that
environmental conditions should apply to components.
%A component will hold a set of environmental states that
%affect it. 

\paragraph {Operational States}

Sub-systems may have specific operational states.
These could be a general health level, such as 
normal operation, graceful degradation or lockout.
Alternatively they could be self~checking sub-systems that are either in a normal, alarm/lockout or self~check state.

Operational states are conditions that apply to some functional groups, not individual components.


\section{Worked example: Non Inverting Operational Amplifier}

\subsection{FMMD analysis Example: A Voltage/Potential Divider}
\begin{figure}
 \centering
 \includegraphics[width=125pt,keepaspectratio=true]{./pd.png}
 % pd.png: 364x241 pixel, 72dpi, 12.84x8.50 cm, bb=0 0 364 241
 \caption{Potential Divider Circuit}
 \label{fig:pd}
\end{figure}

We consider here an example functional group, the potential divider\footnote{A commonly used configuration in electronics to provide specific voltage levels}
which consists of two resistors used to provide a voltage
intermediate of its supply and ground rails.
%It consists of two resistors.
%
%A functional group, is an ideally small in number collection of components, 
%that interact to provide
%a function or task within a system.
%As the resistors work to provide a specific function, that of a potential divider,
%we can treat them as a functional group. i
The potential divider `functional~group' has two members, $R1$ and $R2$.
Using the EN298 specification for resistor failure ~\cite{en298}[App.A]
we can assign the failure modes of $OPEN$ and $SHORT$ to each of the resistors.
This is shown as a graph in figure \ref{fig:rdag}.

%\ifthenelse {\boolean{dag}}
%{
We can now represent a resistor in terms of its failure modes as a directed acyclic graph (DAG)
(see figure \ref{fig:rdag}).
\begin{figure}[h+]
 \centering
 \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
     \tikzstyle{every pin edge}=[<-,shorten <=1pt]
     \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
     \tikzstyle{component}=[fmmde, fill=green!50];
     \tikzstyle{failure}=[fmmde, fill=red!50];
     \tikzstyle{symptom}=[fmmde, fill=blue!50];
     \tikzstyle{annot} = [text width=4em, text centered]
     \node[component] (R) at (0,-3) {$R$};
     \node[failure] (RSHORT) at (\layersep,-2) {$R_{SHORT}$};
     \node[failure] (ROPEN) at (\layersep,-4) {$R_{OPEN}$};
     \path (R) edge (RSHORT);
     \path (R) edge (ROPEN);
 \end{tikzpicture}
 \caption{DAG representing a resistor and its failure modes}
 \label{fig:rdag}
 \end{figure}
%}section
%{
%}
\vbox{
Thus or the potential divider in the circuit in figure~\ref{fig:pd}, 
$R1$ has failure modes $\{R1\_OPEN, R1\_SHORT\}$ and $R2$ has failure modes $\{R2\_OPEN, R2\_SHORT\}$.
}

%\clearpage
\paragraph{Failure Mode Analysis of the Potential Divider}


%\ifthenelse {\boolean{dag}}
%{
Modelling the two resistors as a functional group, we present this as a directed graph
(see figure \ref{fig:fg1dag}).

\begin{figure}[h+]
 \centering
 \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
     \tikzstyle{every pin edge}=[<-,shorten <=1pt]
     \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
     \tikzstyle{component}=[fmmde, fill=green!50];
     \tikzstyle{failure}=[fmmde, fill=red!50];
     \tikzstyle{symptom}=[fmmde, fill=blue!50];
     \tikzstyle{annot} = [text width=4em, text centered]
 
     \node[component] (R1) at (0,-4) {$R_1$};
     \node[component] (R2) at (0,-6) {$R_2$};

     \node[failure] (R1SHORT) at (\layersep,-2) {$R1_{SHORT}$};
     \node[failure] (R1OPEN) at (\layersep,-4) {$R1_{OPEN}$};

     \node[failure] (R2SHORT) at (\layersep,-6) {$R2_{SHORT}$};
     \node[failure] (R2OPEN) at (\layersep,-8) {$R2_{OPEN}$};
 
     \path (R1) edge (R1SHORT);
     \path (R1) edge (R1OPEN);

     \path (R2) edge (R2SHORT);
     \path (R2) edge (R2OPEN);

     % Potential divider failure modes
     %  
%      \node[symptom]  (PDHIGH) at (\layersep*2,-4) {$PD_{HIGH}$};
%      \node[symptom] (PDLOW) at (\layersep*2,-6) {$PD_{LOW}$};
% 
%      \path (R1OPEN) edge (PDHIGH);
%      \path (R2SHORT) edge (PDHIGH);
% 
%      \path (R2OPEN) edge (PDLOW);
%      \path (R1SHORT) edge (PDLOW);

 \end{tikzpicture}

 \caption{Component Failure Modes  of the  `Potential Divider'}
 \label{fig:fg1dag}
 \end{figure}


We can now look at each of these base component failure modes,
and determine how they will affect the operation of the potential divider.
%Each failure mode scenario we look at will be given a test case number,
%which is represented on the diagram, with an asterisk marking 
%which failure modes is modelling (see figure \ref{fig:fg1a}).




%\ifthenelse {\boolean{dag}}
{
For this example we can look at single failure modes only.
For each failure mode in our {\fg} `potential~divider'
we can assign a test case number (see table \ref{pdfmea}).
Each test case is analysed to determine the `symptom'
on the potential dividers' operation. For instance
were the resistor $R_1$ to go open, the circuit would not be grounded and the 
voltage output from it would be the +ve supply rail.
This would mean the symptom of the failed potential divider, would be that it
gives an output high voltage. We can now consider the {\fg}
as a component in its own right, and its symptoms as its failure modes.

From table  \ref{pdfmea} we can see that resistor 
failures modes lead to some common `symptoms'.
By drawing connecting lines in a graph, from the failure modes to the symptoms
we can show the relationships between the component failure modes and resultant symptoms.
%The {\fg} can now be considered a derived component.
This is represented in the DAG in figure \ref{fig:fg1adag}.

\begin{figure}[h+]
 \centering
 \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
     \tikzstyle{every pin edge}=[<-,shorten <=1pt]
     \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
     \tikzstyle{component}=[fmmde, fill=green!50];
     \tikzstyle{failure}=[fmmde, fill=red!50];
     \tikzstyle{symptom}=[fmmde, fill=blue!50];
     \tikzstyle{annot} = [text width=4em, text centered]
 
     \node[component] (R1) at (0,-4) {$R_1$};
     \node[component] (R2) at (0,-6) {$R_2$};

     \node[failure] (R1SHORT) at (\layersep,-2) {$R1_{SHORT}$};
     \node[failure] (R1OPEN) at (\layersep,-4) {$R1_{OPEN}$};

     \node[failure] (R2SHORT) at (\layersep,-6) {$R2_{SHORT}$};
     \node[failure] (R2OPEN) at (\layersep,-8) {$R2_{OPEN}$};
 
     \path (R1) edge (R1SHORT);
     \path (R1) edge (R1OPEN);

     \path (R2) edge (R2SHORT);
     \path (R2) edge (R2OPEN);

     % Potential divider failure modes
     %  
     \node[symptom]  (PDHIGH) at (\layersep*2,-4) {$PD_{HIGH}$};
     \node[symptom] (PDLOW) at (\layersep*2,-6) {$PD_{LOW}$};

     \path (R1OPEN) edge (PDHIGH);
     \path (R2SHORT) edge (PDHIGH);

     \path (R2OPEN) edge (PDLOW);
     \path (R1SHORT) edge (PDLOW);

 \end{tikzpicture}

 \caption{Failure symptoms of the  `Potential Divider'}
 \label{fig:fg1adag}
 \end{figure}
}
%{
%}

\begin{table}[ht]
\caption{Potential Divider: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
 \textbf{Test} & \textbf{Pot.Div} & \textbf{  } & \textbf{Symptom}   \\
 \textbf{Case} &  \textbf{Effect} & \textbf{  } & \textbf{Description}   \\
%   R         &    wire        & res +         & res -    & description
\hline
\hline
 TC1: $R_1$ SHORT    &  LOW       &       &  LowPD \\ 
 TC2: $R_1$  OPEN    &  HIGH        &       &  HighPD \\ \hline
 TC3: $R_2$ SHORT    &  HIGH        &      &  HighPD \\  
 TC4: $R_2$ OPEN     &  LOW         &      &  LowPD \\ \hline
\hline
\end{tabular} 
\label{pdfmea}
\end{table}



%\ifthenelse {\boolean{dag}}
{
We can now represent the potential divider as a {\dc}.
Because have its symptoms or failure mode behaviour,
we can treat these as the failure modes of a a new {\dc}.
We can represent that as a DAG (see figure \ref{fig:dc1dag}).

\begin{figure}[h+]
 \centering
 \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
     \tikzstyle{every pin edge}=[<-,shorten <=1pt]
     \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
     \tikzstyle{component}=[fmmde, fill=green!50];
     \tikzstyle{failure}=[fmmde, fill=red!50];
     \tikzstyle{symptom}=[fmmde, fill=blue!50];
     \tikzstyle{annot} = [text width=4em, text centered]
     \node[component] (PD) at (0,-3) {$PD$};
     \node[symptom] (PDHIGH) at (\layersep,-2) {$PD_{HIGH}$};
     \node[symptom] (PDLOW) at (\layersep,-4) {$PD_{LOW}$};
     \path (PD) edge (PDHIGH);
     \path (PD) edge (PDLOW);
 \end{tikzpicture}
 \caption{DAG representing a Potential Divider (PD) its failure symptoms}
 \label{fig:dc1dag}
 \end{figure}

}
%{
%}


%Because the derived component is defined by its failure modes and 
%the functional group used to derive it, we can use it
As we have a set of failure modes for the potential divider {\dc},
we can use it
as a building block for other {\fgs}.% in the same way as we used the resistors $R1$ and $R2$.

Note that number of base failure modes, four, is reduced to two in the {\dc}.
We avoided the state explosion problem of having to
check $R1$ and $R2$ against all other components in the system they may belong to.
Also, by modularising the circuit as a {\dc}, we have reduced the number of errors we need to consider at higher levels
of analysis.

Using {\dcs} in higher level {\fgs} we can build a hierarchy to represent the failure mode behaviour
of complete systems.

% \subsection{Re-Factoring the UML Model}
% 
% The UML models thus far % in this 
% have been used to develop the ontology. % data relationships required to perform FMMD analysis.
% We can now re-organise and rationalise the UML model.
% We want to be able to use {\dcs} in functional groups.
% It therefore makes sense for {\dc} to inherit {\em component}.




% \begin{figure}[h]
%  \centering
%  \includegraphics[width=200pt,bb=0 0 702 464]{./master_uml.png}
%  % master_uml.jpg: 702x464 pixel, 72dpi, 24.76x16.37 cm, bb=0 0 702 464
%  \caption{Re-factored UML Diagram}
%  \label{fig:refactored_uml}
% \end{figure}

% \begin{figure}[h]
%  \centering
%  \includegraphics[width=200pt]{./master_uml.png}
%  % master_uml.png: 700x462 pixel, 72dpi, 24.69x16.30 cm, bb=0 0 700 462
%  \caption{Re-factored UML Diagram }
%  \label{fig:refactored_uml}
% \end{figure}
% 
% The re-factored UML diagram is shown in figure \ref{fig:refactored_uml}; with this structure
% {\dcs} can be 
% used to build {\fgs} at a higher level. In this manner we 
% can build a hierarchical model with each layer consisting of 
% components derived from the functional groups of derived components,
% until we arrive at a SYSTEM level.
% The symptoms of the {\fg} at the top represent the SYSTEM failure modes.


%From the ontology, a set of rules for converting  the {\fgs}
%(collecting common symptoms) to {\dcs} as we traverse up the 
%hierarchy is developed. The hierarchical model can have layers added 
%until it converges to a top level single functional group.

%On collecting 
%symptoms from this, we are left with the top level, or system level, failure modes.

% \paragraph{Diagramatic Notation based on Euler Diagrams}
% 
% The model is presented in a diagrammatic notation that has been 
% designed to be intuitive and understandable.
% %
% It uses well tested 
% visual techniques to represent the elements of the model and their 
% relationships. 
% %
% Software support for the development of models in this 
% notation has been designed and proof-of-concept tools have been implemented.


\subsection{Evaluation against Desirable Criteria}

%By applying the methodology in section \ref{fmmdproc}, the wishlist can
%now be evaluated for the proposed FMMD methodology.

We can now evaluate the FMMD method using the criteria in section \ref{fmmdreq}.

{ \small
\begin{itemize}
\item{State Explosion must be reduced.}
Because small collections of components are dealt with in functional groups
the state explosion problem is effectively dealt with.

\item{All component failure modes must be considered in the model.}
The proposed methodology will be bottom-up. 
This ensures that all component failure modes are handled.


\item{ It should be easy to integrate mechanical, electronic and software models.}
Because component failure modes are considered, we have a generic entity to model.
We can describe a mechanical, electrical or software component in terms of its failure modes. 
%
Because of this 
we can model and analyse integrated electromechanical systems, controlled by computers,
using a common notation.

\item{ It should be re-usable, in that commonly used modules can be re-used in other designs/projects.}
The hierarchical nature, taking {\fg}s and deriving components from them, means that 
commonly used {\dcs} can be re-used in a design (for instance self checking digital inputs)
or even in other projects where the same {\dc} is used.



\item{ It should have a formal basis, data should be available to produce mathematical proofs
for its results}
Because the failure mode of a SYSTEM is a hierarchy of {\fg}s and derived components
SYSTEM level failure modes are traceable back down the fault tree to
component level failure modes. This provides causation trees \cite{sccs} or, minimal cut sets~\cite{nasafta}[Ch.1pp3]
for all SYSTEM failure modes.

\item{ It should be capable of producing reliability and danger evaluation statistics.}
The minimal cuts sets for the SYSTEM level failures can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.

% \item{ It should be easy to use, ideally 
% using a graphical syntax (as opposed to a formal mathematical one).}
% A modified form of constraint diagram (an extension of Euler diagrams) has
% been developed to support the FMMD methodology.
% This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
% advance a {\fg} to a {\dc}.


\item{ From the top down the failure mode model should follow a logical de-composition of the functionality
to smaller and smaller functional modules \cite{maikowski}.}
The bottom-up approach fulfils the  logical de-composition requirement, because the {\fg}s
are built from components performing a given task. 


\item{ Multiple failure modes may be modelled from the base component level up.}
By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced by an exponential order.
This is because the multiple failure modes are considered
within {\fgs} which have fewer failure modes to consider 
at each FMMD stage.
Where appropriate, multiple simultaneous failures can be modelled by
introducing test~cases where the conjunction of failure modes is considered.
\end{itemize}
}

%\clearpage
\section{Conclusion}

This new approach is called 
Failure Mode Modular De-Composition (FMMD) and is designed 
to be a %superset 
a more rigorous  and `data~complete' model than
the current four approaches, that is to say, 
from an FMMD model, we should be able to 
derive models that the other four methodologies would have been 
able to create. As this approach is modular, many of the results of 
analysed components may be re-used in other projects, so 
test efficiency is improved.
FMMD is based on generic failure modes, so it is not constrained to a 
particular field. It can be applied to mechanical, electrical or software domains. 
It can therefore be used to analyse systems comprised of electrical,
mechanical and software elements in one integrated model.

%\today
%
{ \small
\bibliographystyle{plain}
\bibliography{vmgbibliography,mybib}
}

\today
\end{document}