Robin_PHD/submission_thesis/CH7_Evaluation/copy.tex

\label{sec:chap7}
%
\section*{Metrics}
%
%
%
This chapter defines %begins by defining 
a metric for  the complexity of an FMEA analysis task.
%
This  concept is called `comparison~complexity' and is a means to assess
the performance of FMMD against current FMEA methodologies. This
concept was introduced as reasoning distance in section~\ref{reasoningdistance}.
\fmmdglossRD
%
This metric is developed using set theory % formally 
and then formulae are presented for calculating the
complexity of applying FMEA to a group of components.
%
These formulae are then used for a hypothetical example, which is analysed by both FMEA and FMMD.
%
%After analysing hypothetical examples, the 
The hypothetical example gives a general formula, which shows that the reasoning distance
goes from a polynomial to a logarithmic order comparing XFMEA with FMMD.
%
%This means that for 
%
The reasoning distances obtained from the FMMD examples (see chapter~\ref{sec:chap5}) are
compared against {\XFMEA}.
\fmmdglossXFMEA
%
Following on from the formal definitions, `unitary state failure modes' are defined. In short these
ensure that component failure modes are mutually exclusive. % Using the unitary state failure mode definition
%
Standard formulae for combinations are then used to develop the concept of 
the cardinality constrained power-set.
%
Using this in combination with unitary state failure modes
an expression for calculating the number of failure scenarios to
check for in double failure analysis is presented.
%
% MOVE TO CH5 FMMD makes the claim that it can perform double simultaneous failure mode analysis without an undue
% MOVE TO CH5 state explosion drawback.
% MOVE TO CH5 To support this, an example of single and double failure analysis is provided, using the four wire Pt100
% MOVE TO CH5 temperature measurement sensor circuit. This example is also used to show how component failure rate statistics can be 
% MOVE TO CH5 used with FMMD.
%
%
% MIGHT MOVE TO CONCLUSIONS?
%FDefining a function that
This is followed by some critiques of FMMD. % in use.%i.e. possible areas of difficulty when performing FMMD, and then 
%a general evaluation. % comparing it with traditional FMEA.

%
% Moving Pt100 to metrics
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical 
%failure mode classification %  analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%



\section{Defining the concept of `comparison~complexity' in FMEA}
\fmmdglossRD
\label{sec:cc}
%
% DOMAIN == INPUTS
% RANGE == OUTPUTS
%
% When pisshear of a safety critical system pisstypically think of it in terms of
% the physical plant---or in terms of its safety functionality.
When discussing safety critical systems they are usually thought of in terms of
the physical plant---or in terms of their safety functionality.
%
When performing FMEA  the system under investigation is considered to be
a collection of components which have associated failure modes.
%
The object of FMEA is to determine cause and effect. % in the sphere of failure analyis.
%We apply reasoning  to calculate, using the failure modes, the effects
%from these failure modes (the causes, {\fms} of {\bcs}) to the effects
%(or symptoms of failure) at the top level.
%
FMEA can be viewed as a process, taking each component in the system and for each of its failure modes 
applying analysis with respect to the whole system.
%
This however entails a problem: which other components in the system must be
checked against  %current failure mode.
each particular failure mode?
%
Often a component failing will have obvious effects on functionally adjacent components.
Sometimes %though, perhaps in the case of de-coupling capacitors in a digital ciruit,
side effects of failure may manifest due to interaction with other components not obviously functionally related.
%% CONTEXT OF SYSTEM FAILURE: PERHAPS NOT RELEVANT HERE
%
% The symptoms of failure are dependent upon the context, or environment that the system operates in.
% We can trace all base component failure modes to corresponding system failures: but the effect
% of the system failure depends upon how the system is used.
% %
% A resistor failure could, for instance, make a process reading go out of range.
% This could cause the process to be stopped or simply one reading out of many would
% be marked faulty and be dealt with in the next maintenance phase of the plant.
% %
% Another resistor failing could cause a dangerous control problem.
%
%The context of the system failures is the important thingy bob dooo dah.
%
%
%Also a particular component failure mode may  affect the performance of another.
The temptation with FMEA can be to follow direct lines of failure effect reasoning without considering
side effects.
%%
To perform FMEA exhaustively, % rigorously
it could be stipulated that every failure mode must be checked for effects
against all the components in the system.
%
This would mean  %looking 
examining for all possible side effects that a base component failure could cause.
%
This is termed `exhaustive~FMEA'~({\XFMEA}).
\fmmdglossXFMEA
\fmmdglossRD
The number of checks  to make to achieve this, gives an indication of the complexity of the analysis task.
%
%This is described in section~\ref{sec:rd}, where the reasoning distance, or complexity to
%analyse a single FMEA failure scenario, is given in equation~\ref{eqn:complexity}.
%
%
%It is desirable to be able to measure the complexity of an analysis task.
%
Comparison~complexity (or reasoning~distance) is defined as the count  of 
paths (and thus reasoning checks applied) between failure modes and components 
necessary to achieve {\XFMEA} for a given group 
of components $G$. %system or {\fg}.

% (except its self of course, that component is already considered to be in a failed state!).
%
%Obviously, f
%For a small number of components and failure modes, pisshave a smaller number
%of checks to make than for a complicated larger system.
%
%
\subsection{Formal definitions of entities used in FMEA}
\label{sec:formal7}
%
%\paragraph{Considering a system as a group of Components.}
Using the language developed in the previous chapters,
a system for analysis is considered as a collection %{\fg} 
of components.
%
This is a set of components as $G$, and the number of components in it  
$ | G | $. %,
%(an indexing and sub-scripting notation to identify particular {\fgs}
%within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
%
%\paragraph{Defining Components} 
$G$ is simply a sub-set of all possible components.
%
The set of all components is $\mathcal{C}$; it can be can stated that is $G \subset \mathcal{C}$.
%
Individual components are denoted as $c$
with additional indexing where appropriate.

%\paragraph{Defining a function to return the failure modes of a component.}
The function $fm$ returns the failure modes of a component,
its signature is %has a component as its domain and the components failure modes % , $fms$, 
%as its range. % (see equation~\ref{eqn:fm}).
$ fm: \mathcal{C} \rightarrow \mathcal{F},$ where $\mathcal{F}$ is the set of all failures. 
The number of potential failure modes of a component, $c$, is $ | fm(c) | .$

%\paragraph{Indexing components with the group $G$.}
%If pissindex all 
Indexing the components in the system under investigation $ c_1, c_2 \ldots c_{|G|} $ allows expression of 
the number of checks required to exhaustively % rigorously 
examine every
failure mode against all the other components in a system in equation~\ref{eqn:CC}.
%
Comparison Complexity can be represented by a function $CC$, with its domain as $G$, and
its range as the number of checks---or reasoning stages---to perform to satisfy an XFMEA inspection.

Let $\mathcal{G}$ represent the set of all {\fgs} %, and $ \mathbb{Z}^{+} $, 
then $CC$ is defined by,
\begin{equation}
%$$
 CC:\mathcal{G} \rightarrow \mathbb{Z}^{ }. % could be zero, one component like an op-amp used as a NIBUFF
%$$
\end{equation}
%
%and, where n is the number of components in the system/{\fg},   
%and $|fm(c_i)|$ is the number of failure modes
%in component ${c_i}$. 
Comparison complexity, $CC$, for a group of $n$ components $G$, is given by

\begin{equation}
\label{eqn:CC}
%$$
 %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) 
 CC(G) = (n-1) \sum_{1 \le i \le n} |fm(c_i)|.
%$$
\end{equation}
% 
% J Howse requires justification for the CC equation above 10MAR2013.
%
Equation~\ref{eqn:CC} says that for every failure mode in the group $G$, it must be checked against all other
components in the group (except itself). 
%
This gives a count of the number of reasoning paths to perform {\XFMEA}.
%
These reasoning distance concepts are discussed in section~\ref{sec:reasoningdistance}. % from CH3
%
Equation~\ref{eqn:CC} can be simplified if the total number of 
failure modes in the system $K$ can be determined, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$);
%equation~\ref{eqn:CC} 
the equation becomes 
%$$
\begin{equation}
\label{eqn:rd2}
 CC(G) = K.(|G|-1).
\end{equation}

\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy}
An FMMD hierarchy consists of many {\fgs} which are subsets of $G$.
%We define the set of all {\fgs} as $\mathcal{FG}$.
%Using $FG$ to represent individual {\fgs} 
%i.e. FG \subset G.
%piss%can therefore 
%state 
%$$ \forall FG \in \mathcal{FG} | FG \subset \mathcal{G} .$$
%
FMMD analysis creates a hierarchy $\hh$ of {\fgs}. % where $\hh \subset \mathcal{FG}$.
\fmmdgloss
%
Individual {\fgs} can be defined using  with an index 
$i$ for identification and a superscript for  the $\alpha$~level i.e. $FG^{\alpha}_{i}$ (see section~\ref{sec:alpha}).
%
%---
%o identify the hierarchy. 
For example  the first {\fg} in a hierarchy containing base components only
i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, 
would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$.
%
The {\fg} representing the potential divider in section~\ref{subsec:potdiv}
has an $\alpha$ level of 0 (as it contains only {\bcs}). 
%
The {\fg} with the potential divider and the operational amplifier has an $\alpha$ level of 1.
%$$
%Equation~\ref{eqn:rd} can also be expressed as
% 
% \begin{equation}
% \label{eqn:rd2}
% %$$
%  CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} .
% %$$
% \end{equation}


An FMMD hierarchy will have reducing numbers of {\fgs}  the hierarchy is traversed upwards.
%
In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to
all {\fgs} on each level.
%
An FMMD hierarchy defined as a set of {\fgs}, $\hh$.
% We define a helper function $g$ with a domain of the level $Level$ in an FMMD hierarchy $\hh$, and a 
% co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level),
% that returns 
% the sum of all complexity comparison 
% applied to {\fgs} at a particular hierarchy level in \hh,
A helper function, $g$, is used 
that applies $CC$ to all {\fgs} at a particular level, $\xi$, in an FMMD hierarchy, {\hh},
and returns the sum of the comparison complexities,
\begin{equation}
g: \hh \times \mathbb{N} \rightarrow \mathbb{N} .
\end{equation}
%
%$$
%g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) .
%$$
%
%IN ENGLISH: A helper function $g$ 
%
Let $L$ represent the number of levels in the FMMD hierarchy {\hh} and 
$g(\hh,\xi)$ represent the comparison complexity of {\fgs} on the level $\xi$.
%and $\hh$ represents an FMMD hierarchy,
The comparison complexity function $CC$ is overloaded, to obtain the comparison complexity of an entire hierarchy thus:
%$$
\begin{equation}
     \label{eqn:gf}
     %% CC(\hh) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(\hh,\xi)|} CC({\FG}_{j}^{\xi}).
     CC(\hh) =  \sum_{\xi=0}^{L} g(\hh,\xi).
%$$
\end{equation}

\subsection{Complexity Comparison Examples}
\label{sec:theoreticalperfmodel}
\fmmdglossRD
%\pagebreak[4]
The  amplifier example from chapter~\ref{sec:chap4}, which has two
stages, the potential divider and then the amplifier is chosen as an example for comparison complexity.
%
The complexities are added from
both these stages to determine how many reasoning paths there were to perform FMMD analysis on the 
non-inverting amplifier.

The potential divider discussed in section~\ref{subsec:potdiv} has  
four failure modes and two components and therefore has $CC$ of 4.
This using equation~\ref{eqn:CC} is calculated thus,
$$CC(potdiv) = \sum_{n=1}^{2} \big( |2| \times (|1|) \big) = 4. $$
%
The potential divider {\dc} is formed into a {\fg} with an op-amp which has four failure modes
i.e. a {\fg} with  two components, one with four failure modes and the other (the potential divider) with two,
$$CC(invamp) = 2 \times 1 + 4 \times 1   = 6 . $$
%
The two calculated complexities are added to determine the 
amount of reasoning paths to analyse the amplifier using FMMD.
%
The potential divider has a $CC$ of four and the amplifier section a $CC$ of six.
%
To analyse the inverting amplifier with FMMD it required 10 reasoning stages.
%
Using traditional FMEA employing exhaustive checking ({\XFMEA})
$ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)  = 16$ was obtained.
%
Even with this very trivial example, benefits of taking a modular approach to FMEA are seen.

\paragraph{Complexity Comparison for a hypothetical 81 component system.}

%Even considering  a $example$ 
A system, $example$, with just 81 components, with these components
having 3 failure modes each would, using equation~\ref{eqn:rd2} have a $CC$ of 

$$CC(example) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$
%
%Ensuring all component failure modes are checked against all other components in a system
%-- applying FMEA exhaustively
%rigorously 
%-- could be termed
%exhaustive FMEA ({\XFMEA}). 
The computational order for {\XFMEA} would be polynomial ($O((N)(N-1)f) \approx O(N^2.f)$) (where $f$ is the variable number of failure modes)
as discussed in section~\ref{eqn:fmea_single}.
%
This order may be acceptable in a computational environment. 
%
However, the choosing of {\fgs} and the analysis process are by-hand/human activities. 
%
It can be seen that it is practically impossible to achieve {\XFMEA} for anything but trivial systems.
%
% Next statement needs alot of justification
%
%It is the author's belief that FMMD reduces the comparison complexity enough to make
%exhaustive checking (within {\fgs}) entirely feasible. 


%\pagebreak[4]
\clearpage
%\subsection{Using the concept of Complexity Comparison to compare {\XFMEA} with FMMD}

% \begin{figure}
%  \centering
%  \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png}
%  % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385
%  \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$}
%  \label{fig:three_tree}
% \end{figure}

\begin{figure}[h]
 \centering
 \includegraphics[width=400pt]{./CH7_Evaluation/components_81_euler.png}
 % components_81_euler.png: 3056x2532 pixel, 72dpi, 107.81x89.32 cm, bb=0 0 3056 2532
 \caption{Euler diagram of a hypothetical FMMD Hierarchy with 81 base components with the number of components in each $FG$ fixed to three ($|FG|=3$)}
 \label{fig:three_tree}
\end{figure}


\subsection{Comparing FMMD and {\XFMEA} Comparison Complexity}
\fmmdglossRD
Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components, it is difficult to
use the general formula for comparing the number of checks to make for
{\XFMEA} and FMMD.
%
If an example is created by fixing the number of components in a {\fg}
and the number of failure modes per component, formulae can be determined
to compare the number of checks to make from an FMMD hierarchy to {\XFMEA}.
%
%% HEALTH WARNING
%
While real-world analysis models have variable 
numbers of failure modes per component type and
different numbers of components in their {\fgs},
a fixed model provides indicative estimates of complexity performance.
%applied to
%all components in a system.
 
Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), 
$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and 
$L$ to be the number of levels in the hierarchy of an FMMD analysis.
The number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy
is represented with equation~\ref{eqn:anscen}.
 
\begin{equation}
  \label{eqn:anscen}
 \sum_{n=0}^{L} {k}^{n}.k.f.(k-1)   
\end{equation}
 
The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top --
there are ${k}^{n}$ {\fgs} within each level; {\XFMEA} is applied to each {\fg} on the level.
%
The number of checks to make for {\XFMEA}, is the number of components $k$ multiplied by the number of failure modes $f$
checked against the remaining components in the {\fg} $(k-1)$.
%
If, for the sake of example, the number of components in a {\fg} is fixed to three and 
the number of failure modes per component to three, an FMMD hierarchy
would look like figure~\ref{fig:three_tree}.

\subsection{Comparing {\XFMEA} and  FMMD: an Example}
\fmmdglossXFMEA
Using the diagram in figure~\ref{fig:three_tree}, there are three levels of analysis.
%
Starting at the top, there is a {\fg} with three derived components, each of which has
three failure modes.
%
Thus the number of checks to make in the top level is $3^0\times3\times2\times3 = 18$. 
%
On the level below that, there are three {\fgs} each with
an identical number of checks, $3^1 \times 3 \times 2 \times 3 = 56$. %{\fg}
%
On the level below that there are nine {\fgs}, $3^2 \times 3\times2\times3=168$.
Adding these together gives $242$ checks to make to perform FMMD (i.e. {\XFMEA} {\em{within the}}
{\fgs}).

To take the system represented in  figure~\ref{fig:three_tree}, and 
apply {\XFMEA} on it as a whole system, using equation~\ref{eqn:CC},
$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3
and $(|G|-1)$ is 26,
this gives:
$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$.

In order to get general equations with which to compare {\XFMEA} with FMMD,
equation~\ref{eqn:CC} can be re-written in terms of the number of levels 
in an FMMD hierarchy. 
%
The number of components in the system, is the number of components
in a {\fg} raised to the power of the level plus one.
The equation~\ref{eqn:CC} is re-written as:
 

\begin{equation}
  \label{eqn:fmea_state_exp21}
  \sum_{n=1}^{k^{L+1}} (k^{L+1}-1).f  \; , % \\
  %(N^2 - N).f 
\end{equation}

or

\begin{equation}
  \label{eqn:fmea_state_exp22}
  k^{L+1}.(k^{L+1}-1).f  \;. % \\
  %(N^2 - N).f 
\end{equation}

Equation~\ref{eqn:anscen} (FMMD) and \ref{eqn:CC} can be used
to compare (for fixed sizes of $|G|$ and $|fm(c)|$)
the two approaches, for the work required to perform exhaustive checking.


For instance, having four levels 
of FMMD analysis, with these fixed numbers,
%(in addition to the top zeroth level)
will require 81 base level components.
%
%$$
Applying equation~\ref{eqn:fmea_state_exp22}, gives
\begin{equation}
  \label{eqn:fmea_state_exp22_example}
  3^4.(3^4-1).3 = 81.(81-1).3 = 19440 .% \\
  %(N^2 - N).f 
\end{equation}
%$$

Equation \ref{eqn:fmea_state_exp22} shows that applying XFMEA where components all have three failure modes
and there are 81 components, would involve 19,440 reasoning paths.
Applying equation~\ref{eqn:fmea_state_exp21},
$$
%\begin{equation}
 % \label{eqn:anscen}
  \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 .
%\end{equation}
$$
%
For FMMD (where within {\fgs} the analysis \textbf{is exhaustive}) it only requires
720 reasoning paths.



\subsubsection{Plotting XFMEA and FMMD reasoning distance}

Using the gnuplot utility~\cite{gnuplot,Janert:2009:GAU:1631269} and implementing equation~\ref{eqn:fmea_state_exp22} for
XFMEA and equation~\ref{eqn:anscen} for FMMD reasoning distances and using a logarithmic axis for reasoning distance
comparison is performed graphically. 
%
The gnuplot script used to
produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotxfmeafmmdcomp}.

\begin{figure}[h]
 \centering
 \includegraphics[width=400pt]{./CH7_Evaluation/xfmea_fmmd_comp.png}
 % xfmea_fmmd_comp.png: 640x480 pixel, 72dpi, 22.58x16.93 cm, bb=0 0 640 480
 \caption{XFMEA and FMMD reasoning distance comparison graph.}
 \label{fig:xfmeafmmdcomp}
\end{figure}

Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} it is seen that the reasoning distance
for large numbers of components becomes extremely difficult to achieve
for traditional FMEA.
%
It can be seen that the reasoning distance has gone from a polynomial to a logarithmic order.
%
By applying FMMD large group for analysis has be decimated into
a hierarchy of much smaller groups and applied XFMEA {\em within} these.
%
In mathematical terms this means the polynomial order has been converted 
to logarithmic by being able to take exponentiation values out 
to become instead constants of integration. %% YEEEEEE HARRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
%
This process can be viewed as similar to the order of processing
that occurs in the decimation in time FFT~\cite{fftoriginal} when
compared to the DFT algorithm.
%
%We have been able to successively take constants of integration
%out of the equations in the process of de-composition, resulting
%in a saving in the number of processing steps (here hand analysis FMEA stages).










%\clearpage
\section{Complexity Comparison applied to FMMD electronic circuits analysed in chapter~\ref{sec:chap5}.}

All the FMMD examples in chapters \ref{sec:chap5} 
and \ref{sec:chap6} showed a marked reduction in comparison 
complexity compared to the {\XFMEA} worst case figures. 
To calculate {\XFMEA} comparison complexity equation~\ref{eqn:CC} is used.
%
%
Complexity comparison vs. {\XFMEA} for the first three examples
are presented in table~\ref{tbl:firstcc}.
%
%\usepackage{multirow}
\begin{table}
 \label{tbl:firstcc}

\begin{tabular}{ |c|l|l|c| }
\hline 
\textbf{Hierarchy}   & \textbf{Derived}      & \textbf{Complexity} & $|fm(c)|$: \textbf{number}     \\
\textbf{Level}       & \textbf{Component}    & \textbf{Comparison} & \textbf{of derived}                  \\
                     &                       &                     & \textbf{failure modes}            \\
%\hline \hline
%\multicolumn{3}{ |c| }{Complexity Comparison against {\XFMEA} for examples in Chapter~\ref{sec:chap5}} \\
%\hline \hline


%Goalkeeper & GK & Paul Robinson \\ \hline

\hline

\multicolumn{3}{ |c| }{Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}} \\ \hline
%\multirow{3}{*} {Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}}  & & \\
\hline
0 & PD                  & 4        & 2 \\
1 & INVAMP              & 8        & 3 \\
2 & Total for INVAMP: &  10 (FMMD)  &   \\  
0 & Total for INVAMP: &  16 ({\XFMEA}) &   \\
% & $(3-1) \times (4 + 2 +2)$ &     &   \\
  \hline \hline
 
\multicolumn{3}{ |c| } {Inverting Amplifier One stage FMMD Hierarchy: section~\ref{sec:invamp}}  \\ \hline
0 & INVAMP & 16 & 3 \\
1 & Total for INVAMP: & 16 (FMMD) & \\  
0 & Total for INVAMP: & 16 ({\XFMEA}) & \\  
  \hline
  
  \hline
\multicolumn{3}{ |c| } {Differencing Amplifier Three stage FMMD Hierarchy: section~\ref{sec:diffamp}}  \\ \hline
%\multirow{4}{*} {Differencing Amplifier FMMD Hierarchy: section~\ref{sec:diffamp}}  & & \\
2 & NonInvAMP reused~\footnote{Reused analysed of NonInvAMP: see section~\ref{sec:invamp}.} & 10 & 3  \\
0 & SEC\_AMP                                                                                & 16 & 4  \\
3 & DiffAMP                                                                                 & 7  & 4  \\ 
3 & Total for DiffAMP &  33 (FMMD)& \\
0 & Total for DiffAMP: &  80 ({\XFMEA}) & \\  
% & Differencing Amplifier: & {\XFMEA} 80-16 = 74 & \\
% &                         &  & \\ 
  \hline
  \hline
%  \footnote{if pissdiscount the comparison complexity for the pre-analysed INVAMP.}\hline
 
\multicolumn{3}{ |c| } {Five Pole Sallen Key Low Pass Filter: Three stage FMMD Hierarchy: section~\ref{sec:fivepolelp}}  \\ \hline
%\multirow{4}{*} {Differencing Amplifier FMMD Hierarchy: section~\ref{sec:diffamp}}  & & \\
0 & FirstOrderLP & 4 & 2       \\
1 & LP1          & 10 & 4      \\
2 & SKLP          & 48 & 4     \\
3 & FivePoleLP    & 20 & 4     \\
3 & Total for FivePoleLP &  82 (FMMD)& \\
% & 20+48+10+4              &         &  \\
0 & Total for FivePoleLP &  384 ({\XFMEA}) & \\ 
% & $(13-1) \times (3 \times 4 + 10 \times 2)$ & & \\ \hline
\hline 

\end{tabular}
\caption{Comparison Complexity figures for the first three examples in Chapter~\ref{sec:chap5}.}
\end{table}
 % end table
The complexity comparison figures for the example circuits in chapter~\ref{sec:chap5} show 
that for the non trival examples, as 
more levels in the FMMD hierarchy are used, the performance
gain over {\XFMEA} becomes apparent. %for increasing complexity the performance benefits from FMMD are apparent.




\clearpage
\subsection{Comparison Complexity for the Bubba Oscillator Example.}
The Bubba oscillator example (see section~\ref{sec:bubba}) was chosen because it had a circular
signal path. It was also analysed twice, once by 
{na\"{\i}vely} using the first {\fgs} identified, and secondly by de-composing 
the circuit further.
%
These two analyses are used to compare the effect on comparison complexity (see table~\ref{tbl:bubbacc}) with that of {\XFMEA}.
%
\begin{table}
 \label{tbl:bubbacc}


\begin{tabular}{ |c|l|l|c| }
\hline 
\textbf{Hierarchy}   & \textbf{Derived}      & \textbf{Complexity} & $|fm(c)|$: \textbf{number}     \\
\textbf{Level}       & \textbf{Component}    & \textbf{Comparison} & \textbf{of derived}            \\
                     &                       &                     & \textbf{failure modes}       \\
%\hline \hline
%\multicolumn{3}{ |c| }{Complexity Comparison against {\XFMEA} for examples in Chapter~\ref{sec:chap5}} \\
%\hline \hline


%Goalkeeper & GK & Paul Robinson \\ \hline

\hline

\multicolumn{3}{ |c| }{Bubba Oscillator one stage ({na\"{\i}ve}) FMMD Hierarchy: section~\ref{sec:bubba1}} \\ \hline
%\multirow{3}{*} {Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}}  & & \\
\hline
1 & PHS45               & 4        & 2 \\
1 & INVAMP              & 16        & 3 \\
0 & NIBUFF              & 0        & 4 \\
%
% final one has 8 components 3* NIBUFF +  1 * INVAMP + 4 * PHS45
%                    (8-1) * ( (3*4) + (1*16) +    (4 *  4) )
2 & BUBBA               & 308      & 2 \\
%                                 NIBUFF  PHS45
% 8 components so LEVEL 2 (8-1) \times ( (3*4) +  (4*2) + 3 ) + LEVEL 0 16 for the INVAMP
2 & Total for BUBBA: &   328 (FMMD)  &   \\  
%                               R&C     OPAMPS
% 14 components so 13 \times ( (10*2)   (4*4) )
0 & Total for BUBBA: &  468  ({\XFMEA}) &   \\
% & $(3-1) \times (4 + 2 +2)$ &     &   \\
  \hline \hline
 
\multicolumn{3}{ |c| } {Inverting Amplifier Multiple stage FMMD Hierarchy: section~\ref{sec:bubba2}}  \\ \hline
1 & PHS45               & 4        & 2 \\
1 & INVAMP & 16 & 3 \\
0 & NIBUFF & 0  & 4 \\
2 & BUFF45 & 6  & 2 \\
3 & PHS135BUFFERED & 4 & 2 \\


2 & PHS225AMP & 5 & 2 \\

4 & BUBBA & 2 & 2 \\
%
%Level 1: 16 + 4 == 20
%Level 2: 6 + 5 == 11
%Level 3: 4 == 4
%Level 4: 2 == 2
%
1 & Total for BUBBA: & 37  (FMMD) & \\  
0 & Total for BUBBA: & 468 ({\XFMEA}) & \\  
  \hline
  
  \hline

\end{tabular}
\caption{Complexity Comparison figures for the Bubba Oscillator FMMD example (see section~\ref{sec:bubba}).}
\end{table}
%
The initial {na\"{\i}ve} FMMD analysis reduces the number of checks by around a third, the more de-composed analysis
by more than  a factor of ten.



\subsection{Sigma Delta Example: Comparison Complexity Results}


\label{sec:bubbaCC}

\begin{table}
 \label{tbl:bubbacc}


\begin{tabular}{ |c|l|l|c| }
\hline 
\textbf{Hierarchy}   & \textbf{Derived}      & \textbf{Complexity} & $|fm(c)|$: \textbf{number}     \\
\textbf{Level}       & \textbf{Component}    & \textbf{Comparison} & \textbf{of derived}            \\
                     &                       &                     & \textbf{failure modes}   \\
%\hline \hline
%\multicolumn{3}{ |c| }{Complexity Comparison against {\XFMEA} for examples in Chapter~\ref{sec:chap5}} \\
%\hline \hline


%Goalkeeper & GK & Paul Robinson \\ \hline

\hline

\multicolumn{3}{ |c| }{{\sd} FMMD Hierarchy: section~\ref{sec:sigmadelta}} \\ \hline
%\multirow{3}{*} {Inverting Amplifier Two stage FMMD Hierarchy: section~\ref{sec:invamp}}  & & \\
\hline

1 & SUMJINT & 30 & 4 \\
0 & HISB    & 0  & 4 \\
2 & BISJ    & 8  & 2 \\ \hline

1 & DIGBUF  & 2 & 4 \\
1 & PD      & 4 & 2 \\
2 & DL2AL   & 6 & 3 \\
3 & FFB     & 5 & 2 \\ \hline 
%                  
2 & {\sd}              & 4      & 2 \\ \hline
%                               
%  
2 & Total for {\sd}: &   55 (FMMD)  &   \\  
%                               R&C     OPAMPS
% 14 components so (10-1) * 
0 & Total for {\sd}: &  225  ({\XFMEA}) &   \\

  \hline \hline

\end{tabular}
\caption{Complexity Comparison figures for the {\sd} FMMD example (see section~\ref{sec:sigmadelta}).}
\end{table}
%
The complexity figures for this mixed analogue to digital circuit are not adversely affected by the digital to
analogue level interfacing circuitry. 
%
This is where the modular approach aids understanding and analysis.
%
When following this circuit through in a traditional way, following signal paths that
are level shifted, adds to the complication of analysing it for failures.
%
% \subsection{Exponential squared to Exponential}
% 
% can I say that ?
%
\section{Unitary State Component Failure Mode Sets}
\label{sec:unitarystate}
%\label{ch7:mutex}
\label{ch7:mutex}
\paragraph{Design Decision/Constraint}
%
An important factor in defining a set of failure modes is that they
should represent the failure modes as simply and minimally as possible.
%
\fmmdglossMUTEX
%
It should not be possible, for instance, for
a component to have two or more failure modes active at once.
%
Were this to be the case,  additional combinations of 
failure modes would have to be considered within the component.
%
Having a set of failure modes where $N$ modes could be active simultaneously
would mean having to consider an additional $2^N-1$ failure mode scenarios.
%
Should a component be analysed and simultaneous failure mode cases exist,
the combinations could be represented by new failure modes, or
the component should be considered from a fresh perspective,
perhaps considering it as several smaller components
within one package.
%
This property, failure modes being mutually exclusive, is termed `unitary state failure modes'
in this study.
%
This corresponds to the `mutually exclusive' definition in 
probability theory~\cite{probstat}.


% \begin{definition}
% A set of failure modes where only one failure mode
% can be active at one time is termed a {\textbf{unitary~state}} failure mode set.
% \end{definition}
% 
% Let the set of all possible components be $ \mathcal{C}$
% and let the set of all possible failure modes be $ \mathcal{F}$.
% The set of failure modes of a particular component are of interest 
% here. 

What is required is to define a property for
a set of failure modes $F$ where only one failure mode can be active at a time;
or borrowing from the terms of  statistics, the failure mode being an event that is mutually exclusive
within the set $F$.
%
A set of failure mode sets called $\mathcal{U}$ is defined to represent this
property. % for a set of failure modes.
% 
% \begin{definition}
% We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where
% the component failure modes in each of its members are unitary~state.
% Thus if the failure modes of  a component $F$ are unitary~state, pisscan say $F \in \mathcal{U}$ is true.
% \end{definition}

\subsection{Example of unitary state component failure modes}

An example of a component with an obvious set of  ``unitary~state'' failure modes is the electrical resistor.
%
The EN298~\cite{en298}[Ann.A] failure mode definition for  resistors: OPEN or SHORTED, is used.
% 
For a given resistor R the 
function $fm$ can be applied to find its set of failure modes thus  $ fm(R) =  \{R_{SHORTED}, R_{OPEN}\} $.
%
A resistor cannot fail with the conditions open and short active at the same time,
that would be physically impossible!
%
The conditions
OPEN and SHORT are thus mutually exclusive.
%
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
%
%
%Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
% 
%The intersection of these failure modes is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
%therefore
%$ fm(R) \in \mathcal{U} $. 
These concepts are expanded in section~\ref{sec:usprob}.
\fmmdglossMUTEX


A general case can be made by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
of component failure modes.
%
A Boolean function {\ensuremath{\mathcal{ACTIVE}}} is defined that returns 
whether a fault mode is active (true) or dormant (false).
%
It can be said that if any pair of fault modes is active at the same time, then the failure mode set is not
unitary state:
formally;
%
%
 \begin{equation}
  \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} .
 \end{equation}
%
%
% 
% \begin{equation}
%  c1 \cap c2 \neq \emptyset  | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U
% \end{equation}
%
That is to say that it is impossible that any pair of failure modes can be active at the same time
for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$.
%
Note where there are more than two failure~modes, 
by banning any pairs from being active at the same time,
larger combinations are banned as well.

%\subsection{Design Rule: Unitary State}


\paragraph{Design Rule: Unitary State}

All components must have unitary state failure modes to be used with the FMMD methodology and
for base~components this is usually the case.
%
Most simple components fail in one
clearly defined way and generally stay in that state. 
%
Traditional FMEA has problems dealing with non unitary state failure modes.
%
This is mainly because combinations of failure modes could cause
effects very difficult to predict (as they are in effect new failure modes of the component).
%
However, where a complex component is used, for instance a micro-controller
with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made.
This can be termed `heuristic~de-composition'.
%
A modern micro-controller will typically have several modules which are configured to operate on
pre-assigned pins on the device. 
%
Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap micro-controllers~\cite{pic18f2523}.
%
For instance, the voltage reading functions which consist
of a multiplexer and ADC---which must work together to channel readings--- could be considered to be components
inside the micro-controller package.
%
\fmmdglossMUTEX
%
The micro-controller thus becomes a collection of smaller components
that can be analysed separately~\footnote{It is common for the signal paths
in a safety critical product to be traced, and when entering a complex
component like a micro-controller, the process of heuristic de-compostion
is then applied to it.}.
%
%\paragraph{Reason for FMMD unitary failure mode constraint.} 
Were this constraint not to be applied,
each component would not contribute $N$ failure modes, % to consider 
but potentially
$2^N$. 
%
\fmmdglossSTATEEX
This would make the job of analysing the failure modes
in a {\fg} impractical due to state explosion. %the sheer size of the task.
%Note that the `unitary state' conditions apply to failure modes within a component.
%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos

\section{Handling Simultaneous Component Faults}

For some integrity levels of static analysis, there is a need to consider not only single
failure modes in isolation, but cases where more than one failure mode may occur
simultaneously.
%
Note that the `unitary state' conditions apply to failure modes within a component.
%
This does not preclude the possibility of two or more components failing simultaneously.
%
%The scenarios presented deal with possibility of two or more components failing simultaneously.
%
It is an implied requirement of EN298~\cite{en298} for instance, to 
consider double simultaneous faults\footnote{Under the conditions
of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already.
However, from the perspective of static failure mode analysis, this amounts
to dealing with double simultaneous failure modes.}.
%
To generalise, it may be necessary to consider $N$ simultaneous 
failure modes when analysing a functional group.
%
This involves finding
all combinations of failures modes of size $N$ and less.
%The Powerset concept from Set theory is useful to model this.
%
The power-set, when applied to a set S is the set of all subsets of S, including the empty set
\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
is no fault active in the functional~group under analysis.}
and S itself.
%
The power-set concept is augmented here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures.
%
In order to consider combinations for the set S where the number of elements in 
each subset of S is $N$ or less, a concept of the `cardinality constrained power-set'
is proposed and described in the next section. 

%\pagebreak[1] 
\section{Cardinality Constrained Power-set }
\label{ccp}

A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold
are not included. 
%
This threshold is called the cardinality constraint.
%
To indicate this, the cardinality constraint $\le cc$ is subscripted to the power-set symbol thus $\mathcal{P}_{\le cc}$.
Consider the set $S = \{a,b,c\}$. 

The power-set of S: 

$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$


$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is 
less than or equal to 2.

$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$

Note that $\mathcal{P}_{\le 1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is:

$$ \mathcal{P}_{\le 1} S = \{ \{a\},\{b\},\{c\} \} .$$

\paragraph{Calculating the number of elements in a Cardinality Constrained power-set}

A $k$ combination is a subset with $k$ elements.  
%
The number of $k$ combinations (each of size $k$) from a set $S$ 
with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}.
%
\begin{equation}
C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} .
\label{bico}
\end{equation} 
%
To find the number of elements in a cardinality constrained subset S with up to $cc$ elements
in each combination sub-set,
sum the combinations must be added, 
%subtracting $cc$ from the final result 
%(repeated empty set counts)
from $1$ to $cc$ thus
%
%
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
%
%
\begin{equation}
 |{\mathcal{P}_{\le cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ cc! ( |{S}| - cc)!} . % was k in the frac part now cc
 \label{eqn:ccps}
\end{equation} 
%
%
%
\subsection{Actual Number of combinations to check with Unitary State Fault mode sets}
%
If all of the fault modes in $S$ were independent,
the cardinality constrained power-set
calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check.
%
Because  sets of failure modes in FMMD analysis are constrained to be unitary state,
the actual number of test cases to check will usually 
be less than this.
% 
This is because certain combinations of faults within a components failure mode set
are impossible under the conditions of  unitary state failure mode.
%
To modify equation \ref{eqn:ccps} for unitary state conditions, the number of component `internal combinations'
for each component must be subtracted from the total for the {\fg} under analysis.
%
Note it is necessary to sequentially subtract using combinations above 1 up to the cardinality constraint. 
%
For example, say 
the cardinality constraint was 3, it would be necessary to subtract both
$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the {\fg}.

\subsubsection{Example: Two Component {\fg} Cardinality Constraint of 2}

For example: given a simple {\fg} with two components R and T, of which
$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$

This means that the {\fg} $FG=\{R,T\}$ will have a component failure mode set 
of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$. 
%
Note this set of failure modes
is as would be used for single failure analysis. 
% Did J Howse actually read this? 06APR2013
% This set does not contain
% mutually exclusive failure modes, because both $R$ and $T$ could fail.
% The failure modes of $R$ and $T$ are mutually exclusive though, and so some
% combinations of the failure mode set $\{R_o, R_s, T_o, T_s, T_h\}$ cannot occur.
% We use equation~\ref{eqn:ccps} to determine the number of valid combinations.
%
For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$),
applying equation \ref{eqn:ccps} gives:
%
$$ | P_{\le 2} (fm(FG)) |  = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!}  = 15.$$
%
This is composed of ${5 \choose 1}$,
five single fault modes, and ${5 \choose 2}$, ten double fault modes.
%
However the {\fms} are mutually exclusive within a component.
%
It is necessary then, to subtract the number of `internal' component fault combinations 
for each component in the {\fg}.
%
For component R there is only one internal component fault that cannot exist
$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. 
%
For the component $T$ which has three  fault modes ${3 \choose 2} = 3$.
  %
Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, it is necessary to subtract $(3+1)$.
%
The number of combinations to check is thus 11, $|\mathcal{P}_{\le 2}(fm(FG))| = 11$, for this example, and this can be verified
by listing all the required combinations:
%
% Because there are only two components, this is simply the cross product
% of fm(R) and fm(T) but this does not hold for larger {\fgs}...
%
$$ \mathcal{P}_{\le 2}(fm(FG)) =  \{
 \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
 \}
$$
%
whose cardinality is indeed, 11. % by inspection
%$$ 
%| 
%\{
%    \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
%\}
%| = 11 
%$$


\pagebreak[1]
\subsubsection{Establishing Formulae for unitary state failure mode cardinality calculation}
%
The cardinality constrained power-set in equation \ref{eqn:ccps}, can be modified for % corrected for 
unitary state failure modes.
%This is written as a general formula in equation \ref{eqn:correctedccps}. 
%
%\indent{
%To define terms :
%\begin{itemize}
%\item 
Let $C$ be a set of components (indexed by $j \in  J$)
that are members of the functional group $FG$
i.e. $ \forall j \in J , C_j \in FG $.

%\item 
Let $|fm({C}_{j})|$
indicate the number of mutually exclusive fault modes of component $C_j$.
%\item 

Let $fm(FG)$ be the collection of all failure modes
from all the components in the functional group. 
%\item 

Let $SU$ be the set of failure modes from the {\fg} where all $FG$   is such that
components $C_j$ are in
`unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J , fm(C_j) \in \mathcal{U}) $, then 
%\end{itemize}
%}

\begin{equation}
  |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}  
 - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} .
  \label{eqn:correctedccps}
\end{equation} 

Expanding the combination in equation \ref{eqn:correctedccps}


\begin{equation}
 |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}   
- {{\sum_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  } .
 \label{eqn:correctedccps2}
\end{equation} 

%\paragraph{Use of Equation \ref{eqn:correctedccps2} }
Equation \ref{eqn:correctedccps2} is useful for an automated tool that
would verify that a single or double simultaneous failures model has complete failure mode coverage.
%
By knowing how many test cases should be covered, and checking the cardinality
associated with the test cases, complete coverage would be verified.

\subsection{Example: Pt100 Verifying complete coverage for a cardinality constrained power-set of 2}

\fmodegloss

The Pt100 example in~\ref{sec:Pt100} which performs double failure mode FMMD analysis is used as an example.
%
It is important to check that  all possible double fault combinations have been covered.
%
Using the equation \ref{eqn:correctedccps2} to determine the number of failure scenarios, or checks, 
necessary for complete failure coverage.
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.

\indent{
 where:
 \begin{itemize}
  \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes,
  \item The indexed set $C_j$ represents all components in set $SU$,
  \item The function $FM$ takes a component as an argument and returns its set of failure modes,
  \item $cc$ is the cardinality constraint, here 2 (for double and single faults).
 \end{itemize}
}
\begin{equation}
 |{\mathcal{P}_{\le cc}SU}| = {\sum^{k}_{1..cc}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}   
- {{\sum_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  } ,
 \label{eqn:correctedccps2}
\end{equation}

}
{
\begin{equation}
 |{\mathcal{P}_{\le cc}SU}| = {\sum^{cc}_{k=1}  \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum_{j \in J}   \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}}  } .
 %\label{eqn:correctedccps2}
\end{equation}
}
%
%
$|FM(C_j)|$ will always be 2 here,  as all the components are resistors and have two failure modes.
%
%
% Factorial of zero is one ! You can only arrange an empty set one way !
%
Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2.
%is always 2 for this circuit, as all the components are resistors and have two failure modes.
%
\begin{equation}
 |{\mathcal{P}_{\le 2}SU}| = {\sum^{k}_{1..2}  \frac{6!}{k!(6 - k)!}}   
- {{\sum_{1..3}   \frac{2!}{2!(2 - 2)!}}  }
 %\label{eqn:correctedccps2}
\end{equation}
%
$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).
%
Expanding the summations:
%
%
$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - 
\Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) , $$
%
$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 )  = 18 .$$
%
As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
there is confidence that all `double combinations' of the possible faults
have been checked in the Pt100 circuit.
%The next task is to investigate
%these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.



%\paragraph{Multiple simultaneous failure modes disallowed combinations}
%The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs
%of failure modes within components, but also ensuring that combinations across components
%do not involve any pairs of failure modes within the same component.
%%%%- NOT SURE ABOUT THAT !!!!! 
%%%-      A recursive algorithm and proof is described in appendix \ref{chap:vennccps}.
 
%%\paragraph{Practicality}
%%Functional Group may consist, typically of four or five components, which typically
%%have two or three failure modes each. Taking a worst case of mutiplying these
%%by a factor of five (the number of failure modes and components) would give
%%$25 \times 15 = 375$
%%
%%
%%
%%\begin{verbatim}
%%
%%# define a factorial function
%%# gives 1 for negative values as well
%%define f(x) {
%%  if (x>1) {
%%    return (x * f (x-1))
%%  }
%%  return (1)
%%
%%}
%%define u1(c,x) {
%% return f(c*x)/(f(1)*f(c*x-1))
%%}
%%define u2(c,x) {
%% return f(c*x)/(f(2)*f(c*x-2))
%%}
%%
%%define uc(c,x) {
%% return c * f(x)/(f(2)*f(x-2))
%%}
%%
%%# where c is number of components, and x is number of failure modes
%%# define function u to calculate combinations to check for double sim failure modes
%%define u(c,x) {
%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2))
%%}
%%
%%
%%\end{verbatim}
%%

\pagebreak[1]
\section{Component Failure Modes  and Statistical Sample Space}
\label{sec:usprob}
%\paragraph{NOT WRITTEN YET PLEASE IGNORE}
A sample space is defined as the set of all possible outcomes.
%
For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct')
operating state and all its failure modes.
%
Failure modes can be considered as events in the sample space.
%
When dealing with failure modes,  
the state where the component is working correctly or `OK' (i.e. operating with no error) is not useful.
%
For FMEA the analyst is interested only in ways in which it can fail.
%
By definition, while all components in a system are `working~correctly',
that system will not exhibit faulty behaviour.
%
%We can say that the OK state corresponds to the empty set.
%
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
The failure mode set $F$ for a given component or derived~component $C$
is therefore
$ fm(C) = \Omega(C) \backslash \{OK\} $
(or expressed as
$ \Omega(C) = fm(C) \cup \{OK\} $).

The $OK$ statistical case is usually the largest in probability, and is therefore
of interest when analysing systems from a statistical perspective.
%
For these examples, the OK state is not represented area proportionately, but is included
in the diagrams.
%
This type of diagram is germane to the application of conditional probability calculations
such as Bayes theorem~\cite{probstat}. 
%
The current failure modelling methodologies 
(FMECA~\cite{fmeca}, FTA~\cite{nucfta}\cite{nasafta}, FMEDA~\cite{en61508}) 
use Bayesian
statistics to justify their methodologies.
%
That is to say, a base component or a sub-system failure
has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds 
to the probability that a given part failure mode will cause a given system level failure/event.}.
%
Another way to view this is to consider the failure modes of a
component, with the $OK$ state, as a universal set $\Omega$, where
all sets within $\Omega$ are partitioned.
%
Figure \ref{fig:combco} shows a partitioned set representing 
component failure modes $\{ B_1 ... B_3, OK \}$: partitioned sets
where the OK or empty set condition is included, obey unitary state conditions.
%
Because the subsets of $\Omega$ are partitioned, it can be stated that these 
failure modes are unitary state.
% 
% \begin{figure}[h]
%  \centering
%  \includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png}
%  % partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
%  \caption{Base Component Failure Modes with OK mode as partitioned set}
%  \label{fig:partitioncfm}
% \end{figure}

\section{Components with Independent failure modes}
\label{ch7:indfm}
%
Suppose that a component that can fail simultaneously
with more than one failure mode is included in an analysis.
%
This would make it seemingly impossible to model as  `unitary state'.
%
%
\paragraph{De-composition of complex component.}
%
There are two ways in which this can be dealt with.
%
The component could be considered a composite
of two simpler components, and their interaction modelled to
create a derived component (i.e. use FMMD).
%
The second way to do this would be to consider the combinations of non-mutually
exclusive {\fms} as new {\fms}: this approach is discussed below.

\ifthenelse {\boolean{paper}}
{
This technique is outside the scope of this paper.
}
{
%This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled.
}

\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with three failure modes as partitioned sets}
 \label{fig:combco}
\end{figure}

\paragraph{Combinations become new failure modes.}
% FUCK OFF
 the combinations
of the non-mutually exclusive failure modes could be considered  as new failure modes.
%
An Euler diagram representation of
an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in
the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$  is presented in figure \ref{fig:combco}.
%
For the purpose of example consider $\{ B_2, B_3 \}$
to be intrinsically mutually exclusive, but $B_1$ to be independent.
%
This means there is the possibility of two new combinations
$ B_1 \cap B_2$ and $ B_1 \cap B_3$.
%
These are represented as shaded sections of figure \ref{fig:combco2}.

\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with three failure modes where $B_1$ is independent}
 \label{fig:combco2}
\end{figure}



The probabilities for the shaded areas can be calculated,
assuming the failure modes are statistically independent,
by multiplying the probabilities of the members of the intersection.
%
The function $P$ is used to return the probability of a 
failure mode, or combination thereof.
Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and  $P(B_1 \cap B_3) = P(B_1)P(B_3)$.


\begin{figure}[h]
 \centering
 \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png}
 % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
 \caption{Component with two new failure modes}
 \label{fig:combco3}
\end{figure}

%OH FUCCCCKKKKKKKKKKKKKKKKK OFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}).
Because of the combinations, the probabilities for the failure modes
$B_1, B_2$ and $B_3$ will now reduce.
%
The prime character ($\; \prime \;$), to represent the altered value for a failure mode, i.e.
$B_1^\prime$ represents the altered value for $B_1$.
Thus
$$ P(B_1^\prime) = P(B_1) - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$
$$ P(B_2^\prime) = P(B_2) - P(B_1 \cap B_2) \; and $$ 
$$ P(B_3^\prime) = P(B_3) - P(B_1 \cap B_3) \; . $$

Two new component failure modes $B_4$ and $B_5$ have been created as shown in figure \ref{fig:combco3}.
Their probabilities expressed as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$.





\section{Critiques}

\subsection{Problems in choosing membership of {\fgs}}

The choice of components for {\fgs} is one to be made by the analyst.
%
The guiding principle it to choose components that are functionally adjacent
and try to create the smallest groups possible.
%
There are some mistakes that an analyst could make when choosing the members 
of functional groups. These are:
\begin{itemize}
 \item Choosing components that are not functionally adjacent --- i.e. components that do not work together to perform a specific function,
 \item Not including components that may have side effects on the {\fg}, but are not obviously connected.
\end{itemize}
%
If a deliberately `bad' {\fg} were chosen it would be found that,
on analysis, the component failure modes would not aggregate--i.e. be collectable as---common
symptoms. 
%
This would be because, with non-functionally adjacent
components, their failures often cause non-common failure symptoms. % for the {\fg}.
%
That is a well defined  module will typically have a larger number of component failures than failure symptoms.
%
With components that are not interacting, it is unlikely to see good
aggregation of symptoms.
%
%
This property could be of use in future automated FMMD tools
to warn of potentially poorly chosen {\fgs}.


\subsubsection{Side Effects: A Problem for FMMD analysis}
\label{sec:sideeffects}
A problem with modularising according to functionality is that it could 
have cause failures that would % poss split infinitive
intuitively be associated with one {\fg} 
that could cause unintended side effects in other
{\fgs}.
%
For instance to have a component that on failing $SHORT$ could bring down 
a voltage supply rail, could have drastic consequences for other 
functional groups in the system. % pissare examining.

\pagebreak[3]
\subsubsection{Example de-coupling capacitors in logic circuits}

A good example of a component failure that can 
induce side effects in other components, are de-coupling capacitors, often used 
over the power supply pins of all chips in a digital logic circuit.
%
Were any of these capacitors to fail $SHORT$, they could bring down 
the supply voltage to the other logic chips.
%
To a power-supply, shorted capacitors on the supply rails 
are a potential source of the symptom, $SUPPLY\_SHORT$.
%
In a logic chip/digital circuit {\fg} open capacitors are a potential 
source of symptoms caused by the failure mode $INTERFERENCE$.
%
So  a `symptom' of the power-supply, and a `failure~mode' of
the logic chip to consider.
%
A possible solution to this is to include the de-coupling capacitors
in the power-supply {\fg}.
% decision, could they be included in both places ????
% I think so 


Because the capacitor has two potential failure modes (EN298),
this raises another issue for FMMD. 
%
A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails).
%
But in {\fg} terms, the power supply now has a new symptom that of  $INTERFERENCE$.
%
Some logic chips are more susceptible to  $INTERFERENCE$ than others.
%
A logic chip with de-coupling capacitor failing, may operate correctly 
but interfere with other chips in the circuit.
%
%%% There is no reason why the de-coupling capacitors 
%%% could not be included % {\em in the {\fg} they would intuitively be associated with as well}.% poss split infinitive
%%% in {\fgs} that they would not intuitively be associated with.
%
There is no reason why de-coupling capacitors cannot be included in each {\fg}
that could be affected by $INTERFERENCE$, meaning that the same 
de-coupling capacitors can be members of different {\fgs}.
%
This allows for the general principle of a component failure affecting more than one {\fg} in a circuit.
%
This allows functional groups to share components where necessary.
%
This does not break the modularity of the FMMD technique, because, as {\irl},
one component failure may affect more than one sub-system.
%
It does uncover a weakness in the FMMD methodology though.
%
It could be very easy to miss the side effect and include
the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.


%\section{Evaluation}

%TO DO