From 08fad4c2f9b8aae45f5e8a4a0dcc1841dbeb93d1 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Fri, 30 Nov 2012 21:22:31 +0000 Subject: [PATCH] POST CONDITIONS --- submission_thesis/CH5_Examples/software.tex | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index 9f12d4e..00fccd5 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex @@ -136,6 +136,20 @@ be executed. % In implementation code, a pre-condition violation should cause an error to be generated, and thus a post condition to fail. +% +A function can fail for reasons other than the +a failure of one the variables/inputs or functions that it calls. +Variables can become corrupted, by radiation affecting RAM or +by another software function erroneously overwriting variables. +Current work on software FMEA generally focuses on mapping +variable corruption to failure modes~\cite{procsfmea,procsfmeadb,sfmeaauto,sfmea}. +However, errors other than variable corruption can occur, +for instance a microprocessor may have subtle bugs in its instruction set or +incorrectly handled +interrupt contention could cause side effects in software. +For the failure mode model of any software function +we must consider all failure modes of post condition +violations as well as those caused by `components'. \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} @@ -419,6 +433,7 @@ With these failure modes, we can analyse our first functional group, see table~\ 5: $ADC_{LOW}$ & output low & $LOW$ \\ 6: $ADC_{HIGH}$ & output high & $HIGH$ \\ \hline + 7: post condition fails & software fails & $V\_ERR$ \\ \hline \hline 
@@ -507,8 +522,10 @@ We now analyse this hardware/software combined {\fg}. 4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\ & wrong channel & \\ \hline - 5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline - + 5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline + + 6: post condition fails & software fails & $VV\_ERR$ \\ \hline + \hline
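Review bot: the opening sentence of the new paragraph in the hunk at line 136 has a grammatical slip, `A function can fail for reasons other than the a failure of one the variables/inputs or functions that it calls.`; suggest `A function can fail for reasons other than a failure of one of the variables, inputs or functions that it calls.` The clause `incorrectly handled interrupt contention could cause side effects in software` also reads as a stray aside rather than the second example it is meant to be; `or incorrectly handled interrupt contention may cause side effects in the software` keeps it parallel with the microprocessor example. The final sentence contrasts post condition violations with failures caused by `components' without saying that `components' here means the called functions and inputs named at the top of the paragraph; one clause making that explicit would help, since the next paragraph goes on to map contract violations to symptoms.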
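Review bot: the new row `7: post condition fails & software fails & $V\_ERR$` in the hunk at line 419 introduces the symptom name $V\_ERR$, which does not appear elsewhere in the hunk; it should be introduced in the text alongside $LOW$ and $HIGH$ before the table uses it. The failure mode column is also weaker than the rows above it: rows 5 and 6 name concrete conditions (`output low`, `output high`), whereas `software fails` does not say which post condition is violated or how that is observed, so the table reader cannot tell this row apart from any other software fault. Since the hunk header shows the table being referred to from the prose (`see table~\`), that prose should also state that the functional group now mixes hardware failure modes with a software post condition failure.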
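Review bot: in the hunk at line 507 the removal and re-addition of `5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline` is a whitespace-only change (the removed and added lines are otherwise identical), which hides the one substantive line of the hunk behind noise; drop it or separate it into a formatting commit. The new symptom $VV\_ERR$ also differs from the $V\_ERR$ used for the equivalent `post condition fails` row in the earlier table; if each functional group is meant to have its own symptom name the text should say so, otherwise the two rows should share one name. The added trailing `\hline` after `\\ \hline` produces a double rule, which matches the `\hline \hline` ending of the first table, so that part is consistent.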