From 0baf6b3e0b0d7b16ecca49c97c9f010b81d86bf8 Mon Sep 17 00:00:00 2001
From: Robin Clark
Date: Sat, 23 Jun 2012 10:23:48 +0100
Subject: [PATCH] AF and JH comments on paper
---
 mybib.bib | 38 +++
 papers/fmmd_software_hardware/fmmdh.dia | Bin 2785 -> 2621 bytes
 papers/fmmd_software_hardware/hd.dia | Bin 2384 -> 2464 bytes
 .../fmmd_software_hardware/software_fmmd.tex | 228 +++++++++++-------
 4 files changed, 175 insertions(+), 91 deletions(-)
diff --git a/mybib.bib b/mybib.bib
index b1e5c9b..d886fcb 100644
--- a/mybib.bib
+++ b/mybib.bib
@@ -121,6 +121,37 @@ Database
 keywords = "fault-tolerance"
 }
 
+@article{syssafe2011,
+ title = "Developing a rigorous bottom-up modular static failure modelling methodology",
+ journal = "6th IET International Conference on System Safety, 2011",
+ volume = "",
+ number = "",
+ pages = "",
+ year = "2011",
+ note = "6th IET International Conference on System Safety, 2011",
+ issn = "",
+ doi = "",
+ url = "",
+ author = "R.P. Clark et all",
+ keywords = "Failsafe",
+ keywords = "EN298",
+ keywords = "gas-safety",
+ keywords = "burner",
+ keywords = "control",
+ keywords = "fault",
+ keywords = "double-fault",
+ keywords = "single-fault",
+ keywords = "fault-tolerance"
+}
+
+Developing a rigorous bottom-up modular static failure modelling methdology
+Author:
+
+Clark, R
+Publication:
+
+6th IET International Conference on System Safety, 2011
+
 @ARTICLE{ontfmea,
 AUTHOR = "Lars Dittman et all",
 TITLE = "FMEA using Ontologies",
@@ -225,6 +256,13 @@ Database
 YEAR = "1992"
 }
 
+@BOOK{dbcbe,
+ AUTHOR = "R. Mitchel",
+ TITLE = "Design By Contract by Example",
+ PUBLISHER = "Adisson-Wesley",
+ YEAR = "2002"
+}
+
 @BOOK{opmanage,
 AUTHOR = "Roger Schroeder",
 TITLE = "Operations Management: Contemporary Concepts and Cases ISBN: 978-0073403380",
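Review bot: The new `syssafe2011` entry will not render cleanly: it is typed `@article` with the conference name in `journal`, it carries empty `volume`/`number`/`pages`/`issn`/`doi`/`url` fields that standard styles warn about, and it repeats `keywords` nine times, of which classic BibTeX keeps only the first and warns about the rest (the neighbouring entries share that habit, so this is an existing file convention rather than something this commit introduced). The author field `"R.P. Clark et all"` is also not a BibTeX name list; use `author = "Clark, R. P. and others",` together with `@inproceedings{syssafe2011,` and `booktitle = "6th IET International Conference on System Safety",`, and drop the empty fields and the `note` that merely duplicates the venue. The loose lines after the closing brace (`Developing a rigorous ... methdology`, `Author:`, `Clark, R`, `Publication:`, ...) sit outside any entry, so BibTeX ignores them, but they read as a pasted citation stub and should be deleted or wrapped in `@comment{...}` so that a later stray `@` in that text cannot corrupt parsing of the rest of the file.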
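Review bot: The publisher in the new `dbcbe` entry is misspelt; `PUBLISHER = "Adisson-Wesley",` should read `PUBLISHER = "Addison-Wesley",`. If this is the 2002 Addison-Wesley book "Design by Contract, by Example", its authors are Richard Mitchell and Jim McKim, so the author field would be `AUTHOR = "Mitchell, Richard and McKim, Jim",` rather than `"R. Mitchel"`; worth confirming against the book itself, since the entry is cited as `\cite{dbcbe}` in software_fmmd.tex. Entering the names in `Last, First` form also avoids the parser guessing at the surname.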
diff --git a/papers/fmmd_software_hardware/fmmdh.dia b/papers/fmmd_software_hardware/fmmdh.dia index 6f3f040cd0a41c684d02e45f87521e9b4628424b..eb21d8fb0aec29cfc1e6c9d6a41c54caf06f50b0 100644 GIT binary patch literal 2621 zcmV-D3c~dtiwFP!000021MQtzZ{s);fZzL981B~$!}}OdGT6alu@4LE06Y5}$hO+i zj4T~JL?xP$f$p^342wm5sw$R>^iMy3U#6qyc)dyT>~4$z9FO8` zmd}%HaX0?&Z~yo~j(@)Y^3yzte$;;!>u5RBzmaXsySwpYQLKKvy?uFk0qN@|D)Kc* zlP9o=Z~qsiX>_X_-Hz|Sj7Ga1%%dVQpOv3RMX^q%PenY+qGfzHo<_4j7VG>en~zz(8V*^<*$5 z6%W^(4>oEPIHvxz(tap5CSe3t{fGolyO{ab-`-+3IjOK5ulYQ=^=o zLw&(FM?Px%Kch#Dh_Q`mJSuW)*GBLEdpDNH2Ku1WD?#*IQ{0q81}M2f7>JP8lmQ~G z5Hyj1X?fZZ;gH6(saBU5Qvx9C%$Op;^gXfjl6^F$euhc&h(I8FwJ8f45^!#$aK$G2 zheQ@*$ifB%4K*7;?hs_!I4B@MQggi}2^kO&Ae5y_P7nu*T98#pjvFgBaNK2d%bJ2r z0i_V#UYEQKhDr3|f*=`&Ri3WXPsuh_1Ye4u%LeD@Q%$kQ#47l@P*87BI9o z5f^(CJVbHc$&}$gLA5L1PUqNi*Q0P^GNh zKoU903XAY?`1SO|ft`J0RQ4DS+`^L?uDXE(0VrWP>Gr{lpo%*-MEK`2el7iIl!0i^ zol4_OGoo%P!aEf$2?}Dp3Rg@U4h9%2BT*IHsZ^=yX{uMcWh^Rs9g8B`0vu{PYdka@ zQZHfcq(h1<9A!AlF;wB{@ayTPql`y;PDkUEsGbV7%|8WpE9P-4a?3+Vn91=&s+?rS zS!g<{^z_p~d$o@JE&g8Y(1Esew2&5MoZ%a+y>if;=vE4ZZ1Vn2u)4EfmOqLDeBNt!P$XSZB7LH+u&PKk&kCO)^ZDpov`o@hJ)S7rj7OW|)f9PXGvI#ppK6uYBWl0e@h%gVL6VFWG?f{LNCX;z~%yDMyO5Xaq2)+T!vqe z`}OqKR3hTaHXs#!Ly>$CimHVWo-&urlRB~v9Ks_aEQ(SJyTF6oS}8>k4?WgQgZ$9iYn$~FdVE6Tc964pB-&7wsSA!SiSOt|V;-oY*gubL-GM7)0_ zevosmtv5c#?D5H;)1JCeFDH@XCw8HYE~>`65Xfut~hQO+cj zNH!OJoNm5?(|RI(Y3Bb^m%^SG44HDHryM0i?JS zuWRzc3@}sQq#c`b4@aP4-MHNMQFKaNC%kZwy_}+Uu%6?P{06c8C)ao4L~e=!UpAc^K=}uGmsw4z3wi zyMxy~<8@E)I(Xe)dEF}yl|#+XFhUgD-IyZq5k^osIb5&_1;RYD#|WU>yM!(~ldA>& zE;*IUY*@r}=b)^*g@P9y%LM`9yV6A6V#!Z=P+|+Ged?ua2TW@@NW3x4wCRPNFx`TF z1Jm6yO_z2GJ_(#9BD+g4hLwIXNioVHc!a zs4&dRgHWtkEbw5S2J>{9$H6-F(K_+w+t(E>ofQkZDA)=zv6D7W=8J>2vD09i2HSL+ z#=$uC(Kw0b$JTP}JQc)Yzp(_nz=@i`$<&9I*@_`>8jRB!8VA$VN7K~GaVrdV5jed` zDkCR^%~29V=rmZT%YYmVR38mg^Fw&dmu|Z-2CAU;X)6c$e&Du&=`Fi&T2 f9IVraS||73ezEoam%VSkzW?%nq-`$=9fJS>lt2Rn literal 2785 zcmV<73Lf z>^h$&+3aHcpU=OasqruGPkx>z(NE^jY!Tg#%r~;7eRnawDT?_|=jUI)ensiSGAi-~ 
zN|QUZjL-iUrD=3-8l8{dpNvM&JD5gAWRF!xqoPqwje%i?0@O^ml#N*u1oE()B!EY<7D)&zFg5 zQasGJn$+}T|9;k{YPB?tvf2B0zrwrnl&S+yefdtb)<|(1EoMo!ZO4pFS`Gw7ic)F@ zgKMR+1W8t7@^W)m{hCYrHMi*3T(Z2J=Zj(yCB?SMt2|HRC@ZZNi@UhFo#l0u8i?(3 ztA!U|lA_4>od1_7T^`~FyLCWx;gn2BSA@E=JQdoWDfV%TC!Xz4HpS_MS1wLmnr9E`Qa zvw;`~>Y#=(ZD#p8&$7!nn>vpg`RQ%SFjMwKxo$|V+1>5+eDidC0oATft#f7!&4e$v z!mQONqZITse6n#uo$xSgi(!t;Y!N`bDKQ>| zUt@(iD~wMR0%K7i0zs*`wPS~nF+-U57Ef3**3Vz+$B8GPeLNwAn{F92pb*3vp)R5j z4#q5OK+(>v0mMCmn70ln7?Rpfx8Nb!*qQ-n2AfbqAf+vkDGAEQ?R^`t+#{An`@jN> zfI|ls+M$ZOz(RuqvIremwDfJjau6(kj=vSpz)UJI>$YGvtD#d0 zC}_f>vOz75Invy`YiO>pqp+vax6!6
{UwRRi3C~`bHJ3A{s`0(qe-$wuV`0u|y z{`uRVpFf!+<|CZfY_r%=o2)Bz=UL%97khm4CAv-02Xo3%wj7U^#Y2^4E5G`$IK7XH z#OOLS4}@nEL+kb09h-VEZf7V;lUa5f`)4!G?ry7* zJkW}_8vC+K=H8vs=0)>#Dy*0C0BK#QWoE5=N{uE4Br1lu)XW8pio(P! zE(~}a+-_tu3yP6)Wd=u66IkW-Mc}-C9r{T71vtf6fSn&MNYFJnVGJq=N&`VbxFpuD zpel52s?JLv4mqe*h5+b*!^3dcx=L!t9XmJ#O==1R3b>nHrY#X_0@x9uz&tb&`hE1Z zQ(S>;m8E)n5NuuKlt_|_B!GpaLW!`HrPMLt6KO>lO1m1Xz#y#i($|tOp(`e20}Ky? zVe1;DGQ(Z6gb0X1V}+7Rj*Sve2sX;7m@_L>XeRXf=t#U8NiX zrBrsq9L6OFVoE~qm-GARZK$~m7c^~}<9&M=lpXBbRIFMXP!e|ACLyxoLFTq?DqV`B zA`pJprq@evOCl95ame(5!^3dczA6WZGUjFoBnirfU}hN8a$%x~t!WTp>CrG0105QP zb$)u9niIpkEE{6-Dl6oU(9ycgWrkukYMh2ehZ%H5%4MsduHpqmy38(@!D*__O>a{s zT#84Nqf4Hsb(Ru6u@r4x#jslgDNr{-nnG9{azdbFDYt=uDkuev)6m(IS~tBo7M!KS^O9LttS{kEeEu_a-U!!x&x(#?ZkM zmT_3^2xeiI4paa*bPxcygvDHx+k!>-C9K~~f71%Y;^;7}T40#J((;$L-#ehCoiTg! zGN_k8$cvy7tpbE@% zdFwKVz!eWpl>@O>uI@&)1+~3}S%@AURN?j0-xQc=^GKN212G&Sh-C-W5(cokZ#if% zLCs1@mmro*PK-q$;GQNSWYatGUs5gc`{`*)5v7=xTnyycV9dW`7}sS?TNnM#?4x_M z3lSLKnSso_2|r({`-{)q46boBdO=B6@APwbs+^W~6K4V_f2 zh3Sx3{hkx6b+n~Bpe^F?07wR>t(7HWY0Lbh>@tWWaWu4*I@+4Xi{w6@o;XXHLFK?( zeejkarvq;tA#X9<0dLvo-k-Xyc%gZ#w1g42yd@EHyk#GrcnrKnvuVX!UmnA)kqfs5 z*6M+^{3sn*>lj&!bQNvcY60yf+Ol#fDV-=pFcroy2zm^x^*NufM_Z%EXltOYzJjeS zm=3h{J+P&_EyG-CE z5dkVDZfApH*1E*3#m{}r%^+QFrEd>**0<%)r68%AS--_zi;dPMRwBaH&ZteLXBZZ06XhuCUK?6iN_> zXF>Z|>F#jWcl(CGtHyL+V`1W9*VxFe{Bf7Mx*Ny|MazMu{Xnj=XJ%BJ#jbop0gz#_ nJIL-H+1-KHL3WQrcFVW!H|gJ>to>;H`;-3z`MWri*oFWAlt*LX 
diff --git a/papers/fmmd_software_hardware/hd.dia b/papers/fmmd_software_hardware/hd.dia index 9d8a7300d47fd025e62733cf2cc0a704aa7e446a..f0acfbefbd8dacf9ce0ef462a58b8bc7799d59c2 100644 GIT binary patch literal 2464 zcmV;R319XfiwFP!000021MOW~bK|xZe&1iA(Y~}Z3XJ9DB51X^tTrPY3o8#7lKgCEw!`qScY(Lz>nVt92|h(egEY?9zBNHCQ6grF#>Qr z3X?^;jFQ#u_+Ov?@{JsS|KZ(t%P9C(|6gUn{YZZ!*_hvM$9H+Y{`ThP>FEi?&zm4m zGZ04)U=!Z_H;CilMi;sne|R?aFhi1;q7=HEPh{Q=|i#{ z7p2N_i!@HN(PI$bj^BT_uklS;&COmtN9tY&t8ku$!SBsgL;X^!P1Wl#JFND8oo*ss zB!6C4iZs+?-gnBBr8c@yvik7;BYj^qsr+DDS6xFJjpX-1wu+Lf9o;u^(GeI(jIr(v zrlf*`3iQ$^mz$ek*IayEbJ=yxMVr|=&GIaW@~X*sn#N&}6jt->A#87Fvj}1hv14vI zc=0*P^YldfKL_#V90!VzU+=a{@7z@uEsx*0dnFobd5V_#-Rz5}?kZ}3_Eh_0w29_% zSl9X}$vdn5xtr<_ua0H!?bjXAP}J5a4@()ckXp|ShpkMH$_rdF&L~*q(c{Z+JAIPQ{}V3q(%FCJL9z_8<>;Hy z59ycjb_}9NAkp%6{CBwDS%>cF$}|sFdTX7&LP`LlAetzk4*Q_WAWatL^Fsrfb|FYs zarkP4S|gH85dwm|kmQ=?H9Xe*MSVpNj_rfL=5KN`ozL$Fb}qj(>@gum;H37046_rU;*41h7)vBbX`RdYH{8 zNCKuwY|4R>Tqt9iaMhAE7ip5r!enVZYUO9OsBReIRGEfyq;R{2B@g$D^#Y?Mls+1+IwnjN(QwzdjVJ9-^4KqPUZbb|#7i6-1d4 zg+Q1ZHs*?9Ygu6I8OM!&))kcyQfwQ_8SNd8o1u6b$Efih@Csw*PR3jkO^U_Pm3f`% zaYTql2LVjssRB$uW(TkYa_?l^;AOR_ZkK5y=a}^kz{rJ%k!K$M6n@Ef0E|iibN5j( zGLw0X0rff}F03F;acru`$Anp%jJ1VHZu;XyWbU9$(`?5sW$cwZSoQd=VbSAAq_8RM zoF;jlCG+{{b8sKU&$>ZDvKfyy`Ev=*;;VlR`9bPt2;;kKEY zVd^yuZmlrDspTX)86>I?jP&ELA3yzj;3VIiRExubl6pu<%9WB3dL1} zgS3c^3e8d4vLejyC%FRYgZhAH$=_IsHWf&M==K2o&@gj@a5EXsX{S(=@8- z6f)6=2|p9yWltUkwxXdCc1YmjD!!eNgVA?-Al&M=%s z$@(E5X0unA&DJ7wklQ}Wt#iT}QUD`r(`pe_!Y5N9+a@=^ zI<+NlT5g+g%sPn5xL>uiaV#*KFl~uLYNIj~8Os7m#QaBP>iw)ON~Pesp`w4;!^9=) zlJ9?+ca7qPJxRQaxesP&LIFgcCq6=(AwY4n@F5IDgwIV$?v4$+>%8nrYMTCt4p#A~ z*}}_rMkeVABjJIOuCNYULE%71JtQOyJD9z3&L#>V&yzP}#cag4$xTuUW0SysP!bs^ z=?XKqDh>xudJCLn!d2@%!%Zypk2HQ>rAgi4H|W%{Y*nhN(=B1M52ax3Pt&UqR^uQF znN7ZC5r9HzQrd_;6NdmnA#QJftvhK}iTs0(9HLpp zUQ0#9T>wo1Z1Y^{HIP;q!$2Wy#_OUm&548Mdg(hUke5j0fk^(;D3M2*^?aFh7Rom5 zs1?f^xfB9PVcsZbl1U`pO;;uJe3-VgSf`w4YG)gBP5OCCL60kSy^3CZ;_9K29@Ekb 
zIIZ|(M^L*HSkeXW=}{Of*PNv~SabG4eKuY{F?#`Vv8ICrGRy1q@T4Ix3VX!cn!*I2 zvM@Pa*klgq!dy$OQ$N0Kt)-n{4g)A`$I|OyuC!+kw$eDWSse@&7nXB1i0&Y|M@9Dt zUI*R%|I=O81qX6~UJu!$6np1D4xpYg3V_UJLjfcdurRJ%2=H9pJ>qTcIhrqpnL1UN z1IcY+0kCrE$G5G!yc^7MUUn?K4(9mFwUH((Sfh`kmkW!;pu2Z`SKX{m!zX!fx<$eGsfyKf5!tVi`m=$JU-8XDU7_liP`d!OS>)j(~?n`oW>ztd0A7;(? zeN<96#)g~5o($!_oevd*Cxn^b{d}lAri)F@DXYx$K&=DE&bf7%p3?8>jo eWVm%+A6sc3QTgHB-ZLyey!#&@b@USFdH?{ek-@kC literal 2384 zcmV-W39t4aiwFP!000021MOW~Z{xTXexF}qcwSn-VR(4wdNYgJU36Pu7cI8az8Z?H zanyAr!&Z{XOMiPwNuKyZ`68N5)R6}hzz)q%hx+uL3y+lVfB14g>pjMcWs;>geL%S1 zi_>v7Nz&;}|6iZ}a;5q|e0cZ$B#FK=|EG)SzGuFXF73OU{#~BWzq`JEdU`^$=Vg>< z3p7g}&@#UMZ#0`l*JjXl|HHdpZ+(JElt=cn>eDFC7s>5I9{1AdKECPSM&m!Gi|iqt z^vhAzxN$bi7QM%4cGG|Vxp?)jt7)z`=Gim%JetP0i#YnDerjx9S~r<`9xt}1y`N{x z#0<%w=Q~4c=CME5##E!0W>7l)@ctuvUmjBR!OL8(1FZ$g@1w;uNq2F~+RVy@AV?8H z%wlk@G?q-lYE4duyS*&j?6Po+%fcng(L7t^izvx=A#by67Ds7`nlB#W<~Yl7G&2<2 zXO@Q*pOZY#4jljIXtq4Yfb!$7SKFyq?sSn%_FuRgBWh-ON+$W;=u4pGDrbKVH2Y(+ zOm1hf>*$j-Kil-r=b3){>=f$#@^w!(l(W^khlz@L%uja@(}!ddFAvacb4<-lch#`# zL#w_$?%0JXKiYEE1;i|Rju+MRKfbu>UUh;i#py-kJb7HbTU(Rt_CN7BuZ;a?9;K6L zG3j0Pe$2k~Ut$mwfh3cg{@?NDVr`peCNny?vs&})E2T6d48uSm$+s6_S3>F_Zf~~{ z7RH7sozCJF3g{AL2owq61BEy=1B_?!{b-ym(%mrOoOTs3g`(`*wo(&@C}B#!ynL|k z;$(W4*Mk9)Sg*etuHW)5dm1_7$HUIieIZ}Ju(mOc!Jo#84*(DiN@8Up2p4YZ&GWWSwwTj zmphTx>NmYR!x8J@4JGodkhR{+Z*Tf)$5h96q53Ya{q8D6**c)J2r=~~F-O#>Btu+< zj3*2VEl?;Q8WI~sfq(_oVsFEaQDchmrb5cVYP=CpsQ;gUf}MxQ+VCtqk4>zqDjpMz zl)eCuJq+u3e95SS`x2QVWfLJ{Pf0)~QzV6E1%FLwF|=|_l(Miunx6fmBMP^TyW<4H zl0bEpG1``JVigjwz#%~m1%)pK1>!dQCj{w$3^XW|sgiu^{3a#tcPftT41Qvu0qfG{v=%UV(@HUx}_0_M1IS$#8l z-!=+U4+=wI3V({f=#9Z-nuKR=*omQ2(8*nL7{qhQry9*N@I z**xuJ?36nfs2xJHfu`-g*gMTVfk;0ndKtD!^;q_FRr)^{$cNFRUxsnev; zn&hNmCrNFTB=D~{7nvhRO_Q=C>&*oULz>xwGnN)n=(n#&KmGRc)4w}K3av;^7Iuo% zMn&>(N5Ef0=AgY{YdB!iHX}|%m2X?1OXg~wj7+ffr$2Y%6k42W2-(TgTb8Gqswj9j zngBtRl{+pXaI2KktSE|VPHgKR)l3(#Ja|#mZKS(TiZN1lBw}dWw$dxrHG!SMM{-QW zKpI5~>?1225CsLXA%(5ix1f~pdsj=ijB|7`v2%`Z**VrU!+ZDq07cyH+z}LXx7)&y 
z5(b7K5Hqf4zz`04V~4+OU0eJm8`wacA<_e?xxJSML(uY=LBc|lfk{27#?({;OJ&$7dW=Ds^Z;j1`5%tk2S1DapP$fSWnBbt@-0Q=cgL9BqExnBB5(#{V5nq+D~za8f}1qP5R++} zUT|o759aYabXw^iry58*O5GZK7;)I-~3^9qpGVG|E+GwCanfUqG* zM7cfLga*x|{f+A$k`N@7u1P@%oIzHL$6^?6X&zQrOB_I)@nLa8gwZ(zt6EU7W(5DO zOFV)n9&RpniAM{&O$hOC$py^qZE+Cx9ziJYlH%HS<3MR69g0Rp?C^deldVA=#`Maa%& zbuNhqvfKY1^pdCe$t_R$bFH7;tFFiUN^fu3^OLK=Tpt=NOaxI3mWXJdb$ru)m*VqqPKat@*=0B< zR_8`ZkcM`^pgOV2C*14&?l<9g_wcpzyY2A1<=f(~ntgb;@n_FIy!#)$N(?O;bpQY+ CYnMv^ diff --git a/papers/fmmd_software_hardware/software_fmmd.tex b/papers/fmmd_software_hardware/software_fmmd.tex index b86975a..8a7d310 100644 --- a/papers/fmmd_software_hardware/software_fmmd.tex +++ b/papers/fmmd_software_hardware/software_fmmd.tex @@ -99,9 +99,9 @@ failure mode of the component or sub-system}}} \setlength{\topmargin}{0in} \setlength{\headheight}{0in} \setlength{\headsep}{0in} -%\setlength{\textheight}{22cm} +\setlength{\textheight}{22cm} \setlength{\textwidth}{18cm} -\setlength{\textheight}{24.35cm} +%\setlength{\textheight}{24.35cm} %\setlength{\textwidth}{20cm} \setlength{\oddsidemargin}{0in} \setlength{\evensidemargin}{0in} @@ -120,8 +120,8 @@ failure mode of the component or sub-system}}} % {subsection}{2}{0mm}% % {-\baslineskip} % {0.5\baselineskip} -% {\normalfont\normalsize\itshape}} -\linespread{0.6} +% {\normalfont\normalsize\itshape}}% +\linespread{0.95} \begin{document} %\pagestyle{fancy} 
@@ -155,23 +155,37 @@ failure mode of the component or sub-system}}} %endurance and Electro Magnetic Compatibility (EMC) testing. Theoretical, or 'static testing', %is often also required. % -Failure Mode Effects Analysis (FMEA), is a bottom-up technique that aims to assess the effect all -component failure modes on a system. -It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products. -FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems. +%Failure Mode Effects Analysis (FMEA), is a bottom-up technique that aims to assess the effect all +%component failure modes on a system. +%It is used both as a design tool (to determine weaknesses), and is a requirement of certification of safety critical products. +%FMEA has been successfully applied to mechanical, electrical and hybrid electro-mechanical systems. % -Work on software FMEA (SFMEA) is beginning, but -at present no technique for SFMEA that -integrates hardware and software models % known to the authors -exists. +%Work on software FMEA (SFMEA) is beginning, but +%at present no technique for SFMEA that +%integrates hardware and software models % known to the authors +%exists. % % + +% +%Failure modes in components in say a sensor, could be traced +%up through the electronics and then through the controlling software. +% +%Presently Failure Mode Effects Analysis (FMEA), stops at the glass ceiling of the computer program. +% +This paper presents a modular variant of Failure Mode Effects Analysis (FMEA), +Failure Mode Modular De-Composition (FMMD), a methodology which +can be applied to software, and is compatible +and integrable with FMMD performed on mechanical and electronic systems. +% Software generally sits on top of most modern safety critical control systems and defines its most important system wide behaviour and communications. +% Currently standards that demand FMEA for hardware (e.g. 
EN298, EN61508), do not specify it for software, but instead specify, good practise, review processes and language feature constraints. % This is a weakness. +% Where FMEA % scientifically traces component {\fms} to resultant system failures, software has been left in a non-analytical @@ -180,16 +194,9 @@ limbo of best practises and constraints. If software and hardware integrated FMEA were possible, electro-mechanical-software hybrids could be modelled, and could thus be `complete' failure mode models. % -Failure modes in components in say a sensor, could be traced -up through the electronics and then through the controlling software. -% -Presently FMEA, stops at the glass ceiling of the computer program. -% -This paper presents a modular variant of FMEA, Failure Mode Modular De-Composition (FMMD), a methodology which -can be applied to software, and is compatible -and integrable with FMMD performed on mechanical and electronic systems. +Presently FMEA, stops at the glass ceiling of the computer program: FMMD seeks to address +this, and offers additional test efficiency benefits. } - %\today \nocite{en298} \nocite{en61508} 
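Review bot: The new abstract sentence `Presently FMEA, stops at the glass ceiling of the computer program: FMMD seeks to address` has a stray comma between subject and verb, and the claim of `additional test efficiency benefits` is not something the rest of the paper substantiates: the conclusion hunk later in this patch only argues that the analysis of a {\dc} can be re-used for each {\ft} input, which is analysis re-use, not test efficiency. Suggest `Presently FMEA stops at the glass ceiling of the computer program: FMMD seeks to address` followed by `this, and allows the failure analysis of a module to be re-used wherever that module recurs.` (or simply drop the benefit clause) so the abstract promises only what the body shows.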
@@ -246,15 +253,17 @@ is a cause for criticism~\cite{safeware}. \subsection{Current work on Software FMEA} -Work on SFMEA usually does not seek to integrate +SFMEA usually does not seek to integrate hardware and software models, but to perform FMEA on the software in isolation~\cite{procsfmea}. -Some work has been performed using databases +% +Work has been performed using databases to track the relationships between variables -and system failure modes~\cite{procsfmeadb}, work has been performed to -introduce automation into the FMEA process~\cite{appswfmea} and code analysis +and system failure modes~\cite{procsfmeadb}, to %work has been performed to +introduce automation into the FMEA process~\cite{appswfmea} and to provide code analysis automation~\cite{modelsfmea}. Although the SFMEA and hardware FMEAs are performed separately -some schools of thought aim for FTA~\cite{nasafta,nucfta} (top down - deductive) and FMEA (bottom-up inductive) +some schools of thought aim for Fault Tree Analysis (FTA)~\cite{nasafta,nucfta} (top down - deductive) +and FMEA (bottom-up inductive) to be performed on the same system to provide insight into the software hardware/interface~\cite{embedsfmea}. % 
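Review bot: The rewritten related-work sentence now carries a dead comment in its middle, `and system failure modes~\cite{procsfmeadb}, to %work has been performed to`, which is invisible in the output but makes the source hard to read and easy to break on the next edit; delete the commented words rather than carrying them. The following sentence also needs a comma before its main clause: `Although the SFMEA and hardware FMEAs are performed separately,`. Spelling out `Fault Tree Analysis (FTA)` on first use is a good change and should be kept.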
@@ -267,9 +276,11 @@ through the top (and therefore ultimately controlling) layer of software. The main FMEA methodologies are all based on the concept of taking base component {\fms}, and translating them into system level events/failures~\cite{sfmea,sfmeaa}. +% In a complicated system, mapping a component failure mode to a system level failure -will mean a long reasoning distance; that is to say the actions of the failed component will have to be traced through -several sub-systems and the effects of other components on the way. +will mean a long reasoning distance; that is to say the actions of the +failed component will have to be traced through +several sub-systems, gauging its effects with other components. % With software at the higher levels of these sub-systems, we have yet another layer of complication. @@ -296,7 +307,9 @@ failure mode model for it, modelling the software to hardware interface becomes far simpler. % The failure mode model, would give us the ways in which the signal conditioning -and multiplexer could fail. We can use this to work out how our software +and multiplexer could fail. +% +We can use this to work out how our software could fail, and with this create a modular FMEA model of the software. @@ -305,9 +318,9 @@ could fail, and with this create a modular FMEA model of the software. In outline, in order to modularise FMEA, we must create small modules from the bottom-up. We can do this by taking collections of base~components that -perform (ideally) a simple and well defined task. +perform (ideally) a simple and well defined task called {\fgs}. % -We can call these {\fgs}. We can then analyse the failure mode behaviour of a {\fg} +We can then analyse the failure mode behaviour of a {\fg} using all the failure modes of all its components. % When we have its failure mode behaviour, or the symptoms of failure from the perspective of the {\fg}, 
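Review bot: The reworded line `several sub-systems, gauging its effects with other components.` is ambiguous about whether the failed component's effect on other components, or the other components' effect on it, is being gauged; the removed text (`and the effects of other components on the way`) was clearer. Suggest `several sub-systems, gauging its interaction with the other components on the way.` so the reasoning-distance argument stays precise.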
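Review bot: Moving `called {\fgs}` to the end of the sentence attaches the name to the task rather than to the collections of components: `perform (ideally) a simple and well defined task called {\fgs}.` now defines a functional group as a task. Suggest `We can do this by taking collections of base~components, called {\fgs}, that` followed by `perform (ideally) a simple and well defined task.`, which keeps the definition on the noun it belongs to and matches the next sentence's use of `a {\fg}`.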
@@ -375,8 +388,9 @@ of the {\fg} from which it was derived. % in a specific configuration. This specific configuration corresponds to % a {\fg}. Our use of it as a building block corresponds to a {\dc}. -We can use the symbol `$\derivec$' to represent the creation of a derived component -from a {\fg}. This symbol is convenient for drawn hierarchy diagrams. % (see figure~\ref{fmmdh}). +We use the symbol `$\derivec$' to represent the creation of a derived component +from a {\fg}. This symbol is convenient for drawn hierarchy diagrams. +% % (see figure~\ref{fmmdh}). We define the $\derivec$ function, where $\FG$ is the set of all {\fgs} and $\DC$ is the set of all {\dcs}, $ \derivec ( {\FG} ) \mapsto {\DC} .$ We show an FMMD hierarchy in figure~\ref{fig:fmmdh}. 
@@ -395,21 +409,37 @@ Now that we have {\dcs}, we can use them to form a higher level functional group We apply the same FMEA process to this and can derive a top level derived component (which has the system---or top---level failure modes). -\begin{figure} +\begin{figure}[h] \centering - \includegraphics[width=150pt]{./fmmdh.png} - % fmmdh.png: 365x405 pixel, 72dpi, 12.88x14.29 cm, bb=0 0 365 405 + \includegraphics[width=150pt,keepaspectratio=true]{./fmmdh.png} + % fmmdh.png: 256x289 pixel, 72dpi, 9.03x10.20 cm, bb=0 0 256 289 \caption{FMMD Hierarchy} \label{fig:fmmdh} \end{figure} +% \begin{figure}[h] +% \centering +% \includegraphics[width=120pt,keepaspectratio=true]{./fmmdh.png} +% % fmmdh.png: 256x289 pixel, 72dpi, 9.03x10.20 cm, bb=0 0 256 289 +% \caption{FMMD Hierarchy} +% \label{fig:fmmdh} +% \end{figure} + +% \begin{figure} +% \centering +% \includegraphics[width=150pt]{./fmmdh.png} +% % fmmdh.png: 365x405 pixel, 72dpi, 12.88x14.29 cm, bb=0 0 365 405 +% \caption{FMMD Hierarchy} +% \label{fig:fmmdh} +% \end{figure} + Note the diagram of the FMMD hierarchy is very similar to a simple non-recursive programmatic function call tree. \section{Software: How can we apply FMEA} -If FMEA can be applied to software we can build complete failure models -of typical modern safety critical systems. +%If FMEA can be applied to software we can build complete failure models +%of typical modern safety critical systems. With modular FMEA i.e. FMMD %(FMMD) we have the concepts of failure~modes of components, {\fgs} and symptoms of failure for a functional group. 
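Review bot: The hunk keeps two commented-out copies of the `fmmdh` figure environment beside the live one, each with its own `\label{fig:fmmdh}`; if either is ever uncommented the label becomes multiply defined, and meanwhile they add roughly twenty dead lines for no benefit. Delete both commented blocks, since git history already records the 120pt and 365x405 variants. The live figure was also changed to `\begin{figure}[h]`; LaTeX frequently cannot honour a bare `[h]` and silently defers the float, so `\begin{figure}[ht]` is the safer placement unless the document loads a package that makes `[h]` binding.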
@@ -417,7 +447,9 @@ of components, {\fgs} and symptoms of failure for a functional group. A programmatic function has similarities with a {\fg} as defined by the FMMD process. % An FMMD {\fg} is placed into a hierarchy. +% A software function is placed into a hierarchy, that of its call-tree. +% A software function typically calls other functions and uses data sources via hardware interaction, which could be viewed as its `components'. It has outputs, i.e. it can perform actions on data or hardware @@ -431,13 +463,14 @@ and the hardware from which it reads values.% from. % Its outputs are the data it changes, or the hardware actions it performs. -When we have analysed a software function---using failure conditions -of its inputs as failure modes---we can -determine its symptoms of failure (i.e. how calling functions will see its failure mode behaviour). +When we have analysed a software function---treating failure conditions +of its inputs as `{\fms}'---we can +determine its symptoms of failure. % (i.e. how calling functions will see its failure mode behaviour). % We can thus apply the $\derivec$ function to software functions, by viewing them in terms of their failure -mode behaviour. To simplify things as well, software already fits into a hierarchy. -For Electronics and Mechanical systems, although we may be guided by the original designers +mode behaviour. To simplify things, software already fits into a hierarchy. +% +For electronic and mechanical systems, although we may be guided by the original designers concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy. With software already written, that hierarchy is fixed/given. 
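Review bot: The new line `For electronic and mechanical systems, although we may be guided by the original designers` is missing the possessive, since the next line continues with `concepts of modularity`; it should read `designers'`. The stranded comment `% (i.e. how calling functions will see its failure mode behaviour).` appended to `determine its symptoms of failure.` is dead text that would be better deleted than carried, given that the same idea is stated two sentences later. The rest of the hunk is wording only and reads well.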
@@ -452,7 +485,7 @@ and the subsequent hierarchy. With software already written, that hierarchy is f \subsection{Software, a natural hierarchy} Software written for safety critical systems is usually constrained to -be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}. +be modular~\cite{en61508}[vol.3] and non recursive~\cite{misra}[15.2]. %{iec61511}. Because of this we can assume a direct call tree. % Functions call functions @@ -477,7 +510,7 @@ Contract programming is a discipline~\cite{dbcbe} for building software function and traceable way. Each function is subject to pre-conditions (constraints on its inputs), post-conditions (constraints on its outputs) and function wide invariants (rules). % -\paragraph{Mapping contract `pre-condition' violations to failure modes} +%\paragraph{Mapping contract `pre-condition' violations to failure modes.} % A precondition, or requirement for a contract software function defines the correct ranges of input conditions for the function @@ -486,13 +519,14 @@ to operate successfully. For a software function, a violation of a pre-condition is in effect a failure mode of `one of its components'. % -\paragraph{Mapping contract `post-condition' violations to symptoms} +%\paragraph +{Mapping contract `post-condition' violations to symptoms} % A post condition is a definition of correct behaviour by a function. A violated post condition is a symptom of failure of a function. Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function. % -\paragraph{Mapping contract `invariant' violations to symptoms and failure modes} +%\paragraph{Mapping contract `invariant' violations to symptoms and failure modes} % Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology), and to outputs (where they can be considered {failure symptoms} in FMMD terminology). 
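Review bot: `\cite{en61508}[vol.3]` and `\cite{misra}[15.2]` place the bracketed note after the citation command, where LaTeX treats it as literal text, so with the `plain` style used by this file the output reads like `[4][vol.3]` rather than a volume reference inside the citation. The optional argument belongs before the key: `be modular~\cite[vol.~3]{en61508} and non recursive~\cite[15.2]{misra}. %{iec61511}.`. The original line had the same shape, so the defect predates this commit, but this hunk is the one touching it.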
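Review bot: Commenting out only the `\paragraph` token and leaving `{Mapping contract `post-condition' violations to symptoms}` on the following line does not remove the heading; it demotes it to a bare braced group, so that text is typeset as ordinary body text at the start of the paragraph, while the pre-condition and invariant headings in the same hunk disappear entirely. Either comment both lines (`%\paragraph` and `%{Mapping contract `post-condition' violations to symptoms}`) or restore all three as `\paragraph{...}` headings, so the three contract-to-FMMD mappings are presented alike.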
@@ -619,7 +653,8 @@ Its job is to select the correct channel (ADC multiplexer) and then to initiate conversion by setting an ADC 'go' bit (see code sample in figure~\ref{fig:code_read_ADC}). % It takes the raw ADC reading and converts it into a -floating point\footnote{the type, `double' or `double precision', is a standard C language floating point type~\cite{kandr}.} +floating point\footnote{the type, `double' or `double precision', is a +standard C language floating point type~\cite{DBLP:books/ph/KernighanR88}.} voltage value. @@ -825,7 +860,7 @@ We now analyse this hardware/software combined {\fg}. & read & \\ \hline 2: ${VREF}$ & ADC volt-ref & $VV\_ERR$ \\ - & incorrect & \\ \hline \hline + & incorrect & \\ \hline @@ -896,8 +931,7 @@ software component $read\_4\_20\_input$, i.e. $G_3 = \{read\_4\_20\_input, RADC\ & outside range & $RANGE$ \\ \hline 2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\ - & incorrect & \\ \hline \hline - + & incorrect & \\ \hline 3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ 
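Review bot: The footnote now cites `DBLP:books/ph/KernighanR88` instead of `kandr`, but the mybib.bib hunk in this same patch adds no entry with that key; unless it already exists in `../../vmgbibliography.bib` (not visible here), this becomes an undefined citation rendered as `[?]` under `plain`. Either add the entry to mybib.bib in this commit or keep `~\cite{kandr}` until the bibliography carries the new key. Splitting the footnote text across two source lines is harmless inside `\footnote{...}`.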
@@ -934,33 +968,41 @@ $fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$ We can now represent the software/hardware FMMD analysis as a hierarchical diagram, see figure~\ref{fig:hd}. +% \begin{figure}[h] +% \centering +% \includegraphics[width=60pt]{./hd.png} +% % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 +% \caption{FMMD hierarchy with hardware and software elements} +% \label{fig:hd} +% \end{figure} + \begin{figure}[h] \centering - \includegraphics[width=60pt]{./hd.png} - % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 - \caption{FMMD hierarchy with hardware and software elements} + \includegraphics[width=150pt,keepaspectratio=true]{./hd.png} + % hd.png: 416x381 pixel, 72dpi, 14.68x13.44 cm, bb=0 0 416 381 + \caption{FMMD Hierarchy for {\ft} input} \label{fig:hd} \end{figure} -We can represent the hierarchy in figure~\ref{fig:hd} algebraically, using the `$\derivec$' function -using the groups as intermediate stages: -% \begin{eqnarray*} -% G_1 &=& \{R,ADC\} \\ -% CMATV &=& \;\derivec (G_1) \\ -% G_2 &=& \{CMATV, read\_ADC \} \\ -% RADC &=& \; \derivec (G_2) \\ -% G_3 &=& \{ RADC, read\_4\_20\_input \} \\ -% R420I &=& \; \derivec (G_3) \\ -% \end{eqnarray*} -%or, -with a nested definition, -$ \derivec \Big( \derivec \big( \derivec(R,ADC), read\_4\_20\_input \big), read\_4\_20\_input \Big). $ -% -This nested structure means that we have multiple traceable -stages of failure mode reasoning in our analysis. Traditional FMEA would have only one stage -of reasoning for each component failure mode. 
+% We can represent the hierarchy in figure~\ref{fig:hd} algebraically, using the `$\derivec$' function +% using the groups as intermediate stages: +% % \begin{eqnarray*} +% % G_1 &=& \{R,ADC\} \\ +% % CMATV &=& \;\derivec (G_1) \\ +% % G_2 &=& \{CMATV, read\_ADC \} \\ +% % RADC &=& \; \derivec (G_2) \\ +% % G_3 &=& \{ RADC, read\_4\_20\_input \} \\ +% % R420I &=& \; \derivec (G_3) \\ +% % \end{eqnarray*} +% %or, +% with a nested definition, +% $ \derivec \Big( \derivec \big( \derivec(R,ADC), read\_4\_20\_input \big), read\_4\_20\_input \Big). $ +% % +% This nested structure means that we have multiple traceable +% stages of failure mode reasoning in our analysis. Traditional FMEA would have only one stage +% of reasoning for each component failure mode. % \section{Heuristic Comments on {\ft} Input Circuit} 
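Review bot: The algebraic form retained as a comment in this hunk is wrong as written: `\derivec \Big( \derivec \big( \derivec(R,ADC), read\_4\_20\_input \big), read\_4\_20\_input \Big)` applies `read\_4\_20\_input` at both nesting levels, whereas the group definitions in the same comment (`G_2 = \{CMATV, read\_ADC \}`, `G_3 = \{ RADC, read\_4\_20\_input \}`) and the hunk header `$G_3 = \{read\_4\_20\_input, RADC\ ...` make the inner argument `read\_ADC`. If the expression is being kept for later reinstatement, correct it to `\derivec \Big( \derivec \big( \derivec(R,ADC), read\_ADC \big), read\_4\_20\_input \Big)`; otherwise delete the dead block rather than preserving an incorrect formula. Note that commenting it out also removes the only explicit statement that each nesting level is a separate traceable reasoning stage, which the conclusion still leans on.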
@@ -995,37 +1037,40 @@ of reasoning for each component failure mode. %\clearpage \section{Conclusion} % +The FMMD method has been demonstrated, using an the industry stanbdard {\ft} +input circuit and software. +% The {\dc} representing the {\ft} reader -in software shows that by taking a modular approach for FMEA, we can integrate -software and electro-mechanical FMEA models. +shows that by taking a modular approach for FMEA, i.e. FMMD, we can integrate +software and electro-mechanical models. % With this analysis -we have a complete `reasoning~path' linking the failures modes from the +we have stages along the `reasoning~path' linking the failures modes from the electronics to those in the software. -Each functional group to {\dc} transition represents a +Each {\fg} to {\dc} transition represents a reasoning stage. % With traditional FMEA methods the reasoning~distance is large, because it stretches from the component failure mode to the top---or---system level failure. -For this reason applying traditional FMEA to software stretches -the reasoning distance even further. +%For this reason applying traditional FMEA to software stretches +%the reasoning distance even further. % -We now have a {\dc} for a {\ft} input in software. -Typically, more than one such input could be present in a real-world system. -Not only have we integrated electronics and software in an FMEA, we can also -re-use the analysis for each {\ft} input in the system. +We now have a {\dc} for a {\ft} input. % in software. +Typically, more than one such input could be present in a real-world system: we can thus +%Not only have we integrated electronics and software in an FMEA, we can also +re-use this analysis for each {\ft} input in the system. % -The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed -by another software function to read other known signals -via the MUX (i.e. voltage references). This strategy would -detect ADC\_STUCK\_AT and MUX\_FAIL failure modes. 
+%The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed +%by another software function to read other known signals +%via the MUX (i.e. voltage references). This strategy would +%detect ADC\_STUCK\_AT and MUX\_FAIL failure modes. % -Detailing this however, is beyond the scope %and page-count -of this paper. +%Detailing this however, is beyond the scope %and page-count +%of this paper. % -A software specification for a hardware interface will concentrate on -how to interpret raw readings, or what signals to apply for actuators. -Using FMMD we can determine an accurate failure model for the interface as well. +%A software specification for a hardware interface will concentrate on +%how to interpret raw readings, or what signals to apply for actuators. +Additionally, using FMMD we can determine a failure model for the hardware/software interface. % interface as well. %Its solved. Hoooo-ray !!!!!!!!!!!!!!!!!!!!!!!! @@ -1040,7 +1085,8 @@ Using FMMD we can determine an accurate failure model for the interface as well. % %\today % % { %\tiny % -\tiny +%\tiny +\footnotesize \bibliographystyle{plain} \bibliography{../../vmgbibliography,../../mybib} }
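Review bot: Two typos are introduced in the new opening of the conclusion: `using an the industry stanbdard {\ft}` should be `using the industry standard {\ft}`, and `linking the failures modes from the` should be `linking the failure modes from the`. More importantly, the rewrite comments out the only acknowledgement that the model leaves $VAL\_ERR$ as an unobservable symptom and that detecting $ADC\_STUCK\_AT$ and $MUX\_FAIL$ needs a further software check of known reference signals via the MUX; for a safety-critical input that limitation belongs in the conclusion, not in a comment. Keep at least one sentence of it, e.g. `The remaining unobservable symptom, $VAL\_ERR$, would require a further check (reading known reference voltages via the MUX) to detect $ADC\_STUCK\_AT$ and $MUX\_FAIL$; detailing this is left for future work.`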