Think that's the bulk of this paper

This commit is contained in:
Your Name 2012-04-03 18:38:51 +01:00
parent c0b9a7358e
commit 2305f58a37
4 changed files with 260 additions and 11 deletions


@ -1,5 +1,5 @@
PNG = fmmdh.png
PNG = fmmdh.png ct1.png hd.png
%.png:%.dia
dia -t png $<
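Review bot: the PNG list now names ct1.png and hd.png, but only hd.dia appears as a new file in this commit; confirm ct1.dia is tracked as well, otherwise the `%.png:%.dia` rule has no source for ct1.png and `make` will fail on that target.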

Binary file not shown.

BIN
papers/software_fmea/hd.dia Normal file

Binary file not shown.


@ -297,7 +297,7 @@ of typical modern safety critical systems.
With modular FMEA (FMMD) we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure for a functional group.
A programatic function is very similar to a functional group.
A programmatic function is very similar to a functional group.
It calls other functions, and uses data sources, which could be viewed as its `components'.
It has outputs which will be used by functions that may call it.
@ -387,6 +387,16 @@ int read_4_20_input ( int * value ) {
}
}
Note that the function above calls another, `read\_ADC', which returns a
voltage for a given ADC channel. This function
deals directly with the hardware in the micro-controller we are running the software on.
Its job is to select the correct channel (ADC multiplexer) and then to initiate a
conversion by setting an ADC 'go' bit.
{\vbox{
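Review bot: the added sentence wraps go in straight quotes (`'go'`), which LaTeX typesets as two closing quotes; write it as `go' with a backtick opening quote, as `components' is written a few lines earlier in this file. The `{\vbox{` at the end of the hunk is not closed within it; check the matching braces in the following context so the block still compiles.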
@ -400,8 +410,9 @@ int read_4_20_input ( int * value ) {
/* returns voltage read as double precision */
double read_ADC( int channel ) {
int timeout = 0;
/* require: input channel from ADC to be
in valid ADC range */
/* require: a) input channel from ADC to be
in valid ADC range
b) voltage ref is 0.1% of 5V */
/* return out of range result */
/* if invalid channel selected */
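Review bot: precondition b) `voltage ref is 0.1% of 5V` reads as a reference of 5 mV; the prose later calls it a 0.1% requirement on the reference, so state it as a tolerance, e.g. `b) voltage ref is 5V +/- 0.1%`. Unlike a), this precondition cannot be checked inside the function (the only check below is for an invalid channel), so the comment should mark it as an assumed condition of the environment; the conclusion's proposal to read known reference signals through the MUX is the kind of check that would cover it.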
@ -423,6 +434,9 @@ double read_ADC( int channel ) {
dval = -1.0; /* indicate invalid reading */
/* return voltage as a floating point value */
/* ensure: value is voltage input to within 0.1% */
return dval;
}
\end{verbatim}
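Review bot: the `ensure:` comment added before `return dval;` is unconditional, but the line above it sets `dval = -1.0` to indicate an invalid reading, so the postcondition as written does not hold on that path. Qualify it, e.g. `/* ensure: value is voltage input to within 0.1%, or -1.0 if the channel was invalid */`, so the contract matches both the normal return and the out-of-range result the earlier comment promises.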
@ -430,33 +444,268 @@ double read_ADC( int channel ) {
}
We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt]{./ct1.png}
% ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224
\caption{Call tree for software example}
\label{fig:ct1}
\end{figure}
This software is above the hardware in the call tree.
FMEA is always a bottom-up process and so we must being with the hardware.
The hardware is simply a load resistor, connected across an ADC input
pin on the micro-controller and ground.
We can identify the resistor and the ADC module of the micro-controller as
the base components in this design.
We now apply FMMD starting with the hardware.
\subsection{FMMD Process}
\paragraph{Functional Group - Convert mA to Voltage - CMATV}
This functional group contains the load resistor
and the physical Analogue to Digital Converter (ADC).
Our functional group, G is thus the set of base components $G = \{R, ADC\}$.
For the resistor we can use a failure mode set from the literature~\cite{en298}.
Where the function $fm$ returns a set of failure modes for a given component we can state:
$$ fm(R) = \{OPEN,SHORT\}. $$
For the ADC we can determine the following failure modes:
$$ fm(ADC) = \{ STUCKAT, MUXFAIL, LOWOUT, HIGHOUT \}. $$
With these failure modes, we can analyse our first functional group.
{
\tiny
\begin{table}[h+]
\caption{CMATV: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline
\hline
1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
& voltage on pin high & \\ \hline
2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\
& voltage on pin low & \\ \hline \hline
3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\
& fixed value & \\ \hline
4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\
& wrong channel & \\ \hline
5: $ADC_{LOWOUT}$ & output low & $LOW$ \\
6: $ADC_{HIGHOUT}$ & output high & $HIGH$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now have the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $.
We can now create a {\dc} to represent this called $CMATV$.
As its failure modes, are the symptoms of failure from the functional group we can now state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} $$
\paragraph{Functional Group - Software - Read\_ADC - RADC}
The software function $Read\_ADC$ uses the ADC hardware analysed
as the {\dc} CMATV above.
We know from the contractual programming requirements, that
the function needs to be sent the correct channel number.
%
A violation of this can be considered a {\fm} of the function,
which we can call $ CHAN\_NO $.
%
The reference voltage for the ADC has a 0.1\% requirement.
%
If the reference value is outside of this, it is also a {\fm}
of this function, which we can call $V\_REF$.
Taken as a component for use in FMEA/FMMD our function has
two failure modes. We can therefore treat it as a generic component, $RA$,
by stating:
$$ fm(RA) = \{ CHAN\_NO, VREF \} $$
As we have a failure mode model for our function, we can now use it in conjunction with
with the ADC hardware {\dc} CMATV, to form a {\fg}, where $G=\{ CMSTV, Read\_ADC \}$.
We can now analyse this hardware/software combined {\fg}.
{
\tiny
\begin{table}[h+]
\caption{RADC: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: $RA_{CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
& read & \\ \hline
2: $RA_{VREF}$ & voltage & $VV\_ERR$ \\
& incorrect & \\ \hline \hline
3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\
& incorrect & \\ \hline
4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\
& wrong channel & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We can now see that the symptoms of failure for the {\fg} analysed
as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition
for the function.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ },
corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}.
We can now create a {\dc} called $RADC$ which has the following
{\fms}:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{Functional Group - Software - voltage to per mil - VTPM }
This function sits on top of the $RADC$ {\dc} determined above.
We look at the pre-conditions for the function $read\_4\_20\_input$ $(RI)$, % which we can call $RI$
to determine its {\fms}.
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
We can call a violation of this the {\fm} VRNGE; %As this function has one pre-condition
we can state,
$$ fm(RI) = \{ VRNGE \} .$$
We can now form a functional group with the {\dc} $RADC$ and the software component $RI$, i.e. $G=\{RI, RADC\}$.
{
\tiny
\begin{table}[h+]
\caption{Read\_4\_20: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: $RI_{VRGE}$ & voltage & $OUT\_OF\_RANGE$ \\
& outside range & \\ \hline
2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_RANGE$ \\
& wrong channel & \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
The postcondition for the function $read\_4\_20\_input$ ($R420I$), {\em /* ensure: value is proportional (0-999) to the
4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group}
For single failures these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable.
The $VAL\_ERR$ will simply mean that the value read is simply wrong.
We can now finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus:
$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\}$$
%
% Using the derived components, CMATV and VTPM we create
% a new functional group. This
% integrates FMEA's from software and eletronics
% into the same failure mode model.
We can now represent the software/hardware FMMD analysis
as a hierarchical diagram, see figure~\ref{fig:hd}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./hd.png}
% hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
\caption{FMMD hierarchy with hardware and software elements}
\label{fig:hd}
\end{figure}
\paragraph{Final Functional Group}
Using the derived components, CMATV and VTPM we create
a new functional group. This
integrates FMEA's from software and eletronics
into the same failure mode model.
%\clearpage
\section{Conclusion}
The derived component representing the {\ft} reader
in software shows that by taking a modular approach, we can integrate
in software shows that by taking a modular approach for FMEA, we can integrate
software and electro-mechanical FMEA models.
The unsolved symptoms, or unobservable errors, could be addressed
The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed
by another software function to read other known signals
via the MUX (i.e. voltage references). This strategy would
detect ADC STUCK AT and MUX FAIL failure modes.
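Review bot: the derived-component names drift through the new section and the three tables share one label, so the cross-references will not resolve as intended. The functional group `$G=\{ CMSTV, Read\_ADC \}$` should read `CMATV`; `$RI_{VRGE}$` in the third table should match the `VRNGE` defined just above it; `$RADC_{VV_ERR}$` needs the underscore escaped (`VV\_ERR`) as in the other tables; `$V\_REF$` in the text becomes `VREF` in `fm(RA)`; and the function is introduced as `$(RI)$` but its derived component is `$R420I$`, while the paragraph heading and the final paragraph call it `VTPM`. All three tables carry `\label{tbl:phs225amp}`, so any `\ref` to them is ambiguous, and `[h+]` is not a valid float placement (use `[h!]` or `[ht]`). The third table's symptom column is still headed `RADC` although it lists the symptoms of the new group, and the effect "ADC may read wrong channel" has been copied from the MUXFAIL row of the first table into the `CMATV_{HIGH}` and `RADC_{LOW}` rows, where it does not apply. Spelling: "being with the hardware" (begin), "eletronics", "FMEA's". Finally, "Final Functional Group" now appears both commented out and live with the same four lines, and the live version announces a group it never forms; keep one copy and either finish the analysis or drop the paragraph.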