diff --git a/papers/software_fmea/Makefile b/papers/software_fmea/Makefile index 395b906..01fc0d4 100644 --- a/papers/software_fmea/Makefile +++ b/papers/software_fmea/Makefile @@ -1,5 +1,5 @@ -PNG = fmmdh.png +PNG = fmmdh.png ct1.png hd.png %.png:%.dia dia -t png $< diff --git a/papers/software_fmea/ct1.dia b/papers/software_fmea/ct1.dia new file mode 100644 index 0000000..ab266f8 Binary files /dev/null and b/papers/software_fmea/ct1.dia differ diff --git a/papers/software_fmea/hd.dia b/papers/software_fmea/hd.dia new file mode 100644 index 0000000..3e38609 Binary files /dev/null and b/papers/software_fmea/hd.dia differ diff --git a/papers/software_fmea/software_fmea.tex b/papers/software_fmea/software_fmea.tex index 6f33f56..d673e48 100644 --- a/papers/software_fmea/software_fmea.tex +++ b/papers/software_fmea/software_fmea.tex @@ -297,7 +297,7 @@ of typical modern safety critical systems. With modular FMEA (FMMD) we have the concepts of failure~modes of components, {\fgs} and symptoms of failure for a functional group. -A programatic function is very similar to a functional group. +A programmatic function is very similar to a functional group. It calls other functions, and uses data sources, which could be viewed as its `components'. It has outputs which will be used by functions that may call it. @@ -387,6 +387,16 @@ int read_4_20_input ( int * value ) { } } +Note that the function above calls another, `read\_ADC', which returns a +voltage for a given ADC channel. This function +deals directly with the hardware in the micro-controller we are running the software on. +Its job is to select the correct channel (ADC multiplexer) and then to initiate a +conversion by setting an ADC 'go' bit. + + + + + {\vbox{ 
@@ -400,8 +410,9 @@ int read_4_20_input ( int * value ) { /* returns voltage read as double precision */ double read_ADC( int channel ) { int timeout = 0; - /* require: input channel from ADC to be - in valid ADC range */ + /* require: a) input channel from ADC to be + in valid ADC range + b) voltage ref is 0.1% of 5V */ /* return out of range result */ /* if invalid channel selected */ @@ -423,6 +434,9 @@ double read_ADC( int channel ) { dval = -1.0; /* indicate invalid reading */ /* return voltage as a floating point value */ + + /* ensure: value is voltage input to within 0.1% */ + return dval; } \end{verbatim} 
@@ -430,33 +444,268 @@ double read_ADC( int channel ) { } +We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./ct1.png} + % ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224 + \caption{Call tree for software example} + \label{fig:ct1} +\end{figure} + +This software is above the hardware in the call tree. +FMEA is always a bottom-up process and so we must being with the hardware. +The hardware is simply a load resistor, connected across an ADC input +pin on the micro-controller and ground. +We can identify the resistor and the ADC module of the micro-controller as +the base components in this design. +We now apply FMMD starting with the hardware. + + \subsection{FMMD Process} \paragraph{Functional Group - Convert mA to Voltage - CMATV} This functional group contains the load resistor and the physical Analogue to Digital Converter (ADC). +Our functional group, G is thus the set of base components $G = \{R, ADC\}$. +For the resistor we can use a failure mode set from the literature~\cite{en298}. +Where the function $fm$ returns a set of failure modes for a given component we can state: + +$$ fm(R) = \{OPEN,SHORT\}. $$ + +For the ADC we can determine the following failure modes: + +$$ fm(ADC) = \{ STUCKAT, MUXFAIL, LOWOUT, HIGHOUT \}. $$ + +With these failure modes, we can analyse our first functional group. 
+ +{ +\tiny +\begin{table}[h+] +\caption{CMATV: Failure Mode Effects Analysis} % title of Table +\label{tbl:phs225amp} + +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline + \hline + 1: $R_{OPEN}$ & resistor open, & $HIGH$ \\ + & voltage on pin high & \\ \hline + + 2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\ + & voltage on pin low & \\ \hline \hline + + + + 3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\ + & fixed value & \\ \hline + + + + 4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\ + & wrong channel & \\ \hline + + 5: $ADC_{LOWOUT}$ & output low & $LOW$ \\ + 6: $ADC_{HIGHOUT}$ & output high & $HIGH$ \\ \hline + + +\hline + + +\hline + +\end{tabular} +\end{table} +} + + +We now have the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $. +We can now create a {\dc} to represent this called $CMATV$. +As its failure modes, are the symptoms of failure from the functional group we can now state: + +$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} $$ + + +\paragraph{Functional Group - Software - Read\_ADC - RADC} + +The software function $Read\_ADC$ uses the ADC hardware analysed +as the {\dc} CMATV above. + +We know from the contractual programming requirements, that +the function needs to be sent the correct channel number. +% +A violation of this can be considered a {\fm} of the function, +which we can call $ CHAN\_NO $. +% +The reference voltage for the ADC has a 0.1\% requirement. +% +If the reference value is outside of this, it is also a {\fm} +of this function, which we can call $V\_REF$. + +Taken as a component for use in FMEA/FMMD our function has +two failure modes. 
We can therefore treat it as a generic component, $RA$, +by stating: + +$$ fm(RA) = \{ CHAN\_NO, VREF \} $$ + +As we have a failure mode model for our function, we can now use it in conjunction with +with the ADC hardware {\dc} CMATV, to form a {\fg}, where $G=\{ CMSTV, Read\_ADC \}$. + +We can now analyse this hardware/software combined {\fg}. + + + +{ +\tiny +\begin{table}[h+] +\caption{RADC: Failure Mode Effects Analysis} % title of Table +\label{tbl:phs225amp} + +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + 1: $RA_{CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\ + & read & \\ \hline + + 2: $RA_{VREF}$ & voltage & $VV\_ERR$ \\ + & incorrect & \\ \hline \hline + + + + 3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\ + & incorrect & \\ \hline + + + + 4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\ + & wrong channel & \\ \hline + + 5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline + +\hline + + +\hline + +\end{tabular} +\end{table} +} + + + +We can now see that the symptoms of failure for the {\fg} analysed +as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition +for the function. +This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ }, +corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}. + +We can now create a {\dc} called $RADC$ which has the following +{\fms}: + +$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$ + + + \paragraph{Functional Group - Software - voltage to per mil - VTPM } +This function sits on top of the $RADC$ {\dc} determined above. +We look at the pre-conditions for the function $read\_4\_20\_input$ $(RI)$, % which we can call $RI$ +to determine its {\fms}. +Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}. 
+We can call a violation of this the {\fm} VRNGE; %As this function has one pre-condition +we can state, + +$$ fm(RI) = \{ VRNGE \} .$$ + +We can now form a functional group with the {\dc} $RADC$ and the software component $RI$, i.e. $G=\{RI, RADC\}$. + + + +{ +\tiny +\begin{table}[h+] +\caption{Read\_4\_20: Failure Mode Effects Analysis} % title of Table +\label{tbl:phs225amp} + +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + 1: $RI_{VRGE}$ & voltage & $OUT\_OF\_RANGE$ \\ + & outside range & \\ \hline + + 2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\ + & incorrect & \\ \hline \hline + + + + 3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ + & incorrect & \\ \hline + + + + 4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_RANGE$ \\ + & wrong channel & \\ \hline + +\hline + + +\hline + +\end{tabular} +\end{table} +} + +The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$. +The postcondition for the function $read\_4\_20\_input$ ($R420I$), {\em /* ensure: value is proportional (0-999) to the + 4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes. +% \paragraph{Final Functional Group} +For single failures these are the two ways in which this function +can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable. +The $VAL\_ERR$ will simply mean that the value read is simply wrong. + +We can now finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus: + +$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\}$$ + +% +% Using the derived components, CMATV and VTPM we create +% a new functional group. This +% integrates FMEA's from software and eletronics +% into the same failure mode model. + + + +We can now represent the software/hardware FMMD analysis +as a hierarchical diagram, see figure~\ref{fig:hd}. 
+ +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./hd.png} + % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 + \caption{FMMD hierarchy with hardware and software elements} + \label{fig:hd} +\end{figure} + + + -\paragraph{Final Functional Group} -Using the derived components, CMATV and VTPM we create -a new functional group. This -integrates FMEA's from software and eletronics -into the same failure mode model. %\clearpage \section{Conclusion} The derived component representing the {\ft} reader -in software shows that by taking a modular approach, we can integrate +in software shows that by taking a modular approach for FMEA, we can integrate software and electro-mechanical FMEA models. -The unsolved symptoms, or unobservable errors, could be addressed +The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed by another software function to read other known signals via the MUX (i.e. voltage references). This strategy would detect ADC STUCK AT and MUX FAIL failure modes.
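Review bot: in hunk @@ -387,6 +387,16 @@ the new paragraph quotes the identifier as `read\_ADC' in text-mode quotes, while the later additions in this same patch write it as $Read\_ADC$ in math mode and the code itself spells it read_ADC; pick one form (the code's spelling, with a consistent wrapper) and use it throughout. Also, 'go' bit uses two straight apostrophes, which LaTeX typesets as two closing quotes; write `go' instead. The four blank lines before {\vbox{ add nothing and can be dropped.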
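Review bot: in hunk @@ -400,8 +410,9 @@ the new precondition `b) voltage ref is 0.1% of 5V` reads literally as a reference of 5 mV; the intent, matching the `ensure` comment added in the next hunk and the 0.1\% requirement stated in the prose, is a reference within 0.1% of 5 V, so write `b) voltage ref is within 0.1% of 5V`.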
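Review bot: in hunk @@ -423,6 +434,9 @@ the added postcondition `/* ensure: value is voltage input to within 0.1% */` does not hold on every return path: the lines just above set `dval = -1.0; /* indicate invalid reading */` for an invalid channel, and that value is then returned without meeting the ensure clause. Either qualify the postcondition (e.g. `ensure: value is voltage input to within 0.1%, or -1.0 if channel invalid`) or place the comment so it clearly applies only to the valid-channel path. This matters for the FMMD analysis that follows, since the contract is what the function's failure modes are derived from.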
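Review bot: in hunk @@ -430,33 +444,268 @@ several rows of the second and third tables carry failure effects copied from the first table that do not match their scenario: in the RADC table, row 4 `$CMATV_{HIGH}$ & ADC may read & $HIGH$` / `& wrong channel` should describe a high voltage reading, and row 5 `output low` describes the ADC rather than CMATV; in the Read_4_20 table, row 3 `$RADC_{HIGH}$ & voltage value & $VAL\_ERR$` and row 4 `$RADC_{LOW}$ & ADC may read` / `& wrong channel` are likewise left over, and that table's symptom column header still says `RADC` although the symptoms belong to R420I. Please also fix: all three tables reuse `\label{tbl:phs225amp}` (duplicate labels, and the name is unrelated to this paper); `\begin{table}[h+]` is not a valid float specifier (use `[h]` or `[ht]`); `$RADC_{VV_ERR}$` is missing the `\_` escape and renders as a nested subscript; `$RI_{VRGE}$` should be `$RI_{VRNGE}$` to match the failure mode defined just above; `$G=\{ CMSTV, Read\_ADC \}$` should read `CMATV`; and the failure mode is introduced as `$V\_REF$` but appears as `VREF` in `fm(RA)` and the table. Prose: `we must being with the hardware` (begin), `in conjunction with with`, `the symptoms of failure for the {\fg} analysed as` needs `are`, and `will simply mean that the value read is simply wrong` repeats `simply`. Finally, the heading `voltage to per mil - VTPM` names a component VTPM that the text never defines; the derived component actually produced is `R420I`, so the heading should match.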