From 2305f58a3726305c062900adce1ee997dd671a36 Mon Sep 17 00:00:00 2001 From: Your Name Date: Tue, 3 Apr 2012 18:38:51 +0100 Subject: [PATCH] Think hats the bulk of this paper --- papers/software_fmea/Makefile | 2 +- papers/software_fmea/ct1.dia | Bin 0 -> 1197 bytes papers/software_fmea/hd.dia | Bin 0 -> 2203 bytes papers/software_fmea/software_fmea.tex | 269 ++++++++++++++++++++++++- 4 files changed, 260 insertions(+), 11 deletions(-) create mode 100644 papers/software_fmea/ct1.dia create mode 100644 papers/software_fmea/hd.dia diff --git a/papers/software_fmea/Makefile b/papers/software_fmea/Makefile index 395b906..01fc0d4 100644 --- a/papers/software_fmea/Makefile +++ b/papers/software_fmea/Makefile @@ -1,5 +1,5 @@ -PNG = fmmdh.png +PNG = fmmdh.png ct1.png hd.png %.png:%.dia dia -t png $< diff --git a/papers/software_fmea/ct1.dia b/papers/software_fmea/ct1.dia new file mode 100644 index 0000000000000000000000000000000000000000..ab266f8aa81d049a2c9be6599cdc2b4b574b4382 GIT binary patch literal 1197 zcmV;e1XBASiwFP!000021MON(kK#BGz4xz((pM(LP8^cyfzi&cR&!Ws4m*2}3~>kV z1RFU9n#=z7wUe-ceDDznJ1vn`BM9YscBS5PmBpveZ;QlO6OmHR#wM_A(;#fdBg*2j z`PcW~KltY7$_Z{~h`8~4?xlc{$({K{;|y|r!+kxvjomv0a8 zibf3a8RFD88Y zH<`&|v42X;A}k`~gYkvGnPm;4Di9it&2RQ$u&T>b&Xf+;qP65@NR|Ykd5MZNyI=T;+ z)qHU*SLLqP??#e?Aj|bV=S6KJzy(l)LceTBFT<5O9w&;YicQ;d&AQD4yJ}!Jz40Z{EL9K9D|azki`lr2~Cp-*?vr-qb#$kWd(Pk&HG z8qPq_)$)X_k&m+DI@@;o6ewgN$96T6+7^9XI)MN<`iuf0&+CRfTH^h_%Csqs0`@$)ItR^#6s{*dsf3MJ%DN-NVJs-dg4VG+y{b&;HX7pHKtlrG z39?g7x9b_;xgz3uuA`Aq5V%@I9OwakT;u`Z_b(#N>ufOf^qd~@@sN+pJx&JVAoP;IS2ctU-$9G>=xOfI)6^31(b4>`9Zmi@`>n*}>EOo{lc#?H L8~wQKa47%)><(69 literal 0 HcmV?d00001 
diff --git a/papers/software_fmea/hd.dia b/papers/software_fmea/hd.dia new file mode 100644 index 0000000000000000000000000000000000000000..3e38609f60c1859ed5f96195c0b9e49064320f97 GIT binary patch literal 2203 zcmV;M2xRvkiwFP!000021MOT}Z`(!|e$THEl$S0bkLG@m_fZ{IT{72SrGOlssXkb>9{eKg;k;m32EGy37j&x^SC7-p*|O>X-H;eIbn zrs*t7=C}PnKK|oI_kX;5_roj-zK8$wELim56UoZHyY1iS`SSbW@agFZ#m}oCPcsxp z4`>w*{};q@Fa)7t|L$F{w>`it$OC(=x*Ftp7EK=Vu$Kgj@U}k*rhm<|^dXt`OQ}k3 zn#O6?dko^+{`*hGt3RxU8Saep!r04T9!|0__^WAv4807q{b3i&bQOU}{=7U8 zsTs%q+>)uJRv?tj@7{ml@5?Dw7dB(LCRz)UFM@0yC5Je$HgUNS6lqE+EQT=JV8s<# zugUA-CYObaFAJAl7A{(imuZ$~L6jdtPSP|EgQP^wvxl%b&T1OOK(Uw9YN5raD9_U) z^ZyjYt5XyxFMoO3Ui;+EvuO76gS#V9Gs;sm%kRgZJuO!``m?9eAEQ+?i9^@yqa;7u z@XzNNe*f+i)_e2umTV|Tt91`E9g0xA-aX78qFJ~)LbF|&nvw1+vEi{*-U|OAfhP91pOxn{}ivb~sc_p#75LAo^MT!C*L@dHDiCbxP3WaUZ zCGh6OrB@1XLt)Hh7b*O&C{U14pcf z2TJ5=Vb*$^zuxxsfvS$rlIpX#_Ot5{Wp6@fF~qDbi3MU{B{>q>XFLHYtUzI61SAGT zi3s;-oLGkh z+;d1!LqXY=f)WXv{ZopJM+O24`Y2qNEYMotSBr%Z#aJH2Dw1fa8Aguu)LYX#2a>W(o@o-(LhCE!t!iJFvNOJ?Df;#kD3ffG2k7=+d6N9D&xf6Y+7Q!aa*a!|D(+E-K22D|4 z;V+#U)(RH+J?~lph_@&JvA2o#Nb4;ng^VJiEYEQ5k-Y$f30JlbuaxE^usKu-Vv!~0 zzRQ?(YC4@Q#pQMZ1gKr(Fl)hK@@DZOA?0@HrWd}|mg z#E2uT!QWE&jcG&J+^)!x=A}KEx;tBRd+x~XHHQADrZ4n`W~#c*yfn#ONcMW~Q?Q8Q zXP8istoprG{#?1!@}s|m@ne`r(_owFub;s|Roqb-$4KMd7jFl;%fZum*aU00$E>E) zj0E;yJD?zr=E)*--_Q^OuWB(*L~(YIz3!QKET**oRBWcgE@PB<`w$AR$>7z^tx+J# z1}DdflJ=buU9d?X{{HjTD*3ibP9k27QWuSqXuq>x)Vu_0T24A~XTLz<$Z)&0kCjD~ zrVAG7=U+d3{PSv)eA^@^53e?hi7WL;?p7>}(7X z(|3Qn+9%)ksfLqR3-vWysJcxZb%uRz#>)m5>A5pq8(wVbK>lVoxtZanfEC`iblgh1 zcdj|7>Xdy*{b?`jTW~ypqOMMO2C-evoF9FW=uz_Dtt`wI7*fe`L(!mf$-7I&1?AB!Qu*S zfAU`=R-GR5YpDeITTQIL71-8)ZHu8QswaE<^y7KW0MR)ntt=e={$65>6SCv6w_pyi_U%f z#2ydH<+`saKLZshm0|#EuM}3?FCB@^aP8><$z{n#McIHLMU3&CQBTG1Q(;?NGil=0IN(VcHKC||Gd^syw^?KbiCG0 d-n4E~zAwJ`_U_%zH{;&D`#-(-r)xc5003VUJwyNi literal 0 HcmV?d00001 diff --git a/papers/software_fmea/software_fmea.tex b/papers/software_fmea/software_fmea.tex index 6f33f56..d673e48 100644 
--- a/papers/software_fmea/software_fmea.tex +++ b/papers/software_fmea/software_fmea.tex @@ -297,7 +297,7 @@ of typical modern safety critical systems. With modular FMEA (FMMD) we have the concepts of failure~modes of components, {\fgs} and symptoms of failure for a functional group. -A programatic function is very similar to a functional group. +A programmatic function is very similar to a functional group. It calls other functions, and uses data sources, which could be viewed as its `components'. It has outputs which will be used by functions that may call it. @@ -387,6 +387,16 @@ int read_4_20_input ( int * value ) { } } +Note that the function above calls another, `read\_ADC', which returns a +voltage for a given ADC channel. This function +deals directly with the hardware in the micro-controller we are running the software on. +Its job is to select the correct channel (ADC multiplexer) and then to initiate a +conversion by setting an ADC 'go' bit. + + + + + {\vbox{ @@ -400,8 +410,9 @@ int read_4_20_input ( int * value ) { /* returns voltage read as double precision */ double read_ADC( int channel ) { int timeout = 0; - /* require: input channel from ADC to be - in valid ADC range */ + /* require: a) input channel from ADC to be + in valid ADC range + b) voltage ref is 0.1% of 5V */ /* return out of range result */ /* if invalid channel selected */ @@ -423,6 +434,9 @@ double read_ADC( int channel ) { dval = -1.0; /* indicate invalid reading */ /* return voltage as a floating point value */ + + /* ensure: value is voltage input to within 0.1% */ + return dval; } \end{verbatim} 
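Review bot: Precondition b) in the added require comment, `b) voltage ref is 0.1% of 5V */`, reads literally as a 5 mV reference, while the prose added in the same commit says the ADC reference "has a 0.1% requirement", i.e. a tolerance on a nominal value. Since the paper goes on to treat a violation of this clause as a failure mode, the bound should be unambiguous, e.g. `b) voltage ref is 5V to within 0.1% */`. The body of read_ADC continues outside this hunk.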
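Review bot: The added postcondition `/* ensure: value is voltage input to within 0.1% */` does not hold on the invalid-channel path visible two lines above it, where `dval = -1.0; /* indicate invalid reading */` is what gets returned. The ensure clause should name the sentinel so the contract is complete, e.g. `/* ensure: value is voltage input to within 0.1%, or -1.0 if the channel was invalid */`; that also tells callers (read_4_20_input is outside this hunk) that the return must be tested against -1.0 before use, which presumably matters for the failure-mode sets derived from these contracts later in the paper. The start of read_ADC lies outside the hunk.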
@@ -430,33 +444,268 @@ double read_ADC( int channel ) { } +We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./ct1.png} + % ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224 + \caption{Call tree for software example} + \label{fig:ct1} +\end{figure} + +This software is above the hardware in the call tree. +FMEA is always a bottom-up process and so we must being with the hardware. +The hardware is simply a load resistor, connected across an ADC input +pin on the micro-controller and ground. +We can identify the resistor and the ADC module of the micro-controller as +the base components in this design. +We now apply FMMD starting with the hardware. + + \subsection{FMMD Process} \paragraph{Functional Group - Convert mA to Voltage - CMATV} This functional group contains the load resistor and the physical Analogue to Digital Converter (ADC). +Our functional group, G is thus the set of base components $G = \{R, ADC\}$. +For the resistor we can use a failure mode set from the literature~\cite{en298}. +Where the function $fm$ returns a set of failure modes for a given component we can state: + +$$ fm(R) = \{OPEN,SHORT\}. $$ + +For the ADC we can determine the following failure modes: + +$$ fm(ADC) = \{ STUCKAT, MUXFAIL, LOWOUT, HIGHOUT \}. $$ + +With these failure modes, we can analyse our first functional group. 
+
+{
+\tiny
+\begin{table}[h+]
+\caption{CMATV: Failure Mode Effects Analysis} % title of Table
+\label{tbl:phs225amp}
+
+\begin{tabular}{|| l | c | l ||} \hline
+ \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
+ \textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline
+ \hline
+ 1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
+ & voltage on pin high & \\ \hline
+
+ 2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\
+ & voltage on pin low & \\ \hline \hline
+
+
+
+ 3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\
+ & fixed value & \\ \hline
+
+
+
+ 4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\
+ & wrong channel & \\ \hline
+
+ 5: $ADC_{LOWOUT}$ & output low & $LOW$ \\
+ 6: $ADC_{HIGHOUT}$ & output high & $HIGH$ \\ \hline
+
+
+\hline
+
+
+\hline
+
+\end{tabular}
+\end{table}
+}
+
+
+We now have the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $.
+We can now create a {\dc} to represent this called $CMATV$.
+As its failure modes, are the symptoms of failure from the functional group we can now state:
+
+$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} $$
+
+
+\paragraph{Functional Group - Software - Read\_ADC - RADC}
+
+The software function $Read\_ADC$ uses the ADC hardware analysed
+as the {\dc} CMATV above.
+
+We know from the contractual programming requirements, that
+the function needs to be sent the correct channel number.
+%
+A violation of this can be considered a {\fm} of the function,
+which we can call $ CHAN\_NO $.
+%
+The reference voltage for the ADC has a 0.1\% requirement.
+%
+If the reference value is outside of this, it is also a {\fm}
+of this function, which we can call $V\_REF$.
+
+Taken as a component for use in FMEA/FMMD our function has
+two failure modes.
We can therefore treat it as a generic component, $RA$,
+by stating:
+
+$$ fm(RA) = \{ CHAN\_NO, VREF \} $$
+
+As we have a failure mode model for our function, we can now use it in conjunction with
+with the ADC hardware {\dc} CMATV, to form a {\fg}, where $G=\{ CMSTV, Read\_ADC \}$.
+
+We can now analyse this hardware/software combined {\fg}.
+
+
+
+{
+\tiny
+\begin{table}[h+]
+\caption{RADC: Failure Mode Effects Analysis} % title of Table
+\label{tbl:phs225amp}
+
+\begin{tabular}{|| l | c | l ||} \hline
+ \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
+ \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
+ \hline
+ 1: $RA_{CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
+ & read & \\ \hline
+
+ 2: $RA_{VREF}$ & voltage & $VV\_ERR$ \\
+ & incorrect & \\ \hline \hline
+
+
+
+ 3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\
+ & incorrect & \\ \hline
+
+
+
+ 4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\
+ & wrong channel & \\ \hline
+
+ 5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
+
+\hline
+
+
+\hline
+
+\end{tabular}
+\end{table}
+}
+
+
+
+We can now see that the symptoms of failure for the {\fg} analysed
+as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition
+for the function.
+This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ },
+corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}.
+
+We can now create a {\dc} called $RADC$ which has the following
+{\fms}:
+
+$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
+
+
+
+\paragraph{Functional Group - Software - voltage to per mil - VTPM }
+This function sits on top of the $RADC$ {\dc} determined above.
+We look at the pre-conditions for the function $read\_4\_20\_input$ $(RI)$, % which we can call $RI$
+to determine its {\fms}.
+Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
+We can call a violation of this the {\fm} VRNGE; %As this function has one pre-condition
+we can state,
+
+$$ fm(RI) = \{ VRNGE \} .$$
+
+We can now form a functional group with the {\dc} $RADC$ and the software component $RI$, i.e. $G=\{RI, RADC\}$.
+
+
+
+{
+\tiny
+\begin{table}[h+]
+\caption{Read\_4\_20: Failure Mode Effects Analysis} % title of Table
+\label{tbl:phs225amp}
+
+\begin{tabular}{|| l | c | l ||} \hline
+ \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
+ \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
+ \hline
+ 1: $RI_{VRGE}$ & voltage & $OUT\_OF\_RANGE$ \\
+ & outside range & \\ \hline
+
+ 2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
+ & incorrect & \\ \hline \hline
+
+
+
+ 3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
+ & incorrect & \\ \hline
+
+
+
+ 4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_RANGE$ \\
+ & wrong channel & \\ \hline
+
+\hline
+
+
+\hline
+
+\end{tabular}
+\end{table}
+}
+
+The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
+The postcondition for the function $read\_4\_20\_input$ ($R420I$), {\em /* ensure: value is proportional (0-999) to the
+ 4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
+% \paragraph{Final Functional Group}
+For single failures these are the two ways in which this function
+can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable.
+The $VAL\_ERR$ will simply mean that the value read is simply wrong.
+
+We can now finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus:
+
+$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\}$$
+
+%
+% Using the derived components, CMATV and VTPM we create
+% a new functional group. This
+% integrates FMEA's from software and eletronics
+% into the same failure mode model.
+
+
+
+We can now represent the software/hardware FMMD analysis
+as a hierarchical diagram, see figure~\ref{fig:hd}.
+ +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./hd.png} + % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 + \caption{FMMD hierarchy with hardware and software elements} + \label{fig:hd} +\end{figure} + + + -\paragraph{Final Functional Group} -Using the derived components, CMATV and VTPM we create -a new functional group. This -integrates FMEA's from software and eletronics -into the same failure mode model. %\clearpage \section{Conclusion} The derived component representing the {\ft} reader -in software shows that by taking a modular approach, we can integrate +in software shows that by taking a modular approach for FMEA, we can integrate software and electro-mechanical FMEA models. -The unsolved symptoms, or unobservable errors, could be addressed +The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed by another software function to read other known signals via the MUX (i.e. voltage references). This strategy would detect ADC STUCK AT and MUX FAIL failure modes.