Think that's the bulk of this paper

This commit is contained in:
Your Name 2012-04-03 18:38:51 +01:00
parent c0b9a7358e
commit 2305f58a37
4 changed files with 260 additions and 11 deletions


@ -1,5 +1,5 @@
PNG = fmmdh.png PNG = fmmdh.png ct1.png hd.png
%.png:%.dia %.png:%.dia
dia -t png $< dia -t png $<
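Review bot: the pattern rule `%.png:%.dia` leaves the output file name to dia (`dia -t png $<` writes `$*.png` beside the input); pass the target explicitly, `dia -t png -e $@ $<`, so that make's target and dia's output cannot diverge and the rule still works if the build ever runs from another directory. Since ct1.png and hd.png are added to PNG here, both ct1.dia and hd.dia have to be in the commit (hd.dia appears below as a new file; the other binary entry has lost its file header on this page).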

Binary file not shown.

BIN
papers/software_fmea/hd.dia Normal file

Binary file not shown.


@ -297,7 +297,7 @@ of typical modern safety critical systems.
With modular FMEA (FMMD) we have the concepts of failure~modes With modular FMEA (FMMD) we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure for a functional group. of components, {\fgs} and symptoms of failure for a functional group.
A programatic function is very similar to a functional group. A programmatic function is very similar to a functional group.
It calls other functions, and uses data sources, which could be viewed as its `components'. It calls other functions, and uses data sources, which could be viewed as its `components'.
It has outputs which will be used by functions that may call it. It has outputs which will be used by functions that may call it.
@ -387,6 +387,16 @@ int read_4_20_input ( int * value ) {
} }
} }
Note that the function above calls another, `read\_ADC', which returns a
voltage for a given ADC channel. This function
deals directly with the hardware in the micro-controller we are running the software on.
Its job is to select the correct channel (ADC multiplexer) and then to initiate a
conversion by setting an ADC 'go' bit.
{\vbox{ {\vbox{
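Review bot: the added description of read\_ADC stops at "initiate a conversion by setting an ADC 'go' bit" and omits the conversion-complete wait that the function body in the next hunk implements with `int timeout = 0;`; a conversion that never completes is a distinct failure path from a wrong channel selection and is worth naming here, because the later failure-mode set for the function is built from exactly these contractual points. Style: `'go'` uses straight quotes while the same sentence quotes `read\_ADC' in LaTeX style; use `go' for consistency.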
@ -400,8 +410,9 @@ int read_4_20_input ( int * value ) {
/* returns voltage read as double precision */ /* returns voltage read as double precision */
double read_ADC( int channel ) { double read_ADC( int channel ) {
int timeout = 0; int timeout = 0;
/* require: input channel from ADC to be /* require: a) input channel from ADC to be
in valid ADC range */ in valid ADC range
b) voltage ref is 0.1% of 5V */
/* return out of range result */ /* return out of range result */
/* if invalid channel selected */ /* if invalid channel selected */
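Review bot: precondition b) `voltage ref is 0.1% of 5V` reads literally as a 5 mV reference; the postcondition added in the following hunk (`ensure: value is voltage input to within 0.1%`) and the V\_REF failure mode in the analysis indicate the intended requirement is a 5 V reference accurate to within 0.1%, so reword it as `voltage reference is 5V to within 0.1%`. Note also that the reference tolerance on its own does not bound the returned value to 0.1%: the converter's quantisation error adds to it, so either state the total error budget or weaken the ensure clause accordingly.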
@ -423,6 +434,9 @@ double read_ADC( int channel ) {
dval = -1.0; /* indicate invalid reading */ dval = -1.0; /* indicate invalid reading */
/* return voltage as a floating point value */ /* return voltage as a floating point value */
/* ensure: value is voltage input to within 0.1% */
return dval; return dval;
} }
\end{verbatim} \end{verbatim}
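Review bot: the new postcondition `/* ensure: value is voltage input to within 0.1% */` is stated unconditionally, yet two lines above the function sets `dval = -1.0; /* indicate invalid reading */` on the error path, so the contract as written is violated whenever the channel is invalid or the conversion times out; qualify it, e.g. `ensure: value is voltage input to within 0.1%, or -1.0 if the channel was invalid or the conversion timed out`. Separately, -1.0 is an in-band sentinel: a caller that only applies the 0.88 to 4.4 V range check from read\_4\_20\_input's precondition reports it as OUT\_OF\_RANGE and cannot tell a hardware fault from a genuinely out-of-range loop current. Returning a status code and writing the voltage through a pointer, as read\_4\_20\_input already does with `int * value`, keeps the two apart.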
@ -430,33 +444,268 @@ double read_ADC( int channel ) {
} }
We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt]{./ct1.png}
% ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224
\caption{Call tree for software example}
\label{fig:ct1}
\end{figure}
This software is above the hardware in the call tree.
FMEA is always a bottom-up process and so we must being with the hardware.
The hardware is simply a load resistor, connected across an ADC input
pin on the micro-controller and ground.
We can identify the resistor and the ADC module of the micro-controller as
the base components in this design.
We now apply FMMD starting with the hardware.
\subsection{FMMD Process} \subsection{FMMD Process}
\paragraph{Functional Group - Convert mA to Voltage - CMATV} \paragraph{Functional Group - Convert mA to Voltage - CMATV}
This functional group contains the load resistor This functional group contains the load resistor
and the physical Analogue to Digital Converter (ADC). and the physical Analogue to Digital Converter (ADC).
Our functional group, G is thus the set of base components $G = \{R, ADC\}$.
For the resistor we can use a failure mode set from the literature~\cite{en298}.
Where the function $fm$ returns a set of failure modes for a given component we can state:
$$ fm(R) = \{OPEN,SHORT\}. $$
For the ADC we can determine the following failure modes:
$$ fm(ADC) = \{ STUCKAT, MUXFAIL, LOWOUT, HIGHOUT \}. $$
With these failure modes, we can analyse our first functional group.
{
\tiny
\begin{table}[h+]
\caption{CMATV: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline
\hline
1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
& voltage on pin high & \\ \hline
2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\
& voltage on pin low & \\ \hline \hline
3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\
& fixed value & \\ \hline
4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\
& wrong channel & \\ \hline
5: $ADC_{LOWOUT}$ & output low & $LOW$ \\
6: $ADC_{HIGHOUT}$ & output high & $HIGH$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now have the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $.
We can now create a {\dc} to represent this called $CMATV$.
As its failure modes, are the symptoms of failure from the functional group we can now state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} $$
\paragraph{Functional Group - Software - Read\_ADC - RADC}
The software function $Read\_ADC$ uses the ADC hardware analysed
as the {\dc} CMATV above.
We know from the contractual programming requirements, that
the function needs to be sent the correct channel number.
%
A violation of this can be considered a {\fm} of the function,
which we can call $ CHAN\_NO $.
%
The reference voltage for the ADC has a 0.1\% requirement.
%
If the reference value is outside of this, it is also a {\fm}
of this function, which we can call $V\_REF$.
Taken as a component for use in FMEA/FMMD our function has
two failure modes. We can therefore treat it as a generic component, $RA$,
by stating:
$$ fm(RA) = \{ CHAN\_NO, VREF \} $$
As we have a failure mode model for our function, we can now use it in conjunction with
with the ADC hardware {\dc} CMATV, to form a {\fg}, where $G=\{ CMSTV, Read\_ADC \}$.
We can now analyse this hardware/software combined {\fg}.
{
\tiny
\begin{table}[h+]
\caption{RADC: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: $RA_{CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
& read & \\ \hline
2: $RA_{VREF}$ & voltage & $VV\_ERR$ \\
& incorrect & \\ \hline \hline
3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\
& incorrect & \\ \hline
4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\
& wrong channel & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We can now see that the symptoms of failure for the {\fg} analysed
as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition
for the function.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ },
corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}.
We can now create a {\dc} called $RADC$ which has the following
{\fms}:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{Functional Group - Software - voltage to per mil - VTPM } \paragraph{Functional Group - Software - voltage to per mil - VTPM }
This function sits on top of the $RADC$ {\dc} determined above.
We look at the pre-conditions for the function $read\_4\_20\_input$ $(RI)$, % which we can call $RI$
to determine its {\fms}.
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
We can call a violation of this the {\fm} VRNGE; %As this function has one pre-condition
we can state,
$$ fm(RI) = \{ VRNGE \} .$$
We can now form a functional group with the {\dc} $RADC$ and the software component $RI$, i.e. $G=\{RI, RADC\}$.
{
\tiny
\begin{table}[h+]
\caption{Read\_4\_20: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: $RI_{VRGE}$ & voltage & $OUT\_OF\_RANGE$ \\
& outside range & \\ \hline
2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_RANGE$ \\
& wrong channel & \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
The postcondition for the function $read\_4\_20\_input$ ($R420I$), {\em /* ensure: value is proportional (0-999) to the
4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group}
For single failures these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable.
The $VAL\_ERR$ will simply mean that the value read is simply wrong.
We can now finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus:
$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\}$$
%
% Using the derived components, CMATV and VTPM we create
% a new functional group. This
% integrates FMEA's from software and eletronics
% into the same failure mode model.
We can now represent the software/hardware FMMD analysis
as a hierarchical diagram, see figure~\ref{fig:hd}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./hd.png}
% hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
\caption{FMMD hierarchy with hardware and software elements}
\label{fig:hd}
\end{figure}
\paragraph{Final Functional Group}
Using the derived components, CMATV and VTPM we create
a new functional group. This
integrates FMEA's from software and eletronics
into the same failure mode model.
%\clearpage %\clearpage
\section{Conclusion} \section{Conclusion}
The derived component representing the {\ft} reader The derived component representing the {\ft} reader
in software shows that by taking a modular approach, we can integrate in software shows that by taking a modular approach for FMEA, we can integrate
software and electro-mechanical FMEA models. software and electro-mechanical FMEA models.
The unsolved symptoms, or unobservable errors, could be addressed The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed
by another software function to read other known signals by another software function to read other known signals
via the MUX (i.e. voltage references). This strategy would via the MUX (i.e. voltage references). This strategy would
detect ADC STUCK AT and MUX FAIL failure modes. detect ADC STUCK AT and MUX FAIL failure modes.
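Review bot: several cells in the new FMEA tables are copy-paste residue that changes the result of the analysis. In the RADC table, row 4 (`$CMATV_{HIGH}$ & ADC may read & $HIGH$` / `& wrong channel`) repeats the MUXFAIL effect text from the CMATV table; the effect is the pin voltage being high. In the Read\_4\_20 table, row 4 (`$RADC_{LOW}$ & ADC may read` / `& wrong channel`) has the same problem, and row 3 maps $RADC_{HIGH}$ to $VAL\_ERR$ while row 4 maps $RADC_{LOW}$ to $OUT\_OF\_RANGE$: if HIGH and LOW both mean the voltage is outside 0.88 to 4.4 V, the precondition check catches both and both symptoms are $OUT\_OF\_RANGE$; if HIGH means a plausible but wrong value, say so, because $VAL\_ERR$ is the undetected case the conclusion builds on. That table's symptom column is also headed `RADC` although it belongs to the new component. Identifiers drift through the text: `$G=\{ CMSTV, Read\_ADC \}$` should be CMATV; the mode is introduced as $V\_REF$ but used as VREF in $fm(RA)$; the precondition violation is named VRNGE but the table row reads $RI_{VRGE}$; `$RADC_{VV_ERR}$` needs `VV\_ERR` with the escaped underscore the other rows use; the function is $RI$ in one paragraph and $R420I$ in the next; and the closing `Final Functional Group` paragraph refers to a derived component VTPM that is never created (the components built here are CMATV, RADC and R420I), while its commented-out duplicate a few lines earlier can be dropped. LaTeX: `\label{tbl:phs225amp}` is reused for all three tables, so any `\ref` to them is ambiguous, and `\begin{table}[h+]` is not a valid float placement option (use `[h]` or `[ht]` as the figures do). Typos: `we must being with the hardware`, `eletronics`.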