From 6aa6dbe71bd94efed2e57d5232450f39be95d259 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Tue, 1 Jan 2013 21:39:57 +0000 Subject: [PATCH] red pen proof read --- submission_thesis/CH5_Examples/copy.tex | 63 +++++++++++---------- submission_thesis/CH5_Examples/software.tex | 61 ++++++++++++-------- 2 files changed, 69 insertions(+), 55 deletions(-) diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 4421da1..3c3bf73 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex @@ -36,9 +36,8 @@ a variety of typical embedded system components including analogue/digital and e \item The first example applies FMMD to an operational amplifier inverting amplifier (see section~\ref{sec:invamp}); %using an op-amp and two resistors; this demonstrates re-use of a potential divider {\dc} from section~\ref{subsec:potdiv}. -This inverting amplifier %is analysed again, but this time with a different -re-analysed with a different -composition of {\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed. +This amplifier is analysed twice, using different compositions of {\fgs}. +The two approaches, i.e. choice of membership for {\fgs}, are then discussed. % \item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used to create a differencing amplifier. 
@@ -625,14 +624,12 @@ Both approaches are followed in the next two sub-sections. \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} -Ideally we would like to re-use {\dcs} the the $PD$ from section~\ref{subsec:potdiv}, at first -glance, looks a good candidate for this. +Ideally we would like to re-use {\dcs} from the $PD$ from section~\ref{subsec:potdiv}, which on initial inspection, %at first glance, +looks a good candidate for this. % -However, -We cannot directly re-use $PD$ , and not just because -the potential divider is floating. -% -By floating, we mean that the polarity of +However, +we cannot directly re-use $PD$ , and not just because +the potential divider is floating i.e. that the polarity of the R2 side of the potential divider is determined by the output from the op-amp. % The circuit schematic stipulates that the input is positive. @@ -646,6 +643,7 @@ What we have then, in normal operation, is an inverted potential divider. %Were the input to be guaranteed % the input will only be We can therefore view it as an inverted potential divider and analyse it as such; see table~\ref{tbl:pdneg}. +% We assume a valid range for the output value of this circuit. Thus negative or low voltages can be considered as LOW and voltages higher than this range considered as HIGH. @@ -710,7 +708,8 @@ and voltages higher than this range considered as HIGH. We can form a {\dc} from the analysis results in table~\ref{tbl:pdneg} %this, and call it an inverted potential divider $INVPD$. -We can now progress the the final stage of analysis for this amplifier, by forming a {\fg} with the OpAmp and out new {\dc} $INVPD$. +We can now progress to the final stage of analysis for this amplifier, +by forming a {\fg} with the OpAmp and our new {\dc} $INVPD$. \begin{table}[h+] \caption{Inverting Amplifier: Single failure analysis using the $PD$ {\dc}} 
@@ -968,7 +967,7 @@ ensuring that they will not electrically load the previous stage. %over-load and/or unduly influence %the sensors or circuitry supplying the voltage signals used for measurement. -Because this differencing amplifier present high impedance to both inputs, and only uses two amplifiers, +Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers, this is a useful circuit wherever a high impedance differencing amplifier is required. It is a configuration that will be used in many electronic circuits. It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$. @@ -1196,13 +1195,14 @@ $$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$ %the derived component for $NI\_AMP$ \pagebreak[4] -\subsection{Finishing stage of the $DiffAmp$ Analysis} +\subsection{Final stage of the $DiffAmp$ Analysis} For the final stage we create a functional group consisting of two derived components of the type $NI\_AMP$ and $SEC\_AMP$. -We apply FMMD analysis to this {\fg} in table~\ref{tblampfmea}. +We apply FMMD analysis to this {\fg} in table~\ref{tbl:diffampfinal}. % \begin{table}[h+] +\label{tbl:diffampfinal} \caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table \centering % used for centering table \begin{tabular}{||l|c|c|l|l||} 
@@ -1231,14 +1231,15 @@ We apply FMMD analysis to this {\fg} in table~\ref{tblampfmea}. \label{tbl:ampfmea} \end{table} % -Collecting symptoms we determine the failure modes for this circuit, %$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. -we create a derived component to represent the failure modes of the circuit in figure~\ref{fig:circuit1}. +Collecting common symptoms of failure we determine the failure modes for this circuit. +%$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. +We create a derived component to represent the failure mode behaviour of the differencing amplifier circuit (see figure~\ref{fig:circuit1}). $$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$ -We draw a directed graph (figure~\ref{fig:circuit1_dag}) -of the failure modes and derived components. +We can represent the failure analysis performed as a directed graph (see figure~\ref{fig:circuit1_dag}). +%of the failure modes and derived components. % Using this we can trace any top level fault back to a component failure mode that could have caused it\footnote{ In fact we can 
@@ -1263,15 +1264,15 @@ terminology is called an undetectable fault. % Were this failure to have safety implications, this FMMD analysis will have revealed the un-observability and would likely prompt re-design of this -circuit (a typical way to solve an un-observability such as this is -to periodically switch in test signals in place of the input signal). +circuit. A typical way to solve an un-observability such as this is +to periodically switch in test signals in place of the input signal. %\footnote{A typical way to solve an un-observability such as this is %to periodically switch in test signals in place of the input signal.}. \subsection{Conclusion} This example shows a three stages hierarchy, and a graph tracing the base~component failure modes to the -top level event. It also re-visits the the decisions about membership of {\fgs}, due to the context +top level event. It also re-visits the decisions about membership of {\fgs}, due to the context of the circuit raised in section~\ref{subsec:invamp2}. \clearpage @@ -1469,7 +1470,7 @@ and this follows the signal flow in the filter circuit (see figure~\ref{fig:bloc -As the signal has to pass though each block/stage +As the signal has to pass through each block/stage in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg} in order to get a failure mode model for the whole circuit. We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}. 
@@ -1652,7 +1653,7 @@ $$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$ The non-inverting buffer {\fg}, is comprised of one component, an op-amp. We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group. % GARK -We can express the failure modes for the ono-inverting buffer ($NIBUFF$) thus: +We can express the failure modes for the non-inverting buffer ($NIBUFF$) thus: $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$ %Because we obtain the failure modes for $NIBUFF$ from the literature, @@ -1696,8 +1697,8 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. % The detail of the FMMD analysis can be found in section~\ref{detail:BUBOSC1}. -Applying $fm$ to the bubba oscillator -returns three failure modes, +Applying $fm$ to the Bubba oscillator +returns two failure modes, % $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$ % @@ -1715,7 +1716,7 @@ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$ %of $468$ failure modes to check against components. %However, The analysis here appears top-heavy; we should be able to refine the model more -and break this down into smaller functional groups, by allowing more stages of hierarchy. +and break this down into smaller functional groups by allowing more stages of hierarchy. %and hopefully %this should lead a further reduction in the complexity comparison figure. By decreasing the size of the modules with further refinement, @@ -1869,7 +1870,7 @@ gives a valid result. However, it involves a large reasoning distance, the final stage having 24 failure modes to consider against each of the other seven {\dcs}. A finer grained approach produces more potentially re-usable {\dcs} and -involves a several stages with lower reasoning distances. +involves several stages with lower reasoning distances. 
@@ -2005,7 +2006,7 @@ It therefore has the failure modes of an Op-amp. % \end{table} This is an OpAmp in a signal buffer configuration. As it is performing one particular function -we my consider it as a derived component, that of a High Impedance Signal Buffer (HISB). +we may consider it as a derived component, that of a High Impedance Signal Buffer (HISB). This is analysed using FMMD in section~\ref{detail:HISB}. % We create the {\dc} $HISB$ and its failure modes may be stated as $$fm(HISB) = \{HIGH, LOW, NOOP, LOW_{SLEW} \}.$$ @@ -2017,7 +2018,7 @@ Digital level to analogue level conversion is performed by IC3 in conjunction wi The potential divider provides a mid rail reference voltage to the inverting input of IC3. -\paragraph{Potential divider Formed by R3,R4.} +\paragraph{Potential divider formed by R3,R4.} We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$ to represent the potential divider formed by R3 and R4. %Because PD is a derived component, we can denote this @@ -2115,7 +2116,7 @@ and make a complete failure mode for the {\sd}. -\subsubsection{{\fg} $HISB$ and $SUMJINT$} +\subsubsection{Buffered Integrating Summing Junction (BISJ): {\fg} of $HISB$ and $SUMJINT$} We now form a {\fg} with the two derived components $HISB$ and $SUMJINT$. This forms a buffered integrating summing junction. We analyse this using FMMD @@ -2136,7 +2137,7 @@ $$ fm(BISJ) = \{ OUTPUT STUCK , REDUCED\_INTEGRATION \} . $$ -\subsubsection{{\fg} $DL2AL$ and $DIGBUF$} +\subsubsection{Flip Flop Buffer (FFB): {\fg} of $DL2AL$ and $DIGBUF$} %$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$ %$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$ diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index c78da4b..6f38695 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex 
@@ -72,7 +72,7 @@ we form a complete failure mode hierarchy of the system under investigation. Software written for safety critical systems is usually constrained to be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}. Because of this we can assume direct call trees~\footnote{A typical embedded system -will have a run time call tree, and (possibly multiple) interrupt sourced call tress.}. Functions call functions +will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions from the top down and eventually call the lowest level library or IO functions that interact with hardware/electronics. 
@@ -137,19 +137,22 @@ In pure contract programming, a violation of a pre-condition would cause the fun In implementation code, a pre-condition violation should cause an error to be generated, and thus a post condition to fail. % -A function can fail for reasons other than the -failure of one the variables/inputs or functions that it calls. +A function can fail for reasons other than corruption of its input data (i.e. +failure caused by variables it uses or return values from functions it calls). +% Variables can become corrupted, by radiation affecting RAM~\cite{5488118,5963919} or by another software function erroneously overwriting variables~\cite{swseatbelt}. +% Current work on software FMEA generally focuses on mapping variable corruption to failure modes~\cite{procsfmea,procsfmeadb,sfmeaauto,sfmea}. -However, errors other than variable corruption can occur, -for instance a microprocessor may have subtle bugs in its instruction set, or +However, errors other than variable corruption can occur. +For instance a microprocessor may have subtle bugs in its instruction set, or incorrectly handled interrupt contention which could cause side effects in software. For the failure mode model of any software function, -we must consider all failure modes of post condition -violations as well as those caused by `components'. +we must consider that all failure modes defined by post condition +violations could simply occur. +%`components'. \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} @@ -169,7 +172,7 @@ and this is referred to as {\ft} signalling. % {\ft} signalling has intrinsic electrical safety advantages. % -Because the current in a loop is constant~\cite{aoe}[p.20] +Because the current in a loop is constant~\cite{aoe}[p.20], resistance in the wires between the source and receiving end is not an issue that can alter the accuracy of the signal. % 
@@ -201,7 +204,7 @@ The diagram in figure~\ref{fig:ftcontext}, shows some equipment which is sending signal to a micro-controller system. The signal is locally driven over a load resistor, and then read into the micro-controller via an ADC and its multiplexer. -With the voltage determined at the ADC we read the intended quantitative +With the voltage determined at the ADC, we read the intended quantitative value from the external equipment. \section{Simple Software Example: Reading a \ft input into software} @@ -214,7 +217,7 @@ Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read from an ADC into the software. Let us define any value outside the 4mA to 20mA range as an error condition. % -As we read a voltage voltage, we use Ohms law~\cite{aoe} to determine the mA current detected: $V=IR$, $0.004A * \ohms{220} = 0.88V$ +As we read a voltage, we use Ohms law~\cite{aoe} to determine the mA current detected: $V=IR$, $0.004A * \ohms{220} = 0.88V$ and $0.020A * \ohms{220} = 4.4V$. % Our acceptable voltage range is therefore @@ -452,7 +455,7 @@ create a {\dc} to represent this called, $CMATV$. %We can express this using the `$\derivec$' function thus: %$$ CMATV = \; \derivec (G_1) .$$ -As its failure modes, are the symptoms of failure from the functional group we state: +As its failure modes are the symptoms of failure from the functional group we state: $$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$ @@ -484,7 +487,7 @@ by stating: $$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$ -As we have a failure mode model for our function, we use it in conjunction with +As we have a failure mode model for our function, we use it in conjunction with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$. % We analyse this hardware/software combined {\fg}. 
@@ -668,7 +671,8 @@ reasoning stage. Each reasoning stage will have an associated analysis report. % With traditional FMEA methods the reasoning~distance is large, because -it stretches from the component failure mode to the top---or---system level failure. +it stretches from the component failure mode to the %top---or---system +top or system level failure. For this reason applying traditional FMEA to software stretches the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is performed separately from HFMEA~\cite{sfmea,sfmeaa}, additionally even the software/hardware @@ -720,7 +724,7 @@ Using FMMD we can determine an accurate failure model for the interface as well~ It is desirable to model a complete standalone system with FMMD. Not only a standalone system, but ideally a hybrid software/hardware system. Temperature control is a first order differential problem, and is often -addressed using the Proportional Integral differential (PID) algorithm~\cite{dcods}[p.66]. +addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66]. Traditionally this was performed in analogue electronics with trimmer potentiometers providing the P and I parameters. Since the introduction of micro-processors, it has been possible to 
@@ -822,9 +826,11 @@ this is clearly going to be the monitor function. \paragraph{Software Algorithm.} The monitor function will orchestrate the control process. -Firstly it will examine the timer value, and when appropriate, call the PID function, which will call first -the determine\_set\_point\_error function with that calling convert\_ADC\_to\_T -which calls Read\_ADC (the function developed in the earlier example). +Firstly it will examine the timer value, and when appropriate, call the PID function. +The PID function call +determine\_set\_point\_error and that calls convert\_ADC\_to\_T +which calls Read\_ADC (the function developed in the earlier example) +which reads from physical hardware. % With the set point error value the PID function will return output control value to its calling @@ -835,7 +841,7 @@ demand which will be returned to the monitor function). The PID demand value will be applied via the PWM. We now have a rudimentary closed loop control system incorporating both hardware and software. % -By using the Yourdon methodology we the programmatic design --- or call tree --- defined. +By using the Yourdon methodology we obtain a the programmatic design i.e. we define a call tree structure. % We now have all the components, i.e. hardware elements and software functions that will be used in the temperature controller. @@ -874,7 +880,7 @@ The internal timer in use is a register which when read returns an incremented time value. Using two's complement mathematics, by subtracting the time we last read it, we can calculate the interval -between readings (assuming the timer has not completely wrapped around). +between readings (assuming the timer has not wrapped around more then once). We can say that a timer can fail by incrementing its value at an incorrect rate, or can stop incrementing. $$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$ 
@@ -896,7 +902,7 @@ an unsigned magnitude value to~\cite{pic182523}[Ch.15]. The PWM hardware module applies this using a mark space ratio proportional to that value, providing a means of varying the amount of power supplied. -When the PWM action is halted, or fails, the digital output pin associated with it, +When the PWM action is halted, or fails, the digital output pin associated with it will typically be held in a high or low state. We therefore state: $$ fm(PWM) = \{ HIGH, LOW \}.$$ @@ -905,7 +911,7 @@ $$ fm(PWM) = \{ HIGH, LOW \}.$$ The Micro controller is a complex piece of highly integrated electronics. Typically, along with a micro-processor with PROM and RAM, they have many I/O modules including UARTS, PWM, ADCMUX, CAN General I/O and interrupt lines to name but a few. -In this project we are using the ADCMUX, TIMER, PWM and the general purpose computing facilities. +In this project we are using the ADCMUX, TIMER, PWM and general purpose computing facilities. We have to therefore consider the general~computing, CLOCK, PROM and RAM failure modes. $$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED \}.$$ @@ -934,6 +940,7 @@ This gives us a {\dc} which we call ReadPt100. { \tiny \begin{table}[h+] +\center \caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table \label{tbl:readPt100} 
@@ -977,13 +984,13 @@ $$ fm (Read\_Pt100) = \{ VOLTAGE\_HIGH, VAL\_ERR, VOLTAGE\_LOW \}. $$ We move along the afferent flow, and we come to the convert\_ADC\_to\_T function. This will call Read\_ADC twice, one for the high Pt100 value, again for the lower. % and once for to read a current sense. We then, calculate the resistance of the Pt100 element, and with this---using a -polynomial or a lookup table~\cite{eurothermtables}---and calculate the temperature. +polynomial or a lookup table~\cite{eurothermtables}---calculate the temperature. The pre-conditions for the function are that: \begin{itemize} % \item The current calculated is within pre-defined bounds i.e. Pt100\_current, \item The lower Pt100 value is within an acceptable voltage range i.e. Pt100\_lower\_voltage, \item The higher Pt100 value is within an acceptable voltage range i.e. Pt100\_higher\_voltage, - \item The Lower and higher values agree to within a given tolerance i.e. Pt100\_high\_low\_mismatch. + \item The lower and higher values agree to within a given tolerance i.e. Pt100\_high\_low\_mismatch. \end{itemize} Any violation of these pre-conditions is equivalent to a failure mode. Note that a temperature outside the pre-defined range will also cause these errors. @@ -996,6 +1003,7 @@ We can call the resulting {\dc} Get\_Temperature. { \tiny \begin{table}[h+] +\center \caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table \label{tbl:gettemperature} @@ -1066,6 +1074,7 @@ an incorrect error value. { \tiny \begin{table}[h+] +\center \caption{ GetError: Failure Mode Effects Analysis} % title of Table \label{tbl:geterror} @@ -1129,6 +1138,7 @@ being the logic and process of the failure mode analysis. { \tiny \begin{table}[h+] +\center \caption{ PID: Failure Mode Effects Analysis} % title of Table \label{tbl:pidfunction} 
@@ -1191,6 +1201,7 @@ to implement the power output demand. { \tiny \begin{table}[h+] +\center \caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table \label{tbl:heateroutput} @@ -1269,6 +1280,7 @@ We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}. { \tiny \begin{table}[h+] +\center \caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table \label{tbl:ledoutput} @@ -1355,6 +1367,7 @@ The post condition for the monitor function is that it implements the PID contro { \tiny \begin{table}[h+] +\center \caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table \label{tbl:pid} @@ -1445,7 +1458,7 @@ by electronics we can apply reliability statistics. % For software errors, we could, if necessary provide extra functions to provide self checking. We could follow EN61508 high reliability software measures such as -duplication of functions whith checking functions arbitrating them (diverse programming~\cite{en61508}[C.3.5]). +duplication of functions with checking functions arbitrating them (diverse programming~\cite{en61508}[C.3.5]). % We could for instance validate the processor clocking with an external watchdog and a simple communications protocol. For PROM and RAM faults we can implement measures such as checksums
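Review bot: the rewritten sentence in the copy.tex hunk at @@ -625 still reads awkwardly: `re-use {\dcs} from the $PD$ from section~\ref{subsec:potdiv}, which on initial inspection, %at first glance,` has a doubled "from", a plural `{\dcs}` for the single derived component $PD$, and the comma left before the `%` comment separates the subject clause from its verb ("inspection, looks"). Suggest `Ideally we would like to re-use the {\dc} $PD$ from section~\ref{subsec:potdiv}, which on initial inspection looks a good candidate for this.` In the same hunk, `re-use $PD$ ,` has a space before the comma, and `floating i.e. that the polarity` should read `floating, i.e. the polarity`.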
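Review bot: in the copy.tex hunk at @@ -1196 the new `\label{tbl:diffampfinal}` is placed before `\caption`, so `\ref{tbl:diffampfinal}` will resolve to the last counter stepped before the float (the subsection number), not the table number; a `\label` inside a float must follow `\caption`. The next hunk at @@ -1231 shows the same table already ends with `\label{tbl:ampfmea}`, so it would now carry two labels. Suggest dropping the added label line and pointing the text at the existing label instead: `We apply FMMD analysis to this {\fg} in table~\ref{tbl:ampfmea}.`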
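Review bot: the context line `This example shows a three stages hierarchy` in the copy.tex hunk at @@ -1263 has a number-agreement slip this pass missed; suggest `a three-stage hierarchy`.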
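Review bot: the `-` and `+` lines in the software.tex hunk at @@ -484 are textually identical, so this is a whitespace-only change (trailing space) and is fine to keep, but the context line `$G_2 =\{ CMSTV, Read\_ADC \}$` spells the {\dc} `CMSTV` while the hunk at @@ -452 defines it as `CMATV` and the same sentence refers to `the ADC hardware {\dc} CMATV`; suggest correcting the set to `\{ CMATV, Read\_ADC \}` so the reference resolves to the component actually defined.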
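Review bot: in the software.tex hunk at @@ -822, `The PID function call` needs the verb `calls`, and the chain of calls is easier to follow with commas; suggest `The PID function calls determine\_set\_point\_error, which calls convert\_ADC\_to\_T, which calls Read\_ADC (the function developed in the earlier example), which reads from physical hardware.`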
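Review bot: `we obtain a the programmatic design` in the software.tex hunk at @@ -835 has a stray article; suggest `By using the Yourdon methodology we obtain the programmatic design, i.e. we define a call tree structure.`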
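Review bot: `more then once` in the software.tex hunk at @@ -874 should be `more than once`, and the stated condition is looser than what the two's complement subtraction described on the preceding lines actually requires: the modular difference of two readings is the true interval only when less than one full timer period has elapsed between them, regardless of whether the counter passed through zero in that time. Suggest `(assuming less than one full timer period has elapsed between readings)`.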
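Review bot: the `\center` added directly inside `\begin{table}` in the software.tex hunk at @@ -934 (and likewise at @@ -996, @@ -1066, @@ -1129, @@ -1191, @@ -1269 and @@ -1355) is the internal switch behind the `center` environment, not a standalone command; used bare it is never closed by `\endcenter` and inserts spurious vertical space around the table. The copy.tex hunk at @@ -1196 already shows the correct form in its context lines, `\centering % used for centering table`; suggest `\centering` in all seven tables.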
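Review bot: the context lines in the software.tex hunk at @@ -977 still carry `This will call Read\_ADC twice, one for the high Pt100 value, again for the lower.` and `We then, calculate the resistance`; suggest `once for the high Pt100 value and once for the lower` and dropping the comma after `then`, since this pass is a proof read of the same paragraph.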