red pen proof read

This commit is contained in:
Robin Clark 2013-01-01 21:39:57 +00:00
parent 2c57afb5b4
commit 6aa6dbe71b
2 changed files with 69 additions and 55 deletions

View File

@ -36,9 +36,8 @@ a variety of typical embedded system components including analogue/digital and e
\item The first example applies FMMD to an operational amplifier inverting amplifier (see section~\ref{sec:invamp}); \item The first example applies FMMD to an operational amplifier inverting amplifier (see section~\ref{sec:invamp});
%using an op-amp and two resistors; %using an op-amp and two resistors;
this demonstrates re-use of a potential divider {\dc} from section~\ref{subsec:potdiv}. this demonstrates re-use of a potential divider {\dc} from section~\ref{subsec:potdiv}.
This inverting amplifier %is analysed again, but this time with a different This amplifier is analysed twice, using different compositions of {\fgs}.
re-analysed with a different The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
composition of {\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
% %
\item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used \item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used
to create a differencing amplifier. to create a differencing amplifier.
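Review bot: `i.e. choice of membership` in the new sentence should be `i.e.\ choice` (or `i.e.,`), otherwise LaTeX takes the full stop after `e` as a sentence end and inserts a wide space; the same `i.e.` pattern is introduced in several later hunks of this commit and wants the same treatment. The reworded item also reads more naturally as "The two choices of {\fg} membership are then discussed" rather than "The two approaches, i.e. choice of membership for {\fgs}".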
@ -625,14 +624,12 @@ Both approaches are followed in the next two sub-sections.
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
Ideally we would like to re-use {\dcs} the the $PD$ from section~\ref{subsec:potdiv}, at first Ideally we would like to re-use {\dcs} from the $PD$ from section~\ref{subsec:potdiv}, which on initial inspection, %at first glance,
glance, looks a good candidate for this. looks a good candidate for this.
% %
However, However,
We cannot directly re-use $PD$ , and not just because we cannot directly re-use $PD$ , and not just because
the potential divider is floating. the potential divider is floating i.e. that the polarity of
%
By floating, we mean that the polarity of
the R2 side of the potential divider is determined by the output from the op-amp. the R2 side of the potential divider is determined by the output from the op-amp.
% %
The circuit schematic stipulates that the input is positive. The circuit schematic stipulates that the input is positive.
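Review bot: the new first sentence has a doubled preposition, "re-use {\dcs} from the $PD$ from section~\ref{subsec:potdiv}"; the old "the the" has simply been replaced by "from the ... from". Suggest "re-use the $PD$ {\dc} from section~\ref{subsec:potdiv}". Two smaller points on the same lines: "$PD$ ," keeps a space before the comma on both sides, and "floating i.e. that the polarity of" drops "that" once the comment is spliced in ("floating, i.e.\ the polarity of").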
@ -646,6 +643,7 @@ What we have then, in normal operation, is an inverted potential divider.
%Were the input to be guaranteed % the input will only be %Were the input to be guaranteed % the input will only be
We can therefore view it as an inverted potential divider We can therefore view it as an inverted potential divider
and analyse it as such; see table~\ref{tbl:pdneg}. and analyse it as such; see table~\ref{tbl:pdneg}.
%
We assume a valid range for the output value of this circuit. We assume a valid range for the output value of this circuit.
Thus negative or low voltages can be considered as LOW Thus negative or low voltages can be considered as LOW
and voltages higher than this range considered as HIGH. and voltages higher than this range considered as HIGH.
@ -710,7 +708,8 @@ and voltages higher than this range considered as HIGH.
We can form a {\dc} from the analysis results in table~\ref{tbl:pdneg} %this, We can form a {\dc} from the analysis results in table~\ref{tbl:pdneg} %this,
and call it an inverted potential divider $INVPD$. and call it an inverted potential divider $INVPD$.
We can now progress the the final stage of analysis for this amplifier, by forming a {\fg} with the OpAmp and out new {\dc} $INVPD$. We can now progress to the final stage of analysis for this amplifier,
by forming a {\fg} with the OpAmp and our new {\dc} $INVPD$.
\begin{table}[h+] \begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis using the $PD$ {\dc}} \caption{Inverting Amplifier: Single failure analysis using the $PD$ {\dc}}
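Review bot: the sentence fix is correct, but the table it introduces is opened with \begin{table}[h+]; "+" is not a standard float placement character and LaTeX reports "Unknown float option" for it unless a package in the preamble defines one. [h], [ht] or [H] (float package) is presumably what is intended, here and in the other \begin{table}[h+] lines touched by this commit.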
@ -968,7 +967,7 @@ ensuring that they will not
electrically load the previous stage. electrically load the previous stage.
%over-load and/or unduly influence %over-load and/or unduly influence
%the sensors or circuitry supplying the voltage signals used for measurement. %the sensors or circuitry supplying the voltage signals used for measurement.
Because this differencing amplifier present high impedance to both inputs, and only uses two amplifiers, Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers,
this is a useful circuit wherever a high impedance differencing amplifier is required. this is a useful circuit wherever a high impedance differencing amplifier is required.
It is a configuration that will be used in many electronic circuits. It is a configuration that will be used in many electronic circuits.
It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$. It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
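Review bot: "It would therefore, be desirable" has the comma on the wrong side of "therefore"; either "It would, therefore, be desirable" or no comma. "called say $DiffAMP$" also wants commas around "say". Both are unchanged context, but this proofreading pass is the place to catch them.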
@ -1196,13 +1195,14 @@ $$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$
%the derived component for $NI\_AMP$ %the derived component for $NI\_AMP$
\pagebreak[4] \pagebreak[4]
\subsection{Finishing stage of the $DiffAmp$ Analysis} \subsection{Final stage of the $DiffAmp$ Analysis}
For the final stage we create a functional group consisting of For the final stage we create a functional group consisting of
two derived components of the type $NI\_AMP$ and $SEC\_AMP$. two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
We apply FMMD analysis to this {\fg} in table~\ref{tblampfmea}. We apply FMMD analysis to this {\fg} in table~\ref{tbl:diffampfinal}.
% %
\begin{table}[h+] \begin{table}[h+]
\label{tbl:diffampfinal}
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table \caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|c|c|l|l||} \begin{tabular}{||l|c|c|l|l||}
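Review bot: the new \label{tbl:diffampfinal} is placed before \caption, so \ref{tbl:diffampfinal} will resolve to the enclosing section number rather than the table number; inside a float \label must come after \caption. The same table already carries \label{tbl:ampfmea} after its caption (visible at the start of the next hunk), so the simplest fix is to drop the new label and change the text to table~\ref{tbl:ampfmea}, which also repairs the original dangling \ref{tblampfmea} without leaving two labels on one float.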
@ -1231,14 +1231,15 @@ We apply FMMD analysis to this {\fg} in table~\ref{tblampfmea}.
\label{tbl:ampfmea} \label{tbl:ampfmea}
\end{table} \end{table}
% %
Collecting symptoms we determine the failure modes for this circuit, %$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. Collecting common symptoms of failure we determine the failure modes for this circuit.
we create a derived component to represent the failure modes of the circuit in figure~\ref{fig:circuit1}. %$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We create a derived component to represent the failure mode behaviour of the differencing amplifier circuit (see figure~\ref{fig:circuit1}).
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$ $$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
We draw a directed graph (figure~\ref{fig:circuit1_dag}) We can represent the failure analysis performed as a directed graph (see figure~\ref{fig:circuit1_dag}).
of the failure modes and derived components. %of the failure modes and derived components.
% %
Using this we can trace any top level fault back to Using this we can trace any top level fault back to
a component failure mode that could have caused it\footnote{ In fact we can a component failure mode that could have caused it\footnote{ In fact we can
@ -1263,15 +1264,15 @@ terminology is called an undetectable fault.
% %
Were this failure to have safety implications, this FMMD analysis will have revealed Were this failure to have safety implications, this FMMD analysis will have revealed
the un-observability and would likely prompt re-design of this the un-observability and would likely prompt re-design of this
circuit (a typical way to solve an un-observability such as this is circuit. A typical way to solve an un-observability such as this is
to periodically switch in test signals in place of the input signal). to periodically switch in test signals in place of the input signal.
%\footnote{A typical way to solve an un-observability such as this is %\footnote{A typical way to solve an un-observability such as this is
%to periodically switch in test signals in place of the input signal.}. %to periodically switch in test signals in place of the input signal.}.
\subsection{Conclusion} \subsection{Conclusion}
This example shows a three stages hierarchy, and a graph tracing the base~component failure modes to the This example shows a three stages hierarchy, and a graph tracing the base~component failure modes to the
top level event. It also re-visits the the decisions about membership of {\fgs}, due to the context top level event. It also re-visits the decisions about membership of {\fgs}, due to the context
of the circuit raised in section~\ref{subsec:invamp2}. of the circuit raised in section~\ref{subsec:invamp2}.
\clearpage \clearpage
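Review bot: "a three stages hierarchy" should be "a three-stage hierarchy" (unchanged on both sides of this hunk). In the un-observability sentence, "Were this failure to have safety implications, this FMMD analysis will have revealed" mixes the subjunctive "Were" with the future "will have"; "would have revealed" agrees with "Were".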
@ -1469,7 +1470,7 @@ and this follows the signal flow in the filter circuit (see figure~\ref{fig:bloc
As the signal has to pass though each block/stage As the signal has to pass through each block/stage
in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg} in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg}
in order to get a failure mode model for the whole circuit. in order to get a failure mode model for the whole circuit.
We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}. We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}.
@ -1652,7 +1653,7 @@ $$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$
The non-inverting buffer {\fg}, is comprised of one component, an op-amp. The non-inverting buffer {\fg}, is comprised of one component, an op-amp.
We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group. We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group.
% GARK % GARK
We can express the failure modes for the ono-inverting buffer ($NIBUFF$) thus: We can express the failure modes for the non-inverting buffer ($NIBUFF$) thus:
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
%Because we obtain the failure modes for $NIBUFF$ from the literature, %Because we obtain the failure modes for $NIBUFF$ from the literature,
@ -1696,8 +1697,8 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
% %
The detail of the FMMD analysis can be found in section~\ref{detail:BUBOSC1}. The detail of the FMMD analysis can be found in section~\ref{detail:BUBOSC1}.
Applying $fm$ to the bubba oscillator Applying $fm$ to the Bubba oscillator
returns three failure modes, returns two failure modes,
% %
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$
% %
@ -1715,7 +1716,7 @@ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$
%of $468$ failure modes to check against components. %of $468$ failure modes to check against components.
%However, %However,
The analysis here appears top-heavy; we should be able to refine the model more The analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy. and break this down into smaller functional groups by allowing more stages of hierarchy.
%and hopefully %and hopefully
%this should lead a further reduction in the complexity comparison figure. %this should lead a further reduction in the complexity comparison figure.
By decreasing the size of the modules with further refinement, By decreasing the size of the modules with further refinement,
@ -1869,7 +1870,7 @@ gives a valid result.
However, it involves a large reasoning distance, the final stage However, it involves a large reasoning distance, the final stage
having 24 failure modes to consider against each of the other seven {\dcs}. having 24 failure modes to consider against each of the other seven {\dcs}.
A finer grained approach produces more potentially re-usable {\dcs} and A finer grained approach produces more potentially re-usable {\dcs} and
involves a several stages with lower reasoning distances. involves several stages with lower reasoning distances.
@ -2005,7 +2006,7 @@ It therefore has the failure modes of an Op-amp.
% \end{table} % \end{table}
This is an OpAmp in a signal buffer configuration. This is an OpAmp in a signal buffer configuration.
As it is performing one particular function As it is performing one particular function
we my consider it as a derived component, that of a High Impedance Signal Buffer (HISB). we may consider it as a derived component, that of a High Impedance Signal Buffer (HISB).
This is analysed using FMMD in section~\ref{detail:HISB}. This is analysed using FMMD in section~\ref{detail:HISB}.
% %
We create the {\dc} $HISB$ and its failure modes may be stated as $$fm(HISB) = \{HIGH, LOW, NOOP, LOW_{SLEW} \}.$$ We create the {\dc} $HISB$ and its failure modes may be stated as $$fm(HISB) = \{HIGH, LOW, NOOP, LOW_{SLEW} \}.$$
@ -2017,7 +2018,7 @@ Digital level to analogue level conversion is performed by IC3 in conjunction wi
The potential divider provides a mid rail reference voltage The potential divider provides a mid rail reference voltage
to the inverting input of IC3. to the inverting input of IC3.
\paragraph{Potential divider Formed by R3,R4.} \paragraph{Potential divider formed by R3,R4.}
We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$ We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$
to represent the potential divider formed by R3 and R4. to represent the potential divider formed by R3 and R4.
%Because PD is a derived component, we can denote this %Because PD is a derived component, we can denote this
@ -2115,7 +2116,7 @@ and make a complete failure mode for the {\sd}.
\subsubsection{{\fg} $HISB$ and $SUMJINT$} \subsubsection{Buffered Integrating Summing Junction (BISJ): {\fg} of $HISB$ and $SUMJINT$}
We now form a {\fg} with the two derived components $HISB$ and $SUMJINT$. We now form a {\fg} with the two derived components $HISB$ and $SUMJINT$.
This forms a buffered integrating summing junction. We analyse this using FMMD This forms a buffered integrating summing junction. We analyse this using FMMD
@ -2136,7 +2137,7 @@ $$ fm(BISJ) = \{ OUTPUT STUCK , REDUCED\_INTEGRATION \} . $$
\subsubsection{{\fg} $DL2AL$ and $DIGBUF$} \subsubsection{Flip Flop Buffer (FFB): {\fg} of $DL2AL$ and $DIGBUF$}
%$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$ %$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$ %$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$

View File

@ -72,7 +72,7 @@ we form a complete failure mode hierarchy of the system under investigation.
Software written for safety critical systems is usually constrained to Software written for safety critical systems is usually constrained to
be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}. be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}.
Because of this we can assume direct call trees~\footnote{A typical embedded system Because of this we can assume direct call trees~\footnote{A typical embedded system
will have a run time call tree, and (possibly multiple) interrupt sourced call tress.}. Functions call functions will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions
from the top down and eventually call the lowest level library or IO from the top down and eventually call the lowest level library or IO
functions that interact with hardware/electronics. functions that interact with hardware/electronics.
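Review bot: "direct call trees~\footnote{...}" puts a non-breaking space before the footnote mark; the mark should attach directly to the word ("call trees\footnote{...}"). "non recursive" should also be hyphenated as "non-recursive". The "tress" to "trees" fix inside the footnote is right.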
@ -137,19 +137,22 @@ In pure contract programming, a violation of a pre-condition would cause the fun
In implementation code, a pre-condition violation should cause In implementation code, a pre-condition violation should cause
an error to be generated, and thus a post condition to fail. an error to be generated, and thus a post condition to fail.
% %
A function can fail for reasons other than the A function can fail for reasons other than corruption of its input data (i.e.
failure of one the variables/inputs or functions that it calls. failure caused by variables it uses or return values from functions it calls).
%
Variables can become corrupted, by radiation affecting RAM~\cite{5488118,5963919} or Variables can become corrupted, by radiation affecting RAM~\cite{5488118,5963919} or
by another software function erroneously overwriting variables~\cite{swseatbelt}. by another software function erroneously overwriting variables~\cite{swseatbelt}.
%
Current work on software FMEA generally focuses on mapping Current work on software FMEA generally focuses on mapping
variable corruption to failure modes~\cite{procsfmea,procsfmeadb,sfmeaauto,sfmea}. variable corruption to failure modes~\cite{procsfmea,procsfmeadb,sfmeaauto,sfmea}.
However, errors other than variable corruption can occur, However, errors other than variable corruption can occur.
for instance a microprocessor may have subtle bugs in its instruction set, or For instance a microprocessor may have subtle bugs in its instruction set, or
incorrectly handled incorrectly handled
interrupt contention which could cause side effects in software. interrupt contention which could cause side effects in software.
For the failure mode model of any software function, For the failure mode model of any software function,
we must consider all failure modes of post condition we must consider that all failure modes defined by post condition
violations as well as those caused by `components'. violations could simply occur.
%`components'.
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
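Review bot: the rewritten closing sentence, "we must consider that all failure modes defined by post condition violations could simply occur", loses the point the old text made: post-condition violations have to be considered in addition to failures caused by the `components' the function uses, and with `components' now commented out the paragraph no longer ties back to the hierarchy model. Suggest "we must treat every post-condition violation as a failure mode of the function, in addition to those caused by the failure modes of the components (hardware or called functions) it uses". The new opening parenthesis "(i.e. failure caused by variables it uses or return values from functions it calls)" is also a definition of exactly the input-data corruption the sentence is excluding, so it reads as if it contradicts itself; "other than corruption of the variables it uses or of the return values of functions it calls" says it directly.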
@ -169,7 +172,7 @@ and this is referred to as {\ft} signalling.
% %
{\ft} signalling has intrinsic electrical safety advantages. {\ft} signalling has intrinsic electrical safety advantages.
% %
Because the current in a loop is constant~\cite{aoe}[p.20] Because the current in a loop is constant~\cite{aoe}[p.20],
resistance in the wires between the source and receiving end is not an issue resistance in the wires between the source and receiving end is not an issue
that can alter the accuracy of the signal. that can alter the accuracy of the signal.
% %
@ -201,7 +204,7 @@ The diagram in figure~\ref{fig:ftcontext}, shows some equipment which is sending
signal to a micro-controller system. signal to a micro-controller system.
The signal is locally driven over a load resistor, and then read into the micro-controller via The signal is locally driven over a load resistor, and then read into the micro-controller via
an ADC and its multiplexer. an ADC and its multiplexer.
With the voltage determined at the ADC we read the intended quantitative With the voltage determined at the ADC, we read the intended quantitative
value from the external equipment. value from the external equipment.
\section{Simple Software Example: Reading a \ft input into software} \section{Simple Software Example: Reading a \ft input into software}
@ -214,7 +217,7 @@ Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read
from an ADC into the software. from an ADC into the software.
Let us define any value outside the 4mA to 20mA range as an error condition. Let us define any value outside the 4mA to 20mA range as an error condition.
% %
As we read a voltage voltage, we use Ohms law~\cite{aoe} to determine the mA current detected: $V=IR$, $0.004A * \ohms{220} = 0.88V$ As we read a voltage, we use Ohms law~\cite{aoe} to determine the mA current detected: $V=IR$, $0.004A * \ohms{220} = 0.88V$
and $0.020A * \ohms{220} = 4.4V$. and $0.020A * \ohms{220} = 4.4V$.
% %
Our acceptable voltage range is therefore Our acceptable voltage range is therefore
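Review bot: "Ohms law" should be "Ohm's law", and in the two calculations the "*" in math mode typesets as a literal asterisk while "A" and "V" come out as italic variables; write $0.004\,\mathrm{A} \times 220\,\Omega = 0.88\,\mathrm{V}$ (or put the document's \ohms macro inside \text{}) and likewise for the 4.4V case. The arithmetic itself is fine: 0.004 × 220 = 0.88 and 0.020 × 220 = 4.4.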
@ -452,7 +455,7 @@ create a {\dc} to represent this called, $CMATV$.
%We can express this using the `$\derivec$' function thus: %We can express this using the `$\derivec$' function thus:
%$$ CMATV = \; \derivec (G_1) .$$ %$$ CMATV = \; \derivec (G_1) .$$
As its failure modes, are the symptoms of failure from the functional group we state: As its failure modes are the symptoms of failure from the functional group we state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$ $$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$
@ -484,7 +487,7 @@ by stating:
$$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$ $$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$
As we have a failure mode model for our function, we use it in conjunction with As we have a failure mode model for our function, we use it in conjunction
with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$. with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$.
% %
We analyse this hardware/software combined {\fg}. We analyse this hardware/software combined {\fg}.
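Review bot: the set on the last changed line names the hardware {\dc} as CMSTV, "$G_2 =\{ CMSTV, Read\_ADC \}$", whereas the sentence it belongs to and the definition "fm ( CMATV )" in the previous hunk call it CMATV; the typo is on both sides and the rewrap was the chance to fix it. Minor: "CMATV" in the prose is set in roman while the same identifier is in math mode everywhere else ($CMATV$).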
@ -668,7 +671,8 @@ reasoning stage.
Each reasoning stage will have an associated analysis report. Each reasoning stage will have an associated analysis report.
% %
With traditional FMEA methods the reasoning~distance is large, because With traditional FMEA methods the reasoning~distance is large, because
it stretches from the component failure mode to the top---or---system level failure. it stretches from the component failure mode to the %top---or---system
top or system level failure.
For this reason applying traditional FMEA to software stretches For this reason applying traditional FMEA to software stretches
the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is
performed separately from HFMEA~\cite{sfmea,sfmeaa}, additionally even the software/hardware performed separately from HFMEA~\cite{sfmea,sfmeaa}, additionally even the software/hardware
@ -720,7 +724,7 @@ Using FMMD we can determine an accurate failure model for the interface as well~
It is desirable to model a complete standalone system with FMMD. It is desirable to model a complete standalone system with FMMD.
Not only a standalone system, but ideally a hybrid software/hardware system. Not only a standalone system, but ideally a hybrid software/hardware system.
Temperature control is a first order differential problem, and is often Temperature control is a first order differential problem, and is often
addressed using the Proportional Integral differential (PID) algorithm~\cite{dcods}[p.66]. addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66].
Traditionally this was performed in analogue electronics Traditionally this was performed in analogue electronics
with trimmer potentiometers providing the P and I parameters. with trimmer potentiometers providing the P and I parameters.
Since the introduction of micro-processors, it has been possible to Since the introduction of micro-processors, it has been possible to
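Review bot: the capitalisation fix keeps a wrong expansion: PID stands for Proportional Integral Derivative, not "Differential". Suggest "Proportional Integral Derivative (PID) algorithm~\cite{dcods}[p.66]". The preceding "first order differential problem" is a separate statement and can stay as it is.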
@ -822,9 +826,11 @@ this is clearly going to be the monitor function.
\paragraph{Software Algorithm.} \paragraph{Software Algorithm.}
The monitor function will orchestrate the control process. The monitor function will orchestrate the control process.
Firstly it will examine the timer value, and when appropriate, call the PID function, which will call first Firstly it will examine the timer value, and when appropriate, call the PID function.
the determine\_set\_point\_error function with that calling convert\_ADC\_to\_T The PID function call
which calls Read\_ADC (the function developed in the earlier example). determine\_set\_point\_error and that calls convert\_ADC\_to\_T
which calls Read\_ADC (the function developed in the earlier example)
which reads from physical hardware.
% %
With the set point error value the PID function will return With the set point error value the PID function will return
output control value to its calling output control value to its calling
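Review bot: "The PID function call determine\_set\_point\_error" needs "calls". Since the call chain is now split over three lines, it reads more clearly as one sentence: "The PID function calls determine\_set\_point\_error, which calls convert\_ADC\_to\_T, which calls Read\_ADC (the function developed in the earlier example), which reads from physical hardware."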
@ -835,7 +841,7 @@ demand which will be returned to the monitor function).
The PID demand value will be applied via the PWM. The PID demand value will be applied via the PWM.
We now have a rudimentary closed loop control system incorporating both hardware and software. We now have a rudimentary closed loop control system incorporating both hardware and software.
% %
By using the Yourdon methodology we the programmatic design --- or call tree --- defined. By using the Yourdon methodology we obtain a the programmatic design i.e. we define a call tree structure.
% %
We now have all the components, i.e. hardware elements and software functions We now have all the components, i.e. hardware elements and software functions
that will be used in the temperature controller. that will be used in the temperature controller.
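Review bot: "we obtain a the programmatic design" has a stray article; suggest "By using the Yourdon methodology we obtain the programmatic design, i.e.\ we define a call tree structure."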
@ -874,7 +880,7 @@ The internal timer in use is a register which when read
returns an incremented time value. returns an incremented time value.
Using two's complement mathematics, by subtracting Using two's complement mathematics, by subtracting
the time we last read it, we can calculate the interval the time we last read it, we can calculate the interval
between readings (assuming the timer has not completely wrapped around). between readings (assuming the timer has not wrapped around more then once).
We can say that a timer can fail by We can say that a timer can fail by
incrementing its value at an incorrect rate, or can stop incrementing. incrementing its value at an incorrect rate, or can stop incrementing.
$$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$ $$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$
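Review bot: "more then once" should be "more than once". The condition is also worth stating precisely: two's complement (modular) subtraction of the previous reading yields the correct interval whenever that interval is shorter than the timer's full period, i.e. the counter has wrapped at most once between readings; "(assuming the interval is shorter than the timer's period, so the timer has wrapped at most once)" says what the assumption actually is.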
@ -896,7 +902,7 @@ an unsigned magnitude value to~\cite{pic182523}[Ch.15].
The PWM hardware module The PWM hardware module
applies this using a mark space ratio proportional to that value, providing applies this using a mark space ratio proportional to that value, providing
a means of varying the amount of power supplied. a means of varying the amount of power supplied.
When the PWM action is halted, or fails, the digital output pin associated with it, When the PWM action is halted, or fails, the digital output pin associated with it
will typically be held in a high or low state. will typically be held in a high or low state.
We therefore state: We therefore state:
$$ fm(PWM) = \{ HIGH, LOW \}.$$ $$ fm(PWM) = \{ HIGH, LOW \}.$$
@ -905,7 +911,7 @@ $$ fm(PWM) = \{ HIGH, LOW \}.$$
The Micro controller is a complex piece of highly integrated electronics. The Micro controller is a complex piece of highly integrated electronics.
Typically, along with a micro-processor with PROM and RAM, they have many I/O modules including UARTS, PWM, ADCMUX, CAN Typically, along with a micro-processor with PROM and RAM, they have many I/O modules including UARTS, PWM, ADCMUX, CAN
General I/O and interrupt lines to name but a few. General I/O and interrupt lines to name but a few.
In this project we are using the ADCMUX, TIMER, PWM and the general purpose computing facilities. In this project we are using the ADCMUX, TIMER, PWM and general purpose computing facilities.
We have to therefore consider the general~computing, CLOCK, PROM and RAM failure modes. We have to therefore consider the general~computing, CLOCK, PROM and RAM failure modes.
$$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED \}.$$ $$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED \}.$$
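Review bot: in "$$fm (micro-controller) = ...$$" the hyphen is in math mode, so "micro-controller" typesets as the italic product of the letters m,i,c,r,o minus c,o,n,t,r,o,l,l,e,r; use \mathit{MicroController} or \text{micro-controller} inside the display. In the list of I/O modules, "CAN General I/O" is missing a comma after "CAN", and "We have to therefore consider" reads better as "We therefore have to consider".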
@ -934,6 +940,7 @@ This gives us a {\dc} which we call ReadPt100.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table \caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table
\label{tbl:readPt100} \label{tbl:readPt100}
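Review bot: the inserted \center is the internal macro that \begin{center} expands to; it opens a trivlist that is never closed here. Inside a float the correct command is \centering, which the tables in the first file of this commit already use. Suggest replacing \center with \centering in this table and in the identical insertion made below to the Get\_Temperature, GetError, PID, HeaterOutput, LEDOutput and standalone temperature controller tables.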
@ -977,13 +984,13 @@ $$ fm (Read\_Pt100) = \{ VOLTAGE\_HIGH, VAL\_ERR, VOLTAGE\_LOW \}. $$
We move along the afferent flow, and we come to the convert\_ADC\_to\_T function. We move along the afferent flow, and we come to the convert\_ADC\_to\_T function.
This will call Read\_ADC twice, one for the high Pt100 value, again for the lower. % and once for to read a current sense. This will call Read\_ADC twice, one for the high Pt100 value, again for the lower. % and once for to read a current sense.
We then, calculate the resistance of the Pt100 element, and with this---using a We then, calculate the resistance of the Pt100 element, and with this---using a
polynomial or a lookup table~\cite{eurothermtables}---and calculate the temperature. polynomial or a lookup table~\cite{eurothermtables}---calculate the temperature.
The pre-conditions for the function are that: The pre-conditions for the function are that:
\begin{itemize} \begin{itemize}
% \item The current calculated is within pre-defined bounds i.e. Pt100\_current, % \item The current calculated is within pre-defined bounds i.e. Pt100\_current,
\item The lower Pt100 value is within an acceptable voltage range i.e. Pt100\_lower\_voltage, \item The lower Pt100 value is within an acceptable voltage range i.e. Pt100\_lower\_voltage,
\item The higher Pt100 value is within an acceptable voltage range i.e. Pt100\_higher\_voltage, \item The higher Pt100 value is within an acceptable voltage range i.e. Pt100\_higher\_voltage,
\item The Lower and higher values agree to within a given tolerance i.e. Pt100\_high\_low\_mismatch. \item The lower and higher values agree to within a given tolerance i.e. Pt100\_high\_low\_mismatch.
\end{itemize} \end{itemize}
Any violation of these pre-conditions is equivalent to a failure mode. Any violation of these pre-conditions is equivalent to a failure mode.
Note that a temperature outside the pre-defined range will also cause these errors. Note that a temperature outside the pre-defined range will also cause these errors.
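Review bot: "This will call Read\_ADC twice, one for the high Pt100 value, again for the lower" should read "once for the high Pt100 value and again for the lower", and "We then, calculate" has a stray comma. The em-dash fix on the right is correct; the "Lower" to "lower" change in the third \item is right too.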
@ -996,6 +1003,7 @@ We can call the resulting {\dc} Get\_Temperature.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table \caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table
\label{tbl:gettemperature} \label{tbl:gettemperature}
@ -1066,6 +1074,7 @@ an incorrect error value.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ GetError: Failure Mode Effects Analysis} % title of Table \caption{ GetError: Failure Mode Effects Analysis} % title of Table
\label{tbl:geterror} \label{tbl:geterror}
@ -1129,6 +1138,7 @@ being the logic and process of the failure mode analysis.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ PID: Failure Mode Effects Analysis} % title of Table \caption{ PID: Failure Mode Effects Analysis} % title of Table
\label{tbl:pidfunction} \label{tbl:pidfunction}
@ -1191,6 +1201,7 @@ to implement the power output demand.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table \caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:heateroutput} \label{tbl:heateroutput}
@ -1269,6 +1280,7 @@ We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}.
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table \caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:ledoutput} \label{tbl:ledoutput}
@ -1355,6 +1367,7 @@ The post condition for the monitor function is that it implements the PID contro
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table \caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table
\label{tbl:pid} \label{tbl:pid}
@ -1445,7 +1458,7 @@ by electronics we can apply reliability statistics.
% %
For software errors, we could, if necessary provide extra functions to provide self checking. For software errors, we could, if necessary provide extra functions to provide self checking.
We could follow EN61508 high reliability software measures such as We could follow EN61508 high reliability software measures such as
duplication of functions whith checking functions arbitrating them (diverse programming~\cite{en61508}[C.3.5]). duplication of functions with checking functions arbitrating them (diverse programming~\cite{en61508}[C.3.5]).
% %
We could for instance validate the processor clocking with an external watchdog and a simple We could for instance validate the processor clocking with an external watchdog and a simple
communications protocol. For PROM and RAM faults we can implement measures such as checksums communications protocol. For PROM and RAM faults we can implement measures such as checksums