From 6b27b0f3f27488343be0047d0e409937a6d63a98 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Fri, 15 Mar 2013 20:12:21 +0000 Subject: [PATCH] moved FMMD tables to appendix --- .../CH6_Software_Examples/software.tex | 304 +--------------- .../appendixes/detailed_analysis.tex | 327 ++++++++++++++++++ 2 files changed, 330 insertions(+), 301 deletions(-) diff --git a/submission_thesis/CH6_Software_Examples/software.tex b/submission_thesis/CH6_Software_Examples/software.tex index f74866c..057385e 100644 --- a/submission_thesis/CH6_Software_Examples/software.tex +++ b/submission_thesis/CH6_Software_Examples/software.tex @@ -972,43 +972,7 @@ Starting at the bottom, we form a {\fg} with the function read\_ADC and the Pt100. This gives us a {\dc} which we call ReadPt100. % -{ -\tiny -\begin{table}[h+] -\center -\caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table -\label{tbl:readPt100} -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $RI_{VRGE}$ & voltage & $VOLTAGE\_HIGH$ \\ - & outside range & \\ \hline - - FC2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\ - & incorrect & \\ \hline \hline - - - - FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ - & incorrect & \\ \hline - - - - FC4: $RADC_{LOW}$ & ADC may read & $VOLTAGE\_LOW$ \\ \hline - - FC5: post condition fails & software failure & $VAL\_ERR$ \\ - in function read\_ADC & read\_ADC & \\ \hline - -\end{tabular} -\end{table} -} % The {\dc} Read\_Pt100 is a failure mode model of the Read\_ADC function and the Pt100 hardware, and has the following failure modes: 
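Review bot: The Read\_Pt100 table is removed here, but the sentence that points the reader to its appendix copy is added in the next hunk, after the Get\_Temperature paragraph, where `The analysis is presented in table~\ref{tbl:readPt100}.` reads as if it referred to Get\_Temperature rather than Read\_Pt100. Move that sentence into this hunk, directly after `This gives us a {\dc} which we call ReadPt100.`, and drop it from the Get\_Temperature paragraph so that each {\dc} paragraph references its own table. While moving it, the prose name `ReadPt100` and the caption/label name `Read\_Pt100` could be aligned, as both forms appear in the surrounding context. The paragraph run continues outside the hunk.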
@@ -1033,59 +997,9 @@ The postcondition is that it returns a temperature within a given tolerance to t A failure of this post-condition can be termed temp\_incorrect. \clearpage We apply FMMD to the {\fg} formed by Read\_Pt100 and the function convert\_ADC\_to\_T. -We can call the resulting {\dc} Get\_Temperature. +We can call the resulting {\dc} Get\_Temperature. This analysis is presented in table~\ref{tbl:gettemperature}. +The analysis is presented in table~\ref{tbl:readPt100}. -{ -\tiny -\begin{table}[h+] -\center -\caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table -\label{tbl:gettemperature} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $Pt100:Voltage\_High$ & Pt100 voltage too high & Pt100\_out\_of\_range \\ - & Pt100\_higher\_voltage & \\ - & OR Pt100\_current & \\ \hline - - FC2: $Pt100:Voltage\_Low$ & Pt100 voltage too low & Pt100\_out\_of\_range \\ - & Pt100\_lower\_voltage & \\ - & OR Pt100\_current & \\ \hline - - - - - FC3: $Pt100\_high\_low\_mismatch$ & temperature can be calculated & Pt100\_out\_of\_range \\ - & from either high or low & \\ - & reading, but should correlate & \\ \hline - - -% FC4: $Pt100\_current$ & the current applied is & Pt100\_out\_of\_range \\ -% & necessary to calculate resistance, & \\ -% & but should be within given bounds & \\ \hline -% -% - - FC4: $Pt100:VAL\_ERR$ & could cause an out of & temp\_incorrect\\ - & range error, but may also & \\ - & cause us to read an & \\ - & incorrect temperature & \\ \hline - - FC5: post condition fails & software failure & temp\_incorrect \\ - in function convert\_ADC\_to\_T & convert\_ADC\_to\_T & \\ \hline - - \hline - -\end{tabular} -\end{table} -} We collect the failure symptoms 
for the {\dc} Get\_Temperature and can state: @@ -1103,40 +1017,9 @@ is accurate, and its post condition is to return the correct control error value Most failure modes from a Pt100 are observable. we can divide the post condition into two variants, a known incorrect error value, KnownIncorrectErrorValue where we can detect the Pt100 value is suspect, and IncorrectErrorValue where we simply have -an incorrect error value. +an incorrect error value. This analysis is presented in table~\ref{tbl:geterror}. -{ -\tiny -\begin{table}[h+] -\center -\caption{ GetError: Failure Mode Effects Analysis} % title of Table -\label{tbl:geterror} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $ Pt100\_out\_of\_range $ & pre-condition violated & KnownIncorrectErrorValue \\ - & observable/detectable & \\ - & failure mode & \\ \hline - - FC2: $temp\_incorrect$ & pre-condition violated & IncorrectErrorValue \\ - & unobservable & \\ - & undetectable failure mode & \\ \hline - - FC3: post condition fails & software failure & IncorrectErrorValue \\ - in function determine\_set\_point\_error & determine\_set\_point\_error & \\ \hline - - -\end{tabular} -\end{table} -} We collect failure mode symptoms, and can create a new {\dc} GetError 
@@ -1170,38 +1053,6 @@ This harks back to the context of use (see section~\ref{sec:subjectiveobjective} being the context the {\dc} is used for/in, and the objective being the logic and process of the failure mode analysis. -{ -\tiny -\begin{table}[h+] -\center -\caption{ PID: Failure Mode Effects Analysis} % title of Table -\label{tbl:pidfunction} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $ KnownIncorrectErrorValue $ & pre-condition violated & KnownControlValueErrorV \\ - & observable/detectable & \\ - & failure mode & \\ \hline - - FC2: $ IncorrectErrorValue $ & pre-condition violated & IncorrectControlErrorV \\ - & unobservable & \\ - & undetectable failure mode & \\ \hline - - - FC3: post condition fails & software failure & IncorrectControlErrorV \\ - in function PID & PID & \\ \hline - - -\end{tabular} -\end{table} -} We now create a PID {\dc}, with the following failure modes: 
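Review bot: The PID table is moved to the appendix without any `\ref{tbl:pidfunction}` being added to the chapter text, so, at least within the hunks shown, nothing points the reader to it; the same gap applies to `tbl:heateroutput` in the next hunk and to `tbl:pid` in the last software.tex hunk, whereas the earlier hunks do add such a sentence. Add `This analysis is presented in table~\ref{tbl:pidfunction}.` after `...the logic and process of the failure mode analysis.` and the equivalent sentence in the other two hunks. The LEDOutput hunk needs nothing because its context already reads `We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}.`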
@@ -1233,46 +1084,6 @@ configured and working, and has the correct clock frequency. The post condition is that it sets the correct value into the PWM register to implement the power output demand. -{ -\tiny -\begin{table}[h+] -\center -\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table -\label{tbl:heateroutput} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\ - & PWM module not working & \\ \hline - - - FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\ - & PWM module not working & \\ \hline - - - - FC3: HEATER $SHORT$ & heating element resistor & HeaterOff \\ - & SHORT no heating effect & \\ \hline - - - FC4: HEATER $OPEN $ & heating element resistor & HeaterOff \\ - & OPEN no heating effect & \\ \hline - - FC5: $ output\_control$ post & The software supplies the wrong & HeaterOutputIncorrect \\ - condition failure & value to the PWM register & \\ \hline - - - -\end{tabular} -\end{table} -} We now create a {\dc} called HeaterOutput with the following failure modes: 
@@ -1312,46 +1123,6 @@ We form a {\fg} from the GPIO, the LEDs and the software function setLEDs. % We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}. -{ -\tiny -\begin{table}[h+] -\center -\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table -\label{tbl:ledoutput} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\ - & & \\ \hline - - - FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\ - & & \\ \hline - - FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\ - & & \\ \hline - - FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ \hline - - - FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline - - - FC6: Software SetLEDs & Incorrect Indication & IndicationError \\ - fails to set outputs correctly & Post condition failure & \\ \hline - - - -\end{tabular} -\end{table} -} 
@@ -1398,75 +1169,6 @@ determined previously: The post condition for the monitor function is that it implements the PID control task correctly. - -{ -\tiny -\begin{table}[h+] -\center -\caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table -\label{tbl:pid} - -\begin{tabular}{|| l | c | l ||} \hline -% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ -% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline - \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ - - - \hline - FC1: PID KnownControlValueError & As error is detectable/ & ControlFailureIndicated \\ - & observable error can be indicated & \\ \hline - - - FC2: PID IncorrectControlerrorV & undetectable/unobservable & ControlFailure \\ - & failure PID will not control properly & \\ \hline - - FC3: HeaterOutput & Heater will constantly & ControlFailureIndicated \\ - HeaterOnFULL & apply maximum power & \\ \hline - - FC4: HeaterOutput & heater will supply & ControlFailureIndicated \\ \hline - HeaterOFF & no power & \\ - - FC5: HeaterOutput & with incorrect hower applied & ControlFailure \\ \hline - HeaterOutputIncorrect & control will not be effective & \\ - - FC6: LEDOutput & failure of LED system & KnownIndicationError \\ - FailureIndicated & where failure is observable & \\ \hline - - FC7: LEDOutput & failure of LED system & UnknownIndicationError \\ - IndicationError & where failure is unobservable & \\ \hline - - - %% PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED - - - FC8: micro-controller & un-defined behaviour & ControlFailure \\ - PROM\_FAULT & & \\ \hline - - FC9: micro-controller & un-defined behaviour & ControlFailure \\ - RAM\_FAULT & & \\ \hline - - FC10: micro-controller & un-defined behaviour & ControlFailure \\ - CPU\_FAULT & & \\ \hline - - FC11: micro-controller & incorrect arithmetic & ControlFailure \\ - ALU\_FAULT & performed in 
processing & \\ \hline - - FC12: micro-controller & processor will not run & ControlFailureIndicated \\ - CLOCK\_STOPPED & indicator leds will not flash & \\ \hline - - FC13: monitor: & postcondition fails & ControlFailure \\ - software fails & & \\ \hline - - - \hline - - -\end{tabular} -\end{table} -} - We can now create a {\dc} for the standalone temperature controller, and give it the name TempController. It will have the following failure modes: diff --git a/submission_thesis/appendixes/detailed_analysis.tex b/submission_thesis/appendixes/detailed_analysis.tex index 38d397f..3ad93f9 100644 --- a/submission_thesis/appendixes/detailed_analysis.tex +++ b/submission_thesis/appendixes/detailed_analysis.tex 
@@ -480,3 +480,330 @@ $$ \; \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}.$$ We can now create a {\dc} to represent the analogue to digital converter, $SDADC$. $$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$ + + + + +\section{Standalone temperature controller} +FMMD analysis tables from chapter~\ref{sec:chap6}. + +\subsection{Read\_Pt100: Failure Mode Effects Analysis} +{ +\tiny +\begin{table}[h+] +\center +\caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table +\label{tbl:readPt100} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $RI_{VRGE}$ & voltage & $VOLTAGE\_HIGH$ \\ + & outside range & \\ \hline + + FC2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\ + & incorrect & \\ \hline \hline + + + + FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ + & incorrect & \\ \hline + + + + FC4: $RADC_{LOW}$ & ADC may read & $VOLTAGE\_LOW$ \\ \hline + + FC5: post condition fails & software failure & $VAL\_ERR$ \\ + in function read\_ADC & read\_ADC & \\ \hline + +\end{tabular} +\end{table} +} + + +\subsection{ Get\_Temperature: Failure Mode Effects Analysis } + +{ +\tiny +\begin{table}[h+] +\center +\caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table +\label{tbl:gettemperature} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $Pt100:Voltage\_High$ & Pt100 voltage too high & Pt100\_out\_of\_range \\ + & Pt100\_higher\_voltage & \\ + & OR Pt100\_current & \\ \hline + + 
FC2: $Pt100:Voltage\_Low$ & Pt100 voltage too low & Pt100\_out\_of\_range \\ + & Pt100\_lower\_voltage & \\ + & OR Pt100\_current & \\ \hline + + + + + FC3: $Pt100\_high\_low\_mismatch$ & temperature can be calculated & Pt100\_out\_of\_range \\ + & from either high or low & \\ + & reading, but should correlate & \\ \hline + + +% FC4: $Pt100\_current$ & the current applied is & Pt100\_out\_of\_range \\ +% & necessary to calculate resistance, & \\ +% & but should be within given bounds & \\ \hline +% +% + + FC4: $Pt100:VAL\_ERR$ & could cause an out of & temp\_incorrect\\ + & range error, but may also & \\ + & cause us to read an & \\ + & incorrect temperature & \\ \hline + + FC5: post condition fails & software failure & temp\_incorrect \\ + in function convert\_ADC\_to\_T & convert\_ADC\_to\_T & \\ \hline + + \hline + +\end{tabular} +\end{table} +} +\subsection{ GetError: Failure Mode Effects Analysis } + +{ +\tiny +\begin{table}[h+] +\center +\caption{ GetError: Failure Mode Effects Analysis} % title of Table +\label{tbl:geterror} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ Pt100\_out\_of\_range $ & pre-condition violated & KnownIncorrectErrorValue \\ + & observable/detectable & \\ + & failure mode & \\ \hline + + FC2: $temp\_incorrect$ & pre-condition violated & IncorrectErrorValue \\ + & unobservable & \\ + & undetectable failure mode & \\ \hline + + FC3: post condition fails & software failure & IncorrectErrorValue \\ + in function determine\_set\_point\_error & determine\_set\_point\_error & \\ \hline + + +\end{tabular} +\end{table} +} + +\subsection{PID: Failure Mode Effects Analysis} +{ +\tiny +\begin{table}[h+] +\center +\caption{ PID: Failure Mode Effects Analysis} % 
title of Table +\label{tbl:pidfunction} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ KnownIncorrectErrorValue $ & pre-condition violated & KnownControlValueErrorV \\ + & observable/detectable & \\ + & failure mode & \\ \hline + + FC2: $ IncorrectErrorValue $ & pre-condition violated & IncorrectControlErrorV \\ + & unobservable & \\ + & undetectable failure mode & \\ \hline + + + FC3: post condition fails & software failure & IncorrectControlErrorV \\ + in function PID & PID & \\ \hline + + +\end{tabular} +\end{table} +} + +\subsection{ HeaterOutput: Failure Mode Effects Analysis } + + +{ +\tiny +\begin{table}[h+] +\center +\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table +\label{tbl:heateroutput} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\ + & PWM module not working & \\ \hline + + + FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\ + & PWM module not working & \\ \hline + + + + FC3: HEATER $SHORT$ & heating element resistor & HeaterOff \\ + & SHORT no heating effect & \\ \hline + + + FC4: HEATER $OPEN $ & heating element resistor & HeaterOff \\ + & OPEN no heating effect & \\ \hline + + FC5: $ output\_control$ post & The software supplies the wrong & HeaterOutputIncorrect \\ + condition failure & value to the PWM register & \\ \hline + + + +\end{tabular} +\end{table} +} + + +\subsection{ LEDOutput: 
Failure Mode Effects Analysis } + + +{ +\tiny +\begin{table}[h+] +\center +\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table +\label{tbl:ledoutput} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + + FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ \hline + + + FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline + + + FC6: Software SetLEDs & Incorrect Indication & IndicationError \\ + fails to set outputs correctly & Post condition failure & \\ \hline + + + +\end{tabular} +\end{table} +} + +\subsection{ Standalone temperature controller: Failure Mode Effects Analysis} +{ +\tiny +\begin{table}[h+] +\center +\caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table +\label{tbl:pid} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: PID KnownControlValueError & As error is detectable/ & ControlFailureIndicated \\ + & observable error can be indicated & \\ \hline + + + FC2: PID IncorrectControlerrorV & undetectable/unobservable & ControlFailure \\ + & failure PID will not control properly & \\ \hline + + FC3: HeaterOutput & Heater will constantly & ControlFailureIndicated \\ 
+ HeaterOnFULL & apply maximum power & \\ \hline + + FC4: HeaterOutput & heater will supply & ControlFailureIndicated \\ \hline + HeaterOFF & no power & \\ + + FC5: HeaterOutput & with incorrect hower applied & ControlFailure \\ \hline + HeaterOutputIncorrect & control will not be effective & \\ + + FC6: LEDOutput & failure of LED system & KnownIndicationError \\ + FailureIndicated & where failure is observable & \\ \hline + + FC7: LEDOutput & failure of LED system & UnknownIndicationError \\ + IndicationError & where failure is unobservable & \\ \hline + + + %% PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED + + + FC8: micro-controller & un-defined behaviour & ControlFailure \\ + PROM\_FAULT & & \\ \hline + + FC9: micro-controller & un-defined behaviour & ControlFailure \\ + RAM\_FAULT & & \\ \hline + + FC10: micro-controller & un-defined behaviour & ControlFailure \\ + CPU\_FAULT & & \\ \hline + + FC11: micro-controller & incorrect arithmetic & ControlFailure \\ + ALU\_FAULT & performed in processing & \\ \hline + + FC12: micro-controller & processor will not run & ControlFailureIndicated \\ + CLOCK\_STOPPED & indicator leds will not flash & \\ \hline + + FC13: monitor: & postcondition fails & ControlFailure \\ + software fails & & \\ \hline + + + \hline + + +\end{tabular} +\end{table} +} + +
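Review bot: Every moved table opens with `\begin{table}[h+]`, and `+` is not a float placement specifier, so LaTeX rejects it with an "Unknown float option" error for each of the seven tables in this section; `[htbp]` is what was meant, and the `\center` inside each float should be `\centering`, since `\center` opens a trivlist that is never explicitly closed. In the standalone controller table the FC4 and FC5 entries put `\\ \hline` on the first line of the entry and the continuation (`HeaterOFF & no power`, `HeaterOutputIncorrect & control will not be effective`) after the rule, so the rule splits one entry in two and the entry then ends without a rule; move `\hline` to the continuation lines as the other entries do. The same table has the typo `hower` for `power` in the FC5 effect column. These were carried over from software.tex unchanged, but the appendix is now the only copy, so this is the place to fix them.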