moved FMMD tables to appendix

This commit is contained in:
Robin Clark 2013-03-15 20:12:21 +00:00
parent 7eec6c8de4
commit 6b27b0f3f2
2 changed files with 330 additions and 301 deletions

View File

@ -972,43 +972,7 @@ Starting at the bottom, we form a {\fg} with
the function read\_ADC and the Pt100. the function read\_ADC and the Pt100.
This gives us a {\dc} which we call ReadPt100. This gives us a {\dc} which we call ReadPt100.
% %
{
\tiny
\begin{table}[h+]
\center
\caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table
\label{tbl:readPt100}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $RI_{VRGE}$ & voltage & $VOLTAGE\_HIGH$ \\
& outside range & \\ \hline
FC2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
FC4: $RADC_{LOW}$ & ADC may read & $VOLTAGE\_LOW$ \\ \hline
FC5: post condition fails & software failure & $VAL\_ERR$ \\
in function read\_ADC & read\_ADC & \\ \hline
\end{tabular}
\end{table}
}
% %
The {\dc} Read\_Pt100 is a failure mode model of the Read\_ADC function and the Pt100 The {\dc} Read\_Pt100 is a failure mode model of the Read\_ADC function and the Pt100
hardware, and has the following failure modes: hardware, and has the following failure modes:
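Review bot: the Read\_Pt100 table is removed here without any pointer to its new location, whereas the Get\_Temperature and GetError hunks in this same commit append "This analysis is presented in table~\ref{...}"; the sentence "This gives us a {\dc} which we call ReadPt100." should gain the same pointer to `tbl:readPt100`. The surviving context also names the derived component both "ReadPt100" and "Read\_Pt100" within a few lines; pick one spelling, and the two bare `% %` comment lines that bracketed the table can go with it.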
@ -1033,59 +997,9 @@ The postcondition is that it returns a temperature within a given tolerance to t
A failure of this post-condition can be termed temp\_incorrect. A failure of this post-condition can be termed temp\_incorrect.
\clearpage \clearpage
We apply FMMD to the {\fg} formed by Read\_Pt100 and the function convert\_ADC\_to\_T. We apply FMMD to the {\fg} formed by Read\_Pt100 and the function convert\_ADC\_to\_T.
We can call the resulting {\dc} Get\_Temperature. We can call the resulting {\dc} Get\_Temperature. This analysis is presented in table~\ref{tbl:gettemperature}.
The analysis is presented in table~\ref{tbl:readPt100}.
{
\tiny
\begin{table}[h+]
\center
\caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table
\label{tbl:gettemperature}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $Pt100:Voltage\_High$ & Pt100 voltage too high & Pt100\_out\_of\_range \\
& Pt100\_higher\_voltage & \\
& OR Pt100\_current & \\ \hline
FC2: $Pt100:Voltage\_Low$ & Pt100 voltage too low & Pt100\_out\_of\_range \\
& Pt100\_lower\_voltage & \\
& OR Pt100\_current & \\ \hline
FC3: $Pt100\_high\_low\_mismatch$ & temperature can be calculated & Pt100\_out\_of\_range \\
& from either high or low & \\
& reading, but should correlate & \\ \hline
% FC4: $Pt100\_current$ & the current applied is & Pt100\_out\_of\_range \\
% & necessary to calculate resistance, & \\
% & but should be within given bounds & \\ \hline
%
%
FC4: $Pt100:VAL\_ERR$ & could cause an out of & temp\_incorrect\\
& range error, but may also & \\
& cause us to read an & \\
& incorrect temperature & \\ \hline
FC5: post condition fails & software failure & temp\_incorrect \\
in function convert\_ADC\_to\_T & convert\_ADC\_to\_T & \\ \hline
\hline
\end{tabular}
\end{table}
}
We collect the failure symptoms for the {\dc} Get\_Temperature and can state: We collect the failure symptoms for the {\dc} Get\_Temperature and can state:
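Review bot: the rewritten reference is a bug fix as well as a relocation: the deleted line pointed the Get\_Temperature analysis at `tbl:readPt100`, and the replacement correctly points at `tbl:gettemperature`; that deserves a mention in the commit message. Separately, the `\clearpage` at the top of this hunk looks as if it was there to flush the table float; with the table now in the appendix it will just leave a largely empty page, so consider dropping it.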
@ -1103,40 +1017,9 @@ is accurate, and its post condition is to return the correct control error value
Most failure modes from a Pt100 are observable. Most failure modes from a Pt100 are observable.
we can divide the post condition into two variants, a known incorrect error value, KnownIncorrectErrorValue we can divide the post condition into two variants, a known incorrect error value, KnownIncorrectErrorValue
where we can detect the Pt100 value is suspect, and IncorrectErrorValue where we simply have where we can detect the Pt100 value is suspect, and IncorrectErrorValue where we simply have
an incorrect error value. an incorrect error value. This analysis is presented in table~\ref{tbl:geterror}.
{
\tiny
\begin{table}[h+]
\center
\caption{ GetError: Failure Mode Effects Analysis} % title of Table
\label{tbl:geterror}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ Pt100\_out\_of\_range $ & pre-condition violated & KnownIncorrectErrorValue \\
& observable/detectable & \\
& failure mode & \\ \hline
FC2: $temp\_incorrect$ & pre-condition violated & IncorrectErrorValue \\
& unobservable & \\
& undetectable failure mode & \\ \hline
FC3: post condition fails & software failure & IncorrectErrorValue \\
in function determine\_set\_point\_error & determine\_set\_point\_error & \\ \hline
\end{tabular}
\end{table}
}
We collect failure mode symptoms, and can create a new {\dc} GetError We collect failure mode symptoms, and can create a new {\dc} GetError
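Review bot: the added cross-reference in "an incorrect error value. This analysis is presented in table~\ref{tbl:geterror}." is correct, but the sentence it closes still begins lower-case in the surrounding context ("we can divide the post condition into two variants ..."); since this paragraph is being edited anyway, capitalise it. The same file also alternates between "post condition", "post-condition" and "postcondition" (see "The postcondition is that it returns" in the previous hunk), and the moved tables inherit the mix.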
@ -1170,38 +1053,6 @@ This harks back to the context of use (see section~\ref{sec:subjectiveobjective}
being the context the {\dc} is used for/in, and the objective being the context the {\dc} is used for/in, and the objective
being the logic and process of the failure mode analysis. being the logic and process of the failure mode analysis.
{
\tiny
\begin{table}[h+]
\center
\caption{ PID: Failure Mode Effects Analysis} % title of Table
\label{tbl:pidfunction}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ KnownIncorrectErrorValue $ & pre-condition violated & KnownControlValueErrorV \\
& observable/detectable & \\
& failure mode & \\ \hline
FC2: $ IncorrectErrorValue $ & pre-condition violated & IncorrectControlErrorV \\
& unobservable & \\
& undetectable failure mode & \\ \hline
FC3: post condition fails & software failure & IncorrectControlErrorV \\
in function PID & PID & \\ \hline
\end{tabular}
\end{table}
}
We now create a PID {\dc}, with the following failure modes: We now create a PID {\dc}, with the following failure modes:
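Review bot: unlike the Get\_Temperature and GetError hunks, this one removes the PID table without adding a reference to it, so "We now create a PID {\dc}, with the following failure modes:" no longer tells the reader where the analysis behind those failure modes lives; add "This analysis is presented in table~\ref{tbl:pidfunction}." before it. Note also that the label of this table, `tbl:pidfunction`, is easy to confuse with `tbl:pid`, which the commit uses for the whole-controller table.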
@ -1233,46 +1084,6 @@ configured and working, and has the correct clock frequency.
The post condition is that it sets the correct value into the PWM register The post condition is that it sets the correct value into the PWM register
to implement the power output demand. to implement the power output demand.
{
\tiny
\begin{table}[h+]
\center
\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:heateroutput}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\
& PWM module not working & \\ \hline
FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\
& PWM module not working & \\ \hline
FC3: HEATER $SHORT$ & heating element resistor & HeaterOff \\
& SHORT no heating effect & \\ \hline
FC4: HEATER $OPEN $ & heating element resistor & HeaterOff \\
& OPEN no heating effect & \\ \hline
FC5: $ output\_control$ post & The software supplies the wrong & HeaterOutputIncorrect \\
condition failure & value to the PWM register & \\ \hline
\end{tabular}
\end{table}
}
We now create a {\dc} called HeaterOutput We now create a {\dc} called HeaterOutput
with the following failure modes: with the following failure modes:
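Review bot: same gap as the PID hunk: the HeaterOutput table is removed but no `\ref{tbl:heateroutput}` is added, so the text jumps from the post condition straight to "We now create a {\dc} called HeaterOutput with the following failure modes:" with no pointer to the analysis; add "This analysis is presented in table~\ref{tbl:heateroutput}." between them.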
@ -1312,46 +1123,6 @@ We form a {\fg} from the GPIO, the LEDs and the software function setLEDs.
% %
We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}. We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}.
{
\tiny
\begin{table}[h+]
\center
\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:ledoutput}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ \hline
FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline
FC6: Software SetLEDs & Incorrect Indication & IndicationError \\
fails to set outputs correctly & Post condition failure & \\ \hline
\end{tabular}
\end{table}
}
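Review bot: this hunk is fine as it stands, because the existing sentence "We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}." survives above the removed block and the cross-reference still resolves to the appendix table; the stray `% %` comment line just above it could be dropped while here.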
@ -1398,75 +1169,6 @@ determined previously:
The post condition for the monitor function is that it implements the PID control task correctly. The post condition for the monitor function is that it implements the PID control task correctly.
{
\tiny
\begin{table}[h+]
\center
\caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table
\label{tbl:pid}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: PID KnownControlValueError & As error is detectable/ & ControlFailureIndicated \\
& observable error can be indicated & \\ \hline
FC2: PID IncorrectControlerrorV & undetectable/unobservable & ControlFailure \\
& failure PID will not control properly & \\ \hline
FC3: HeaterOutput & Heater will constantly & ControlFailureIndicated \\
HeaterOnFULL & apply maximum power & \\ \hline
FC4: HeaterOutput & heater will supply & ControlFailureIndicated \\ \hline
HeaterOFF & no power & \\
FC5: HeaterOutput & with incorrect hower applied & ControlFailure \\ \hline
HeaterOutputIncorrect & control will not be effective & \\
FC6: LEDOutput & failure of LED system & KnownIndicationError \\
FailureIndicated & where failure is observable & \\ \hline
FC7: LEDOutput & failure of LED system & UnknownIndicationError \\
IndicationError & where failure is unobservable & \\ \hline
%% PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED
FC8: micro-controller & un-defined behaviour & ControlFailure \\
PROM\_FAULT & & \\ \hline
FC9: micro-controller & un-defined behaviour & ControlFailure \\
RAM\_FAULT & & \\ \hline
FC10: micro-controller & un-defined behaviour & ControlFailure \\
CPU\_FAULT & & \\ \hline
FC11: micro-controller & incorrect arithmetic & ControlFailure \\
ALU\_FAULT & performed in processing & \\ \hline
FC12: micro-controller & processor will not run & ControlFailureIndicated \\
CLOCK\_STOPPED & indicator leds will not flash & \\ \hline
FC13: monitor: & postcondition fails & ControlFailure \\
software fails & & \\ \hline
\hline
\end{tabular}
\end{table}
}
We can now create a {\dc} for the standalone temperature controller, and give it the name TempController. We can now create a {\dc} for the standalone temperature controller, and give it the name TempController.
It will have the following failure modes: It will have the following failure modes:
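Review bot: the standalone-controller table is removed without any `\ref{tbl:pid}` being added, so "We can now create a {\dc} for the standalone temperature controller ... It will have the following failure modes:" now lists failure modes whose derivation the reader cannot locate; add a pointer sentence as the Get\_Temperature hunk does. While the label is being touched, `tbl:pid` is a misleading name for the whole-controller table given that the PID function's own table is `tbl:pidfunction`; something like `tbl:tempcontroller` would read better.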

View File

@ -480,3 +480,330 @@ $$ \; \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}.$$
We can now create a {\dc} to represent the analogue to digital converter, $SDADC$. We can now create a {\dc} to represent the analogue to digital converter, $SDADC$.
$$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$ $$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
\section{Standalone temperature controller}
FMMD analysis tables from chapter~\ref{sec:chap6}.
\subsection{Read\_Pt100: Failure Mode Effects Analysis}
{
\tiny
\begin{table}[h+]
\center
\caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table
\label{tbl:readPt100}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $RI_{VRGE}$ & voltage & $VOLTAGE\_HIGH$ \\
& outside range & \\ \hline
FC2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
FC4: $RADC_{LOW}$ & ADC may read & $VOLTAGE\_LOW$ \\ \hline
FC5: post condition fails & software failure & $VAL\_ERR$ \\
in function read\_ADC & read\_ADC & \\ \hline
\end{tabular}
\end{table}
}
\subsection{ Get\_Temperature: Failure Mode Effects Analysis }
{
\tiny
\begin{table}[h+]
\center
\caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table
\label{tbl:gettemperature}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $Pt100:Voltage\_High$ & Pt100 voltage too high & Pt100\_out\_of\_range \\
& Pt100\_higher\_voltage & \\
& OR Pt100\_current & \\ \hline
FC2: $Pt100:Voltage\_Low$ & Pt100 voltage too low & Pt100\_out\_of\_range \\
& Pt100\_lower\_voltage & \\
& OR Pt100\_current & \\ \hline
FC3: $Pt100\_high\_low\_mismatch$ & temperature can be calculated & Pt100\_out\_of\_range \\
& from either high or low & \\
& reading, but should correlate & \\ \hline
% FC4: $Pt100\_current$ & the current applied is & Pt100\_out\_of\_range \\
% & necessary to calculate resistance, & \\
% & but should be within given bounds & \\ \hline
%
%
FC4: $Pt100:VAL\_ERR$ & could cause an out of & temp\_incorrect\\
& range error, but may also & \\
& cause us to read an & \\
& incorrect temperature & \\ \hline
FC5: post condition fails & software failure & temp\_incorrect \\
in function convert\_ADC\_to\_T & convert\_ADC\_to\_T & \\ \hline
\hline
\end{tabular}
\end{table}
}
\subsection{ GetError: Failure Mode Effects Analysis }
{
\tiny
\begin{table}[h+]
\center
\caption{ GetError: Failure Mode Effects Analysis} % title of Table
\label{tbl:geterror}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ Pt100\_out\_of\_range $ & pre-condition violated & KnownIncorrectErrorValue \\
& observable/detectable & \\
& failure mode & \\ \hline
FC2: $temp\_incorrect$ & pre-condition violated & IncorrectErrorValue \\
& unobservable & \\
& undetectable failure mode & \\ \hline
FC3: post condition fails & software failure & IncorrectErrorValue \\
in function determine\_set\_point\_error & determine\_set\_point\_error & \\ \hline
\end{tabular}
\end{table}
}
\subsection{PID: Failure Mode Effects Analysis}
{
\tiny
\begin{table}[h+]
\center
\caption{ PID: Failure Mode Effects Analysis} % title of Table
\label{tbl:pidfunction}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ KnownIncorrectErrorValue $ & pre-condition violated & KnownControlValueErrorV \\
& observable/detectable & \\
& failure mode & \\ \hline
FC2: $ IncorrectErrorValue $ & pre-condition violated & IncorrectControlErrorV \\
& unobservable & \\
& undetectable failure mode & \\ \hline
FC3: post condition fails & software failure & IncorrectControlErrorV \\
in function PID & PID & \\ \hline
\end{tabular}
\end{table}
}
\subsection{ HeaterOutput: Failure Mode Effects Analysis }
{
\tiny
\begin{table}[h+]
\center
\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:heateroutput}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\
& PWM module not working & \\ \hline
FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\
& PWM module not working & \\ \hline
FC3: HEATER $SHORT$ & heating element resistor & HeaterOff \\
& SHORT no heating effect & \\ \hline
FC4: HEATER $OPEN $ & heating element resistor & HeaterOff \\
& OPEN no heating effect & \\ \hline
FC5: $ output\_control$ post & The software supplies the wrong & HeaterOutputIncorrect \\
condition failure & value to the PWM register & \\ \hline
\end{tabular}
\end{table}
}
\subsection{ LEDOutput: Failure Mode Effects Analysis }
{
\tiny
\begin{table}[h+]
\center
\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table
\label{tbl:ledoutput}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\
& & \\ \hline
FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ \hline
FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline
FC6: Software SetLEDs & Incorrect Indication & IndicationError \\
fails to set outputs correctly & Post condition failure & \\ \hline
\end{tabular}
\end{table}
}
\subsection{ Standalone temperature controller: Failure Mode Effects Analysis}
{
\tiny
\begin{table}[h+]
\center
\caption{ standalone temperature controller: Failure Mode Effects Analysis} % title of Table
\label{tbl:pid}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FC1: PID KnownControlValueError & As error is detectable/ & ControlFailureIndicated \\
& observable error can be indicated & \\ \hline
FC2: PID IncorrectControlerrorV & undetectable/unobservable & ControlFailure \\
& failure PID will not control properly & \\ \hline
FC3: HeaterOutput & Heater will constantly & ControlFailureIndicated \\
HeaterOnFULL & apply maximum power & \\ \hline
FC4: HeaterOutput & heater will supply & ControlFailureIndicated \\ \hline
HeaterOFF & no power & \\
FC5: HeaterOutput & with incorrect hower applied & ControlFailure \\ \hline
HeaterOutputIncorrect & control will not be effective & \\
FC6: LEDOutput & failure of LED system & KnownIndicationError \\
FailureIndicated & where failure is observable & \\ \hline
FC7: LEDOutput & failure of LED system & UnknownIndicationError \\
IndicationError & where failure is unobservable & \\ \hline
%% PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED
FC8: micro-controller & un-defined behaviour & ControlFailure \\
PROM\_FAULT & & \\ \hline
FC9: micro-controller & un-defined behaviour & ControlFailure \\
RAM\_FAULT & & \\ \hline
FC10: micro-controller & un-defined behaviour & ControlFailure \\
CPU\_FAULT & & \\ \hline
FC11: micro-controller & incorrect arithmetic & ControlFailure \\
ALU\_FAULT & performed in processing & \\ \hline
FC12: micro-controller & processor will not run & ControlFailureIndicated \\
CLOCK\_STOPPED & indicator leds will not flash & \\ \hline
FC13: monitor: & postcondition fails & ControlFailure \\
software fails & & \\ \hline
\hline
\end{tabular}
\end{table}
}
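Review bot: the `\hline` placement for FC4 and FC5 in the standalone temperature controller table is wrong and should be fixed as the table is moved: `FC4: HeaterOutput & heater will supply & ControlFailureIndicated \\ \hline` is followed by `HeaterOFF & no power & \\`, so the rule cuts each two-line entry in half rather than closing it; move the `\hline` after the continuation line as FC3 and FC6 do. In the same table "hower" (FC5) should be "power", and "IncorrectControlerrorV" (FC2) should match the "IncorrectControlErrorV" spelling used in the PID table, since the later table is meant to consume the earlier one's failure modes. In the Read\_Pt100 table `$RADC_{VV_ERR}$` has an unescaped underscore inside math mode, so "ERR" typesets as a nested subscript; write `$RADC_{VV\_ERR}$` as the other identifiers do. Across all seven tables, `+` in `\begin{table}[h+]` is not one of the placement characters LaTeX accepts (h, t, b, p, !) and `\center` inside a float should be `\centering`. Finally, the introductory line "FMMD analysis tables from chapter~\ref{sec:chap6}." is a sentence fragment; something like "This section collects the FMMD analysis tables for the standalone temperature controller from chapter~\ref{sec:chap6}." would read better.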