diff --git a/presentations/System_safety_2012/Makefile b/presentations/System_safety_2012/Makefile index d4ccbe1..a8cab4f 100644 --- a/presentations/System_safety_2012/Makefile +++ b/presentations/System_safety_2012/Makefile @@ -10,4 +10,14 @@ all: $(DIAPNG) bib: + bibtex fmmd_software_pres_pc bibtex fmmd_software_pres + + +pc: $(DIAPNG) + pdflatex fmmd_software_pres_pc + acroread fmmd_software_pres_pc.pdf || evince fmmd_software_pres_pc.pdf + + +bib: + bibtex fmmd_software_pre_pc diff --git a/presentations/System_safety_2012/fmmd_software_pres_pc.tex b/presentations/System_safety_2012/fmmd_software_pres_pc.tex new file mode 100644 index 0000000..b1f0bba --- /dev/null +++ b/presentations/System_safety_2012/fmmd_software_pres_pc.tex @@ -0,0 +1,1177 @@ +\documentclass{beamer} +%\documentclass[handout]{beamer} +\title[Failure Mode Effects Analysis]{Failure Mode Effects Analysis\\A critical view} +\usetheme{Warsaw} +\usepackage[latin1]{inputenc} +\author{Robin Clark -- Energy Technology Control Ltd} +\institute{Brighton University} +\setbeamertemplate{footline}[page number] + + +%%% THIS VERSION IS FOR SENDING TO DELEGATES WHO REQUESTED THE PRESENTATION +%%% TD 18OCT2012 +%%% + +%\newcommand{\fg}{\em functional~group} +%\newcommand{\fgs}{\em functional~groups} +\newcommand{\fg}{\em functional~grouping} +\newcommand{\fgs}{\em functional~groupings} +\newcommand{\fm}{\em failure~mode} +\newcommand{\fms}{\em failure~modes} +\newcommand{\dc}{\em derived~component} +\newcommand{\dcs}{\em derived~components} +\newcommand{\bc}{\em base~component} +\newcommand{\bcs}{\em base~components} +\newcommand{\irl}{in~real~life} +%\newcommand{\derivec}{\ensuremath{\mathcal{\bowtie}}} +\newcommand{\derivec}{\ensuremath{{D}}} +\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} } +\begin{document} + + + +%\section{Applying failure Mode Modular de-Composition to integrated electronic and software Systems} +\begin{frame} +\frametitle{Failure Mode Modular De-Composition(FMMD)} +\begin{itemize} + \pause \item FMMD is a modularised variant of FMEA + \pause \item FMMD can model integrated mechanical, electrical and software systems. + \pause \item FMMD has efficiency benefits (pre analysed component re-use, over-all reduced complexity of checking) compared to traditional FMEA + \pause \item FMMD models can be used to assist in the production of traditional FMEA based + methodologies (PFMEA, FMECA, FMEDA FTA etc.) +\end{itemize} +%\tableofcontents[currentsection] +\end{frame} + + + +\section{F.M.E.A.} +\begin{frame} +\frametitle{FMEA} +%\tableofcontents[currentsection] +\end{frame} + + + +\begin{frame} +\frametitle{FMEA} +We now talk about Failure Mode Effects Analysis, and the different ways it is applied. +%These techniques are discussed, and then +%a refinement(FMMD) is proposed, which is essentially a modularisation of the FMEA process. +% + +\begin{itemize} + \pause \item Failure + \pause \item Mode + \pause \item Effects + \pause \item Analysis +\end{itemize} + +\end{frame} + +% % \begin{itemize} +% \item Failure +% \item Mode +% \item Effects +% \item Analysis +% \end{itemize} + + +\subsection{FMEA basic concept} + +\begin{frame} +\begin{itemize} + \pause \item \textbf{F - Failures of given component} Consider a component in a system + \pause \item \textbf{M - Failure Mode} Look at one of the ways in which it can fail (i.e. determine a component `failure~mode') + \pause \item \textbf{E - Effects} Determine the effects this failure mode will cause to the system we are examining + \pause \item \textbf{A - Analysis} Analyse how much impact this symptom will have on the environment/people/the system itsself +\end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{ FMEA Example: Milli-volt reader} +Example: Let us consider a system, in this case a milli-volt reader, consisting +of instrumentation amplifiers connected to a micro-processor +that reports its readings via RS-232. +\begin{figure} + \centering + \includegraphics[width=175pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} + + +\end{frame} + + +\begin{frame} + \frametitle{FMEA Example: Milli-volt reader} +Let us perform an FMEA and consider how one of its resistors failing could affect +it. +For the sake of example let us choose resistor R1 in the OP-AMP gain circuitry. +\begin{figure} + \centering + \includegraphics[width=175pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} + +\end{frame} + + + + +\begin{frame} +% + \frametitle{FMEA Example: Milli-volt reader} +\begin{figure} + \centering + \includegraphics[width=80pt]{./mvamp.png} + % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 +\end{figure} +\begin{itemize} + \pause \item \textbf{F - Failures of given component} The resistor (R1) could fail by going OPEN or SHORT (EN298 definition). + \pause \item \textbf{M - Failure Mode} Consider the component failure mode SHORT + \pause \item \textbf{E - Effects} This will drive the minus input LOW causing a HIGH OUTPUT/READING + \pause \item \textbf{A - Analysis} The reading will be out of normal range, and we will have an erroneous milli-volt reading +\end{itemize} +% +\end{frame} + + + + + + + +\begin{frame} +\frametitle{Four main Variants of FMEA} + \begin{itemize} + \pause \item \textbf{PFMEA - Production} \pause Car Manufacture etc + \pause \item \textbf{FMECA - Criticality} \pause Military/Space + \pause \item \textbf{FMEDA - Statistical safety} \pause EN61508/IOC1508 \pause Safety Integrity Levels + \pause \item \textbf{DFMEA - Design or static/theoretical} \pause EN298/EN230/UL1998 +\end{itemize} +\end{frame} + + + +\subsection{FMEA - General Criticism} +\begin{frame} +\frametitle{FMEA - General Criticism} + +\begin{itemize} + \pause \item FMEA type methodologies were designed for simple electro-mechanical systems of the 1940's to 1960's. + \pause \item Reasoning Distance - component failure to system level symptom : \pause Software controlled systems have another layer of reasoning distance + \pause \item State explosion - impossible to perform rigorously + \pause \item Difficult to re-use previous analysis work + \pause \item Very Difficult to model simultaneous failures. + +\end{itemize} + +% + +\end{frame} + + +\subsection{FMEA - Better Methodology - Wish List} + +\begin{frame} +\frametitle{FMEA - Better Metodology - Wish List} + +\begin{itemize} + + \pause \item State explosion + \pause \item Rigorous (total coverage) + \pause \item Reasoning Traceable \pause ideally across disciplines \pause Mechanical \pause Electrical \pause Software + \pause \item Re-usable + \pause \item Simultaneous failures + %\pause \item +\end{itemize} + +%FMEDA is a modern extension of FMEA, in that it will allow for +%self checking features, and provides detailed recommendations for computer/software architecture, +%but + +\end{frame} +\section{Failure Mode Modular De-Composition} +\begin{frame} + \frametitle{FMMD - Failure Mode Modular De-Composition} +% Consider the FMEA type methodologies +% where we look at all the failure modes in a system, and then +% see how they can affect all other components within it, +% to determine its system level symptom or failure mode. +% We need to look at a large number of failure scenarios +% to do this completely (all failure modes against all components). +% This is represented in equation~\ref{eqn:fmea_state_exp}, +% where $N$ is the total number of components in the system, and +% $f$ is the number of failure modes per component. +% +% \begin{equation} +% \label{eqn:fmea_state_exp} +% N.(N-1).f % \\ +% %(N^2 - N).f +% \end{equation} + +\begin{itemize} + + \pause \item Analysis occurs in small stages, within {\fgs} + \pause \item Each {\fg} is analysed until we have a set of its symptoms of failure. + \pause \item A {\dc} is created with its failure modes being the symptoms from the {\fg} + \pause \item We can now use {\dcs} as higher level components + \pause \item We can build a failure model hierarchy in this way + %\pause \item +\end{itemize} + +% The FMMD methodology breaks the analysis down into small stages, +% by making the analyst choose {\fgs} of components, to which FMEA is applied. +% When analysed, a set of symptoms of failure for the {\fg} is used to create a derived~component. \pause +% The derived components failure modes, are the symptoms of the {\fg} +% from which it was derived. \pause +% We can use derived components to form `higher~level' {\fgs}. +% This creates an analysis hierarchy. +\end{frame} + + +\subsection{FMMD Outline of Methodology} +\begin{frame} +\frametitle{FMMD - Outline of Methodology} +\begin{itemize} + \pause \item Select `{\fgs}' of components ( groups that perform a well defined function). + \pause \item Using the failure modes of the components create failure scenarios. + \pause \item Analyse each failure scenario of the {\fg}. + \pause \item Collect Symptoms. + \pause \item Create a '{\dc}', where its failure modes are the symptoms of the {\fg} from which it was derived. + \pause \item The {\dc} is now available to be used in higher level {\fgs}. + %\pause \item We can represent this process as a function which converts a {\fg} into a {\dc} and use the symbol $ \derivec $ to represet it. + \pause $ \derivec ( FunctionalGroup ) \rightarrow {DerivedComponent} $ + %\item could use AMALG instead here $ \amalg $ +\end{itemize} +\end{frame} + + + +\subsection{FMMD - Example - Milli Volt Amplifier} +\begin{frame} +\frametitle{FMMD - Example - Milli Volt Amplifier} +\begin{figure} + \centering + \includegraphics[width=100pt]{./mvampcircuit.png} + % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 +\end{figure} + +We return to the milli-volt amplifier as an example to analyse. +\pause +We can begin by looking for functional groups.\pause +The resistors perform a fairly common function in electronics, that of the potential divider. +So our first functional group is $\{ R1, R2 \}$.\pause +We can now take the failure modes for the resistors (OPEN and SHORT EN298) and see what effect each of these failures will have on the {\fg} (the potential divider). + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Resistor and failure modes} +Resistor and its failure modes represented as a directed graph. + +\begin{figure} + \centering + \includegraphics[width=200pt]{./resistor_failure_graph.png} + % resistor_failure_graph.png: 391x279 pixel, 93dpi, 10.68x7.62 cm, bb=0 0 303 216 + \label{fig:resasfm} +\end{figure} + +\end{frame} + + +\subsubsection{Potential Divider} +\begin{frame} +\frametitle{FMMD - Example - Failure mode analysis of Potential Divider} + + +\begin{table} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ +\textbf{ / test case } & & \textbf{ } & & \textbf{ } \\ + \hline + FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ \hline + FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline + FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline + FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline +\hline +\end{tabular} +\end{table} + +\begin{figure} + \centering + \includegraphics[width=100pt,keepaspectratio=true]{./pd.png} + % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 +\end{figure} +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} +\begin{figure} + \centering + \includegraphics[width=175pt]{./pd_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} +\begin{figure} + \centering + \includegraphics[width=200pt]{./pd_dc_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + +\begin{frame} +\frametitle{FMMD - Example - Potential Divider as Derived Component} + +We can now use this pre-analysed potential divider `derived~component' +in a higher level design. + +\begin{figure} + \centering + \includegraphics[width=100pt]{./pd_dc_failures_as_graph.png} + % pd_dc_failures_as_graph.png: 389x284 pixel, 93dpi, 10.63x7.76 cm, bb=0 0 301 220 + \label{fig:pd} +\end{figure} +\end{frame} + +\subsection{Non Inverting OP-AMP} + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics{./mvampcircuit.png} + % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 +\end{figure} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=300pt]{./non_inv_amp_fmea.png} + % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369 +\end{figure} + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +% \begin{figure} +% \centering +% \includegraphics[width=200pt]{./opamp_failures_as_graph.png} // op amp failure modes +% % opamp_failures_as_graph.png: 329x440 pixel, 93dpi, 8.99x12.02 cm, bb=0 0 255 341 +% \end{figure} +\begin{figure} + \centering + \includegraphics[width=150pt]{./fg_opamp_pd_as_graph.png} + % fg_opamp_pd_as_graph.png: 750x826 pixel, 93dpi, 20.49x22.56 cm, bb=0 0 581 640 +\end{figure} +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=150pt]{./n_inv_dc.png} + % n_inv_dc.png: 296x326 pixel, 72dpi, 10.44x11.50 cm, bb=0 0 296 326 +\end{figure} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example - Non Inverting OP-AMP} +\begin{figure} + \centering + \includegraphics[width=200pt]{./fmmd_exm_h.png} + % fmmd_exm_h.png: 376x241 pixel, 72dpi, 13.26x8.50 cm, bb=0 0 376 241 +\end{figure} + + +\end{frame} + +% \begin{frame} +% \frametitle{FMMD - Failure Mode Modular De-Composition} +% %We can view the functional groups in FMMD as forming a hierarchy. +% %If +% % For the sake of example we consider each functional group to +% % be three components, the figure below shows +% % how the levels work and converge to a top or system level. +% \begin{figure} +% \centering +% \includegraphics[width=300pt]{./three_tree.png} +% % three_tree.png: 780x226 pixel, 72dpi, 27.52x7.97 cm, bb=0 0 780 226 +% \caption{Functional Group Tree example} +% \label{fig:three_tree} +% \end{figure} +% \pause +% For the sake of example we consider each functional group to +% be three components, the figure below shows +% how the levels work and converge to a top or system level. +% \end{frame} +% +% \begin{frame} +% \frametitle{FMMD - Failure Mode Modular De-Composition} +% The fact FMMD analyses small groups of components at a time, and organises them +% into a hierarchy +% addresses the state explosion problem. \pause +% +% For FMEA where we check every component failure mode rigorously +% against all the other components (we could call this \textbf{RFMEA}) +% Where $N$ is the number of components, we can determine the order +% of complexity $ O(N^2) $ thus. +% % % +% \begin{equation} +% \label{eqn:fmea_single2} +% N.(N-1).f +% \end{equation} +% % +% % %\end{frame} +% \end{frame} +% +% +% +% \begin{frame} +% \frametitle{FMMD - comparing number of checks RFMEA $\ldots$ FMMD} +% +% If we consider $c$ to be the number of components in a {\fg}, $f$ is the number of failure modes per component, and +% $L$ to be the number of levels in the hierarchy of FMMD analysis. +% +% +% We can represent the number of failure scenarios to check in an FMMD hierarchy +% with equation~\ref{eqn:anscen}. +% \pause +% \begin{equation} +% \label{eqn:anscen} +% \sum_{n=0}^{L} {c}^{n}.c.f.(c-1) +% \end{equation} +% +% +% \end{frame} +% +% +% +% % So for a very simple analysis with three components forming a functional group where +% % each component has three failure modes, we have only one level (zero'th). +% % So to check every failure modes against the other components in the functional group +% % requires 18 checks. +% % +% % \begin{equation} +% % \label{eqn:anscen2} +% % \sum_{n=0}^{0} {3}^{0}.3.3.(3-1) = 18 +% % \end{equation} +% % \clearpage +% % +% % +% % +% % In other words, we have three components in our functional group, +% % and nine failure modes to consider. +% % So taking each failure mode and looking at how that could affect the functional group, +% % we must compare each failure mode against the two other components (the `$c-1$' term). +% % +% % For the one `zero' level FMMD case we are doing the same thing as FMEA type analysis +% % (but on a very simple small sub-system). +% % We are looking at how each failure~mode can effect the system/top level. +% % We can use equation~\ref{eqn:fmea_state_exp44} to represent +% % the number of checks to rigorously perform FMEA, where $N$ is the total +% % number of components in the system, and $f$ is the number of failures per component. +% +% +% % +% % Where $N=3$ and $f=3$ we can see that the number of checks for this simple functional +% % group is the same for equation~\ref{eqn:fmea_state_exp22} +% % and equation~\ref{eqn:anscen}. +% % \clearpage +% +% %\section{Example}/derivec +% \begin{frame} +% \frametitle{FMMD - Failure Mode Modular De-Composition} +% To see the effects of reducing `state~explosion' we can use an example. +% % with fixed numbers +% %for components in a functional group, and failure modes per component. +% Let us take a system with 3 levels of FMMD analysis, +% with three components per functional group and three failure modes per component, +% and apply these formulae. +% Having 4 levels (in addition to the top zeroth level) +% will require 81 base level components. +% +% $$ +% %\begin{equation} +% \label{eqn:fmea_state_exp22} +% 81.(81-1).3 = 19440 % \\ +% %(N^2 - N).f +% %\end{equation} +% $$ +% +% $$ +% %\begin{equation} +% % \label{eqn:anscen} +% \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 +% %\end{equation} +% $$ +% \end{frame} +% +% +% \begin{frame} +% \frametitle{FMMD - Failure Mode Modular De-Composition} +% +% +% +% \begin{itemize} +% \pause \item Thus for FMMD we needed to examine 720 failure~modes against functionally adjacent components, and for traditional FMEA +% type analysis methods, the number rises to 19440. +% \pause \item 19440 `checks' is not practical +% \pause \item 720 checks is quite alot, but... +% \pause \item Modules in FMMD can be re-used... +% \end{itemize} +% % In practical example followed through, no more than 9 components have ever been required for a functional +% % group and the largest known number of failure modes has been 6. +% % If we take these numbers and double them (18 components per functional group +% % and 12 failure modes per component) and apply the formulas for a 4 level analysis +% % (i.e. +% +% \end{frame} +% +% \begin{frame} +% \frametitle{FMMD - Failure Mode Modular De-Composition} +% +% To determine all possible double simultaneous failures for rigorous FMEA +% the order $O(N^3)$. +% +% +% \begin{equation} +% \label{eqn:fmea_state_exp2} +% N.(N-1).(N-2).f % \\ +% %(N^2 - N).f +% \end{equation} +% +% Or express in terms of the level +% +% \begin{equation} +% \label{eqn:fmea_state_exp2} +% c^{L+1}.(c^{L+1}-1).(c^{L+1}-2).f % \\ +% %(N^2 - N).f +% \end{equation} +% +% \pause +% The FMMD case (equation~\ref{eqn:anscen2}), is cubic within the functional groups only, +% not all the components in the system. +% \begin{equation} +% \label{eqn:anscen2} +% \sum_{n=0}^{L} {c}^{n}.c.f.(c-1).(c-2) +% \end{equation} +% \end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Traceability} +Because each reasoning stage contains associations ($FailureMode \rightarrow Symptom$) +we can trace the `reasoning' from base level component failure mode to top level/system +failure, by traversing the tree/hierarchy. This is in effect providing a `framework' of the reasoning. + + +\end{frame} + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Re-usability} +Electronic Systems use commonly re-used functional groups (such as potential~dividers, amplifier configurations etc) +Once a derived component is determined, it can generally be used in other projects. + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Total coverage} +With FMMD we can ensure that all component failure modes +have been represented as a symptom in the derived components created from them. +We can thus apply automated checking to ensure that no +failure modes, from base or derived components have been +missed in an analysis. +\end{frame} + + + +\subsection{FMMD summary} +\begin{frame} +\frametitle{FMMD - Failure Mode Modular De-Composition} +\textbf{Conclusion: FMMD} + +\begin{itemize} + \pause \item Addresses State Explosion (single and multiple failure models) + \pause \item Addresses total coverage of all components and their failure modes + \pause \item Provides traceable reasoning + \pause \item derived components are re-use-able +\end{itemize} +\end{frame} + +\section{Software and Failure Mode Effects Analysis} + +\subsection{Software and FMEA---Current work} +\begin{frame} + \frametitle{Software FMEA (SFMEA) --- Current work } + %\paragraph{Current work on Software FMEA} +\begin{itemize} + \pause \item SFMEA is performed in isolation to hardware FMEA + \pause \item SFMEA maps variable corruption for {\fms} --- + \pause this means a large number of combinations --- \pause automated SFMEA + \pause databases + tracking the relationships between variable corruption +and system failure modes + %\pause \item %Because of the large number of combinations for considering all variables as corruptible + % automated SFMEA + + \pause \item Some schools of thought recommend combining SFTA with SFMEA + \pause \item FMMD is different, allows integrated hardware and software models +\end{itemize} +% SFMEA usually does not seek to integrate +% hardware and software models, but to perform +% FMEA on the software in isolation~\cite{procsfmea}. +% % +% Work has been performed using databases +% to track the relationships between variables +% and system failure modes~\cite{procsfmeadb}, to %work has been performed to +% introduce automation into the FMEA process~\cite{appswfmea} and to provide code analysis +% automation~\cite{modelsfmea}. Although the SFMEA and hardware FMEAs are performed separately, +% some schools of thought aim for Fault Tree Analysis (FTA)~\cite{nasafta,nucfta} (top down - deductive) +% and FMEA (bottom-up inductive) +% to be performed on the same system to provide insight into the +% software hardware/interface~\cite{embedsfmea}. +% % +% Although this +% would give a better picture of the failure mode behaviour, it +% is by no means a rigorous approach to tracing errors that may occur in hardware +% through to the top (and therefore ultimately controlling) layer of software. +\end{frame} + + + + + +\subsection{Software and FMMD} +\begin{frame} +\frametitle{FMMD - How to apply this to software} +Clearly we need to be able to represent software failure modes +in a clear and modular model. +\pause +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./contract_function.png} + % contract_function.png: 181x256 pixel, 72dpi, 6.39x9.03 cm, bb=0 0 181 256 + \caption{Design by Contract Programmatic Function} + \label{fig:dbcpf} +\end{figure} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - How to apply this to software} +\begin{figure}[h] + \centering + \includegraphics[width=35pt]{./contract_function.png} + % contract_function.png: 181x256 pixel, 72dpi, 6.39x9.03 cm, bb=0 0 181 256 + \caption{Design by Contract Programmatic Function} + \label{fig:dbcpf} +\end{figure} +\begin{itemize} + \pause \item Software is already modular call tree, function hierarchy \pause A function can be considered as a {\fg} + \pause \item A function has inputs and outputs, and a task to perform + \pause \item contract programming \pause , giving a function invariants, pre and post conditions +\end{itemize} + +\end{frame} + + +\begin{frame} +\frametitle{FMMD - How to apply this to software} +\begin{figure}[h] + \centering + \includegraphics[width=35pt]{./contract_function.png} + % contract_function.png: 181x256 pixel, 72dpi, 6.39x9.03 cm, bb=0 0 181 256 + \caption{Design by Contract Programmatic Function} + \label{fig:dbcpf} +\end{figure} +\begin{itemize} + \pause \item Pre condition violations are analogous to component failure modes + \pause \item Post condition violations are analogous to symptoms of failure of the function \pause i.e. the derived component failure modes +\end{itemize} + +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} + + +For the purpose of example, we chose a simple common safety critical industrial circuit +that is nearly always used in conjunction with a programmatic element. +A common method for delivering a quantitative value in analogue electronics is +to supply a current signal to represent the value to be sent. %~\cite{aoe}[p.934]. +Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale, +and this is referred to as {\ft} signalling. +\end{frame} + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{./ftcontext.png} + % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 + \caption{Context Diagram for {\ft} loop} + \label{fig:ftcontext} +\end{figure} +%The diagram in figure~\ref{fig:ftcontext} shows some equipment which is sending a {\ft} +%signal to a micro-controller system. +%The signal is locally driven over a load resistor, and then read into the micro-controller via +%an ADC and its multiplexer. +%With the voltage detected at the ADC the multiplexer can read the intended quantitative +%value from the external equipment. +\end{frame} +% +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +General Failure behaviour of {\ft} signalling +\begin{itemize} + \pause \item Electrical Current in a loop is constant (Kirchoff) + \pause \item Current to voltage conversion is simple at receiving end \pause a single resistor + \pause \item Detectable Error if outside 4mA 20mA range + \pause \item On disconnection \pause : 0mA, on mis-wiring\pause : 0mA + %\pause \item Post condition violations are analogous to symptoms of failure of the function +\end{itemize} +%{\ft} has an electrical advantage as well because the current in a loop is constant. %~\cite{aoe}[p.20]. +%Thus resistance in the wires between the source and the receiving end is not an issue +%that can alter the accuracy of the signal. +% +% This circuit has many advantages for safety. If the signal becomes disconnected +% it reads an out of range $0mA$ at the receiving end. This is outside the {\ft} range, +% and is therefore easy to detect as an error rather than an incorrect value. +% +% General Failure behaviour of {\ft}. +% +% Should the driving electronics go wrong at the source end, it will usually +% supply far too little or far too much current, making an error condition easy to detect. +% % +% At the receiving end, one needs a resistor to convert the +% current signal into a voltage that we can read with an ADC.% +\end{frame} + + + + + + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} + If we consider the software at the top of the failure mode hierarchy + the hardware is at the bottom. + \pause + Yourdon, afferent---transform---efferent data flow, in an embedded system our + sensors---data processing/software---actuators. + \pause + So the electronics are the below software in a modular hierarchy.... + + +\end{frame} + + + + + +\subsection{Example Electrical and Software system FMMD Analysis} + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=150pt]{./ftcontext.png} + % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 + \caption{Context Diagram for {\ft} loop} + \label{fig:ftcontext} +\end{figure} +\pause + Starting with the bottom-up for this {\ft} input, we have the resistor and the ADC. + The resistor converts current to voltage and the ADC allows us to read the voltage. +\end{frame} + + + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./ftcontext.png} + % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 + \caption{Context Diagram for {\ft} loop} + \label{fig:ftcontext} +\end{figure} +\pause +Bottom level {\fg}: +$G_1 = \{ R, ADC \},$ +\pause +$ fm(R) = \{ OPEN, SHORT \},$ +\pause +$ fm(ADC) = \{ ADC_{STUCKAT} , ADC_{MUXFAIL} , ADC_{LOW} , ADC_{HIGH} \} .$ +\end{frame} +%\subsection{Example Electrical and Software system FMMD Analysis} + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +% \begin{figure}[h] +% \centering +% \includegraphics[width=100pt]{./ftcontext.png} +% % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 +% \caption{Context Diagram for {\ft} loop} +% \label{fig:ftcontext} +% \end{figure} +% \pause +{ \tiny + \begin{table}[h+] +\caption{$G_1$: Failure Mode Effects Analysis: Convert mA to Voltage (CMATV)} % title of Table +\label{tbl:cmatv} + +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline + \hline + 1: $R_{OPEN}$ & resistor open, & $HIGH$ \\ + & voltage on pin high & \\ \hline + + 2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\ + & voltage on pin low & \\ \hline + + + 3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\ + & fixed value & \\ \hline + + + + 4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\ + & wrong channel & \\ \hline + + 5: $ADC_{LOW}$ & output low & $LOW$ \\ + 6: $ADC_{HIGH}$ & output high & $HIGH$ \\ \hline + + +\hline + + +\hline + +\end{tabular} +\end{table} + +\pause +We can express this using the `$\derivec$' function thus: +$ CMATV = \; \derivec (G_1) .$ As its failure modes are the symptoms of failure from the functional group we can now state: +$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$ +} +\end{frame} + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./ftcontext.png} + % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 + \caption{Context Diagram for {\ft} loop} + \label{fig:ftcontext} +\end{figure} +\pause + We have analysed the hardware for our {\ft} input. +\pause +We must now look at the software. + +\end{frame} + +\subsection{Software {\ft} input} +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=100pt]{./ftcontext.png} + % ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385 + \caption{Context Diagram for {\ft} loop} + \label{fig:ftcontext} +\end{figure} +We consider two software functions, $Read\_ADC()$ which returns a value from the ADC, which is called by +$ Read\_4\_20\_input() .$ which returns a pro-mil value for the input. \pause +As $Read\_ADC$ is the function called it is lower in the call tree hierarchy. \pause +We form a {\fg} with $CMATV$ and this software function. +\end{frame} + + + + +\begin{frame} + \frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=140pt]{./read_adc.jpg} + % read_adc.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 + \caption{Software Function: \textbf{read\_ADC}} + \label{fig:read_ADC()} +\end{figure} + +\end{frame} + + + +\begin{frame} + \frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=32pt]{./read_adc.jpg} + % read_adc.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 + \caption{Software Function: \textbf{read\_ADC}} + \label{fig:read_ADC()} +\end{figure} + +\begin{itemize} + \pause \item validate mux channel number + \pause \item Set MUX + \pause \item initiate ADC read + \pause \item read value + \pause \item return value to calling function +\end{itemize} + +\end{frame} + + + +\begin{frame} + \frametitle{FMMD - Example integrated hardware/software system --- {\ft} input} +\begin{figure}[h] + \centering + \includegraphics[width=32pt]{./read_adc.jpg} + % read_adc.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 + \caption{Software Function: \textbf{read\_ADC}} + \label{fig:read_ADC()} +\end{figure} + +Pre-conditions +\begin{itemize} + \pause \item MUX channel number in range + \pause \item No timeout on ADC read +\pause \item ADC Vref out of range +\end{itemize} + Post-conditions +\begin{itemize} + \pause \item in range (0...1023) value from ADC/MUX returned +\end{itemize} +\end{frame} + + +\begin{frame} + \frametitle{FMMD - Example integrated hardware/software system --- RADC function} + Treating the read\_ADC() function as a {\fg}. + + The pre-conditions that can be violated are ADC\_TIMEOUT, MUX\_CHAN, ADC\_VREF. +We could term the failure modes of this function as + \{ ADC\_TIMEOUT\_OCCURS, INCORRECT\_MUX\_CHAN, INCORRECT\_VREF \} +\pause +\\ +We now create a {\fg} called RADC consisting of read\_ADC() and the hardware it interface directly with: CMATV. +\end{frame} + + + + +\begin{frame} +\frametitle{FMMD - Example integrated hardware/software system --- RADC function} +{ +\tiny +\begin{table}[h+] +\caption{$G_2$: Failure Mode Effects Analysis: Read\_ADC (RADC) and CMATV} % title of Table +\label{tbl:radc} +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + 1: ${INCORRECT\_MUX\_CHAN}$ & wrong voltage & $VV\_ERR$ \\ + & read & \\ \hline + + 2: ${INCORRECT_VREF}$ & ADC volt-ref & $VV\_ERR$ \\ + & incorrect & \\ \hline + + + 3: ${ADC\_TIMEOUT\_OCCURS}$ & ADC volt-ref & $VV\_ERR$ \\ + & incorrect & \\ \hline + + + 4: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\ + & incorrect & \\ \hline + + + + 5: $CMATV_{HIGH}$ & ADC reads & $HIGH$ \\ + & high voltage & \\ \hline + + 6: $CMATV_{HIGH}$ & ADC reads & $LOW$ \\ + & low voltage & \\ \hline +\hline +\hline +\end{tabular} +\end{table} + + +} +\end{frame} + + +\begin{frame} + Collecting symptoms, we can now create a {\dc} RADC, with the following failure modes: $ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$ + \pause + We now have a model in which we have electronic and software + modules represented. + +\pause + + We can now look at the second software function. +\end{frame} + +% + +% \begin{frame} +% \frametitle{FMMD - Example integrated hardware/software system --- read\_4\_20_input} +% % \begin{figure}[h] +% \centering +% \includegraphics[width=120pt]{./read_4_20_input.jpg} +% % read_adc.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 +% \caption{Software Function: \textbf{read\_4\_20_input()}} +% \label{fig:read_4_20_input} +% \end{figure} + %end{frame} + +\begin{frame} + \begin{figure}[h] + \centering + \includegraphics[width=200pt]{./read_4_20_input.jpg} + % read_4_20_input.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 + \caption{Read 4 to 20mA input function} + \label{fig:read_4_20_input} +\end{figure} + +\end{frame} + + + +\begin{frame} + + + \begin{figure}[h] + \centering + \includegraphics[width=60pt]{./read_4_20_input.jpg} + % read_4_20_input.jpg: 452x514 pixel, 96dpi, 11.96x13.60 cm, bb=0 0 339 386 + \caption{Read 4 to 20mA input function} + \label{fig:read_4_20_input} +\end{figure} + +This function has one pre-condition, the voltage range ($0.88V \leftrightarrow 4.4V$) +and one postcondition {\ft} current mapped to per-mil integer output. +\pause +We could term the failure mode of this function, voltage out of range, as + \{ VRNGE \}. + +\end{frame} + + + + +\begin{frame} + +{ +\tiny +\begin{table}[h+] +\caption{$G_3$: Read\_4\_20: Failure Mode Effects Analysis} % title of Table +\label{tbl:r420i} + +\begin{tabular}{|| l | c | l ||} \hline + \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ + \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + 1: $RI_{VRGE}$ & voltage & $OUT\_OF\_$ \\ + & outside range & $RANGE$ \\ \hline + + 2: $RADC_{VV\_ERR}$ & voltage & $VAL\_ERR$ \\ + & incorrect & \\ \hline + + + 3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ + & incorrect & \\ \hline + + + + 4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_$ \\ + & wrong channel & $RANGE$ \\ \hline +\hline +\end{tabular} +\end{table} +} +\end{frame} + +\begin{frame} +We can finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ (R420I) thus: +% +$ R420I = \; \derivec(G_3) .$ +% +This new {\dc} has the following {\fms}: +$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$$ +\end{frame} + + +\begin{frame} +\begin{figure}[h] + \centering + \includegraphics[width=150pt,keepaspectratio=true]{./hd.png} + % hd.png: 416x381 pixel, 72dpi, 14.68x13.44 cm, bb=0 0 416 381 + \caption{FMMD Hierarchy for {\ft} input} + \label{fig:hd} +\end{figure} +\end{frame} + + + +\begin{frame} + +%\section{Conclusion} +% +\begin{itemize} + \item FMMD models integrated mechanical/electrical/software systems + \pause \item Each {\fg} to {\dc} transition represents a documented +reasoning stage. + \pause \item FMMD seamlessly integrates mechanical, electronics and software failure models. + \pause \item Added efficiency benefits\pause---smaller reasoning distances\pause---less checking for RFMEA + \pause \item Additionally, using FMMD we can determine a failure model for the hardware/software interface.%~\cite{sfmeainterface}. +\end{itemize} +\end{frame} + + +\begin{frame} +Questions ? +\end{frame} + + +\end{document}