From 7746317e42b2be6ae34ea1eee62e7b1342813618 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Fri, 30 Nov 2012 20:18:16 +0000 Subject: [PATCH] Need to ensure all postconditions of every function come up in the FMMD analysis tables --- submission_thesis/CH1_introduction/copy.tex | 2 +- submission_thesis/CH5_Examples/Makefile | 2 +- .../CH5_Examples/euler_heater_output.dia | Bin 0 -> 1077 bytes .../CH5_Examples/euler_led_output.dia | Bin 0 -> 1309 bytes submission_thesis/CH5_Examples/software.tex | 180 +++++++++++++++++- 5 files changed, 181 insertions(+), 3 deletions(-) create mode 100644 submission_thesis/CH5_Examples/euler_heater_output.dia create mode 100644 submission_thesis/CH5_Examples/euler_led_output.dia diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex index 60c8f59..4076916 100644 --- a/submission_thesis/CH1_introduction/copy.tex +++ b/submission_thesis/CH1_introduction/copy.tex @@ -14,7 +14,7 @@ Blanket measures, RAM ROM checks, EMC, electrical and environmental stress testi \subsection{Practical limitations of testing for certification vs. rigorous approach} State explosion problem considering a failure mode of a given component against -all other components in the system i.e. an exponential (2^N) order of processing resource rather than a ploynomial i.e. N^2. +all other components in the system i.e. an exponential ($2^N$) order of processing resource rather than a polynomial i.e. $N^2$. Impossible to perform double simultaneous failure analysis (as demanded by EN298~\cite{en298}). diff --git a/submission_thesis/CH5_Examples/Makefile b/submission_thesis/CH5_Examples/Makefile index 9d7ef40..9670a12 100644 --- a/submission_thesis/CH5_Examples/Makefile +++ b/submission_thesis/CH5_Examples/Makefile 
@@ -7,7 +7,7 @@ PNG_DIA = blockdiagramcircuit2.png bubba_oscillator_block_diagram.png circuit1 tree_abstraction_levels.png vrange.png sigma_delta_block.png ftcontext.png ct1.png hd.png \ sigdel1.png sdadc.png bubba_euler_1.png bubba_euler_2.png eulersd.png eulersdfinal.png \ eulerfivepole.png eulerswhw.png context_diagram_PID.png context_diagram2_PID.png context_software.png \ - context_calltree.png euler_afferent_PID.png + context_calltree.png euler_afferent_PID.png euler_heater_output.png euler_led_output.png diff --git a/submission_thesis/CH5_Examples/euler_heater_output.dia b/submission_thesis/CH5_Examples/euler_heater_output.dia new file mode 100644 index 0000000000000000000000000000000000000000..b68b9f7b10d91dd8c6c1db9fde9da0df2dffcb37 GIT binary patch literal 1077 zcmV-51j_p#iwFP!000021MQjLZ{j!*$KU%`MCmJQV&|uqh1IUKr@ox_bl1~8Rt|B4 zZ$pe61LfuZ_H%x)kdQziq$f^9YE`1ieC^51e8%O|=eK#Jt*A&CkHAI+`}bzyvo>jf26xAO&0m@<)@#eqqKpY->hO<|QNqd1&Aez6|& zB^5VzzUmg*C?e-Xge*SPQL%~gKp@~Dgj6tW>|w*TT)2(N`EvgI%0=%hC*D_%B`*su zq##TlO8T5fl*GBJ6ia%!PBJBtO0i?x>adGfCM7?y{#OzuZ8nhK{#kA3R&FR*aJ+C! z77bq3EReI8x1Pe4d*AfreZ>;yN3?GBES6VuzqyY4>f6b>_wMnI*^ql{#6#dwo7(5& zAzZS6CMVLYY}4RrR+tS>MZId*HZb|E3am4Uh-|1R+<)C+S}R^~(Qz~~m29>Bv=tEIat;0DQBt=9z<)wcPRw{9yq|Xt06dS zAWZ_kU-d844oDnE^rwbrry?V012k{}zEF)ubpA5sB0iiDuD7L3Bx@yy+uF7f6QC~M zXOx9A+3X$y+cx$u_cAe`i-3w#n=t?^WT1r&2pxznlS^iN{ZccTw!l_>j~MO>qD6%~ z(>J+SBCseC*ttZ~!NgW+YocDOB$si3tLnr8CQcE=M`J+!XT2aZSWWVj7zk-A6 ztgRW(C|_1L(Q*p5Ps2;J%Je>R#50U;LTWY+<2kK=p)_93i(s}?sb%wdRk6yJRIQ8M zQq1eNq9Zjz6_}~O5ySvGY4TyGS9EvX*d5;gFL;}sOT_^QtGq@1 zPPmzh0~~7vJ%xs>O?$V1?x$~Gp1=Kmr+4r4uFJzayl)TQR_Bg{w^;2J-Wa$}0dM4h zH1%+=0 zg=4E6NKtOz0?PSPE|yZ2YAgkh?nv(&=?y7)hx+Y7-Rat%Ft7#)z&<+@R&6NN7$FZ} zdw?%iYX|ghJ8DC7H8Nb~pxlb)Y6L2Y-D%!|=I#|v<=(&q4(j<(o{AXe2tk0q!p literal 0 HcmV?d00001 
diff --git a/submission_thesis/CH5_Examples/euler_led_output.dia b/submission_thesis/CH5_Examples/euler_led_output.dia new file mode 100644 index 0000000000000000000000000000000000000000..e4a28a11233bbc1fc4ebe82f12dcb2ad3c5b8261 GIT binary patch literal 1309 zcmV+&1>*W2iwFP!000021MOQ|Z=*OAe($e9^tIz)1IC_CI@-}*rIotU%sy96a0xR6 zB5=~?WqlAlNmbvLvpLd@O|22W20qd2YO$hAqzg+PEHgydrQlu#$|0{F5fhr^A|3zwW1EtX3c${L)5*cEzxz)jo$5@DL$NV2zQtabE`S?5A4rOkX z$KmV5-5Akg;H!j?R*%zs*?X{&m{mEu@z zEaJt>-P)RDqpy4{DrY|nmWC`3t#{U^?Acz`AhH69!=ZieY%bQed(xQH!P;ugvQ zHEYCRMTnyr0y{Ir2L$Wz#U?o-QJ_YFw~zuT5hYKsQJ!>ltY^xbVhZZa6#5dwMwvoE zfGegTETvxZ#3)U=dbJNt0^qnF)fe(T>LFs3G#;UAU=a4C*-e@+{8_BA23D+byRrs3 zfVfD>J#tJ|VJ|os_!KJcxWJ=Om18dT$dS4!)S~RzdTfnpd%L<dUa@tCb|Fb#9yvZrBj;4C<0Bc6|xq`nQMx?*_`?GrB$O zmmi(W{mvCI2IR&C7#VG+lpu2XRTg&uq8Q100zE>0{wyw2`2AeW=AzHzrt^4HH10qJR!5a-hfCD6zEp3 zt7w8ucY3>c)wASn)w!fIO%R}gZV;HQbW0cvuzL$VfLztA3IhKks@%T5HD2E~Mqyv! z{>&9_iz3kzC{mycPS-K4NP&k{F2%ZuE>+1v64j%Zvia_1=?t>e5Q@DlU7##M=L8)= zS?g1Pu;G?qfT5NpU&|5!j;lh@^Dp9Gd%Z55ryW=i#a@;!QI_BdWC?q+a)z#9S&}Fi z_?}WE1a+-WE@A)n$3K7F_lk4|MXE<(uSl1uNSzN4A_$O_3TpHSREgpG{;mE~MxKK% zK#h7OGJfQ#9(}zIU7`-1;y9){O@Ry_#Z+gIu+pIt&g*rk*P-U<>viad>QH&Fztnek TwehXLyQ}{JaU`Q489)F4@raXS literal 0 HcmV?d00001 diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index e3ff6c7..9f12d4e 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex @@ -821,6 +821,7 @@ Identified electronic components: \item Pt100 --- Pt100 Temperature sensor, as analysed in section~\ref{sec:Pt100}. \item PWM --- Internal micro controller pulse width modulation module \item micro-controller --- the medium for running the software + \item setLEDs --- Set status indication LEDs via GPIO \end{itemize} 
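Review bot: in the software.tex hunk at @@ -821, `\item setLEDs --- Set status indication LEDs via GPIO` is added to the "Identified electronic components" list, but setLEDs is a software function: the later text calls it "the software function setLEDs" and forms the {\fg} from the GPIO, the LEDs and setLEDs. The hardware that belongs in this list is the GPIO module and the LEDs themselves; setLEDs should be listed under "Identified Software Components" next to output\_control, otherwise the LED branch analysed in table ledoutput has no declared hardware components to fail.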
@@ -882,8 +883,10 @@ Identified Software Components: \item --- output\_control (which sets the PWM hardware according to the PID demand value) \end{itemize} With the call tree structure defined (see figure~\ref{fig:context_calltree}), we can now analyse these -components from the bottom-up, starting with the electronics. +components from the bottom-up, starting with the afferent flow, the reading in of the temperature and its conversion +to a PID calculated heater output demand. +\subsubsection{Afferent flow FMMD analysis , Pt100, temperature, set point error, PID output demand.} We start with the afferent flow from the Pt100. %with the software, and consider the hardware elements %used (if any) by each software function. 
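Review bot: the new heading at @@ -882, `\subsubsection{Afferent flow FMMD analysis , Pt100, temperature, set point error, PID output demand.}`, has a stray space before the comma and a trailing full stop, and its shape differs from the two efferent headings added later in this patch (one uses a comma, the other a colon). Suggest `\subsubsection{Afferent flow FMMD analysis: Pt100, temperature, set point error, PID output demand}` and the same colon form for the efferent ones. The replacement body sentence also needs a colon or "i.e." before its apposition: "starting with the afferent flow: the reading in of the temperature and its conversion to a PID-calculated heater output demand".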
@@ -1118,6 +1121,181 @@ We have now modelled the the software call tree for the afferent flow, we repre Two call tree branches remain. The LED indication branch and the PWM/heater output. +\subsubsection{Efferent flow, PID demand value to PWM output} + +The monitor function calls the output\_control function with the PID demand. +The output\_control function then sets the PWM hardware register, which causes the mark space output of the PWM module to +apply the demanded power. We form a {\fg} with the Heating element, a PWM module and the output\_control function to model this branch +of the efferent flow. We apply FMMD analysis to this {\fg} in table~\ref{tbl:heateroutput}. +For the output\_control function, we have a pre-condition that the PWM module is +configured and working, and has the correct clock frequency. + A second pre-condition is that the heating element is connected and working. +The post condition is that is sets the correct value into the PWM register +to implement the PWM demand. 
+ +{ +\tiny +\begin{table}[h+] +\caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table +\label{tbl:heateroutput} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\ + & PWM module not working & \\ \hline + + + FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\ + & PWM module not working & \\ \hline + + FC3: $ output\_control$ wrong value & The software supplies the wrong & HeaterOutputIncorrect \\ + & value to the PWM register & \\ \hline + + + FC4: HEATER $SHORT$ & heating element resistor & HeaterOff \\ + & SHORT no heating effect & \\ \hline + + + FC5: HEATER $OPEN $ & heating element resistor & HeaterOff \\ + & OPEN no heating effect & \\ \hline + +\end{tabular} +\end{table} +} + +We now create a {\dc} called HeaterOutput +with the following failure modes: +$$fm(HeaterOutput) = \{ HeaterOnFull, HeaterOff, HeaterOutputIncorrect \}$$ + + + +\begin{figure}[h] + \centering + \includegraphics[width=300pt]{./CH5_Examples/euler_heater_output.png} + % euler_heater_output.png: 392x141 pixel, 72dpi, 13.83x4.97 cm, bb=0 0 392 141 + \caption{Euler diagram showing HeaterOutput with its two hardware components, PWM and HEATER, and its software component output\_control.} + \label{fig:eulerheateroutput} +\end{figure} + + + + + + + + + + + + + + + + + + + + + + + + + + + +\subsubsection{Efferent flow: LED status LEDs} + +The status LEDS will be controlled by general purpose (GPIO) I/O pins. 
+We could have say, three LEDS one flashing with a human readable mark +space ratio representing the heater output, one flashing at a regular interval to +indicate the processor is alive and another flashing at an interval related to the temperature, +(to indicate if the temperature readings are within expected ranges). +Each LED should flash in normal operation, and any LED being permanently on or off +would indicate to the operator that an error had occurred. +The pre condition for this function is that the GPIO +is connected to working LEDS. +The post condition is that the function setLEDS, will supply correct indication by flashing the LEDs. +We form a {\fg} from the GPIO, the LEDs and the software function setLEDs. +We apply FMMD analysis to this {\fg} in table~\ref{tbl:ledoutput}. + +{ +\tiny +\begin{table}[h+] +\caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table +\label{tbl:ledoutput} + +\begin{tabular}{|| l | c | l ||} \hline +% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ +% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline + \hline + \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ + \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + + + \hline + FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + + FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\ + & & \\ \hline + + FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ \hline + + + FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline + + + FC6: Software SetLEDs & Incorrect Indication & IndicationError \\ + fails to set outputs correctly & Post condition failure & \\ \hline + + + +\end{tabular} +\end{table} +} + + + + +\begin{figure}[h] + \centering + \includegraphics[width=300pt]{./CH5_Examples/euler_led_output.png} + % euler_heater_output.png: 392x141 pixel, 
72dpi, 13.83x4.97 cm, bb=0 0 392 141 + \caption{Euler diagram showing LEDOutput with its three LEDs and GPIO hardware elements, and its + and its software component setLEDS.} + \label{fig:eulerheateroutput} +\end{figure} + + + + + + + + + + + + + + + + + + + + %OK STOP AT PID and follow the other data flows until we are ready to bring them to the top: i.e. %
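Review bot: in the software.tex hunk at @@ -1118, the commit's stated purpose (every post-condition appears in the FMMD tables) is only half met: output\_control's post condition ("sets the correct value into the PWM register") is covered by FC3 in table heateroutput but is not marked as a post-condition failure the way FC6 in table ledoutput is ("Post condition failure"), and the LED analysis never states its derived component's failure modes although the heater analysis does; add a matching `$$fm(LEDOutput) = \{ FailureIndicated, IndicationError \}$$` after table ledoutput and tag FC3 as the post-condition violation. Several LaTeX defects in the same hunk: the LED figure reuses `\label{fig:eulerheateroutput}` (multiply-defined label; should be something like `fig:eulerledoutput`) and still carries the heater figure's `% euler_heater_output.png` comment, its caption repeats "and its and its", `\begin{table}[h+]` produces "Unknown float option `+'" (use `[h!]` or `[ht]`), and cells such as `$ PWM stuck HIGH $` are set in math mode, which drops the spaces and italicises the words; use plain text or `\texttt{}` for names. Wording: "The post condition is that is sets" should read "that it sets"; the function is spelled setLEDs, setLEDS and SetLEDs across the hunk and "LEDS"/"LEDs" alternate, so pick one form; "general purpose (GPIO) I/O pins" should be "general purpose I/O (GPIO) pins". Finally, FC4/FC5 assume an active-low LED drive (GPIO stuck HIGH gives LED permanently OFF); state that assumption in the text, since the pre-condition only says the GPIO is connected to working LEDs.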
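Review bot: the copy.tex hunk is an unrelated wording fix (math mode for $2^N$ and $N^2$, "ploynomial" to "polynomial") riding along in a commit whose subject is the FMMD tables; the change is correct, but it would be cleaner as its own commit. While touching that sentence, note that a bare "i.e. an exponential" gets LaTeX end-of-sentence spacing after the full stop; "i.e.\ an exponential" or "i.e., an exponential" avoids it, in both places on that line.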