diff --git a/mybib.bib b/mybib.bib index 1db2cc4..fa3e5ff 100644 --- a/mybib.bib +++ b/mybib.bib @@ -72,11 +72,18 @@ ISSN={Doi:10.1145/2330667.2330683},} @BOOK{scsh, AUTHOR = "D. Smith", - TITLE = "Safety Critical Stystems Handbook, 3rd Ed. ISBN 978-0-08-096781-3", + TITLE = "Safety Critical Systems Handbook, 3rd Ed. ISBN 978-0-08-096781-3", PUBLISHER = "Butterworth HeinemannH", YEAR = "2011" } +@BOOK{fpodsadsp, + AUTHOR = "Robert D Strum and Donald E. Kirk", + TITLE = "First Principles of discrete Systems and Digital Signal Processing ISBN 0-201-09518-1", + PUBLISHER = "Addison-Wesley", + YEAR = "1988" +} + @ARTICLE{embedsfmea, AUTHOR = "Peter L. Goddard", TITLE = "Validating The Safety of Embedded Real-Time Control Systems using FMEA", diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex index b00e61e..3e0456f 100644 --- a/submission_thesis/CH1_introduction/copy.tex +++ b/submission_thesis/CH1_introduction/copy.tex 
@@ -30,9 +30,47 @@ firstly looking at electronic circuits and then at electronic/software hybrid sy } \section{Introduction} +The motivation for this study came form two sources, one academic and the other +practical. I had recently completed an +Msc and my project was to create an Euler/Spider Diagram editor in Java. +This editor allowed the user to draw Euler/Spider diagrams, and could then +represent these as abstract---or mathematical---definitions. +At work, writing embedded `C' and assembly language code for safety critical +industrial burners, we were faced with a new and daunting requirement. +Conformance to the latest European standard, EN298. It appeared to ask for the impossible, +not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC +triple fail safe control of valves), it had one new clause in it, that had far reaching consequences. +It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller +applies all possible safety measures to stop fuel entering the burner---it could not become dangerous should another fault occur. +In short this meant we had to be able to deal with double failures. +Any of the components that could, in failing create a dangerous state, were already +documented and approved using failure mode effects analysis (FMEA). This new requirement +effectively meant that any all combinations of component failures were +now required to be analysed. This, from a state explosion problem alone, +meant that it was going to be virtually impossible to perform. +% +Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind +the fast Fourier transform (FFT)~\cite{fpodsadsp}[Ch.8], which takes a complex intermeshed series of real and imaginary number calculations +and by de-composing them simplifies the problem. 
+My reasoning was that were I to analyse the problem in small modules, from the bottom-up following the FFT example, I could apply +checking for all double failure scenarios. +Once these first modules were analysed, I now call them {\fgs}, I could determine the symptoms of failure for them +Using the symptoms of failure, I could now treat these modules as components, now called {\dcs}, and use them to build higher level +modules. I could apply double simultaneous failure mode checking, because the number of components +in each module/{\fg} was quite small---thus avoiding state explosion problems, but I could apply +double checking all the way up the hierarchy. In fact this meant, as a by-product that many multiple as well as double +failures would be analysed. -Msc project Euler/Spider Diagram editor --- Euler/Spider Diagrams + +Euler/Spider Diagrams could be used to model failure modes in components. +Contours could represent failure modes, and the spider diagram +`existential~points' instances of failure modes. +By drawing a spider collecting existential points, a common failure symptom could +be determined and from this a new diagram generated automatically, to represent the {\dc}. +Each spider represented a derived failure mode. +These concepts were presented at the ``Euler~2004''~\cite{Clark200519} conference at Brighton University. + --- 2005 paper --- need for static analysis because of high reliability of modern safety critical systems.
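Review bot: in the `mybib.bib` hunk, the `scsh` fix only corrects `Stystems` and leaves the neighbouring typo `PUBLISHER = "Butterworth HeinemannH"` (stray trailing `H`) untouched; worth fixing in the same change. The new `fpodsadsp` entry has two more: `AUTHOR = "Robert D Strum and Donald E. Kirk"` is missing the period after the middle initial `D`, and `First Principles of discrete Systems` should capitalise `Discrete` in the title. Both entries also embed the ISBN in `TITLE`, so it is typeset as part of the title; moving it to an `isbn = "..."` field keeps the title clean (styles that do not know the field simply ignore it). The context line `ISSN={Doi:10.1145/2330667.2330683},}` in the preceding entry labels a DOI as an ISSN and could be corrected to a `doi` field in a follow-up.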
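Review bot: in the `copy.tex` hunk, the added introduction has several typos and one sentence that never reaches a main verb. Typos: `came form two sources` should be `from`; `Msc` should be `MSc`; `any all combinations of component failures` should drop `any`; `I could determine the symptoms of failure for them` is missing its full stop before `Using the symptoms of failure`; `Conformance to the latest European standard, EN298.` is a fragment that belongs to the preceding sentence. The sentence beginning `Following the concept of de-composing a problem, and thus simplifying the state explosion---using the thinking behind the fast Fourier transform (FFT)` ends at `simplifies the problem.` without a main clause; joining it to the following `My reasoning was that...` sentence or rewriting it as a full sentence would fix it. The citation `\cite{fpodsadsp}[Ch.8]` places the chapter after the key, so `[Ch.8]` is typeset as literal text; the optional argument goes first: `\cite[Ch.~8]{fpodsadsp}`. The macros `{\fgs}`, `{\dcs}` and `{\dc}` are not defined in this hunk and are assumed to come from the preamble. Finally, the trailing context line `--- 2005 paper --- need for static analysis because of high reliability of modern safety critical systems.` is an outline note of the same kind as the removed `-Msc project Euler/Spider Diagram editor` line and now sits in the typeset prose; either expand it or prefix it with `%` so it does not render.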