JMC pr, additional claim on FMMD

identifying unobservable failure modes.
Robin Clark 2013-01-12 11:48:28 +00:00
parent 392eed1d2b
commit e7d791ceb5


@ -505,6 +505,7 @@ We analyse this hardware/software combined {\fg}.
{
\tiny
\begin{table}[h+]
\center
\caption{$G_2$: Failure Mode Effects Analysis} % title of Table
\label{tbl:radc}
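Review bot: `\begin{table}[h+]` is not a valid float placement; LaTeX will warn "Unknown float option `+', ignored" and fall back to `h` alone, which is also the placement most likely to be rejected. Use `[ht]` or `[!ht]` (or `[H]` with the `float` package). The bare `\center` on the next line opens a `center` environment that is never closed; inside a float the idiomatic form is `\centering`, which avoids the extra vertical space.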
@ -582,6 +583,7 @@ software component $read\_4\_20\_input$, i.e. $G_3 = \{read\_4\_20\_input, RADC\
{
\tiny
\begin{table}[h+]
\center
\caption{$G_3$: Read\_4\_20: Failure Mode Effects Analysis} % title of Table
\label{tbl:r420i}
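Review bot: same placement problem as in the `tbl:radc` table above: `[h+]` is not a legal option for `table` and `+` is silently dropped; `[ht]` or `[!ht]` is what is intended, and `\center` should be `\centering` here as well.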
@ -801,8 +803,8 @@ In all `bare~metal'\footnote{`Bare~metal' is a term used to indicate a micro-pro
controlled system that does not use a traditional operating system.}
software architectures, we need a rudimentary operating system, often referred to as the `monitor'.
%
We bear in mind that PID, because the algorithm depends heavily on integral calculus is time sensitive
and we therefore need to call at precise intervals determined by its proportional, integral and differential (PID) coefficients.
We bear in mind that PID, because the algorithm depends heavily on integral calculus~\cite{dcods}[Ch.3.3] it is time sensitive
and we therefore need to execute it at precise intervals determined by its proportional, integral and differential (PID) coefficients.
%
Most micro-controllers feature several general purpose timers~\cite{pic18f2523}.
We can use an internal timer in conjunction with the monitor function
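Review bot: the rewritten sentence does not parse: "We bear in mind that PID, because the algorithm depends heavily on integral calculus ... it is time sensitive" has both "PID" and "it" as subjects of "is". Suggest "We bear in mind that, because the PID algorithm depends heavily on integral calculus~\cite[Ch.3.3]{dcods}, it is time sensitive". Note also that the citation is written as `\cite{dcods}[Ch.3.3]`; the page reference belongs in the optional argument before the key (`\cite[Ch.3.3]{dcods}`), otherwise "[Ch.3.3]" is typeset as literal text after the citation.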
@ -851,7 +853,7 @@ demand which will be returned to the monitor function).
The PID demand value will be applied via the PWM.
We now have a rudimentary closed loop control system incorporating both hardware and software.
%
By using the Yourdon methodology we obtain a the programmatic design i.e. we define a call tree structure.
By using the Yourdon methodology we obtain a programmatic design frame-work i.e. a call tree structure.
%
We now have all the components, i.e. hardware elements and software functions
that will be used in the temperature controller.
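Review bot: "frame-work" should be the single word "framework" (the hyphenated form is not used elsewhere in the chapter), and a comma after "i.e." would match the punctuation used in the surrounding text.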
@ -878,14 +880,14 @@ Identified electronic components:
\subsection{Temperature Controller Hardware Elements FMMD}
\subsection{Temperature Controller Hardware Elements FMMD.}
\paragraph{ACDMUX and Read\_ADC}
We re-use this derived component from section~\ref{readADC}.
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{TIMER}
\paragraph{TIMER.}
The internal timer in use is a register which when read
returns an incremented time value.
Using two's complement mathematics, by subtracting
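Review bot: adding a trailing period to `\subsection{... FMMD.}` is inconsistent with the other `\subsection` titles in the file (e.g. the Conclusion subsection later in this commit) and the period will also appear in the table of contents. Run-in `\paragraph` headings conventionally take the terminating period, so the `\paragraph{TIMER.}` changes are fine; the `\subsection` change should be reverted.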
@ -895,20 +897,20 @@ We can say that a timer can fail by
incrementing its value at an incorrect rate, or can stop incrementing.
$$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$
\paragraph{HEATER}
\paragraph{HEATER.}
A heating element is typically some configuration of resistive wire.
It therefore has the same failure modes as a resistor and we can state
$$fm(HEATER) = \{ OPEN, SHORT \}$$
\paragraph{Pt100 Platinum Temperature Sensor}
\paragraph{Pt100 Platinum Temperature Sensor.}
The Pt100 four wire configuration is analysed in section~\ref{sec:Pt100}
$$ fm(Pt100) = \{ OUT\_OF\_RANGE \} $$
\paragraph{PWM}
\paragraph{PWM.}
%The PWM, in use, is a hardware register written to with an integer value~\cite{pic182523}[Ch.15].
From a programmatic perspective a PWM output is a register that software writes
an unsigned magnitude value to~\cite{pic18f2523}[Ch.15].
From a programmatic perspective a PWM output is a register to which software writes
an unsigned magnitude value~\cite{pic18f2523}[Ch.15].
The PWM hardware module
applies this using a mark space ratio proportional to that value, providing
a means of varying the amount of power supplied.
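Review bot: `~\cite{pic18f2523}[Ch.15]` puts the chapter reference outside the citation command, so "[Ch.15]" is typeset as plain text; the correct form is `\cite[Ch.15]{pic18f2523}`. The commented-out line above it also uses the key `pic182523`, which differs from the `pic18f2523` key used everywhere else; worth correcting or deleting so it is not copied back in later.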
@ -917,7 +919,7 @@ will typically be held in a high or low state.
We therefore state:
$$ fm(PWM) = \{ HIGH, LOW \}.$$
\paragraph{Micro-Controller}
\paragraph{Micro-Controller.}
The Micro controller is a complex piece of highly integrated electronics.
Typically, along with a micro-processor with PROM and RAM, they have many I/O modules including UARTS, PWM, ADCMUX, CAN
General I/O and interrupt lines to name but a few.
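Review bot: three spellings appear within four lines: `Micro-Controller` in the heading, "Micro controller" in the first sentence, and "micro-controller" elsewhere in the chapter; pick one. The list in the second sentence also needs a comma between "CAN" and "General I/O", and "UARTS" should be "UARTs".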
@ -1130,7 +1132,7 @@ The post-condition is that it outputs correct control values.
% and controll values..... Jitter might not matter, wrong int times would
% controlling function provdes context of use.
Those familiar with the PID algorithm may realise that digital signal processing algorithms are sensitive to calling frequency.
Were this function to be called at an incorrect rate its output
Were this function to be called at an incorrect rate, its output
would be wrong (the differential and integral parameters would effectively have been changed).
%
However this problem is a failure mode for the function calling it.
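Review bot: the added comma after "incorrect rate" is correct; for consistency the following sentence should read "However, this problem is a failure mode of the function calling it", since the point being made is that calling-rate errors are attributed to the caller rather than to the PID function itself.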
@ -1358,7 +1360,7 @@ anything going wrong! The common causes for software failing are:
\item ROM memory failures;
\item Unintended behaviour of software.
\end{itemize}
Because the software is running on a medium, that of the processor or micro-controller
Because the software is running on a medium, that of the processor or micro-controller,
our design at the final or highest level (see table~\ref{tbl:pid}), must include all possible failure modes of this medium i.e.
$$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED \}.$$
We perform the final FMMD stage by forming a functional group with the {\dcs}
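Review bot: in `$$fm (micro-controller) = ...$$` the hyphen is in math mode and will be typeset as a minus sign between the italic letters "micro" and "controller". Every other `fm(\ldots)` in this section uses an upright identifier such as `fm(TIMER)` or `fm(PWM)`; write `fm(\mathit{micro\_controller})` or `fm(MICROCONTROLLER)` so the component name is a single identifier.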
@ -1445,7 +1447,8 @@ The post condition for the monitor function is that it implements the PID contro
We can now create a {\dc} for the standalone temperature controller, and give it the name TempController.
It will have the following failure modes:
$$fm ( TempController ) = \{ ControlFailureIndicated, ControlFailure, KnownIndicationError, UnknownIndicationError \}.$$
$$fm ( TempController ) = \{ ControlFailureIndicated, ControlFailure, \\
KnownIndicationError, UnknownIndicationError \}.$$
We can now represent this failure mode analysis as an Euler diagram, see figure~\ref{fig:euler_temp_controller}.
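Review bot: `\\` inside `$$ ... $$` does not produce a line break; in plain display math it is ignored, so the replaced equation will still overflow the line exactly as before. To break the set across two lines use `\begin{multline*} ... \\ ... \end{multline*}` or `\begin{equation*}\begin{split} ... \\ ... \end{split}\end{equation*}` from `amsmath`, which the `\ldots`-style set notation elsewhere in the chapter already permits.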
@ -1462,8 +1465,18 @@ We can now represent this failure mode analysis as an Euler diagram, see figure~
\subsection{Conclusion: Standalone system, PID Temperature Controller}
The PID temperature control example above, shows that complete hybrid software/electronic systems can be
modelled using FMMD. The analysis has revealed system level failure modes that are un-handled and some that are unobservable,
but the FMMD analysis shows which failure modes they are. For the failure modes caused
modelled using FMMD.
%
The analysis has revealed system level failure modes that are un-handled and some that are unobservable,
but using the FMMD analysis we can trace to the low level modules that are the cause of unobservable
failure modes.
%
This means that by using FMMD, we can identify the sub-systems which require
re-design to eliminate unobservable failure modes.
The demands of EN61508~\cite{en61508} for minimum safe failure fraction~\cite{scsh}[p.52] thresholds associated with
SIL levels, make this a desirable feature of any FMEA based methodology.
%
For the failure modes caused
by electronics we can apply reliability statistics.
%
For software errors, we could, if necessary provide extra functions to provide self checking.
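Review bot: two grammar points in the new conclusion text. "The PID temperature control example above, shows that ..." separates subject from verb with a comma; drop it. "we could, if necessary provide extra functions" needs the closing comma: "we could, if necessary, provide". As in the earlier hunks, `\cite{scsh}[p.52]` should be `\cite[p.52]{scsh}` so the page reference is part of the citation, and "un-handled" is more usually written "unhandled".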