From e7d791ceb5b43bcc470b1fd2b181de496d5a543b Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 12 Jan 2013 11:48:28 +0000 Subject: [PATCH] JMC pr, additional claim on FMMD identifying unobservable failure modes. --- submission_thesis/CH5_Examples/software.tex | 45 +++++++++++++-------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index 068c08b..8212fda 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex @@ -505,6 +505,7 @@ We analyse this hardware/software combined {\fg}. { \tiny \begin{table}[h+] +\center \caption{$G_2$: Failure Mode Effects Analysis} % title of Table \label{tbl:radc} @@ -582,6 +583,7 @@ software component $read\_4\_20\_input$, i.e. $G_3 = \{read\_4\_20\_input, RADC\ { \tiny \begin{table}[h+] +\center \caption{$G_3$: Read\_4\_20: Failure Mode Effects Analysis} % title of Table \label{tbl:r420i} @@ -801,8 +803,8 @@ In all `bare~metal'\footnote{`Bare~metal' is a term used to indicate a micro-pro controlled system that does not use a traditional operating system.} software architectures, we need a rudimentary operating system, often referred to as the `monitor'. % -We bear in mind that PID, because the algorithm depends heavily on integral calculus is time sensitive -and we therefore need to call at precise intervals determined by its proportional, integral and differential (PID) coefficients. +We bear in mind that PID, because the algorithm depends heavily on integral calculus~\cite{dcods}[Ch.3.3] it is time sensitive +and we therefore need to execute it at precise intervals determined by its proportional, integral and differential (PID) coefficients. % Most micro-controllers feature several general purpose timers~\cite{pic18f2523}. We can use an internal timer in conjunction with the monitor function 
@@ -851,7 +853,7 @@ demand which will be returned to the monitor function). The PID demand value will be applied via the PWM. We now have a rudimentary closed loop control system incorporating both hardware and software. % -By using the Yourdon methodology we obtain a the programmatic design i.e. we define a call tree structure. +By using the Yourdon methodology we obtain a programmatic design frame-work i.e. a call tree structure. % We now have all the components, i.e. hardware elements and software functions that will be used in the temperature controller. @@ -878,14 +880,14 @@ Identified electronic components: -\subsection{Temperature Controller Hardware Elements FMMD} +\subsection{Temperature Controller Hardware Elements FMMD.} \paragraph{ACDMUX and Read\_ADC} We re-use this derived component from section~\ref{readADC}. $$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$ -\paragraph{TIMER} +\paragraph{TIMER.} The internal timer in use is a register which when read returns an incremented time value. Using two's complement mathematics, by subtracting 
@@ -895,20 +897,20 @@ We can say that a timer can fail by incrementing its value at an incorrect rate, or can stop incrementing. $$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$ -\paragraph{HEATER} +\paragraph{HEATER.} A heating element is typically some configuration of resistive wire. It therefore has the same failure modes as a resistor and we can state $$fm(HEATER) = \{ OPEN, SHORT \}$$ -\paragraph{Pt100 Platinum Temperature Sensor} +\paragraph{Pt100 Platinum Temperature Sensor.} The Pt100 four wire configuration is analysed in section~\ref{sec:Pt100} $$ fm(Pt100) = \{ OUT\_OF\_RANGE \} $$ -\paragraph{PWM} +\paragraph{PWM.} %The PWM, in use, is a hardware register written to with an integer value~\cite{pic182523}[Ch.15]. -From a programmatic perspective a PWM output is a register that software writes -an unsigned magnitude value to~\cite{pic18f2523}[Ch.15]. +From a programmatic perspective a PWM output is a register to which software writes +an unsigned magnitude value~\cite{pic18f2523}[Ch.15]. The PWM hardware module applies this using a mark space ratio proportional to that value, providing a means of varying the amount of power supplied. @@ -917,7 +919,7 @@ will typically be held in a high or low state. We therefore state: $$ fm(PWM) = \{ HIGH, LOW \}.$$ -\paragraph{Micro-Controller} +\paragraph{Micro-Controller.} The Micro controller is a complex piece of highly integrated electronics. Typically, along with a micro-processor with PROM and RAM, they have many I/O modules including UARTS, PWM, ADCMUX, CAN General I/O and interrupt lines to name but a few. 
@@ -1130,7 +1132,7 @@ The post-condition is that it outputs correct control values. % and controll values..... Jitter might not matter, wrong int times would % controlling function provdes context of use. Those familiar with the PID algorithm may realise that digital signal processing algorithms are sensitive to calling frequency. -Were this function to be called at an incorrect rate its output +Were this function to be called at an incorrect rate, its output would be wrong (the differential and integral parameters would effectively have been changed). % However this problem is a failure mode for the function calling it. @@ -1358,7 +1360,7 @@ anything going wrong! The common causes for software failing are: \item ROM memory failures; \item Unintended behaviour of software. \end{itemize} -Because the software is running on a medium, that of the processor or micro-controller +Because the software is running on a medium, that of the processor or micro-controller, our design at the final or highest level (see table~\ref{tbl:pid}), must include all possible failure modes of this medium i.e. $$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED \}.$$ We perform the final FMMD stage by forming a functional group with the {\dcs} @@ -1445,7 +1447,8 @@ The post condition for the monitor function is that it implements the PID contro We can now create a {\dc} for the standalone temperature controller, and give it the name TempController. It will have the following failure modes: -$$fm ( TempController ) = \{ ControlFailureIndicated, ControlFailure, KnownIndicationError, UnknownIndicationError \}.$$ +$$fm ( TempController ) = \{ ControlFailureIndicated, ControlFailure, \\ +KnownIndicationError, UnknownIndicationError \}.$$ We can now represent this failure mode analysis as an Euler diagram, see figure~\ref{fig:euler_temp_controller}. 
@@ -1462,8 +1465,18 @@ We can now represent this failure mode analysis as an Euler diagram, see figure~ \subsection{Conclusion: Standalone system, PID Temperature Controller} The PID temperature control example above, shows that complete hybrid software/electronic systems can be -modelled using FMMD. The analysis has revealed system level failure modes that are un-handled and some that are unobservable, -but the FMMD analysis shows which failure modes they are. For the failure modes caused +modelled using FMMD. +% +The analysis has revealed system level failure modes that are un-handled and some that are unobservable, +but using the FMMD analysis we can trace to the low level modules that are the cause of unobservable +failure modes. +% +This means that by using FMMD, we can identify the sub-systems which require +re-design to eliminate unobservable failure modes. +The demands of EN61508~\cite{en61508} for minimum safe failure fraction~\cite{scsh}[p.52] thresholds associated with +SIL levels, make this a desirable feature of any FMEA based methodology. +% +For the failure modes caused by electronics we can apply reliability statistics. % For software errors, we could, if necessary provide extra functions to provide self checking.
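Review bot: `\center` is not the LaTeX centering declaration. It is the internal start of the `center` environment and, with no matching `\end{center}`, leaves the environment open inside the float, which may work by accident but is fragile. In both the `tbl:radc` and `tbl:r420i` hunks, replace the added `\center` with `\centering`. While in those lines, `[h+]` is not a valid float placement option either; `[h!]` or `[ht]` is presumably what is intended.

Review bot: the rewritten PID sentence still has no verb for its subject: "We bear in mind that PID, because the algorithm depends heavily on integral calculus ... it is time sensitive". Suggest "We bear in mind that PID is time sensitive, because the algorithm depends heavily on integral calculus~\cite{dcods}[Ch.3.3], and we therefore need to execute it at precise intervals ...". Separately, `\cite{dcods}[Ch.3.3]` typesets "[Ch.3.3]" as literal text after the citation; the LaTeX form is `\cite[Ch.3.3]{dcods}`. The same pattern is already in the file (`\cite{pic18f2523}[Ch.15]`) and is introduced again in the conclusion hunk (`\cite{scsh}[p.52]`), so fix it consistently.

Review bot: in the Yourdon sentence, "frame-work" should be "framework", and "i.e." needs a preceding comma: "we obtain a programmatic design framework, i.e. a call tree structure."

Review bot: adding a full stop to the `\subsection{Temperature Controller Hardware Elements FMMD.}` title is inconsistent with the other subsection titles visible here (e.g. "Conclusion: Standalone system, PID Temperature Controller" has none). The trailing periods on the `\paragraph` run-in headings are a reasonable style choice; the one in the subsection title should be dropped.

Review bot: `\\` inside plain `$$ ... $$` display math does not produce a line break, so the `fm ( TempController )` set will still come out as one overlong line (or error, depending on the class). Assuming amsmath is available, use `\begin{multline*} ... \\ ... \end{multline*}` (or `split`) instead.

Review bot: the conclusion hunk's new claim, that the FMMD analysis lets us trace unobservable failure modes to the low level modules causing them, is the substance of this commit but gives the reader nothing to check it against. Add a pointer to where that trace is shown, e.g. the final level table~\ref{tbl:pid} referenced in the earlier hunk or figure~\ref{fig:euler_temp_controller}. Also, "The demands of EN61508 ... thresholds associated with SIL levels, make this a desirable feature" has a comma separating subject and verb; remove the comma after "levels".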