C Garret comments on CH6
This commit is contained in:
Robin Clark
parent
504bf7b8e1
commit
fa08768746
@ -9,18 +9,20 @@ In this chapter we show that FMMD can be applied to both software and electroni
|
||||
of typical modern safety critical systems.
|
||||
With modular FMEA i.e. FMMD %(FMMD)
|
||||
we have the concepts of failure~modes
|
||||
of components, {\fgs} and symptoms of failure for a functional group.
|
||||
of components, {\fgs} and symptoms of failure. % for a functional group.
|
||||
%
|
||||
A programmatic function has similarities with a {\fg} as defined by the FMMD process.
|
||||
A programmatic function has similarities with these concepts. %a {\fg} as defined by the FMMD process.
|
||||
%
|
||||
An FMMD {\fg} is placed into a hierarchy.
|
||||
A software function is typically placed into the hierarchy of its call-tree.
|
||||
A software function calls other functions and uses data sources via hardware interaction, which could be viewed as its `components':
|
||||
An FMMD {\fg} is placed into a hierarchy, likewise
|
||||
a software function is typically placed into the hierarchy of its call-tree.
|
||||
A software function calls other functions and uses data sources %via hardware interaction
|
||||
which could be viewed as its `components':
|
||||
it has outputs, i.e. it can perform actions on data or hardware.
|
||||
%which will be used by other functions that may call it.
|
||||
%
|
||||
We show that we can map a software function to a {\fg} in FMMD: its failure modes
|
||||
are the failure modes of the software components (other functions it calls)
|
||||
are the failure modes of the software components %(other functions
|
||||
it calls %)
|
||||
and the hardware from which it reads values.
|
||||
Its outputs are the data it changes, or the hardware actions it performs.
|
||||
%%
|
||||
@ -38,7 +40,7 @@ We apply the FMMD process to software functions by viewing them in terms of thei
|
||||
As software already fits into a hierarchy we have one less analysis decision to make, compared
|
||||
to analysing electronics.
|
||||
%
|
||||
For Electronics and Mechanical systems, although we may be guided by the original designers
|
||||
For electrical and mechanical systems, although we may be guided by the original designers
|
||||
concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs}
|
||||
and the subsequent hierarchy.
|
||||
%
|
||||
@ -74,13 +76,13 @@ be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}.
|
||||
Because of this we can assume direct call trees~\footnote{A typical embedded system
|
||||
will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions
|
||||
from the top down and eventually call the lowest level library or IO
|
||||
functions that interact with hardware/electronics.
|
||||
functions that interact with hardware.%/electronics.
|
||||
|
||||
What is potentially difficult with a software function, is deciding what
|
||||
its failure modes and symptoms are.
|
||||
With electronic components, we can use literature to point us to suitable sets of
|
||||
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}.
|
||||
With software, only some library functions are well known and rigorously documented
|
||||
With software only some library functions are well known and rigorously documented
|
||||
enough to have the equivalent of known failure modes.
|
||||
Most software is `bespoke'.
|
||||
%
|
||||
@ -90,7 +92,7 @@ We can use definitions from contract programming to assist here.
|
||||
|
||||
\subsection{Contract programming description}
|
||||
|
||||
Contract programming is a discipline~\cite{dbcbe} for building software functions in a controlled
|
||||
Contract programming~\cite{dbcbe} is a discipline for building software functions in a controlled
|
||||
and traceable way. Each function is subject to pre-conditions (constraints on its inputs),
|
||||
post-conditions (constraints on its outputs) and function wide invariants (rules).
|
||||
|
||||
@ -105,11 +107,15 @@ to operate successfully.
|
||||
%
|
||||
%If we consider a software function to be a {\fg} in the FMMD sense, i.e.
|
||||
We can consider a software function to be
|
||||
a collection of code, functions called and values/variables used.
|
||||
a collection of code, functions called and %values/
|
||||
variables used.
|
||||
%
|
||||
In this way it is similar to an electronic circuit, which is a collection
|
||||
of components connected in a specific way.
|
||||
%
|
||||
Using this analogy for software, the connections are the functions code, and the
|
||||
called functions and variables are the components.
|
||||
called functions %and variables
|
||||
are the components.
|
||||
%
|
||||
Erroneous behaviour from called functions and variables/inputs has the same effect as component failure modes
|
||||
on an electronic {\fg}.
|
||||
@ -158,7 +164,7 @@ violations could simply occur.
|
||||
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
|
||||
|
||||
Invariants in contract programming may apply to inputs to the function (where violations can be considered {\fms} in FMMD terminology),
|
||||
and to outputs (where violations can be considered {failure symptoms} in FMMD terminology).
|
||||
and to outputs (where violations can be considered {failure modes} in FMMD terminology).
|
||||
|
||||
|
||||
\subsection{Combined Hardware/Software FMMD}
|
||||
@ -167,26 +173,25 @@ For the purpose of example, we chose a simple common safety critical industrial
|
||||
that is nearly always used in conjunction with a programmatic element.
|
||||
A common method for delivering a quantitative value in analogue electronics is
|
||||
to supply a current signal to represent the value to be sent~\cite{aoe}[p.934].
|
||||
%
|
||||
Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale,
|
||||
and this is referred to as {\ft} signalling.
|
||||
and this is referred to as {\ft} signalling which has intrinsic electrical safety advantages.
|
||||
%
|
||||
{\ft} signalling has intrinsic electrical safety advantages.
|
||||
%
|
||||
Because the current in a loop is constant~\cite{aoe}[p.20],
|
||||
resistance in the wires between the source and receiving end is not an issue
|
||||
that can alter the accuracy of the signal.
|
||||
%
|
||||
%This circuit has many advantages for safety.
|
||||
If the signal becomes disconnected
|
||||
it reads $0mA$ at the receiving end: as this is outside the {\ft} range,
|
||||
it is easily detectable as an error condition rather than an incorrect value.
|
||||
%
|
||||
Should the driving electronics go wrong at the source end, it will usually
|
||||
supply far too little or far too much current, also making error conditions easy to detect.
|
||||
%
|
||||
At the receiving end, we only require one simple component to convert the
|
||||
current signal into a voltage that we can read with an AD---a resistor---given
|
||||
its properties defined by Ohms law. % the humble resistor!
|
||||
% Because the current in a loop is constant~\cite{aoe}[p.20],
|
||||
% resistance in the wires between the source and receiving end is not an issue
|
||||
% that can alter the accuracy of the signal.
|
||||
% %
|
||||
% %This circuit has many advantages for safety.
|
||||
% If the signal becomes disconnected
|
||||
% it reads $0mA$ at the receiving end: as this is outside the {\ft} range,
|
||||
% it is easily detectable as an error condition rather than an incorrect value.
|
||||
% %
|
||||
% Should the driving electronics go wrong at the source end, it will usually
|
||||
% supply far too little or far too much current, also making error conditions easy to detect.
|
||||
% %
|
||||
% At the receiving end, we only require one simple component to convert the
|
||||
% current signal into a voltage that we can read with an AD---a resistor---given
|
||||
% its properties defined by Ohms law. % the humble resistor!
|
||||
|
||||
|
||||
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
|
||||
@ -224,7 +229,8 @@ Our acceptable voltage range is therefore
|
||||
|
||||
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
|
||||
|
||||
This voltage range forms our input requirement and can be considered as an invariant condition.
|
||||
This voltage range forms our input requirement and can be considered as an invariant condition (i.e. both a pre-condition and a postcondition
|
||||
for the system to be operating correctly the voltage should be within the above bounds).
|
||||
%
|
||||
We can now examine a software function that performs a conversion from the voltage read to
|
||||
a per~mil representation of the {\ft} input current.
|
||||
@ -380,8 +386,9 @@ We now apply FMMD starting with the hardware.
|
||||
|
||||
This functional group contains the load resistor
|
||||
and the physical Analogue to Digital Converter (ADC).
|
||||
Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$.
|
||||
We now determine the {\fms} of all the components in $G_1$.
|
||||
%Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$.
|
||||
%We now determine the {\fms} of all the components in $G_1$.
|
||||
We now determine the {\fms} of all the components in the {\fg}.
|
||||
For the resistor we can use a failure mode set from the literature~\cite{en298}.
|
||||
Where the function $fm$ returns a set of failure modes for a given component we can state:
|
||||
|
||||
@ -479,7 +486,8 @@ which we can call $ CHAN\_NO $.
|
||||
The reference voltage for the ADC has a 0.1\% accuracy requirement.
|
||||
%
|
||||
If the reference value is outside this, it is also a {\fm}
|
||||
of this function, which we can call $V\_REF$.
|
||||
of this function, which we can call $V\_REF$ (this failure mode is observable
|
||||
only if we specifically use a test input to measure the reference).
|
||||
|
||||
Taken as a component for use in FMEA/FMMD our function has
|
||||
two failure modes. We can therefore treat it as a generic component, $Read\_ADC$,
|
||||
@ -721,28 +729,30 @@ Using FMMD we can determine an accurate failure model for the interface as well~
|
||||
|
||||
\section{Closed Loop Control Hardware/Software Hybrid Example}
|
||||
|
||||
It is desirable to model a complete standalone system with FMMD.
|
||||
Not only a standalone system, but ideally a hybrid software/hardware system.
|
||||
It is desirable to model a complete standalone system with FMMD,
|
||||
not only a standalone system, but ideally a hybrid software/hardware system.
|
||||
%
|
||||
Temperature control is a first order differential problem, and is often
|
||||
addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66].
|
||||
Traditionally this was performed in analogue electronics
|
||||
with trimmer potentiometers providing the P and I parameters.
|
||||
Since the introduction of micro-processors, it has been possible to
|
||||
implement PID pro-grammatically.
|
||||
An FMMD analysis of a PID temperature controller would mean an
|
||||
analysis of a realistic standalone system without being it becoming an un-wieldingly large task.
|
||||
\paragraph{The PID Temperature Control Algorithm.}
|
||||
PID control starts with a setpoint, or desired value for a process
|
||||
(here the temperature). It reads the process value and determines an error value for it.
|
||||
The aim of the PID controller is to minimise this error term, by setting an output value,
|
||||
which is fed back into the process (in this example the amount of power to supply the heater).
|
||||
The error value is integrated and multiplied by an I constant.
|
||||
A differential of the error value is calculated and multiplied by a D constant.
|
||||
The error value itself is multiplied by a P constant, and all three of these are added
|
||||
to obtain the output required.
|
||||
%
|
||||
A mathematical description of PID with frequency domain modelling (La-Place transforms etc)
|
||||
may be found in~\cite{dcods}[Ch.3.3].
|
||||
Traditionally this was performed in analogue electronics
|
||||
with trimmer potentiometers providing the P,I and D parameters.
|
||||
Since the introduction of micro-processors, it has been possible to
|
||||
implement PID in software. %pro-grammatically.
|
||||
An FMMD analysis of a PID temperature controller is presented. %would mean an
|
||||
%analysis of a realistic standalone system without being it becoming an un-wieldingly large task.
|
||||
% % \paragraph{The PID Temperature Control Algorithm.}
|
||||
% % PID control starts with a setpoint, or desired value for a process
|
||||
% % (here the temperature). It reads the process value and determines an error value for it.
|
||||
% % The aim of the PID controller is to minimise this error term, by setting an output value,
|
||||
% % which is fed back into the process (in this example the amount of power to supply the heater).
|
||||
% % The error value is integrated and multiplied by an I constant.
|
||||
% % A differential of the error value is calculated and multiplied by a D constant.
|
||||
% % The error value itself is multiplied by a P constant, and all three of these are added
|
||||
% % to obtain the output required.
|
||||
% % %
|
||||
% % A mathematical description of PID with frequency domain modelling (La-Place transforms etc)
|
||||
% % may be found in~\cite{dcods}[Ch.3.3].
|
||||
%
|
||||
\subsection{Design Stage: Implementation on a micro-controller.}
|
||||
When designing a computer program it is often useful to
|
||||
|
||||
@ -85,7 +85,7 @@
|
||||
\chapter{FMMD Examples} % {Examples of FMMD applied to electronic circuits}
|
||||
\input{CH5_Examples/copy}
|
||||
|
||||
\chapter{Applying FMMD to Software}
|
||||
\chapter{Applying FMMD to Software and Hybrid Systems}
|
||||
\input{CH5_Examples/software}
|
||||
|
||||
\chapter {FMMD Metrics Critiques Exceptions and Evaluation}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user