diff --git a/submission_thesis/CH5_Examples/software.tex b/submission_thesis/CH5_Examples/software.tex index 9510a03..068c08b 100644 --- a/submission_thesis/CH5_Examples/software.tex +++ b/submission_thesis/CH5_Examples/software.tex @@ -9,18 +9,20 @@ In this chapter we show that FMMD can be applied to both software and electroni of typical modern safety critical systems. With modular FMEA i.e. FMMD %(FMMD) we have the concepts of failure~modes -of components, {\fgs} and symptoms of failure for a functional group. +of components, {\fgs} and symptoms of failure. % for a functional group. % -A programmatic function has similarities with a {\fg} as defined by the FMMD process. +A programmatic function has similarities with these concepts. %a {\fg} as defined by the FMMD process. % -An FMMD {\fg} is placed into a hierarchy. -A software function is typically placed into the hierarchy of its call-tree. -A software function calls other functions and uses data sources via hardware interaction, which could be viewed as its `components': +An FMMD {\fg} is placed into a hierarchy, likewise +a software function is typically placed into the hierarchy of its call-tree. +A software function calls other functions and uses data sources %via hardware interaction +which could be viewed as its `components': it has outputs, i.e. it can perform actions on data or hardware. %which will be used by other functions that may call it. % We show that we can map a software function to a {\fg} in FMMD: its failure modes -are the failure modes of the software components (other functions it calls) +are the failure modes of the software components %(other functions +it calls %) and the hardware from which it reads values. Its outputs are the data it changes, or the hardware actions it performs. %% @@ -38,7 +40,7 @@ We apply the FMMD process to software functions by viewing them in terms of thei As software already fits into a hierarchy we have one less analysis decision to make, compared to analysing electronics. % -For Electronics and Mechanical systems, although we may be guided by the original designers +For electrical and mechanical systems, although we may be guided by the original designers concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy. % @@ -74,13 +76,13 @@ be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}. Because of this we can assume direct call trees~\footnote{A typical embedded system will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions from the top down and eventually call the lowest level library or IO -functions that interact with hardware/electronics. +functions that interact with hardware.%/electronics. What is potentially difficult with a software function, is deciding what its failure modes and symptoms are. With electronic components, we can use literature to point us to suitable sets of {\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}. -With software, only some library functions are well known and rigorously documented +With software only some library functions are well known and rigorously documented enough to have the equivalent of known failure modes. Most software is `bespoke'. % @@ -90,7 +92,7 @@ We can use definitions from contract programming to assist here. \subsection{Contract programming description} -Contract programming is a discipline~\cite{dbcbe} for building software functions in a controlled +Contract programming~\cite{dbcbe} is a discipline for building software functions in a controlled and traceable way. Each function is subject to pre-conditions (constraints on its inputs), post-conditions (constraints on its outputs) and function wide invariants (rules). @@ -105,11 +107,15 @@ to operate successfully. % %If we consider a software function to be a {\fg} in the FMMD sense, i.e. We can consider a software function to be -a collection of code, functions called and values/variables used. +a collection of code, functions called and %values/ +variables used. +% In this way it is similar to an electronic circuit, which is a collection of components connected in a specific way. +% Using this analogy for software, the connections are the functions code, and the -called functions and variables are the components. +called functions %and variables +are the components. % Erroneous behaviour from called functions and variables/inputs has the same effect as component failure modes on an electronic {\fg}. @@ -158,7 +164,7 @@ violations could simply occur. \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} Invariants in contract programming may apply to inputs to the function (where violations can be considered {\fms} in FMMD terminology), -and to outputs (where violations can be considered {failure symptoms} in FMMD terminology). +and to outputs (where violations can be considered {failure modes} in FMMD terminology). \subsection{Combined Hardware/Software FMMD} @@ -167,26 +173,25 @@ For the purpose of example, we chose a simple common safety critical industrial that is nearly always used in conjunction with a programmatic element. A common method for delivering a quantitative value in analogue electronics is to supply a current signal to represent the value to be sent~\cite{aoe}[p.934]. +% Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale, -and this is referred to as {\ft} signalling. +and this is referred to as {\ft} signalling which has intrinsic electrical safety advantages. % -{\ft} signalling has intrinsic electrical safety advantages. -% -Because the current in a loop is constant~\cite{aoe}[p.20], -resistance in the wires between the source and receiving end is not an issue -that can alter the accuracy of the signal. -% -%This circuit has many advantages for safety. -If the signal becomes disconnected -it reads $0mA$ at the receiving end: as this is outside the {\ft} range, -it is easily detectable as an error condition rather than an incorrect value. -% -Should the driving electronics go wrong at the source end, it will usually -supply far too little or far too much current, also making error conditions easy to detect. -% -At the receiving end, we only require one simple component to convert the -current signal into a voltage that we can read with an AD---a resistor---given -its properties defined by Ohms law. % the humble resistor! +% Because the current in a loop is constant~\cite{aoe}[p.20], +% resistance in the wires between the source and receiving end is not an issue +% that can alter the accuracy of the signal. +% % +% %This circuit has many advantages for safety. +% If the signal becomes disconnected +% it reads $0mA$ at the receiving end: as this is outside the {\ft} range, +% it is easily detectable as an error condition rather than an incorrect value. +% % +% Should the driving electronics go wrong at the source end, it will usually +% supply far too little or far too much current, also making error conditions easy to detect. +% % +% At the receiving end, we only require one simple component to convert the +% current signal into a voltage that we can read with an AD---a resistor---given +% its properties defined by Ohms law. % the humble resistor! %BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP @@ -224,7 +229,8 @@ Our acceptable voltage range is therefore $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ -This voltage range forms our input requirement and can be considered as an invariant condition. +This voltage range forms our input requirement and can be considered as an invariant condition (i.e. both a pre-condition and a postcondition +for the system to be operating correctly the voltage should be within the above bounds). % We can now examine a software function that performs a conversion from the voltage read to a per~mil representation of the {\ft} input current. @@ -380,8 +386,9 @@ We now apply FMMD starting with the hardware. This functional group contains the load resistor and the physical Analogue to Digital Converter (ADC). -Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$. -We now determine the {\fms} of all the components in $G_1$. +%Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$. +%We now determine the {\fms} of all the components in $G_1$. +We now determine the {\fms} of all the components in the {\fg}. For the resistor we can use a failure mode set from the literature~\cite{en298}. Where the function $fm$ returns a set of failure modes for a given component we can state: @@ -479,7 +486,8 @@ which we can call $ CHAN\_NO $. The reference voltage for the ADC has a 0.1\% accuracy requirement. % If the reference value is outside this, it is also a {\fm} -of this function, which we can call $V\_REF$. +of this function, which we can call $V\_REF$ (this failure mode is observable +only if we specifically use a test input to measure the reference). Taken as a component for use in FMEA/FMMD our function has two failure modes. We can therefore treat it as a generic component, $Read\_ADC$, @@ -721,28 +729,30 @@ Using FMMD we can determine an accurate failure model for the interface as well~ \section{Closed Loop Control Hardware/Software Hybrid Example} -It is desirable to model a complete standalone system with FMMD. -Not only a standalone system, but ideally a hybrid software/hardware system. +It is desirable to model a complete standalone system with FMMD, +not only a standalone system, but ideally a hybrid software/hardware system. +% Temperature control is a first order differential problem, and is often addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66]. -Traditionally this was performed in analogue electronics -with trimmer potentiometers providing the P and I parameters. -Since the introduction of micro-processors, it has been possible to -implement PID pro-grammatically. -An FMMD analysis of a PID temperature controller would mean an -analysis of a realistic standalone system without being it becoming an un-wieldingly large task. -\paragraph{The PID Temperature Control Algorithm.} -PID control starts with a setpoint, or desired value for a process -(here the temperature). It reads the process value and determines an error value for it. -The aim of the PID controller is to minimise this error term, by setting an output value, -which is fed back into the process (in this example the amount of power to supply the heater). -The error value is integrated and multiplied by an I constant. -A differential of the error value is calculated and multiplied by a D constant. -The error value itself is multiplied by a P constant, and all three of these are added -to obtain the output required. % -A mathematical description of PID with frequency domain modelling (La-Place transforms etc) -may be found in~\cite{dcods}[Ch.3.3]. +Traditionally this was performed in analogue electronics +with trimmer potentiometers providing the P,I and D parameters. +Since the introduction of micro-processors, it has been possible to +implement PID in software. %pro-grammatically. +An FMMD analysis of a PID temperature controller is presented. %would mean an +%analysis of a realistic standalone system without being it becoming an un-wieldingly large task. +% % \paragraph{The PID Temperature Control Algorithm.} +% % PID control starts with a setpoint, or desired value for a process +% % (here the temperature). It reads the process value and determines an error value for it. +% % The aim of the PID controller is to minimise this error term, by setting an output value, +% % which is fed back into the process (in this example the amount of power to supply the heater). +% % The error value is integrated and multiplied by an I constant. +% % A differential of the error value is calculated and multiplied by a D constant. +% % The error value itself is multiplied by a P constant, and all three of these are added +% % to obtain the output required. +% % % +% % A mathematical description of PID with frequency domain modelling (La-Place transforms etc) +% % may be found in~\cite{dcods}[Ch.3.3]. % \subsection{Design Stage: Implementation on a micro-controller.} When designing a computer program it is often useful to diff --git a/submission_thesis/thesis.tex b/submission_thesis/thesis.tex index 7db99dd..24ce050 100644 --- a/submission_thesis/thesis.tex +++ b/submission_thesis/thesis.tex @@ -85,7 +85,7 @@ \chapter{FMMD Examples} % {Examples of FMMD applied to electronic circuits} \input{CH5_Examples/copy} -\chapter{Applying FMMD to Software} +\chapter{Applying FMMD to Software and Hybrid Systems} \input{CH5_Examples/software} \chapter {FMMD Metrics Critiques Exceptions and Evaluation}