robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

C Garret comments on CH6

Browse Source
This commit is contained in:
Robin Clark 2013-01-05 10:07:39 +00:00
parent 504bf7b8e1
commit fa08768746
2 changed files with 65 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
submission_thesis/CH5_Examples/software.tex
View File

@ -9,18 +9,20 @@ In this chapter we show that FMMD can be applied to both software and electroni
of typical modern safety critical systems. of typical modern safety critical systems.
With modular FMEA i.e. FMMD %(FMMD) With modular FMEA i.e. FMMD %(FMMD)
we have the concepts of failure~modes we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure for a functional group. of components, {\fgs} and symptoms of failure. % for a functional group.
% %
A programmatic function has similarities with a {\fg} as defined by the FMMD process. A programmatic function has similarities with these concepts. %a {\fg} as defined by the FMMD process.
% %
An FMMD {\fg} is placed into a hierarchy. An FMMD {\fg} is placed into a hierarchy, likewise
A software function is typically placed into the hierarchy of its call-tree. a software function is typically placed into the hierarchy of its call-tree.
A software function calls other functions and uses data sources via hardware interaction, which could be viewed as its `components': A software function calls other functions and uses data sources %via hardware interaction
which could be viewed as its `components':
it has outputs, i.e. it can perform actions on data or hardware. it has outputs, i.e. it can perform actions on data or hardware.
%which will be used by other functions that may call it. %which will be used by other functions that may call it.
% %
We show that we can map a software function to a {\fg} in FMMD: its failure modes We show that we can map a software function to a {\fg} in FMMD: its failure modes
are the failure modes of the software components (other functions it calls) are the failure modes of the software components %(other functions
it calls %)
and the hardware from which it reads values. and the hardware from which it reads values.
Its outputs are the data it changes, or the hardware actions it performs. Its outputs are the data it changes, or the hardware actions it performs.
%% %%
@ -38,7 +40,7 @@ We apply the FMMD process to software functions by viewing them in terms of thei
As software already fits into a hierarchy we have one less analysis decision to make, compared As software already fits into a hierarchy we have one less analysis decision to make, compared
to analysing electronics. to analysing electronics.
% %
For Electronics and Mechanical systems, although we may be guided by the original designers For electrical and mechanical systems, although we may be guided by the original designers
concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs} concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs}
and the subsequent hierarchy. and the subsequent hierarchy.
% %
@ -74,13 +76,13 @@ be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}.
Because of this we can assume direct call trees~\footnote{A typical embedded system Because of this we can assume direct call trees~\footnote{A typical embedded system
will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions will have a run time call tree, and (possibly multiple) interrupt sourced call trees.}. Functions call functions
from the top down and eventually call the lowest level library or IO from the top down and eventually call the lowest level library or IO
functions that interact with hardware/electronics. functions that interact with hardware.%/electronics.
What is potentially difficult with a software function, is deciding what What is potentially difficult with a software function, is deciding what
its failure modes and symptoms are. its failure modes and symptoms are.
With electronic components, we can use literature to point us to suitable sets of With electronic components, we can use literature to point us to suitable sets of
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}. {\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}.
With software, only some library functions are well known and rigorously documented With software only some library functions are well known and rigorously documented
enough to have the equivalent of known failure modes. enough to have the equivalent of known failure modes.
Most software is `bespoke'. Most software is `bespoke'.
% %
@ -90,7 +92,7 @@ We can use definitions from contract programming to assist here.
\subsection{Contract programming description} \subsection{Contract programming description}
Contract programming is a discipline~\cite{dbcbe} for building software functions in a controlled Contract programming~\cite{dbcbe} is a discipline for building software functions in a controlled
and traceable way. Each function is subject to pre-conditions (constraints on its inputs), and traceable way. Each function is subject to pre-conditions (constraints on its inputs),
post-conditions (constraints on its outputs) and function wide invariants (rules). post-conditions (constraints on its outputs) and function wide invariants (rules).
@ -105,11 +107,15 @@ to operate successfully.
% %
%If we consider a software function to be a {\fg} in the FMMD sense, i.e. %If we consider a software function to be a {\fg} in the FMMD sense, i.e.
We can consider a software function to be We can consider a software function to be
a collection of code, functions called and values/variables used. a collection of code, functions called and %values/
variables used.
%
In this way it is similar to an electronic circuit, which is a collection In this way it is similar to an electronic circuit, which is a collection
of components connected in a specific way. of components connected in a specific way.
%
Using this analogy for software, the connections are the functions code, and the Using this analogy for software, the connections are the functions code, and the
called functions and variables are the components. called functions %and variables
are the components.
% %
Erroneous behaviour from called functions and variables/inputs has the same effect as component failure modes Erroneous behaviour from called functions and variables/inputs has the same effect as component failure modes
on an electronic {\fg}. on an electronic {\fg}.
@ -158,7 +164,7 @@ violations could simply occur.
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
Invariants in contract programming may apply to inputs to the function (where violations can be considered {\fms} in FMMD terminology), Invariants in contract programming may apply to inputs to the function (where violations can be considered {\fms} in FMMD terminology),
and to outputs (where violations can be considered {failure symptoms} in FMMD terminology). and to outputs (where violations can be considered {failure modes} in FMMD terminology).
\subsection{Combined Hardware/Software FMMD} \subsection{Combined Hardware/Software FMMD}
@ -167,26 +173,25 @@ For the purpose of example, we chose a simple common safety critical industrial
that is nearly always used in conjunction with a programmatic element. that is nearly always used in conjunction with a programmatic element.
A common method for delivering a quantitative value in analogue electronics is A common method for delivering a quantitative value in analogue electronics is
to supply a current signal to represent the value to be sent~\cite{aoe}[p.934]. to supply a current signal to represent the value to be sent~\cite{aoe}[p.934].
%
Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale, Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale,
and this is referred to as {\ft} signalling. and this is referred to as {\ft} signalling which has intrinsic electrical safety advantages.
% %
{\ft} signalling has intrinsic electrical safety advantages. % Because the current in a loop is constant~\cite{aoe}[p.20],
% % resistance in the wires between the source and receiving end is not an issue
Because the current in a loop is constant~\cite{aoe}[p.20], % that can alter the accuracy of the signal.
resistance in the wires between the source and receiving end is not an issue % %
that can alter the accuracy of the signal. % %This circuit has many advantages for safety.
% % If the signal becomes disconnected
%This circuit has many advantages for safety. % it reads $0mA$ at the receiving end: as this is outside the {\ft} range,
If the signal becomes disconnected % it is easily detectable as an error condition rather than an incorrect value.
it reads $0mA$ at the receiving end: as this is outside the {\ft} range, % %
it is easily detectable as an error condition rather than an incorrect value. % Should the driving electronics go wrong at the source end, it will usually
% % supply far too little or far too much current, also making error conditions easy to detect.
Should the driving electronics go wrong at the source end, it will usually % %
supply far too little or far too much current, also making error conditions easy to detect. % At the receiving end, we only require one simple component to convert the
% % current signal into a voltage that we can read with an AD---a resistor---given
At the receiving end, we only require one simple component to convert the % its properties defined by Ohms law. % the humble resistor!
current signal into a voltage that we can read with an AD---a resistor---given
its properties defined by Ohms law. % the humble resistor!
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP %BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
@ -224,7 +229,8 @@ Our acceptable voltage range is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
This voltage range forms our input requirement and can be considered as an invariant condition. This voltage range forms our input requirement and can be considered as an invariant condition (i.e. both a pre-condition and a postcondition
for the system to be operating correctly the voltage should be within the above bounds).
% %
We can now examine a software function that performs a conversion from the voltage read to We can now examine a software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current. a per~mil representation of the {\ft} input current.
@ -380,8 +386,9 @@ We now apply FMMD starting with the hardware.
This functional group contains the load resistor This functional group contains the load resistor
and the physical Analogue to Digital Converter (ADC). and the physical Analogue to Digital Converter (ADC).
Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$. %Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$.
We now determine the {\fms} of all the components in $G_1$. %We now determine the {\fms} of all the components in $G_1$.
We now determine the {\fms} of all the components in the {\fg}.
For the resistor we can use a failure mode set from the literature~\cite{en298}. For the resistor we can use a failure mode set from the literature~\cite{en298}.
Where the function $fm$ returns a set of failure modes for a given component we can state: Where the function $fm$ returns a set of failure modes for a given component we can state:
@ -479,7 +486,8 @@ which we can call $ CHAN\_NO $.
The reference voltage for the ADC has a 0.1\% accuracy requirement. The reference voltage for the ADC has a 0.1\% accuracy requirement.
% %
If the reference value is outside this, it is also a {\fm} If the reference value is outside this, it is also a {\fm}
of this function, which we can call $V\_REF$. of this function, which we can call $V\_REF$ (this failure mode is observable
only if we specifically use a test input to measure the reference).
Taken as a component for use in FMEA/FMMD our function has Taken as a component for use in FMEA/FMMD our function has
two failure modes. We can therefore treat it as a generic component, $Read\_ADC$, two failure modes. We can therefore treat it as a generic component, $Read\_ADC$,
@ -721,28 +729,30 @@ Using FMMD we can determine an accurate failure model for the interface as well~
\section{Closed Loop Control Hardware/Software Hybrid Example} \section{Closed Loop Control Hardware/Software Hybrid Example}
It is desirable to model a complete standalone system with FMMD. It is desirable to model a complete standalone system with FMMD,
Not only a standalone system, but ideally a hybrid software/hardware system. not only a standalone system, but ideally a hybrid software/hardware system.
%
Temperature control is a first order differential problem, and is often Temperature control is a first order differential problem, and is often
addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66]. addressed using the Proportional Integral Differential (PID) algorithm~\cite{dcods}[p.66].
Traditionally this was performed in analogue electronics
with trimmer potentiometers providing the P and I parameters.
Since the introduction of micro-processors, it has been possible to
implement PID pro-grammatically.
An FMMD analysis of a PID temperature controller would mean an
analysis of a realistic standalone system without being it becoming an un-wieldingly large task.
\paragraph{The PID Temperature Control Algorithm.}
PID control starts with a setpoint, or desired value for a process
(here the temperature). It reads the process value and determines an error value for it.
The aim of the PID controller is to minimise this error term, by setting an output value,
which is fed back into the process (in this example the amount of power to supply the heater).
The error value is integrated and multiplied by an I constant.
A differential of the error value is calculated and multiplied by a D constant.
The error value itself is multiplied by a P constant, and all three of these are added
to obtain the output required.
% %
A mathematical description of PID with frequency domain modelling (La-Place transforms etc) Traditionally this was performed in analogue electronics
may be found in~\cite{dcods}[Ch.3.3]. with trimmer potentiometers providing the P,I and D parameters.
Since the introduction of micro-processors, it has been possible to
implement PID in software. %pro-grammatically.
An FMMD analysis of a PID temperature controller is presented. %would mean an
%analysis of a realistic standalone system without being it becoming an un-wieldingly large task.
% % \paragraph{The PID Temperature Control Algorithm.}
% % PID control starts with a setpoint, or desired value for a process
% % (here the temperature). It reads the process value and determines an error value for it.
% % The aim of the PID controller is to minimise this error term, by setting an output value,
% % which is fed back into the process (in this example the amount of power to supply the heater).
% % The error value is integrated and multiplied by an I constant.
% % A differential of the error value is calculated and multiplied by a D constant.
% % The error value itself is multiplied by a P constant, and all three of these are added
% % to obtain the output required.
% % %
% % A mathematical description of PID with frequency domain modelling (La-Place transforms etc)
% % may be found in~\cite{dcods}[Ch.3.3].
% %
\subsection{Design Stage: Implementation on a micro-controller.} \subsection{Design Stage: Implementation on a micro-controller.}
When designing a computer program it is often useful to When designing a computer program it is often useful to

2
submission_thesis/thesis.tex
View File

@ -85,7 +85,7 @@
\chapter{FMMD Examples} % {Examples of FMMD applied to electronic circuits} \chapter{FMMD Examples} % {Examples of FMMD applied to electronic circuits}
\input{CH5_Examples/copy} \input{CH5_Examples/copy}
\chapter{Applying FMMD to Software} \chapter{Applying FMMD to Software and Hybrid Systems}
\input{CH5_Examples/software} \input{CH5_Examples/software}
\chapter {FMMD Metrics Critiques Exceptions and Evaluation} \chapter {FMMD Metrics Critiques Exceptions and Evaluation}