Experience Report Contributions of SFMEA to Requirements Analysis.pdf

《Experience Report Contributions of SFMEA to Requirements Analysis.pdf》由会员分享，可在线阅读，更多相关《Experience Report Contributions of SFMEA to Requirements Analysis.pdf（8页珍藏版）》请在得力文库 - 分享文档赚钱的网站上搜索。

1、ExperienceReport?ContributionsofSFMEAtoRequirementsAnalysisRobynR?Lutz?andRobertM?WoodhouseJetPropulsionLaboratoryCaliforniaInstituteofTechnologyPasadena?CA?AbstractThisexperiencereportdescribesthelessonslearnedfromtheuseofSoftwareFailureModesandE?ectsAnalysis?SFMEA?forrequirementsanalysisofcrit?ica

2、lspacecraftsoftware?TheSFMEAprocesswasfoundtobesuccessfulinidentifyingsomeambigu?ous?inconsistent?andmissingrequirements?Moreimportantly?theSFMEAprocess?followedbyaback?wardanalysissomewhatsimilartoFaultTreeAnal?ysis?FTA?identi?edfoursigni?cant?unresolvedre?quirementsissues?Theseissuesinvolvedcomple

3、xsys?teminterfacesandunanticipateddependencies?Ourresultschallengesomecurrentviewsonthelimita?tionsofSFMEAandsuggestthatrecente?ortsbyresearcherstointegrateSFMEAwithabroaderFTAapproachhavemerit?TheProblemTherearesoftwareprogramsonboardspacecraftthatmustautonomouslydetect?identify?andoverseetherecove

4、ryofthespacecraftfromfaultsduring?ight?Sincethesefaultscanthreatenthewell?beingofthespacecraftandthesuccessofitsscienti?cmission?thesoftwarethatrespondstosuchfaultsisconsideredtobecriticalbythedevelopmentteam?Afaultisgiventhestandardde?nitionhereofbeingeither?adefectinahardwaredeviceorcomponent?or?a

5、nincor?rectstep?process?ordatade?nitioninacomputerprogram?Thosefaultswhichcancausepowerloss?excessivetemperature?propellanttankoverpres?sure?interruptionofuplinkcommandability?orlossofdownlinkedscienti?candengineeringtelemetryaredetectedandhandledbyonboardsoftware?Requirementsanalysisofthiscriticals

6、oftwareisdi?cultsincethesoftwareisoftenbothcomplexand?Toappear?ICRE?April?ColoradoSprings?CO?Firstauthor?smailingaddressisDept?ofComputerSci?ence?IowaStateUniversity?Ames?IA?highlycoupled?Thesoftwarethatrespondstofaultsisoftendependentonotherdistributedsoftwareandhardwarecomponents?forexample?asingl

7、ehard?warefaultmaya?ectmultiplesoftwareprocesses?andsubjecttotimingconstraints?forexample?thesoft?waremustprovidequickrecoveryoffunctionality?Thesepropertiesmakethecorrectandcompletespec?i?cationofrequirementshardtodetermineandhardtovalidate?Inparticular?inadequatesoftwareresponsestoex?tremeconditio

8、nsandboundarycasesareofconcern?Appropriatesoftwareresponsestoanomaloushard?warebehavior?unanticipatedstates?invaliddata?andsignalsaturationarerobustnessissuesthatshouldberesolved?ifpossible?duringtherequirementsphase?OurApproachThisexperiencereportdescribesouruseofSoft?wareFailureModesandE?ectsAnaly

9、sis?SFMEA?followedbyabackwardanalysissomewhatsimilartoFaultTreeAnalysis?FTA?toassistinanalyz?ingthesoftwarerequirementsforcriticalportionsofthespacecraftsoftware?Theapproachwasusedontwenty?foursoftwaremodulesontwospacecraftsys?tems?CassiniandGalileo?Thegoalsweretohelpreducethenumberoffailuremodes?mi

10、nimizetheef?fectoftheremainingfailuremodes?andsearchforunanticipatedfailuremodes?Afailuremodeisde?nedtobe?thephysicalorfunctionalmanifestationofafailure?Afailureisde?nedtobe?theinabil?ityofasystemorcomponenttoperformitsrequiredfunctionswithinspeci?edperformancerequirementslimits?SoftwareFailureModes

11、andE?ectsAnalysisisanextensionofthehardwareFailureModesandE?ectsAnalysis?FMEA?TheprocedureforperforminghardwareFMEAhasbeenstandardized?ThereisnocomparablestandardforperformingSFMEA?althoughitsuseiswell?documented?Forex?ample?atechniquesimilartoSFMEA?calledSoft?wareErrorE?ectsAnalysis?SEEA?wasusedint

12、hedevelopmentoftherendezvousandberthingsoftwarefortheColumbusFreeFlyer?Forcriticalsoftware?aSEEAwasrequired?TheSystemSafetyAnalysisHandbookprovidesabrief?non?proceduraldescrip?tionofSFMEA?AmoredetaileddescriptionoftheSFMEAprocessasappliedtoourprojectappearsinSection?WeembeddedtheSFMEAinatwo?steprequ

13、ire?mentsanalysisprocess?Fig?TheSFMEAusedforwardsearchingtoidentifyCause?E?ectrelationshipsinwhichunexpecteddataorsoftwarebehavior?causes?canresultinfailuremodes?e?ects?Forexample?outdatedsensordata?cause?can?preventthesoftwarefromcommandinganeededhardwarerecon?gu?ration?e?ect?Notethatalthoughthecau

14、seisoftenlabeleda?fault?indescriptionsofSFMEA?itismoreuse?fultoconsiderunexpectedoranomalousdataandbehavior?aswellasstrictlyincorrectdataandbehavior?ThisisespeciallytrueforSFMEAperformedduringrequirementsanalysis?sincea?fault?atthisearlystageoftenmeansnothingmoreconcretethanadeviationfromexpecta?tio

15、ns?Abackwardsearchtechniquewasthenusedtoexaminethepossibilityofoccurrenceofeachanomaly?cause?thatproducedafailuremode?e?ect?Intheexampleabove?therootnodeforthebackwardsearchwas?outdatedsensordata?Inthiscaseourbackwardsearchforcir?cumstancesthatcouldleadtooutdatedsensordatafoundasituationinwhichfaile

16、dhardwarecontinuedtoprovide?inaccurate?datatothesoftware?Thisbaddata?duetothevotinglogicinthesoftware?couldvetoaneededrecoveryaction?Bydemonstratingthepossibilityofanewfailuremode?obsoletedatapreventingre?quiredactions?therequirementsspeci?cationswereimproved?Thefailuremodewaseliminatedbyachangetoth

17、esoftwarerequirements?ThebackwardsearchissimilartoaFaultTreeAnalysis?exceptthattherootnode?thecause?isnotnecessarilyafaultorevenanevent?AFaultTreeAnalysis?ontheotherhand?takesaknownfaultorhazardasitsrootandworksbackwardtodeterminethepossiblecauses?Anotherdif?ferencebetweenourbackwardsearchandFTAisth

18、atSoftwareFTAisusuallyappliedtocode?whereasthebackwardsearchhereisappliedtosoftwarerequirements?SinceFaultTreeAnaly?sishasbeenpreviouslydocumentedindetail?nofurtherdescriptionisprovidedhere?Notealsothatthebackwardsearchinthisre?quirementsanalysisevaluatesonlythe?possibil?ity?ofoccurrence?notthelikel

19、ihood?Atthere?quirementsphaseofdevelopmentthereisinsuf?cientknowledgetoprovideanynumericalmea?surementoftheprobabilityofoccurrence?Identify unexpected dataAnalyze enabling circumstancesForward Searchcause failure modesBackward Search SpecificationRequirementsSoftwareunexpected data or behaviorcontri

20、buting to possibility ofor behavior that can Figure?OverviewofAnalysisProcess?IntegratingSFMEAandBackwardSearchInourexperience?thestrengthofSFMEA?iden?tifyingpreviouslyunknownfailuremodes?andthestrengthofbackwardsearch?identifyingcombina?tionsofeventsandcircumstancesthatcouldcausethehypothesizedfaul

21、ttooccur?werecomplementary?Thus?somecurrentviewsregardingthelimitede?ec?tivenessofSFMEAwerenotsupportedbytheresultsofourintegratedSFMEAandbackwardsearchap?proach?Forexample?SFMEAisoftendescribedasonlyconsideringonediscrepantevent?fault?atatime?ratherthancombinationsofevents?Wefound?how?ever?thatwhen

22、integratedwithabackwardanaly?sis?theSFMEAoftenhelpedisolatecombinationsofeventsandcircumstancesthatcanleadtoundesirablestates?Itwasinterestingthatinfourcasesthefailuremodeidenti?edbytheSFMEAwasnotapreviouslyknownfailuremode?Thus?ifaFTAhadbeenper?formedstartingfromtheknownfailures?thesefourrequiremen

23、tinadequacieswouldhaveremainedhid?den?Instead?theSFMEAisolatedacause?e?g?badinput?thatledtoanundesirede?ect?e?g?badcon?troldecision?Thebackwardsearch?e?g?howcouldthatbadinputreachthesoftware?thenidenti?edacombinationofeventsorunexpectedinteractionsthatcouldleadtothefailuremodepostulatedintheSFMEA?Ou

24、rresultsindicatethatrecentworktointegratetheforwardsearchfore?ects?typicalofSFMEA?andthebackwardsearchforcontributingcauses?typicalofFTA?hasmerit?Forexample?arecentpaperbyMaierdescribestheuseofafault?treebasedhazardanalysistoderivesafetyrequirementsforarobot?scontrolsoftware?FMECA?FailureModes?E?ect

25、?andCriticalityAnalysis?isperformedonthedocumentedsoftwarerequirements?Maier?ndsthatthemajorbene?toftheFMECAliesinitsbeingapreparatoryactivitytofaulttreeconstruction?ArecentpaperbyMcDermidandPumfreyde?scribesatechniqueforsoftwaresafetyanalysisbasedonastructuredapproachtothe?imaginativeantic?ipationo

26、fhazards?BasedontheHAZOPap?proach?theirworkconcentratesoninformation?owsanddevelopssetsofguidewordstopromptconsiderationofhypotheticalfailures?WhereasweperformtheSFMEA?rstandthenthebackwardsearch?they?consistentwiththeHAZOPtechnique?rstperformthebackwardsearchforcausesandthenconsiderthee?ectsofeachh

27、ypotheticalfailure?Itwouldbeinterestingtocomparethee?ectoftheorderingofthesearchesonthesuccessoftheanalysis?Fromourlimitedexperience?itisnotclearwhethertheorderofthestepsissigni?cant?Forexample?allfourofourunanticipatedfailuremodesmighthavebeenidenti?edevenifabackwardsearchforcon?tributingcauseshadp

28、recededtheSFMEA?SFMEADuringRequirementsAnalysisSoftwareFailureModesandE?ectsAnalysisismostcommonlyusedduringdesignanalysis?WefoundthatSFMEAwase?ectiveduringrequirementsanal?ysiswhen?asinourcase?therequirementsspeci?cationprovidedsu?cientdetail?Therequirementsdocumentthatweusedcontainedover?pagesofEn

29、glishtext?datatables?and?owchartsdescribing?softwaremodules?Therequirementsspeci?cationde?nedanewsoftwaresystem?Therewasnoreuseofsoftwarecomponentsfromprevioussystems?Forsimple?stand?alonesoftwarewherefewdetailsaredocumentedattherequirementsstage?SFMEAisnotfeasibleuntiladesigndocumentexists?However?

30、wefoundthatforacomplex?embeddedapplicationsuchasaspacecraft?theSFMEAimprovedthequal?ityofthesoftwarerequirementsspeci?cationaswellastheunderstandingofthesoftwareproblem?Inparticular?SFMEAmadethefollowingcontri?butionstotherequirementsanalysis?Earlyunderstandingofrequirements?Under?standingwhatthesof

31、twarerequirementsareisahugetaskinacomplex?distributedsystem?SFMEAhelpedidentifyconstraintsthatwouldbeimposedonthedesignbyotherpartsofthesystemorbythecontextinwhichtheembed?dedsoftwareoperated?Theseconstraintsanddependencieswerethusabletobeincorporatedintotherequirementsspeci?cation?Communication?The

32、requirementsspeci?cationdocumentiswrittenbyasystemengineer?andthenhandedo?toadesigndevelopmentteam?Aclear?unambiguous?andcompletedocumentminimizesthepossibilityofmisunderstandingatthisjuncture?TheSFMEAassistedinthise?ort?Errorremoval?Requirementserrors?especiallyinterfacerequirementserrors?havehisto

33、ricallybeenasourceofpersistenterrorsduringspace?craftdevelopment?sometimesescapingdetectionuntilsystemtesting?Oftentheserequire?mentserrorsinvolveunanticipatedfailuremodesorinterfacedependenciesthataredi?culttode?tect?TheSFMEAwasabletoidentifysomesucherrorspriortodesigndecisionsbeingmade?sav?ingsubs

34、equenttimeande?ort?SFMEAhassomewell?knownlimitationsanddis?advantagesthatwerecon?rmedbyourexperience?Likemostfailureanalysismethods?SFMEAistime?consuming?muchofitistedious?anditdependsonthedomainknowledgeoftheanalystandtheaccu?racyofthedocumentation?Inaddition?unlikehard?ware?acompletelistoffailurem

35、odesforsoftwarecannotbeassembled?SFMEAisalsoamanualratherthananautomaticmethod?TheSFMEAapproachwaschosenaspartofthere?quirementsanalysisprocessonthisprojectlargelybe?causeitcontributestoasystemsapproachtorequire?mentsvalidation?Itfocusesonthewaysinwhichsoftwarecancontributetothesystem?sreachinganund

36、esirablestate?SFMEAanalyzesthesoftware?sre?sponsetohardwarefaults?e?g?malfunctioningsen?sors?andtooperatorerrorsthatresultinbadinputdata?e?g?inappropriatecommands?SFMEAalsoanalyzesthee?ectofincorrectsoftwareactions?e?g?asoftwareprocessissuingerroneousrecon?gurationcommands?onthehardwarecomponents?SF

37、MEApaysparticularattentiontohiddendependenciesorinteractionsthatcouldcausethepropagationofer?roneousdatatoothersoftwaremodules?Inthiswaytherequirementsanalysisprocessexploitstheavail?abledomainexpertise?SFMEAdi?ersfromacausalanalysissuchasFTAinthatSFMEApostulatestheexistenceofbaddataorunexpectedbeha

38、viorandtheninvestigatestheef?fectsofthatanomalyonthecorrectfunctioningof?thesoftwaremoduleandthesystem?Whetherthedataorbehaviorcouldactuallybecorruptedinthatmanner?e?g?thearrivalofoutdatedsensordataorabnormalterminationofthesoftwaremodule?isnottheprimaryconcernatthispointofdevelopment?ThefocusinSFME

39、Aisinsteadontheconsequencesofincorrectdataorinappropriatesoftwareactivity?Thisisespeciallyappropriateforrequirementsanaly?sissincejudgmentsastowhetheraparticularfailurescenarioiscredibleveryoftenshiftasdevelopmentprogresses?Ifthee?ectsofthebaddataorunexpectedbehav?iorareshowntobeacceptable?thencon?d

40、enceintherequirementsisenhanced?Examplesofacceptableef?fectsarethatbaddataarerejectedbythesoftwareorthatprematureterminationofthesoftwaremodulestillleavesthesysteminaconsistentstate?Ifthee?ectsofthebaddataorunexpectedbe?haviorareshowntobeunacceptableandaback?wardsearchcon?rmsthepossibilitythatthesit

41、uationcouldoccur?thentheinformationisfedbackintotherequirementsdevelopmentprocess?Examplesofun?acceptablee?ectsarethatthebaddataareusedinacontroldecisionresultinginerroneousissuanceofcommands?orthatanabnormalterminationofthesoftwaremoduleresultsinaglobalvariablebeingup?datedwhilethestatusvariablesti

42、llindicatesthatnochangehasbeenmade?TheSFMEAProcessThissectiondescribestheprocessbywhichtheSFMEA?the?ForwardSearch?inFig?wasper?formedonthespacecraftsoftwaremodules?Addi?tionaldescriptionisavailablein?Detailedde?scriptionsofbackwardsearchareavailablein?Inamessage?passingmodelofadistributedsys?tem?two

43、kindsoffailuresaregenerallyrepresented?communicationfailuresandprocessfailures?Inaccordancewiththismodel?twokindsoffailuresareanalyzedinaSFMEAforeachsoftwareprocess?Toassistintheanalysisofanypossiblefailuresofthesoftware?twotablesareconstructed?aDataTableandanEventsTable?ADataTableinvolvescommu?nica

44、tionfailures?Itprovidestheinformationneededtoanalyzedatadependenciesandsoftwareinterfaceerrors?AnEventsTableinvolvessoftwareprocessfailures?TheEventsTableprovidestheinforma?tionneededtoanalyzethee?ectsoffailurespossiblycausedbysoftwarethatfailstofunctioncorrectly?Theinvestigationoffaultsinthetwotabl

45、esisconsis?tentwithcurrentclassi?cationsofdefectsinsoftwareThe?rsttypeoftableistheDataTable?Table?Thistableevaluatesboththee?ectofreceivingbadorunexpectedinputdataonthebehavioroftheprocessbeinganalyzed?andthee?ectofproducingbadorunexpectedoutputdataonthebehavioroftheprocessesthatusethisdata?Foreachi

46、nput?dataitemreadorreceivedbythesoftwareprocess?andeachoutput?dataitemwrit?tenoroutputbythesoftwareprocess?including?inourapplication?commandstospacecraftsubsys?tems?eachofthefollowingfourfaultsispostulated?AbsentData?Lostormissingmessages?absenceofsensorinputdata?lackofinputoroutput?fail?uretorecei

47、veneededdata?missingcommands?missingupdatesofdatavalues?datalossduetohardwarefailures?failureofasoftwareprocessorsensortosendthedataneededforcorrectfunc?tioningofthissoftwaremodule?IncorrectData?Baddata?agsorvariablessettovaluesthatdon?taccuratelydescribethespacecraft?sstateortheoperatingenviron?men

48、t?erroneoustriggers?limits?deadbands?de?laytimers?erroneousparameters?wrongcom?mandsoutput?orwrongparameterstotherightcommands?spuriousorunexpectedsignals?TimingofDataWrong?Dataarrivetoolatetobeusedorbeaccurate?ortooearlytobeusedorbeaccurate?obsoletedataareusedincon?troldecisions?dataage?inadvertent

49、?spurious?unexpected?ortransientdata?DuplicateData?Redundantcopiesofdata?dataover?ow?datasaturation?DataDataDescriptionE?ectItemFaultTypeCriticalIncorrectFlagsetUnnecessarymodevaluetotruerecon?guration?agduringcommandednon?criticalmodeTable?DataTableExampleForeachofthesefourfaulttypestheDataTableinc

50、ludesthedescriptionofthefaultasappliedtotherelevantdataitemandthee?ect?bothlocallyandmoregloballyonthesubsystemandsystem?ThesecondtypeoftableistheEventsTable?Table?Foreacheventthatoccursastheprocessexecutes?foureventfaulttypesarepostulated?Whatconsti?tutesaneventdependsonthelevelofdetailofthe?docume