The sensor status never becomes OK, so calibrate commands
are never carried out.
?Timeout, Timeout, Error
Reset
?Timeout, Message, Error
?Command, Message, Error
?Command, Message, Error
In this run, InitialOutOfRangeMessage, the controller cycles without making
progress. It keeps sending reset commands but the sensor status never becomes
OK. The first message in response to the initial reset command is out-of-range, so
subsequent within-range messages are never accepted, and the calibrate command
can never be carried out.
?Timeout, Timeout, Error
Reset
?Message ??™999.9??™, Message, Error
CheckMessage ??™999.9??™, compare to 999.9, OK
?Timeout, Timeout, OK
Poll
?Message ??™99.9??™, Message, OK
46 Why We Need Model-Based Analysis
CheckMessage ??™99.9??™, compare to 999.9, Error
?Timeout, Timeout, Error
Reset
?Message ??™100.1??™, Message, Error
CheckMessage ??™100.1??™, compare to 999.9, Error
?Timeout, Timeout, Error
Reset
?Message ??™101.5??™, Message, Error
CheckMessage ??™101.5??™, compare to 999.9, Error
?Timeout, Timeout, Error
Reset
?Message ??™102.3??™, Message, Error
CheckMessage ??™102.3??™, compare to 999.9, Error
3.5 Design defects
The defects that caused these failures are deeper than the coding defect discussed in
Chapter 2.We consider these to be design errors. Recall that a design describes how
a system is built up from parts and how the parts communicate.
Pages:
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84