Transition out of Failing for Functional Monitor

[pasetti]

Clause 6.12.4.5.1 determines how state transitions are made by a Functional Monitor (FMON). Its full text is as follows:

For each functional monitoring definition, whenever a new PMON checking status has been established for one of its parameter monitoring definitions, the functional monitoring subservice shall perform the following:

1. If the FMON function status is "enabled" and the FMON status is "enabled" and the current FMON checking status is not "failed":
   (a) the check validity condition, if any, is computed;
   (b) If the computed check validity condition yields false, the FMON checking status is set to "invalid".
2. If the FMON function status is "enabled", the FMON status is "enabled" and the current FMON checking status is neither "failed" nor "invalid":
   (a) check if the number of related parameter monitoring definitions that are contemporaneously in violation equals or exceeds the minimum PMON failing number;
   (b) if the check yields true, the FMON checking status is set to "failed" and the associated event is raised;
   (c) if the check yields false, the FMON checking status is set to "running".

The clause 6.12.4.5.1 implies that once an FMON has entered state FAILING, it can never exit this state. Is this really the intention? To illustrate, consider the following scenario:

• An FMON monitors two Parameter Monitors (PMONs) and has a minimum failing number of 1
• At time t1, one of the two PMONs detects a violation. The FMON responds by entering state FAILED.
• At a later time t2, the PMON which had detected a violation goes back to normal (e.g. the variable it monitored goes back within limits). The FMON however remains in state FAILED

This behavior does not seem desirable because it leaves the FMON in state FAILED even when all its PMONs are in a valid state. Is this really the intended behaviour?