Embedded Systems December 2000 Vol13_13


Niall Murphy

Lock Up Your Software

Murphy's Law should have stated that anything that can go wrong, will go wrong, while interrupts are disabled.

How many of us can confidently predict the behavior of our software? To implement feature-rich software according to commercially feasible deadlines, programmers have to accept that conditions will be encountered in the field that were not exercised during development. You may be able to tell me how you expect the software to behave in a given case, but most programs are too complex to predict their behavior for certain, unless they have actually been tested. But testing is not a guarantee that applications will work the same way next time. The timing conditions or an uninitialized value may turn out okay on one run, but they might not on the next.

The Technische Überwachungs-Verein (TÜV) is the regulatory body that certifies medical and other electronic devices for sale in the European Union. It functions similarly to the FDA in the U.S. One of the criteria TÜV reviewers have used is to ask the following question: what is the worst thing the software might do? The assumption is that the combination of processor and software is so complex that we cannot predict what instructions might get executed, should either hardware or software go wrong.

One approach to dealing with this lack of certainty is to imagine that a malicious programmer, intent on causing the maximum amount of damage, has reprogrammed your device. If the device is a Game Boy, that does not amount to much. However, many embedded programmers control devices on which lives directly depend, or devices that could put lives in danger. In other cases, no lives are at stake, but a malfunction may cost the user money through, say, factory downtime or loss of material.

In those cases it is justifiable to spend a fraction of the hazard, if the microcontroller controlling your brakes fails, the mechanical coupling between the pedal and the braking mechanism still functions. It is still possible to stop, just not as smoothly as in the computer-assisted case.

In the past, I have worked on medical ventilators. These devices pump air into a patient's lungs according to parameters defined by the physician,
