Reflections on Software Development

Present-day equipment relies on increasingly complex software, creating ever-greater demand for software quality and security. The two attributes, while similar in their effects, are different. Quality software is not necessarily secure, and secure software is not necessarily of good quality. Safe software is both of high quality and secure. That means the software does what it is supposed to do: it prevents hackers and other external causes from modifying it, and should it fail, it does so in a safe, predictable way. Software verification and validation (V&V) reduces issues attributable to defects, that is, to poor quality, but does not currently address misbehavior caused by external effects.

Poor software quality can result in huge material losses, even loss of life. Consider some notorious examples of the past. An F-22 Raptor flight control error caused the $150 million aircraft to be destroyed. An RAF Chinook engine controller fault caused a helicopter crash with 29 fatalities. A Therac radiotherapy machine gave patients massive radiation overdoses, causing the deaths of two people. A General Electric power grid monitoring system’s failure resulted in a 48-hour blackout across eight US states and one Canadian province. Toyota’s electronic throttle controller was said to be responsible for the deaths of 89 people.

Clearly, software quality is paramount, yet too often it takes a back seat to time to market and development cost. One essential attribute of quality software is its traceability. This means that every requirement can be traced via documentation from the specification down to the particular line of code—and, vice versa, every line of code can be traced up to the specification. The documentation process (not including testing and integration) is illustrated in Figure 1.

FIGURE 1: Simplified software design process documentation. Testing, verification and validation (V&V) and control documents are not shown.
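Traceability in both directions, as described above, is something a build can check mechanically. The following program is an added example, not code from the article or from any DO-178 tool: it assumes that each code block carries a comment tag of the form REQ-<id> (a convention chosen here, not a standard one) and that the requirement list is available as an array. It scans source text for such tags and reports requirements that no code references and tags in the code that match no requirement. The requirement list and the source text are constructed sample data.

```c
/* Added example, not part of the article: a small traceability check that
 * scans C source text for requirement tags of the form REQ-<id> and
 * reports (a) requirements with no tagged code and (b) tags in the code
 * that match no requirement. The tag format and sample data are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define ID_LEN 16

typedef struct {
    char id[ID_LEN];
    int  hits;          /* number of code tags that reference this requirement */
} requirement_t;

typedef struct {
    int uncovered;      /* requirements never referenced from code   */
    int orphans;        /* code tags that name an unknown requirement */
} trace_report_t;

/* Copy the tag starting at p ("REQ-...") into out; returns its length. */
static int read_tag(const char *p, char *out, int out_len)
{
    int n = 0;
    while (p[n] && (isalnum((unsigned char)p[n]) || p[n] == '-') && n < out_len - 1) {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Cross-check the requirement list against every REQ- tag found in source. */
trace_report_t trace_check(requirement_t *reqs, int nreqs, const char *source)
{
    trace_report_t rep = { 0, 0 };
    for (int i = 0; i < nreqs; i++) reqs[i].hits = 0;

    const char *p = source;
    while ((p = strstr(p, "REQ-")) != NULL) {
        char tag[ID_LEN];
        int len = read_tag(p, tag, sizeof tag);
        bool known = false;
        for (int i = 0; i < nreqs; i++) {
            if (strcmp(reqs[i].id, tag) == 0) { reqs[i].hits++; known = true; break; }
        }
        if (!known) {
            rep.orphans++;                 /* code with no requirement behind it */
            printf("orphan tag in code: %s\n", tag);
        }
        p += len;
    }
    for (int i = 0; i < nreqs; i++) {
        if (reqs[i].hits == 0) {
            rep.uncovered++;               /* requirement with no implementation */
            printf("requirement without code: %s\n", reqs[i].id);
        }
    }
    return rep;
}

/* Constructed source text for the demonstration (hypothetical indicator-lamp code). */
static const char SAMPLE_SOURCE[] =
    "/* REQ-SW-001: indicator light on when engine running */\n"
    "void lamp_update(bool running) { lamp_set(running); }\n"
    "/* REQ-SW-002: debounce the run signal */\n"
    "static bool debounce(bool raw) { return raw; }\n"
    "/* REQ-SW-009: tag that is not in the requirement list */\n";

int main(void)
{
    /* Constructed requirement list: REQ-SW-003 has no code on purpose. */
    requirement_t reqs[] = { {"REQ-SW-001", 0}, {"REQ-SW-002", 0}, {"REQ-SW-003", 0} };
    trace_report_t r = trace_check(reqs, 3, SAMPLE_SOURCE);
    printf("uncovered=%d orphans=%d\n", r.uncovered, r.orphans);
    return r.uncovered + r.orphans;      /* nonzero exit fails the build */
}
```

Run as a build step, a nonzero exit stops the build until every requirement has tagged code and every tag names a real requirement; the same report is what an auditor expects to see in the trace matrix.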

The terminology is that of the DO-178 standard, which is mandatory for aerospace and military software. (Similarly, hardware development is guided by DO-254.) Other software standards may use a different terminology, but the intentions are the same. DO-178 guides its document-driven process, for which many tools are available to the designer. Once the hardware-software partitioning has been established, software requirements define the software architecture and the derived requirements. Derived requirements are those that the customer doesn’t include in the specification and might not even be aware of. For instance, turning on an indicator light may take one sentence in the specification, but the decomposition of this simple task might lead to many derived requirements.

Safety-Instrumented Functions

While requirements are being developed, test cases must be defined for each and every one of those requirements. Additionally, to increase system safety, so-called Safety-Instrumented Functions (SIFs) should be considered. SIFs are monitors which cause the system to safely shut down if its performance fails to meet the previously defined safety limits. This is typically accomplished by redundancy in hardware, software or both. If you neglect to address such issues at an early development stage, you might end up with an unsafe system and having to redo a lot of work later.
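The SIF idea above, as an added example that is not code from the article: a monitor for a hypothetical heater controller that reads two redundant temperature channels and demands the safe state (heater off) when a channel has gone stale, when the channels disagree by more than an allowed spread, or when either channel exceeds the safety limit. The limits, the channel structure and the function names are all assumptions made for this illustration. The decision is kept in a pure function so that each requirement (stale input, disagreement, over-limit) can be tested on its own.

```c
/* Added example (not from the article): a minimal safety-instrumented
 * function (SIF) for a hypothetical heater controller. Two redundant
 * temperature channels are read; the monitor demands the safe state when
 * a channel is stale, the channels disagree, or the limit is exceeded.
 * All names and limits are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TEMP_LIMIT_C     90   /* assumed safety limit from the specification */
#define MAX_DISAGREE_C    5   /* assumed maximum allowed channel spread       */
#define MAX_STALE_TICKS   3   /* assumed: no fresh sample for 3 control ticks */

typedef struct {
    int32_t  value_c;    /* last temperature reading, degrees C     */
    uint32_t age_ticks;  /* ticks since the reading was refreshed   */
} channel_t;

typedef enum {
    SIF_OK = 0,
    SIF_TRIP_STALE,       /* a channel stopped updating           */
    SIF_TRIP_DISAGREE,    /* redundant channels disagree          */
    SIF_TRIP_OVER_LIMIT   /* a channel exceeds the safety limit   */
} sif_verdict_t;

/* Pure decision function: one requirement per check, easy to unit-test. */
sif_verdict_t sif_evaluate(const channel_t *a, const channel_t *b)
{
    /* A silent channel is treated as failed, never as "still fine". */
    if (a->age_ticks > MAX_STALE_TICKS || b->age_ticks > MAX_STALE_TICKS)
        return SIF_TRIP_STALE;

    /* Redundancy only helps if the channels are compared with each other. */
    int32_t diff = a->value_c - b->value_c;
    if (diff < 0) diff = -diff;
    if (diff > MAX_DISAGREE_C)
        return SIF_TRIP_DISAGREE;

    /* Trip on the higher reading: one healthy channel must be enough. */
    if (a->value_c > TEMP_LIMIT_C || b->value_c > TEMP_LIMIT_C)
        return SIF_TRIP_OVER_LIMIT;

    return SIF_OK;
}

/* Actuator gate: the heater may only be energised while the SIF is OK,
 * regardless of what the control loop asks for. */
bool heater_permitted(const channel_t *a, const channel_t *b, bool control_wants_on)
{
    return control_wants_on && sif_evaluate(a, b) == SIF_OK;
}

int main(void)
{
    /* Constructed sample readings walking through each trip condition. */
    channel_t a = { 70, 0 }, b = { 72, 0 };
    printf("normal:   verdict %d, heater %d\n", sif_evaluate(&a, &b), heater_permitted(&a, &b, true));
    b.value_c = 95;                               /* spread 25 > 5 */
    printf("disagree: verdict %d\n", sif_evaluate(&a, &b));
    a.value_c = 93; b.value_c = 95;               /* agree, but 93 > 90 */
    printf("over:     verdict %d\n", sif_evaluate(&a, &b));
    a.age_ticks = 10;                             /* channel A stopped updating */
    printf("stale:    verdict %d\n", sif_evaluate(&a, &b));
    return 0;
}
```

The order of the checks matters: a stale channel is rejected before its value is compared or tested against the limit, so a frozen sensor reading a comfortable 70 °C cannot keep the heater enabled.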

Quality design is also a bureaucratic chore. Version control and a configuration index must be maintained. The configuration index comprises the list of modules and their versions to be compiled for specific versions of the product under development. Without it, the configuration can be lost, and a great deal of development effort with it.

Configuration control and traceability are not just best engineering practices. They should be mandated whenever software is being developed. Some developers believe that software qualification to a specific standard is required by the aerospace and military industries only. Worse, some commercial software developers still subscribe to the so-called iron triangle: “Get to market fast with all the features planned and a high level of quality. But pick only two.”

Engineers in safety-critical industries (such as medical, nuclear, automotive, and manufacturing) work with methods similar to DO-178 to ensure their software performs as expected. Large original equipment manufacturers (OEMs) now demand adherence to software standards: IEC61508 for industrial controls, IEC62034 for medical equipment, ISO 26262 for automotive, and so forth. The reason is simple. Unqualified software can lead to costly product returns and expensive lawsuits.

Software qualification is highly labor intensive and very demanding in terms of resources, time, and money. Luckily, its cost has been coming down thanks to a plethora of automated tools now being offered. Those tools are not inexpensive, but they do pay for themselves quickly. Considering the risk of lawsuits, recalls, brand damage, and other associated costs of software failure, no company can really afford not to go through a qualification process.

Testing

As with hardware, quality must be built into the software, and this means following strict process rules. You can’t expect to test quality into the product at the end. Some companies have tried, and the results have been the infamous failures noted above.

Testing embedded controllers often presents a challenge because you need the final hardware when it is not yet finished. Nevertheless, if you give testing due consideration as you prepare the software requirements, much can be accomplished by working in virtual or simulated environments. LDRA (www.ldra.com) is one great tool for this task.

Numerous methods exist for software testing. For example, dynamic code analysis examines the program during its execution, while static analysis looks for vulnerabilities as well as programming errors. It has been shown mathematically that 100% test coverage is impossible to achieve. But even if it were, 35% to 40% of defects result from missing logic paths and another 40% from the execution of unique combinations of logic paths. Such defects wouldn’t get caught by testing, but they can be mitigated by SIFs.

Much embedded code is still developed in-house (see Figure 2). Is it possible for companies to improve programmers’ efficiency in this most labor-intensive task? Once again, the answer lies in automation. Nowadays, many tools come as complete suites providing various analyses, code coverage, coding standards compliance, requirements traceability, code visualization, and so forth. These tools are regularly used by developers of avionics and military software, but they are not as frequently used by commercial developers because of their perceived high cost and steep learning curve.

FIGURE 2: Distribution of embedded software sources. Most is still developed in-house.

With the growth of cloud computing and the Internet of Things (IoT), software security is gaining unprecedented importance. Some security measures can be incorporated in hardware while others are in software. Data encryption and password protection are the vital parts. Unfortunately, some developers still do not treat security as seriously as they should. Security experts warn that numerous IoT developers have failed to learn the lessons of the past and that a “big IoT hack” in the near future is inevitable.

Security Improvements

On a regular basis, the media report on security breaches (e.g., governmental organization hacks, bank hacks, and automobile hacks). What can be done to improve security?

There are several techniques—such as Common Weakness Enumeration (CWE)—that can help to improve our chances. However, securing software is likely a task a lot more daunting than achieving comprehensive V&V test coverage. One successful hack proves the security is weak. But how many unsuccessful hacks by test engineers are needed to establish that security is adequate? Eventually, a manager, probably relying on some statistics, will have to decide that enough effort has been spent and the software can be released. Different types of systems require different levels of security, but how is this to be determined? And what about the human factor? Not every test engineer has the necessary talent for code breaking.

History teaches us that no matter how good a lock, a cipher, or a password, someone has eventually broken it. Several security developers in the past challenged the public to break their “unbreakable” code for a reward, only to see their code broken within hours. How responsible is it to keep sensitive data and system access available in cyberspace just because it may be convenient, inexpensive, or fashionable? Have the probability and the consequences of a potential breach always been duly considered?

I have used cloud-based tools, such as the excellent mbed, but would not dream of using them for a sensitive design. I don’t store data in the cloud, nor would I consider IoT for any system whose security was vital. I don’t believe cyberspace can provide sufficient security for many systems at this time. Ultimately, the responsibility for security is ours. We must judge whether the use of IoT or the cloud for a given product would be responsible. At present, I see little evidence to be convinced the industry is adequately serious about security. It will surely improve with time, but until it does I am not about to take unnecessary risks.


George Novacek is a professional engineer with a degree in Cybernetics and Closed-Loop Control. Now retired, he was most recently president of a multinational manufacturer of embedded control systems for aerospace applications. George wrote 26 feature articles for Circuit Cellar between 1999 and 2004. Contact him at gnovacek@nexicom.net with “Circuit Cellar” in the subject line.

Handy Four-Channel, High-Resolution Oscilloscope

TiePie engineering recently introduced a new four-channel, high-resolution, USB 3.0 oscilloscope. Featuring TiePie engineering’s SafeGround technology, the Handyscope HS6 DIFF is available in models with sampling rates from 50 MSps up to 1 GSps. SafeGround enables you to use the oscilloscope inputs both as single-ended and as differential. When SafeGround is active and you accidentally create a short circuit, SafeGround disconnects the ground of the input channel without damaging the oscilloscope or PC.

The Handyscope HS6 DIFF’s features, benefits, and specs:

  • 1 GSps sampling and a flexible resolution of 8 to 16 bit
  • Four input channels with up to 250-MHz analog bandwidth
  • Highly accurate 1 ppm time base
  • DC accuracy of 0.25 % and 0.1 % typical
  • 200-MSps USB streaming data logger
  • Up to 256 mega-sample memory per channel
  • SureConnect connection test on all channels
  • Spectrum analyzer with 32 million bins

Source: TiePie

New Advanced Bus Converter for High-Power Applications

Ericsson’s PKB4413DA is a low-profile, 408-W DC/DC converter module well suited for high-power, high-performance applications. Intended to provide point-of-load (POL) DC/DC converters with a tightly regulated 12-V output at up to 34 A, the PKB4413DA’s five-pin, 1/8-brick footprint is compatible with the Distributed-power Open Standards Alliance’s (DOSA) standard. In addition, it has a full 36 to 75 V telecom input range. This combination makes it ideal for intermediate bus conversion in information and communication technologies (ICT) applications.

The PKB4413DA’s features, benefits, and specs:

  • Hybrid Regulated Ratio (HRR) technology minimizes power losses
  • Efficiency can be up to 96% with a 48-V input and 12-V output at half-load.
  • Standard eighth-brick format (2.30 × 0.89 × 0.52″)
  • I/O protection and operational features (e.g., input under-voltage shutdown, monotonic start-up, remote control, output over-voltage, over-temperature, and output short-circuit protection)
  • Calculated MTBF of 8.5 million hours
  • Meets IEC/EN/UL60950-1 safety requirements

The PKB4413DA costs $36.15 in OEM quantities of 1,000 or more.

Source: Ericsson

New Wi-Fi Hardware and Device Platform

Texas Instruments recently announced its next generation of Wi-Fi hardware and the new SimpleLink MCU platform. The products include the SimpleLink Wi-Fi CC3220 wireless MCU and CC3120 wireless network processor. Designed with security in mind, the CC3220 products are built with two separate execution environments within a single chip.

Promoted as the “new standard for IoT developers,” the SimpleLink MCU Platform offers you the following:

  • 100% code compatibility across SimpleLink MCU portfolio
  • Encryption-enabled security features
  • TI Drivers offer a standardized set of functional APIs for integrated peripherals
  • Integrated TI-RTOS, a robust, intelligent kernel for complete, out-of-the-box development
  • POSIX-compatible APIs offer flexible OS/kernels support
  • IoT stacks and plugins to add functionality to your design

Source: Texas Instruments

Electrical Engineering Crossword (Issue 321)

The answers to Circuit Cellar 321’s crossword are now available.

Across

  1. EMPTYSET—Null [2 words]
  2. STATOR—Nonrotating portion of a motor
  3. EXBI—Ei
  4. BPS—Data rate
  5. PLESIOCHRONOUS—Not quite synchronized
  6. RING—Devices connected in a circle; topology
  7. AMBIENT—Air temperature around a system
  8. DYNE—10⁻⁵ N
  9. ENUMERATION—ENUM
  10. RECTIFIER—Converts alternating current to direct current

Down

  1. ELICITATION—Collect system requirements
  2. MACTEL—Mac OS + Intel processor
  3. FEMPTOSECOND—1/1,000,000,000,000,000 s
  4. MICROFARAD—1,000,000 pF
  5. REPETITIVE—Iterative
  6. PEAKTOPEAK—Alterations between high and low values [3 words]
  7. MANHATTAN—Los Alamos; Oppenheimer
  8. FIRSTQUARTILE—25th percentile [2 words]
  9. MESON—One quark, one antiquark
  10. TRACE—The blanking process makes it invisible

The Future of Embedded Computing

Although my academic background is in cybernetics and artificial intelligence, and my career started out in production software development, I have been lucky enough to spend the last few years diving head first into embedded systems development. There have been some amazing steps forward in embedded computing in recent years, and I’d like to share with you some of my favorite recent advances, and how I think they will progress.

While ever-decreasing costs of embedded computing hardware are expected and not too exciting, I think there have been a few key price points that are an indicator of things to come. In the last few months, we have seen the release of application processor development boards that are below $10: tiny gigahertz-level processors that are Linux-ready for an amazingly low price. The most well-known is the Raspberry Pi Zero, which is created by the Raspberry Pi Foundation, who I believe will continue to push this impressive level of development capability into schools, really giving the next generation of engineers (and non-engineers) some hands-on experience. Perhaps a less well known release is C.H.I.P, the new development platform from Next Thing Co. The hardware is like the Pi Zero, but the drive behind the company is quite different. We’ll discuss this more later.

While the hobbyist side of embedded computing is not new, the communities and resources that are being built are exciting. Most of you will have heard of Arduino and Raspberry Pi. The Pi is a low-cost, easy-to-use Linux computer. Arduino is an open-source platform consisting of a super-simple IDE, tons of libraries, and a huge range of development boards. These have set a standard for members of the maker community, who expect affordable hardware, open-source designs, and strong community support, and some companies are stepping up to this.

Next Thing Co. has the goal of creating things to inspire creativity. In addition to developing low-cost hardware, they try to remove the pain from the design process and only open-source, well-documented products will do. This ethos is embodied in their C.H.I.P Pro, which is not just an open-source Linux System-on-Module. It’s built around their own GR8 IC, which contains an Allwinner 1-GHz ARM Cortex-A8, as well as 256 MB of DDR3 built in, accompanied with an open datasheet requiring no NDA, and with a one-unit minimum order quantity. This really eliminates the headaches of high-speed routing between DDR3 and the processor, and it reduces the manufacturing complexities of creating a custom Linux ready PCB. Innovation and progress like this provide a lot more value than the many other companies just producing insufficiently documented breakout boards for existing chips. I think that this will be a company to watch, and I can’t wait to see what their next ambitious project will be.

We’ve all been witnessing the ever-increasing performance of embedded systems, as successive generations of smart phones and tablets are released, but when I talk about high performance I don’t refer to a measly 2+GHz Octa-core system with a few Gig of RAM, I’m talking about embedded supercomputing!

As far as I’m concerned, the one to watch here is NVIDIA. Their recent Tegra series sees them bringing massively parallel GPU processing to affordable embedded devices. The Tegra 4 had a quad-core CPU and 72 GPU cores. The TK1 has a quad-core CPU and 192 GPU cores, and the most recent TX1 has an octa-core CPU and 256 GPU cores that provide over 1 Teraflops of processing power. These existing devices are very impressive, but NVIDIA is not slowing down development, with the Xavier expected to appear at the end of 2017. Boasting 512 GPU cores and a custom octa-core CPU architecture, the Xavier claims to deliver 20 trillion operations per second for only 20-W power consumption.

NVIDIA is developing these systems with the intent for them to enable embedded artificial intelligence (AI) with a focus on autonomous vehicles and real-time computer vision. This is an amazing goal, as AI has historically lacked the processing power to make it practical in many applications, and I’m hoping that NVIDIA is putting an end to that. In addition to their extremely capable hardware, they are providing great software resources and support for developing deep learning systems.

We are on the horizon of some exciting advancements in the field of embedded computing. In addition to seeing an ever-growing number of IoT and smart devices, I believe that during the next few years we’ll see embedded computing enable great advancements in AI and smart cities. Backyard developers will be enabled to create more impressive and advanced systems, and technical literacy will become more widespread.

This essay appears in Circuit Cellar 321.


Steve Samuels (steve@think-engineer.com) is a Cofounder and Prototype Engineer at Think Engineer LLP, a research, development and prototyping company that specializes in creating full system prototypes and proof-of-concepts for next-generation products and services. Steve has spent most of his career in commercial research and development in domains such as transportation, satellite communications, and space robotics. Having worked in a lot of different technical areas, his main technical interests are embedded systems and machine learning.

eMCOS Scalable POSIX-Compliant RTOS

eSOL recently released eMCOS POSIX, which is a POSIX-compliant profile for eMCOS. The eMCOS POSIX accelerates R&D and shortens product development time with Linux software assets and engineering resources, including open source software (OSS) such as the Robot Operating System (ROS) framework for robotic control and the Autoware software for autonomous driving systems.

eMCOS POSIX provides superior real-time capabilities for embedded systems that require a high level of computing power and operate on an autonomous and distributed basis. Applications include autonomous driving systems, industrial IoT systems, advanced driver assistance systems (ADAS), AI, and computer vision.

eMCOS is a POSIX-compliant RTOS that complies with POSIX 1003.13 PSE 53. It provides full support for multiple processes and threads, loadable processes, and shared libraries. It also offers a multiprocessing environment for multicore systems with distributed memory, allowing the use of POSIX inter-process communications (IPC) for communication with different scheduling clusters and hardware clusters.

Conventional RTOSs use a single kernel to manage multiple cores. In contrast, the eMCOS employs a distributed microkernel architecture with a separate microkernel installed on each core. Thus, it can support different numbers of cores as well as heterogeneous hardware configurations with a variety of device architectures (e.g., FPGAs, GPUs, and microcontrollers with on-chip flash memory). Along with eMCOS POSIX, eMCOS is made up of a number of profiles, including the eMCOS AUTOSAR profile for AUTOSAR. By selecting the appropriate profile to suit system requirements, it is easy to configure distributed systems that combine POSIX and AUTOSAR applications running on separate processors. Supported devices include the Kalray MPPAR-256 and Renesas Electronics RH850 series. Because eMCOS is not designed for particular processor architectures or instruction sets, support for other processors will be added in the future.

Source: eSOL 

Aurora Software for Evaluation of ArcticPro eFPGA IP

QuickLogic Corp. recently announced the release of its new Aurora software, which enables SoC developers to evaluate the integration of embedded FPGA (eFPGA) IP into devices designed for different Global Foundries process nodes. The Aurora eFPGA development tool supports design implementation from RTL through place and route. It enables SoC developers to determine the amount of eFPGA resources needed to support a design (including logic cell count, clock network requirements, and routing utilization) and also provide the estimated eFPGA die area associated with those resources. The current version of the tool supports GF’s 40-nm node. Support for the 65-nm node and 22FDX (FD-SOI) platform will be released in the future.

Source: QuickLogic Corp.

Chip Antennas for the New NB-IoT Standard

Antenova Ltd recently announced a new chip antenna for the Narrow Band IoT (NB-IoT) standard. The Latona SR4C033 chip antenna is a member of Antenova’s lamiiANT antenna family. The compact 20 × 11 × 1.6 mm antenna is easy to integrate onto a small PCB. The embedded NB-IoT antennas are designed to be easily integrated onto a host PCB for a wide variety of IoT projects.

Source: Antenova

Lightweight Systems and the Future of Wireless Technology

Last November, we published engineer Alex Bucknall’s essay “Taking the ‘Hard’ Out of Hardware.” We recently followed up with him to get his thoughts on the future of ‘Net-connected wireless devices and the Internet of Things (IoT).

As we enter an age of connected devices, sensors, and objects (aka the Internet of Things), we’re beginning to see a drive for lightweight systems that allow for low power, low complexity, and long-distance communication protocols. More of the world is becoming connected and not all of these embedded devices can afford high-capacity batteries or to be connected to mains power. We’ll see a collection of protocols that can provide connectivity with just a few milliwatts of power that can be delivered through means of energy harvesting such as solar power. It’ll become essential for embedded sensors to communicate from remote locations where current standards like Wi-Fi and BLE fall behind due to range constraints. Low-Power Wide Area Networks (LPWANs) will strive to fill this gap with protocols such as Sigfox, LoRa, NB-IoT, and others stepping up to the plate. The next hurdle will be the exciting big data challenge as we start to learn more about our world via the Internet of Things! — Alex Bucknall (Developer Evangelist, Sigfox, France)

World’s Smallest Bluetooth Chip

The Swatch Group recently introduced the smallest Bluetooth chip on the market. Designed by EM Microelectronic, Swatch Group R & D, and the Swiss Center for Electronics and Microtechnology (CSEM), the compact chip is well suited for portable devices and IoT applications.

The IC’s features, specs, and benefits:

  • Smallest Bluetooth chip on the market.
  • Low energy consumption
  • High-speed start-up capability
  • Officially qualified to meet the latest Bluetooth standard, version 5.0.
  • Consists of more than 5 million transistors on a surface of about 5 mm2.
  • Works alone or in conjunction with various sensors

Source: EM Microelectronic

100-V No-Opto Flyback Regulator

Linear Technology recently announced H-grade versions of the LT8304/-1 monolithic flyback regulators with guaranteed operation for junction temperatures as high as 150°C. By sampling the isolated output voltage directly from the primary-side flyback waveform, the device requires no opto-coupler or third winding for regulation.

The LT8304H/-1’s features, specs, and benefits:

  • VIN Range from 3 to 100 V
  • Up to 24 W of output power
  • LT8304-1 Capable of output voltages up to 1 kV
  • Onboard 2-A, 150-V integrated DMOS power switch
  • Off-the-shelf power transformers
  • No opto-coupler or transformer third winding required for voltage feedback
  • 116-µA Quiescent current
  • Boundary mode operation
  • Accurate input enable & undervoltage lockout with hysteresis
  • Output diode temperature compensation
  • H Grades: –40°C to 150°C operating junction temperature

Source: Linear Technology

vSound Violin Digital Processor

Saelig Company recently introduced the Cambrionix ThunderSync16, which provides 16 USB 2.0 ports and a Thunderbolt host connection capable of transfer speeds of up to 20 Gbps to allow large data transfers in the shortest possible time. For data syncing requirements, Thunderbolt delivers a greatly increased data transfer rate between a host Thunderbolt connection and 16 attached devices compared with a USB 2.0 connection.

The ThunderSync 16’s features, specs, and benefits:

  • Speeds up situations needing large data transfer (e.g., video file uploading or operating system updates) when the data is required to be loaded in the fastest possible time.
  • Supports universal, intelligent charging of USB ports at up to 2.4 A simultaneously.
  • It can be daisy-chained via the dual Thunderbolt ports.
  • Allows for the charging of multiple device types simultaneously (e.g., mobile phones, MP3 players, e-readers, etc.)
  • Preprogrammed Very Intelligent Charging protocol ensures the correct charging profile is used for the specific product, maintaining battery performance and extending battery life
  • Operates with the complementary Cambrionix LiveView app
  • Supplied software displays the charging status in detail.
  • An API is also provided for software automation scripting, essential for software QA and mobile phone remarketing companies.

The ThunderSync 16 is well suited for industrial, defense, security, software QA, and wearable camera applications requiring large-scale charging and data transfer. It is powered by an internal universal power supply, and is Intel Certified, CE Marked, UL Listed, and EMC FCC tested.

Source: Saelig Company