http://embeddedgurus.com/barr-code/2009/06/firmware-disasters/ A Blog by Michael Barr Fri, 18 May 2012 17:16:50 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://embeddedgurus.com/barr-code/2009/06/firmware-disasters/comment-page-1/#comment-52 st4rbux Fri, 26 Jun 2009 03:39:07 +0000 http://www.gfcdev.org/test-stack/2009/06/23/firmware-disasters/#comment-52 Maybe it's semantics, and I'm not an embedded engineer, but what is the definition of "fail-safe"? I'm assuming that means if the sensors fail, it defaults to a safe state (like stopping the train ASAP). If the sensors provide bad data, that's not a failed state so all the system can do is process the data is has available.I'm also curious what defines a bug. I thought buggy code fails to implement the design (shame on the embedded coders). Is it me, or are these examples more a case of failure in design?Ultimately, dependent components (inputs to the embedded logic, like the air-speed sensors) fail, right? Don't we have to accept that four panic-dives out of millions of A330 flights is as close to perfect as we're going to get? Maybe it's semantics, and I'm not an embedded engineer, but what is the definition of "fail-safe"? I'm assuming that means if the sensors fail, it defaults to a safe state (like stopping the train ASAP). If the sensors provide bad data, that's not a failed state so all the system can do is process the data is has available.I'm also curious what defines a bug. I thought buggy code fails to implement the design (shame on the embedded coders). Is it me, or are these examples more a case of failure in design?Ultimately, dependent components (inputs to the embedded logic, like the air-speed sensors) fail, right? Don't we have to accept that four panic-dives out of millions of A330 flights is as close to perfect as we're going to get?

]]> http://embeddedgurus.com/barr-code/2009/06/firmware-disasters/comment-page-1/#comment-51 Lisa Wed, 24 Jun 2009 10:44:11 +0000 http://www.gfcdev.org/test-stack/2009/06/23/firmware-disasters/#comment-51 I suspect the embedded code could very well have been to blame - it seems nearly impossible to test every condition, but a collision like this ones seems an obvious test case to simulate. I'd also be looking at the similarities between automatic mode vs other modes. A smoking gun (for firmware anyway) is the idea of "A" car vs "B" car and which is in front, and the algorithms when these cars are reversed. And if anyone bothered to think such a situation might happen.Boy, I hate to prematurely slam embedded code, but we aren't very good about consistent, comprehensive and logical testing.I can't want to see the final report on the firmware if we ever get to see it. It's too bad we all as a community can't dig through it - engineers love puzzles - just too bad this is such a sad one.LisaReal Life Debugged" Technology Blogwww.lisaksimone.com/phoneonfire/ I suspect the embedded code could very well have been to blame – it seems nearly impossible to test every condition, but a collision like this ones seems an obvious test case to simulate. I'd also be looking at the similarities between automatic mode vs other modes. A smoking gun (for firmware anyway) is the idea of "A" car vs "B" car and which is in front, and the algorithms when these cars are reversed. And if anyone bothered to think such a situation might happen.Boy, I hate to prematurely slam embedded code, but we aren't very good about consistent, comprehensive and logical testing.I can't want to see the final report on the firmware if we ever get to see it. It's too bad we all as a community can't dig through it – engineers love puzzles – just too bad this is such a sad one.LisaReal Life Debugged" Technology Blogwww.lisaksimone.com/phoneonfire/

]]>