embedded software boot camp

Calling all Embedded Systems Bloggers

March 25th, 2009 by Michael Barr

I am currently doing research for an in-depth blog post or series about the online social networking community of individuals and companies with blogs, facebook pages, twitter feeds, etc. about embedded systems development. If you are involved with any part of the online embedded systems community and think I may not have already heard of you, please reach out to me via an e-mail to mbarr@netrino.com or via twitter to @netrinomike.

Tags: ,
Posted in Uncategorized | No Comments »

Coding Standard Rule #2: Use const Wherever Possible

March 24th, 2009 by Michael Barr

Another in a continuing series of blog posts about simple rules for keeping bugs out of embedded software written in the C programming language.

Rule: The const keyword shall be used whenever possible, including:

  • To declare variables that should not be changed after initialization,
  • To define call-by-reference function parameters that should not be modified (e.g., char const * p_data),
  • To define fields in structs and unions that cannot be modified (e.g., in a struct overlay for memory-mapped I/O peripheral registers), and
  • As a strongly typed alternative to #define for numerical constants.

Reasoning: The upside of using const as much as possible is compiler-enforced protection from unintended writes to data that should be read-only.

Coding Standard Rule #1
Coding Standard Rule #3

These rules are excerpts from the Embedded C Coding Standard book.

Tags: , , ,
Posted in Coding Standards | 3 Comments »

Coding Standard Rule #1: Always Use Braces

March 19th, 2009 by Michael Barr


This is the first in a planned series of blog posts suggesting how to reduce firmware bugs by following a set of simple C programming rules.

Rule: Braces ({ }) shall always surround the blocks of code (a.k.a., compound statements) following if, else, switch, while, do, and for keywords. Single statements and empty statements following these keywords shall also always be surrounded by braces.

Example (don’t):
if (timer.done)
// A single statement needs braces!
timer.control = TIMER_RESTART;

Example (do):
while (!timer.done)
{
// Even an empty statement should be surrounded by braces.
}

Reasoning: There is considerable risk associated with the presence of empty statements and single statements that are not surrounded by braces. Code constructs of this type are often associated with bugs when nearby code is changed or commented out. This type of bug is entirely eliminated by the consistent use of braces.

Coding Standard #2

These rules are excerpts from the Embedded C Coding Standard book.

Tags: , , , ,
Posted in Coding Standards | 1 Comment »

Firmware Wall of Shame: Welch Allyn Defibrillator Recall

March 17th, 2009 by Michael Barr

The FDA has just announced a Class I (the most serious human risk category) recall of the Welch Allyn AED 10 automatic external defibrillator (shown).

Among the reasons for the recall are the following problems that are either caused by embedded software bugs or hardware problems able to be fixed entirely through a firmware upgrade:

  • “Units serviced in 2007 and upgraded with software version 02.06.00 have a remote possibility of shut down during use in cold environmental conditions. There are no known injuries or deaths associated with this issue. The units will be updated with the current version of software.”
  • “All of the recalled units will be upgraded with software that corrects [another] unexpected shutdown problem. In the meantime … it is vital to follow the step 1-2-3 operating procedure which directs attachment of the pads after the device has been turned on. This procedure is described on the back of your device and also in the Quick Reference material inside the AED 10 case. Some pages in the user’s manual may erroneously describe or show illustrations of [a different] operating procedure… Please disregard these erroneous instructions.”

There has been at least one death at a time when the second type of unexpected software shutdown occurred. Are bugs in the embedded software to blame? Of what sort? Could the authors of that firmware be sued in relation to the death? Were they negligent? Are they sure that there are Zero Bugs (or even just fewer bugs) in the “current version of the software”?

Expect more of this type of firmware-involved death as embedded systems continue to proliferate.

Tags: , , ,
Posted in Uncategorized | No Comments »

RTOS Myth #5: You Need One

February 23rd, 2009 by Michael Barr

The Myth: You need a real-time operating system (RTOS) to make your embedded software easy to implement and maintain.

The Truth: Three positive implications of the use of a preemptive priority-based RTOS must be weighed against ten negative implications. An RTOS works well in some scenarios, but overly complicates the design of many other systems.

Annual surveys of the readers of EETimes and Embedded Systems Design generally find that about half (50%) of embedded software developers work on projects that utilize a commercial RTOS, such as VxWorks or uC/OS-II. Due to a sampling bias stemming from the correlation between big teams and RTOS use, the number of new products containing an RTOS is likely much lower than 50%.

Contrary to popular belief, a real-time operating system (RTOS) is not the answer to all of your design problems. When chosen for the wrong reasons, the presence an RTOS can make the firmware design more complicated rather than less. In addition, preemption increases the opportunity for race condition and non-reentrancy bugs. Finally, the inclusion of an RTOS has other costs, such as additional RAM and ROM/Flash.

By my calculations, preemption has three principal positive implications and ten negative implications. For example, one positive is that an RTOS can help separate the timing (i.e., which code is running on the CPU when?) from the application-level algorithmics. The problem is decomposed into a less “fragile”/more maintainable firmware design.

However, the use of separately-coded parallel tasks also complicates the software. Without the RTOS, the only possible race conditions occur between communicating interrupt service routines and the background loop in main(). Additional tasks increase the need for communication and synchronization factorially.

Perhaps the most interesting tradeoff concerns responsiveness to interrupts. Although what an RTOS does is to divide up the spare CPU time not used by any interrupt service routine (ISR) between pseudo-parallel running tasks (i.e., a set of C functions that don’t return), one negative side effect is slower CPU response to interrupts. The interrupt latency is higher with an RTOS than without.

Don’t get me wrong, sometimes an RTOS is a valuable tool. But don’t go using one simply to put its name on your resume. You may instead find yourself languishing in an overly-complicated and buggy embedded software design at your present job.

The “RTOS Alternatives” course by Netrino Institute includes full coverage of these tradeoffs, including details of each of preemptions three positives and all ten of the negative implications of a commercial RTOS.

Go back to RTOS Myth #4.

Tags: , ,
Posted in RTOS Multithreading | No Comments »

« Older Entries
Newer Entries »