Precautions for Embedded Software Reliability Design

Source: Internet
Author: User

Men conquer the world; women conquer the world by conquering men. Hardware is everywhere, and software conquers the world by controlling hardware. Look around today: wherever there is electronics there is embedded software, and wherever there is an electronic fault, the shadow of an embedded software design defect is usually not far behind. This article lists the mistakes embedded software is prone to, how to avoid them, and the corresponding solutions.

The defining feature of embedded software is control: it couples hardware with software, carries a large number of functions with calls between modules, and runs in a complex external environment where it is vulnerable to interference from, and can itself interfere with, other devices. The consequence of an execution error is not merely wrong data; it may be an immeasurable disaster. Reliability design of embedded software therefore requires attention in four areas:

1. Software Interface

First, the areas in software interfaces that are prone to problems, and the mistakes programmers commonly make there.

Software interface calls usually assign values to data, and the data type of the assigned variable may undergo a forced (implicit or explicit) conversion, which needs to be checked. To prevent problems, check both the range and the data type of the data.

The number of assigned data items may be wrong. If too few values are supplied, unexpected assignment results occur. This error, however, is easy to check for.

In software, code for one operation is often reused. For example, if a data check and a control action on a port occur only twice in the whole program, the code segment may simply be inserted directly into each program module. The two segments in the source code are then identical, perform the same function, and differ only in the module they serve. In principle there is nothing wrong with this design. Yes, you are right, but your behaviour will lead others into mistakes. It is like a girl who only wants to enjoy a warm atmosphere with a boy and has no intention of going further, yet invites him home, changes into pyjamas, closes the curtains and puts on suggestive music, and afterwards says with infinite grief, "I didn't expect it to end like this." Who is to blame? In code terms, your practice is the same as that of the girl who appears to bait the boy.

Some will ask: how can code written like this seduce anyone? The reason is that the program will be upgraded. You cannot guarantee that these lines of code remain perfect throughout their actual service life. If the code is found to be imperfect it is bound to be modified; if you are still the one doing it and remember the second copy, you may not miss it. If someone else modifies the code and changes one copy but not the other, isn't that a hidden danger? What should we do? The method is not difficult: make this function a single module, and let every read and control assignment of this port go through that independent module. If the port data has a large influence on the correctness of the result, also check and judge the correctness of the port data inside that module. The four objectives of reliability programming for embedded software are error prevention, error detection, error correction, and fault tolerance. Judging the port data is error detection; if the data is wrong, the error correction and fault tolerance design methods follow from it and need no further explanation here.

2. Software and Hardware Interfaces

Hardware is like a man: you rely on it for external execution, and once a problem occurs, the consequences after execution are uncontrollable. Premier Zhou said that "there is no small matter in diplomacy." But what exactly should we pay attention to?

Determine whether the data read from the hardware interface is genuine;

Check the execution effect of the output data;

We need to design preventively against the possible consequences of the output data and analyse the output process from the design perspective. The trap in this analysis is that it is easy to confine oneself to the steady state and ignore the transition. For example, when we control the power supply of a branch, in terms of software control we simply send a start signal to the relay so that the open contacts close: "off" and "on" are the two steady states of the controlled relay. In reality, during the transition from open to closed, the branch supply voltage is not a clean 0 V to 24 V step (taking 24 V as an example) but a process of jitter and transient spikes. Hardware protection is essential here, but the software cannot simply stand aside either.

In addition, control actions that are easily disturbed and those that easily generate disturbance should be separated logically in the time sequence. For example, the relay switching process tends to produce jitter spikes that interfere with the data bus and the control signal bus. At that moment it is not appropriate to transmit or receive data, nor to perform other control actions, so the two must be kept apart in time. Can we avoid this interference?
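The relay example above, as an added C example that is not from the article: the open-to-closed transition is treated as a state of its own, bus transfers are refused while the contacts settle, and the execution effect is judged only from a readback taken after the settle window. The 20 ms settle time, the contact-sense input and the scenario helpers are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define RELAY_SETTLE_MS 20u   /* assumed bounce/settle window after a command */

typedef enum { RELAY_IDLE, RELAY_SWITCHING } relay_phase_t;
typedef enum { RELAY_VERIFY_PENDING, RELAY_VERIFY_OK, RELAY_VERIFY_FAULT } relay_verify_t;

typedef struct {
    bool          commanded_on;       /* last state written to the coil driver */
    relay_phase_t phase;
    uint32_t      switch_started_ms;
} relay_t;

void relay_init(relay_t *r)
{
    r->commanded_on = false;
    r->phase = RELAY_IDLE;
    r->switch_started_ms = 0u;
}

/* Command a new contact state. Re-commanding the current state while idle is
 * a no-op, so it cannot restart the settle window needlessly. */
void relay_command(relay_t *r, bool on, uint32_t now_ms)
{
    if (r->phase == RELAY_IDLE && r->commanded_on == on)
        return;
    r->commanded_on = on;             /* in firmware: drive the coil output here */
    r->phase = RELAY_SWITCHING;
    r->switch_started_ms = now_ms;
}

/* Periodic tick. Unsigned subtraction keeps the comparison correct across a
 * wrap of the millisecond counter. */
void relay_tick(relay_t *r, uint32_t now_ms)
{
    if (r->phase == RELAY_SWITCHING &&
        (uint32_t)(now_ms - r->switch_started_ms) >= RELAY_SETTLE_MS)
        r->phase = RELAY_IDLE;
}

/* Time-sequence separation: the bus driver asks this before every transfer. */
bool bus_transfer_allowed(const relay_t *r)
{
    return r->phase == RELAY_IDLE;
}

/* Execution-effect check: compare the contact-sense input (assumed auxiliary
 * contact) with the command, but only once the relay has settled. */
relay_verify_t relay_verify(const relay_t *r, bool contact_sense)
{
    if (r->phase != RELAY_IDLE)
        return RELAY_VERIFY_PENDING;
    return (contact_sense == r->commanded_on) ? RELAY_VERIFY_OK : RELAY_VERIFY_FAULT;
}

/* Scenario helper: command the relay on at t0, tick at t1, report whether the
 * bus was released by then. */
bool relay_scenario_bus_released(uint32_t t0_ms, uint32_t t1_ms)
{
    relay_t r;
    relay_init(&r);
    relay_command(&r, true, t0_ms);
    relay_tick(&r, t1_ms);
    return bus_transfer_allowed(&r);
}

/* Same scenario, reporting the verification result for a given sense reading. */
relay_verify_t relay_scenario_verify(uint32_t t0_ms, uint32_t t1_ms, bool sense)
{
    relay_t r;
    relay_init(&r);
    relay_command(&r, true, t0_ms);
    relay_tick(&r, t1_ms);
    return relay_verify(&r, sense);
}

int main(void)
{
    printf("bus released 10 ms after command: %d\n", (int)relay_scenario_bus_released(100u, 110u));
    printf("bus released 20 ms after command: %d\n", (int)relay_scenario_bus_released(100u, 120u));
    printf("verify with contact closed after settle: %d\n", (int)relay_scenario_verify(100u, 125u, true));
    return 0;
}
```

The point of the design is that "relay is switching" is a third state the rest of the firmware can query, rather than an instantaneous event hidden inside the steady-state on/off model.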

3. Software Code

Software reliability increases gradually over time, which differs from electronic and mechanical reliability. Electronic reliability follows an exponential distribution: the failure rate is constant throughout the life cycle. Mechanical reliability decreases over time because of wear, corrosion, motion and other factors. Software reliability design therefore has its own rules and precautions.


Since it takes time to improve software reliability, the maintainability of the software is a major issue. This is also why software documents and comments receive so much attention in software engineering management. However, many of those who impose these requirements merely repeat what others say and do not understand the true motive behind the practice. On how to comment, how to name variables, and how to run software configuration management, there are both common methods and some common but incorrect methods. A few noteworthy details are offered for reference.

Variable names carry the variable's type, such as ad_result_int and cal_result_float. This is a good check against data type errors during forced conversion or forced assignment;

Adequate comments are required;

The layout style of the code should be uniform, for easy reading and searching;

Uncontrolled default flows are not allowed. Every value and variable, whether passed into a function call, read from an interface, or calculated from intermediate variables, should be checked for data validity before use, with a controlled response defined for every possible result.

... ...
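The single port-access module from section 1 and the "no uncontrolled default flow" rule above, as one added C example that is not from the article: every read of the port goes through port_read_checked(), which verifies the conversion width, the plausible range and read stability before handing a value out, and the caller gives every status a defined response. The 12-bit ADC, its plausible range, the 3.3 V full scale, the fake register and the test hooks are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    PORT_OK = 0,
    PORT_ERR_WIDTH,     /* bits set beyond the ADC width: the read is corrupt */
    PORT_ERR_RANGE,     /* inside the width but outside the plausible sensor range */
    PORT_ERR_UNSTABLE   /* two consecutive reads disagree */
} port_status_t;

#define ADC_WIDTH_MASK   0x0FFFu  /* hypothetical 12-bit ADC */
#define ADC_RANGE_MIN    100u     /* below this: open sensor (assumed) */
#define ADC_RANGE_MAX    4000u    /* above this: shorted sensor (assumed) */
#define SAFE_MILLIVOLTS  0        /* actuator-safe fallback (assumed) */

/* Constructed stand-in for a memory-mapped register: returns the two injected
 * values alternately so that an unstable read can be simulated. */
static uint32_t g_fake_raw[2];
static unsigned g_fake_idx;

static uint32_t port_raw_read(void)
{
    uint32_t v = g_fake_raw[g_fake_idx & 1u];
    g_fake_idx++;
    return v;
}

void port_test_inject(uint32_t first, uint32_t second)
{
    g_fake_raw[0] = first;
    g_fake_raw[1] = second;
    g_fake_idx = 0;
}

/* The only function allowed to touch the port. On any error the out parameter
 * is left untouched, so a caller can never pick up a half-checked value. */
port_status_t port_read_checked(uint16_t *out_raw)
{
    uint32_t first = port_raw_read();
    uint32_t second = port_raw_read();

    if (first != second)
        return PORT_ERR_UNSTABLE;
    if ((first & ~ADC_WIDTH_MASK) != 0u)      /* these bits would vanish in the narrowing */
        return PORT_ERR_WIDTH;
    if (first < ADC_RANGE_MIN || first > ADC_RANGE_MAX)
        return PORT_ERR_RANGE;

    *out_raw = (uint16_t)first;               /* narrowing is now provably lossless */
    return PORT_OK;
}

/* Caller: every status has a defined response, so there is no default flow.
 * status may be NULL when the caller only needs the value. */
int32_t sensor_millivolts(port_status_t *status)
{
    uint16_t raw = 0;
    port_status_t st = port_read_checked(&raw);
    if (status)
        *status = st;
    switch (st) {
    case PORT_OK:
        return ((int32_t)raw * 3300) / 4095;  /* 3.3 V full scale (assumed) */
    case PORT_ERR_WIDTH:
    case PORT_ERR_RANGE:
    case PORT_ERR_UNSTABLE:
        return SAFE_MILLIVOLTS;
    }
    return SAFE_MILLIVOLTS;                   /* defined even if the enum grows later */
}

/* Test hooks: inject a pair of raw readings, then report status or value. */
port_status_t port_check_injected(uint32_t first, uint32_t second)
{
    uint16_t raw = 0;
    port_test_inject(first, second);
    return port_read_checked(&raw);
}

int32_t sensor_millivolts_for(uint32_t first, uint32_t second)
{
    port_test_inject(first, second);
    return sensor_millivolts(NULL);
}

int main(void)
{
    printf("stable 1000 -> %ld mV\n", (long)sensor_millivolts_for(1000u, 1000u));
    printf("unstable 1000/1001 -> %ld mV (safe value)\n", (long)sensor_millivolts_for(1000u, 1001u));
    printf("status of 0x1000: %d (width error)\n", (int)port_check_injected(0x1000u, 0x1000u));
    return 0;
}
```

Because the port is touched in exactly one place, a later change to the range limits or to the conversion is made once, which is the article's answer to the duplicated-segment problem.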

Documents on programming for software maintainability are abundant on the Internet and will not be described in detail here. Many articles recommend software maintainability programming specifications as the embedded software reliability design specification for enterprises; that is somewhat one-sided. In the words of the entertainment circle, "Love is an important part of life, but it is not the whole of life," and the same is true of maintainability programming methods.

The next problem that easily occurs during code execution is that the program counter is disturbed, jumps to an uncontrolled location, and executes code that should not be executed. If the program contains enough judgments on variables, read values and status, executing the wrong code may not be too serious; the program may even recover by itself. A runaway program counter, however, is terrifying. The object code we store in ROM consists of 1- to 3-byte instructions, that is, up to three bytes are grouped into one execution action. If the program counter lands inside a 3-byte instruction rather than on its first byte, what gets executed? Nobody knows, and even if the program has enough data-error and logic-jump prevention measures, the result will not be good. In addition, ROM is generally not completely filled by program code; there is always surplus space. What is the default content of that surplus space, and can those default bytes also trigger operations? In a single-chip microcomputer the erased space reads 0FFh; I have not checked DSPs. If you are interested, it is easy to jump into these areas and find out.

Now the solution: place several NOP instructions manually at intervals in the program code or in the control areas, and place a long jump to the error handler after the NOPs. Note that at least three NOPs should be placed, so that a runaway landing can consume at most two of them; the third NOP still brings execution back into alignment with the instruction stream, after which the error handling routine that follows is executed.

For programs with high safety and reliability requirements, the recommended approach is hot backup: the same function is computed by two pieces of code at the same time and the results are compared; if they agree, the result is accepted. If the results disagree, what then? But... there are ways in which Chinese people make things easy for themselves. Didn't your leader ask you to write a hot-backup program? Fine, copy the original code and insert it somewhere again, and you and the Ming Dynasty eunuch Feng Bao (or Yan Yu, Zhang Juzheng? If interested, see "Those Things of the Ming Dynasty") can write your own memorials and approve them yourselves. Since the backup exists to guard against one person's mistake, the best way is to have the two sections written by different people; if the calculation principle is also different and the data acquisition channel is also different, then we can bring the daughter-in-law home for the Chinese New Year.
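Hot backup with the diversity the paragraph asks for, as an added C example that is not from the article: a temperature in tenths of a degree is computed once by a direct formula from channel A and once by table interpolation from channel B, and the value is accepted only when the two agree. The sensor model (10 mV per degree with a 500 mV offset, 12-bit ADC over 3.3 V), the constructed table and the tolerance are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef enum { REDUNDANT_OK, REDUNDANT_MISMATCH } redundant_status_t;

#define AGREEMENT_TOLERANCE_TENTHS 5   /* assumed acceptable rounding spread */

/* Implementation A: direct integer formula on channel A. */
static int32_t temp_tenths_formula(uint16_t raw_a)
{
    int32_t millivolts = ((int32_t)raw_a * 3300) / 4095;
    return millivolts - 500;           /* (mV - 500) / 10 degrees == tenths */
}

/* Implementation B: lookup table with linear interpolation on channel B.
 * The table values are constructed for the example; in a real project they
 * would come from calibration and be written by a different engineer. */
static const uint16_t k_raw_pts[]   = {   0,  512, 1024, 1536, 2048, 2560, 3072, 3584, 4095 };
static const int32_t  k_tenth_pts[] = {-500,  -88,  325,  737, 1150, 1563, 1975, 2388, 2800 };
#define TABLE_N (sizeof k_raw_pts / sizeof k_raw_pts[0])

static int32_t temp_tenths_table(uint16_t raw_b)
{
    size_t i;
    if (raw_b >= k_raw_pts[TABLE_N - 1])
        return k_tenth_pts[TABLE_N - 1];
    for (i = 0; i + 1 < TABLE_N; i++) {
        if (raw_b < k_raw_pts[i + 1]) {
            int32_t span_raw = k_raw_pts[i + 1] - k_raw_pts[i];
            int32_t span_t   = k_tenth_pts[i + 1] - k_tenth_pts[i];
            return k_tenth_pts[i] + ((int32_t)(raw_b - k_raw_pts[i]) * span_t) / span_raw;
        }
    }
    return k_tenth_pts[TABLE_N - 1];   /* not reached; keeps every path defined */
}

/* Comparator: accepts only agreeing results. out is untouched on mismatch so
 * the caller falls back to its safe state rather than to a stale value. */
redundant_status_t redundant_temperature(uint16_t raw_a, uint16_t raw_b, int32_t *out_tenths)
{
    int32_t a = temp_tenths_formula(raw_a);
    int32_t b = temp_tenths_table(raw_b);
    if (labs((long)(a - b)) > AGREEMENT_TOLERANCE_TENTHS)
        return REDUNDANT_MISMATCH;
    *out_tenths = a;
    return REDUNDANT_OK;
}

/* Wrapper for tests and demo: the accepted value, or INT32_MIN on mismatch. */
int32_t redundant_temperature_or_min(uint16_t raw_a, uint16_t raw_b)
{
    int32_t t = 0;
    return redundant_temperature(raw_a, raw_b, &t) == REDUNDANT_OK ? t : INT32_MIN;
}

int main(void)
{
    printf("channels agree (1000/1000): %ld tenths\n", (long)redundant_temperature_or_min(1000u, 1000u));
    printf("channels disagree (1000/2000): %ld (INT32_MIN = rejected)\n",
           (long)redundant_temperature_or_min(1000u, 2000u));
    return 0;
}
```

A copy of the formula would agree with itself even when the formula is wrong; the table path and the second channel are what make the comparison meaningful.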

There are many more precautions for safe and reliable programming; what is given here is only a glimpse of the leopard through a tube.

4. Data and Variables

Variables are defined so as to avoid confusion, the mixing-up of data within the same program, ambiguity when different people read the program, and visual errors (the letter "O" and the digit "0", the letter "l" and the digit "1"). Here we should follow the basic rule of "either clearly the same or clearly different". This rule applies in many fields. Its best-known user was Zhu Yuanzhang, who, when dealing with corrupt officials, either ignored you or, if you did not stop yourself, simply had you killed; among Ming emperors, Zhu Yuanzhang executed the most. The same applies to connector selection in the mistake-proofing of a structure: if a milky white plug and a light grey plug of the same type exist, the best choice is either a clear visual or structural difference, or simply making them identical, with identical resting on the premise that they are genuinely interchangeable.

Use explicit symbols to name variables and statement labels. An identifier has a clear meaning and is a full word or an easy-to-understand abbreviation. Short words are abbreviated by removing the vowels; long words are abbreviated to their first few letters. Some words have accepted abbreviations. For example:

Temp - TMP;

Flag - FLG;

Statistic - Stat;

Increment - Inc;

Message - MSG.

Special conventions or abbreviations must be annotated: comment the abbreviations or conventions used at the beginning of the source file. Your own naming style must be consistent from start to end. A variable name is not allowed to be a single character (such as i, j, k ...); it is formed from meaning plus variable kind, data type and so on. i, j and k are allowed as local loop variables, but easily confused letters should be used with caution. For example, in int liv_width, l stands for a local variable (g for a global variable), i for the data type (integer), v for variable (c for a constant), and width gives the meaning of the variable. This naming method prevents a local variable from being given the same name as a global variable.

Do not use confusable identifiers (R1 and rl, do and D0) to denote different variables, file names or statement labels.

Except for compilation switches, header-file guards and other special uses, do not use definitions that begin and end with an underscore, like _example_test_.

Global variables are a strategic resource: they determine the coupling between modules and must be raised to a high enough level of attention in the project. When you have to use a global variable, use it with caution: write an independent access module or function for each global variable, and when modifying a global variable, check whether another function is reading it and whether its value must remain stable.

When a variable represents a specific meaning, do not use just one bit to represent it. For example, if the nth bit of a variable represents a state (0000 0001, where only the single 1 carries the meaning), then 01h, 03h, 05h ... are all combinations that also represent this state; a single bit is easily flipped by interference, and the probability of an information error is much higher.

Do not use 00h, FFh and similar values to represent data. Just as, when interviewing a group of people, the first and the last are the easiest to remember, 00h and FFh are the default states of the system: memory is easily reset or set to these values. It is recommended to use an intermediate value of a four-bit binary code as a state variable, such as 1001.
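The two rules above on state encoding, as an added C example that is not from the article: the state codes are chosen so that none is 0x00 or 0xFF, none is a single bit, and every pair differs in at least two bits, so one flipped bit never turns a valid state into another valid state. The code values and the transition guard are assumptions made for the example; state_code_min_distance() checks the spacing property so it can be asserted at self-test time rather than trusted.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum {
    ST_IDLE    = 0x9,   /* 1001 */
    ST_ARMED   = 0x6,   /* 0110 */
    ST_RUNNING = 0xA,   /* 1010 */
    ST_FAULT   = 0x5    /* 0101 */
};

static const uint8_t k_valid_codes[] = { ST_IDLE, ST_ARMED, ST_RUNNING, ST_FAULT };
#define N_CODES (sizeof k_valid_codes / sizeof k_valid_codes[0])

static unsigned popcount8(uint8_t x)
{
    unsigned n = 0;
    while (x) { n += x & 1u; x >>= 1; }
    return n;
}

/* Accept only the enumerated codes: 0x00, 0xFF, one-hot values and any
 * single-bit corruption of a valid code are all rejected. */
bool state_code_valid(uint8_t code)
{
    size_t i;
    for (i = 0; i < N_CODES; i++)
        if (k_valid_codes[i] == code)
            return true;
    return false;
}

/* Smallest Hamming distance between any valid code and any other valid code
 * or either reset pattern. A result of at least 2 means a single flipped bit
 * is always detected by state_code_valid(). */
unsigned state_code_min_distance(void)
{
    const uint8_t reset_patterns[] = { 0x00u, 0xFFu };
    unsigned best = 8;
    size_t i, j;
    for (i = 0; i < N_CODES; i++) {
        for (j = i + 1; j < N_CODES; j++) {
            unsigned d = popcount8(k_valid_codes[i] ^ k_valid_codes[j]);
            if (d < best) best = d;
        }
        for (j = 0; j < 2; j++) {
            unsigned d = popcount8(k_valid_codes[i] ^ reset_patterns[j]);
            if (d < best) best = d;
        }
    }
    return best;
}

/* Transition guard: a corrupted current state or an unknown target forces the
 * fault state instead of silently continuing. Returns true if the transition
 * was taken. */
bool state_transition(uint8_t *state, uint8_t next)
{
    if (!state_code_valid(*state) || !state_code_valid(next)) {
        *state = ST_FAULT;
        return false;
    }
    *state = next;
    return true;
}

/* Helper for tests and demo: start from `start`, attempt `next`, return the
 * resulting state. */
uint8_t state_after(uint8_t start, uint8_t next)
{
    uint8_t s = start;
    (void)state_transition(&s, next);
    return s;
}

int main(void)
{
    printf("minimum code distance: %u\n", state_code_min_distance());
    printf("IDLE with bit 0 flipped (0x8) -> ARMED gives state 0x%X (FAULT)\n",
           (unsigned)state_after(0x8u, ST_ARMED));
    return 0;
}
```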

Before using variable data, determine its data type and value range;

Data is also prone to problems in storage; similar cases have been found in both EEPROM and RAM, and data errors cannot be avoided. The solution is to learn from American financial enterprises such as Citibank, which could quickly restore business after 9/11 with essentially no data loss. Why? Because they had a remote disaster-recovery data backup system; the two keywords are remote and backup. Our data is the same. First, store it on different media, or on the same medium but in different storage environments and locations. With dual backup, when the two copies disagree the data is suspect and rejected; but embedded software often relies on data to drive execution, and administrative inaction is not permitted even when the data is found to be faulty, which makes the problem very hard to resolve: how do we decide which of two different data items is wrong when both lie within the allowed range? There is then no way around triple backup, where the minority yields to the majority. Rock-paper-scissors is not usable and Ge You's "differentiated endings" do not apply, so you have to choose the most primitive and most effective method; the only thing to note is that the data should be stored in three different backup environments. Otherwise the three copies are not really independent.
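The triple backup with majority vote described above, as an added C example that is not from the article: every write goes to three regions, a read votes 2-of-3, a lone disagreeing copy is rewritten from the majority, and a read where all three copies differ is reported as a fault with the caller's output left untouched. The three regions are constructed arrays standing in for different media or locations; the slot count, the corruption hook and the scenario helpers are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TMR_COPIES 3
#define TMR_SLOTS  8          /* number of protected variables (example size) */

typedef enum { TMR_OK, TMR_REPAIRED, TMR_FAULT } tmr_status_t;

/* In firmware these would be three separate regions (EEPROM, RAM, remote
 * address range); here they are one constructed array per copy. */
static uint16_t g_region[TMR_COPIES][TMR_SLOTS];

/* A write goes to all three regions. */
void tmr_write(size_t slot, uint16_t value)
{
    int c;
    for (c = 0; c < TMR_COPIES; c++)
        g_region[c][slot] = value;
}

/* Read with 2-of-3 vote. A lone disagreeing copy is scrubbed back from the
 * majority; when all three differ there is no majority and *out is untouched. */
tmr_status_t tmr_read(size_t slot, uint16_t *out)
{
    uint16_t a = g_region[0][slot];
    uint16_t b = g_region[1][slot];
    uint16_t c = g_region[2][slot];

    if (a == b && b == c) { *out = a; return TMR_OK; }
    if (a == b) { g_region[2][slot] = a; *out = a; return TMR_REPAIRED; }
    if (a == c) { g_region[1][slot] = a; *out = a; return TMR_REPAIRED; }
    if (b == c) { g_region[0][slot] = b; *out = b; return TMR_REPAIRED; }
    return TMR_FAULT;
}

/* Test hook standing in for a corrupted cell in one region. */
void tmr_test_corrupt(int copy, size_t slot, uint16_t value)
{
    g_region[copy][slot] = value;
}

/* Scenario helpers: write 0x1234 to slot 0, corrupt the first ncorrupt copies
 * with distinct wrong values, then read back. */
tmr_status_t tmr_scenario_status(int ncorrupt)
{
    uint16_t v = 0;
    int c;
    tmr_write(0, 0x1234u);
    for (c = 0; c < ncorrupt; c++)
        tmr_test_corrupt(c, 0, (uint16_t)(0xBAD0u + c));
    return tmr_read(0, &v);
}

/* Same scenario, returning the voted value; the 0xFFFF sentinel survives
 * only when the vote failed and *out was left alone. */
uint16_t tmr_scenario_value(int ncorrupt)
{
    uint16_t v = 0xFFFFu;
    int c;
    tmr_write(0, 0x1234u);
    for (c = 0; c < ncorrupt; c++)
        tmr_test_corrupt(c, 0, (uint16_t)(0xBAD0u + c));
    (void)tmr_read(0, &v);
    return v;
}

/* After a repaired read, the next read of the same slot must be clean. */
tmr_status_t tmr_scenario_after_repair(void)
{
    uint16_t v = 0;
    tmr_write(0, 0x1234u);
    tmr_test_corrupt(1, 0, 0xBAD1u);
    (void)tmr_read(0, &v);
    return tmr_read(0, &v);
}

int main(void)
{
    printf("one bad copy: status %d, value 0x%04X\n", (int)tmr_scenario_status(1),
           (unsigned)tmr_scenario_value(1));
    printf("two bad copies: status %d (fault), value 0x%04X (untouched sentinel)\n",
           (int)tmr_scenario_status(2), (unsigned)tmr_scenario_value(2));
    return 0;
}
```

The TMR_FAULT path is the case the paragraph worries about: the vote cannot pick a value, so the caller must act on the status rather than on whatever happens to be in the output variable.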

The above has described the key points of embedded software reliability in several categories. There are many more points to note in practice; if you are preparing to develop your own design specification, the ideas above should be enlightening. (End of text)
