Any embedded computer system, no matter how well designed, will go wrong at some time during its life, due to either a:

- hardware fault
- software fault
- transient fault
- permanent fault

The designer must be concerned with the consequences of such faults, and with how the system copes with them. Real-time system failures will happen. Designers must concern themselves with the consequences of such faults and failures, and with why these problems arose in the first place.

All real-time software must be designed in a professional manner, to handle both foreseen and unforeseen program malfunctions (exceptions).

It can be useful to think of real-time embedded computer systems operating within domains of behaviour:

The Operational Domain (designed for normal operation)
The totality of points of the state space which the system might visit in the course of its normal operation, where it must display the attributes specified by the requirements.

Domain of Tolerable Stress (designed for fault-tolerant operation)
The totality of points of the state space in which the system must survive without damage, and from which it must be able to recover its normal behaviour on return to the operational domain.

Domain of Excess Stress
The area outside the operational and tolerable stress domains, where the system's behaviour and safety cannot be guaranteed. The system must therefore be externally protected against encountering excess stress.
Tutor Version
Page 1 of 6
intro2ecs_04_tv.docx
Domains of Behaviour

[Figure: nested regions of the state space. The Operational Domain (service region) lies inside the Tolerable Stress Domain, from which safe recovery is possible; everything outside both is the Excess Stress Domain (non-service region).]
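The three domains can be turned directly into a supervisory check. The following C example is added here and is not part of the handout: it classifies a single measured quantity (a constructed temperature reading, with assumed bounds) into one of the three domains, steers the system back towards normal operation from the tolerable-stress domain, and latches an external-protection action once excess stress is seen, since behaviour beyond that point cannot be guaranteed. The bounds, the enum names and the latching policy are all assumptions for illustration.

```c
#include <stdint.h>

/* Constructed example: a temperature-monitored subsystem, in degrees C.
 * All four bounds are assumed values chosen for illustration. */
#define OPERATIONAL_LOW   10
#define OPERATIONAL_HIGH  60
#define TOLERABLE_LOW      0
#define TOLERABLE_HIGH    85

typedef enum {
    DOMAIN_OPERATIONAL,       /* normal operation: requirements must hold */
    DOMAIN_TOLERABLE_STRESS,  /* survive without damage, then recover */
    DOMAIN_EXCESS_STRESS      /* behaviour and safety not guaranteed */
} behaviour_domain_t;

typedef enum {
    ACTION_NORMAL,   /* carry on */
    ACTION_RECOVER,  /* drive the system back into the operational domain */
    ACTION_PROTECT   /* hand over to external protection (shut down) */
} monitor_action_t;

/* Classify one point of the state space; here the state is a single value. */
behaviour_domain_t classify_domain(int temp_c)
{
    if (temp_c >= OPERATIONAL_LOW && temp_c <= OPERATIONAL_HIGH)
        return DOMAIN_OPERATIONAL;
    if (temp_c >= TOLERABLE_LOW && temp_c <= TOLERABLE_HIGH)
        return DOMAIN_TOLERABLE_STRESS;
    return DOMAIN_EXCESS_STRESS;
}

/* Supervisor state carried between samples. */
typedef struct {
    int recovering;       /* 1 while a recovery from tolerable stress is under way */
    int protect_latched;  /* 1 once excess stress has been seen: stays protected */
} supervisor_t;

/* Called once per sample; returns the action the system should take now. */
monitor_action_t supervise(supervisor_t *s, int temp_c)
{
    if (s->protect_latched)
        return ACTION_PROTECT;  /* protection already tripped, do not resume */

    switch (classify_domain(temp_c)) {
    case DOMAIN_OPERATIONAL:
        s->recovering = 0;
        return ACTION_NORMAL;
    case DOMAIN_TOLERABLE_STRESS:
        s->recovering = 1;      /* survive, and steer back to normal operation */
        return ACTION_RECOVER;
    default:
        s->protect_latched = 1; /* outside guaranteed behaviour: trip protection */
        return ACTION_PROTECT;
    }
}
```

The latch is the important design choice: a point in the excess-stress domain is not something the software recovers from on its own, so the supervisor never quietly returns to normal operation after one, even if later samples look healthy.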
A popular system design strategy, which tries to cope with failures, involves replicating the processor within the system.

[Figure: SWIFT banking system, a master/slave processor pair.]
When the processor itself is the major item in the system, the back-up processor method of coping with failures is both feasible and sensible. However, using this approach with Input/Output (I/O) dominated systems introduces much complexity and makes much less sense.
Which transducer do you believe is the one that has gone out of calibration? Do you need a third? Majority voting?

[Figure: main processor connected through an interface to each of two transducers.]
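The questions above have a concrete answer in code. The following C example is added here and is not from the handout: with two transducers a disagreement can be detected but not resolved (neither reading can be trusted over the other), whereas with three a two-out-of-three majority vote both produces a usable value and points at the channel that disagrees with the other two. The agreement tolerance, the function names and the constructed readings are assumptions for illustration.

```c
#include <stdlib.h>

/* Two readings within this many units are taken to agree (assumed value). */
#define AGREE_TOLERANCE 2

typedef struct {
    int value;    /* voted output; meaningful only when valid == 1 */
    int valid;    /* 1 if a trustworthy value could be produced */
    int suspect;  /* index (0..2) of the transducer that disagrees with both others, else -1 */
} vote_result_t;

static int agree(int a, int b)
{
    return abs(a - b) <= AGREE_TOLERANCE;
}

static int median3(int a, int b, int c)
{
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* Two transducers: a disagreement is detectable, but there is no way to
 * say which of the pair has drifted out of calibration. */
int pair_disagrees(int a, int b)
{
    return !agree(a, b);
}

/* Three transducers: two-out-of-three majority vote. */
vote_result_t majority_vote(const int r[3])
{
    vote_result_t out = { 0, 0, -1 };
    int a01 = agree(r[0], r[1]);
    int a02 = agree(r[0], r[2]);
    int a12 = agree(r[1], r[2]);
    /* how many of the other two each transducer agrees with */
    int agreements[3] = { a01 + a02, a01 + a12, a02 + a12 };
    int isolated = 0;
    int i;

    for (i = 0; i < 3; i++) {
        if (agreements[i] == 0) {
            isolated++;
            out.suspect = i;
        }
    }

    if (isolated == 0) {
        /* every transducer agrees with at least one other: use the median */
        out.value = median3(r[0], r[1], r[2]);
        out.valid = 1;
    } else if (isolated == 1) {
        /* exactly one transducer disagrees with both others: vote it out */
        int a = r[(out.suspect + 1) % 3];
        int b = r[(out.suspect + 2) % 3];
        out.value = (a + b) / 2;
        out.valid = 1;
    } else {
        /* no two readings agree: there is no majority, so report a fault */
        out.suspect = -1;
        out.valid = 0;
    }
    return out;
}
```

Note the third branch: a voter must also handle the case where no majority exists, rather than returning an arbitrary reading as if it were valid.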
Conventional exception handling schemes are usually concerned with detecting internal (program) problems:

- stack overflow;
- array bound violations;
- arithmetic overflows.
Program Exceptions
[Figure: Stack Overflow. A stack region in RAM; the marked point is an attempt to place data outside of the stack boundary.]

[Figure: Array bound violation. An ARRAY region in RAM; the violation is an access outside that region.]
Arithmetic Overflow
Using two's complement arithmetic, 1 byte can store integers in the range -128 to +127. (The MSB is used to represent the sign.) A number outside of these values will overflow, leading to incorrect results.

Decimal   Binary
-128      1000 0000
-1        1111 1111
0         0000 0000
1         0000 0001
127       0111 1111
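The three program exceptions listed above (stack overflow, array bound violation, arithmetic overflow) each come down to a check that the hardware does not make for you. The following C example is added here and is not part of the handout: it shows 8-bit two's complement addition both as it silently wraps and with an explicit range check, plus a fixed-capacity stack and a bounds-checked array store that refuse to write past their boundaries. The result codes, capacities and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>

typedef enum { RES_OK = 0, RES_OVERFLOW, RES_BOUNDS } result_t;

/* Checked 8-bit two's complement addition: the sum is formed in a wider
 * type and rejected if it lies outside -128..+127, before any wrap-around. */
result_t add_int8_checked(int8_t a, int8_t b, int8_t *out)
{
    int wide = (int)a + (int)b;
    if (wide < INT8_MIN || wide > INT8_MAX)
        return RES_OVERFLOW;
    *out = (int8_t)wide;
    return RES_OK;
}

/* Unchecked version: the result wraps modulo 256, giving the "incorrect
 * result" the handout warns about (127 + 1 comes back as -128). */
int8_t add_int8_wrapping(int8_t a, int8_t b)
{
    return (int8_t)(uint8_t)((uint8_t)a + (uint8_t)b);
}

/* A fixed-capacity software stack whose push refuses to write past its
 * boundary instead of corrupting whatever lies beyond it in RAM. */
#define STACK_CAPACITY 4

typedef struct {
    int16_t slots[STACK_CAPACITY];
    size_t depth;
} small_stack_t;

void stack_init(small_stack_t *s)
{
    s->depth = 0;
}

result_t stack_push(small_stack_t *s, int16_t v)
{
    if (s->depth >= STACK_CAPACITY)
        return RES_BOUNDS;       /* stack overflow: reported, not silent */
    s->slots[s->depth++] = v;
    return RES_OK;
}

result_t stack_pop(small_stack_t *s, int16_t *out)
{
    if (s->depth == 0)
        return RES_BOUNDS;       /* stack underflow */
    *out = s->slots[--s->depth];
    return RES_OK;
}

/* Bounds-checked element store for a fixed-length array. */
#define ARRAY_LEN 8

result_t array_store(int16_t arr[ARRAY_LEN], size_t index, int16_t v)
{
    if (index >= ARRAY_LEN)
        return RES_BOUNDS;       /* array bound violation */
    arr[index] = v;
    return RES_OK;
}
```

The pattern is the same in all three cases: the check happens before the write or the narrowing conversion, and the caller gets a result code it can act on, rather than a corrupted stack, a clobbered neighbour in RAM, or a sign that has quietly flipped.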