Draft Robustness

Carnegie Mellon University
18-849b Dependable Embedded Systems
Spring 1998

Authors: Chris Inacio
Ying Shi


 






Abstract:

Embedded systems are deployed in almost every part of modern life.  These systems control everything from when your VCR turns on to tape to the doors at the local supermarket opening.  For these systems to be deployed with the trust of the public, the robustness becomes a critical property.  Robustness is the property of the system to operate correctly in the presence of invalid inputs.  As more and more embedded systems become deployed especially in safety critical systems, it become more important for these systems to be robust.

Related Topics:

Contents:

Introduction

The IEEE standard glossary defines robustness as "The degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions." This definition can be used to motivate the design engineer to consider several different possibilities which typically aren't dealt with in earnest during the design of most embedded systems.  The embedded system can almost be expected to be used in an environment the designer didn't anticipate and possibly for an application the designer hadn't considered.  Adding to this, if a significant amount of human interaction is expected, the system will almost surely get an unimagined set of unexpected inputs.

In order to mitigate these problems, various techniques can be employed. Some of these techniques include classical hardware fault tolerance methods, graceful degradation, mecahnical or electrical fail safes, "idiot-proof" user interfaces, and functional diversity.  By using a combination of these techniques in a well thought out approach the robustness of the system can be increased.  Robustness is an emergent property, however, and so designing specifically for robustness is not possible.  A system can be designed with robustness as a goal, and surely a system with robustness as a goal will be more robust than a system designed without that goal, but it does not gurantee a robust system.

Key Concepts


Available tools, techniques, and metrics

Robustness Benchmark


A robustness benchmark can be used to measure how a system reacts to possible erroneous inputs or environmental factors.  The robustness benchmark is used as an indentification of a system error detection mechanism.  Unforuntately, it is not possible to fully determine how robust a system is.  Using a robustness benchmark can only help in modeling and estimating the robustness of the system.  (For more information on why you cannot measure this property, see the software testing section.)
 

Graceful Degradation

 

Fail safes


An important part of many embedded systems, especially those embedded systems which are safety critical, are the fail safe mechanisms.  Fail safes are an old concept in which, when a system detects that it is becoming unstable defaults into moving to a fail safe state.  The fail safe state should put the system into the safest possible state and wait for either the user to intervene or reset the system.
 

Safety Interlocks


Safety interlocks are a method of using additional subsystems within a complex embedded system in order to ensure that even if a different subsystems malfunctions, the system does not create a dangerous situation. For example, the doors on an elavator may use mechanical safety interlocks so that, unless the mechanical interlocks are released, the doors will not open between floors.  The doors are generally controlled by an electronic motor and controller system, however, and the sole purpose of the mechanical system is for extra safety, increasing the robustness of the system.

Relationship to other topics

Software Testing

In order to measure the robustness of an embedded system, it is necessary to understand the limitations in testing a complex computer controlled system.  The description of software testing describes the necessary use of testing in combination with modeling in order to estimate a property such as robustness.

Conclusions

Annotated Reference List

(Please try to include a URL to either an on-line source for the paper, or a pointer to the author, or both if possible.) 

Loose Ends

Go To Project Page