Carnegie Mellon University
18-849b Dependable Embedded Systems
Spring 1999

Author: Leo Rollins


Most embedded systems contain some type of input or output to control or communicate with the external world. The scope of the I/O subsystem in an embedded system includes sensors and actuators, conversion of signals between the analog and digital realm and delivery to (from) the controlling function. In order to build dependable embedded systems, the designer must consider the requirements that are allocated to the I/O subsystem. For increased dependability, redundancy in the form of multiple or diverse sensors, mechanical interlocks, and manual input from human operators must be considered. Two trends in I/O promise additional features and dependability: Fieldbus and intelligent I/O. These techniques promise lower cost, enhanced maintenance and diagnostic capabilities, and interoperability. However, a slow and fragmentary standardization process presents a challenge to the widespread use of these techniques.

Related Topics:



The I/O subsystem is a sometimes overlooked component of the larger embedded control system. It includes devices in the field that convert physical phenomena (such as temperature or flow) into electrical signals (such as voltage or current). Some part of the I/O subsystem must convert these electrical signals into digital representations. Here we are assuming that the embedded control system is a digital system. These digital representations must also be delivered to the portion of the system that is performing the control algorithm. This distinction between analog-to-digital conversion and delivery to the control function is made because recent trends in system design have distributed the components of the embedded system. This paper discusses the I/O subsystem, as defined above, in the context of developing dependable embedded control systems.

Key Concepts

Dependable I/O Systems

In building dependable I/O subsystems, two main aspects must be considered: the requirements of individual sensors and actuators and the application of redundancy. The redundancy aspects of I/O are covered briefly. The use of redundancy in general is covered under the topic Distributed Dependability.


Some improvement in the dependability of the I/O hardware in a system can be gained from adding a second sensor or actuator for the same function. For sensors at least, this assumes that there is some algorithm that allows erroneous signals to be excluded from the control function. For actuators, parallel I/O devices may be used to control the external device. Another typical scheme is to use majority voting of actuation devices. If some coverage of software is desired, completely diverse measurements and control algorithms may be used. For instance, a holding tank may be protected from overpressurization by monitoring both pressure and temperature. Unfortunately, complete diversity can be costly. This may exclude its use from certain embedded applications such as automobiles.
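The two sensor-side techniques just described, excluding erroneous readings from replicated sensors and adding a diverse measurement, are shown below in an added example that is not from the paper. It models the holding-tank case with three replicated pressure sensors voted by mid-value select, plus an independent temperature trip; all set points and ranges are constructed values.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed values for a hypothetical holding tank (not from the paper). */
#define P_MIN        0.0   /* plausible pressure range, kPa */
#define P_MAX     2000.0
#define P_TRIP    1500.0   /* overpressure set point, kPa */
#define T_TRIP     180.0   /* diverse temperature trip, deg C */
#define MAX_SPREAD  50.0   /* allowed disagreement between two healthy sensors */

/* Mid-value select over three replicated pressure sensors.  Out-of-range
 * readings are excluded; with three valid readings the median is used (immune
 * to one arbitrarily wrong sensor); with two, they must agree within
 * MAX_SPREAD.  Returns the selected value, or -1.0 when none is trustworthy. */
double mid_value_select(double a, double b, double c)
{
    double in[3] = {a, b, c}, v[3], t;
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (in[i] >= P_MIN && in[i] <= P_MAX)
            v[n++] = in[i];
    if (n == 3) {            /* sort and take the middle value */
        if (v[0] > v[1]) { t = v[0]; v[0] = v[1]; v[1] = t; }
        if (v[1] > v[2]) { t = v[1]; v[1] = v[2]; v[2] = t; }
        if (v[0] > v[1]) { t = v[0]; v[0] = v[1]; v[1] = t; }
        return v[1];
    }
    if (n == 2 && fabs(v[0] - v[1]) <= MAX_SPREAD)
        return (v[0] + v[1]) / 2.0;
    return -1.0;             /* fewer than two usable sensors, or two that disagree */
}

/* Diverse overpressure protection: demand relief on the voted pressure OR on an
 * independently measured temperature, so a failure common to the pressure
 * channel (including its software) cannot mask an overpressure.  An
 * untrustworthy pressure vote also demands relief (fail-safe). */
bool relief_demand(double a, double b, double c, double temp_c)
{
    double p = mid_value_select(a, b, c);
    return p < 0.0 || p >= P_TRIP || temp_c >= T_TRIP;
}

int main(void)
{
    /* one sensor failed high: excluded, the two survivors are averaged */
    printf("voted = %.1f kPa\n", mid_value_select(1000, 1010, 2500));
    /* pressure normal but the temperature channel trips: diverse protection */
    printf("relief = %d\n", relief_demand(1000, 1010, 990, 200));
    return 0;
}
```

A single in-range but wrong sensor is outvoted by the median; a sensor that fails outside the plausible range is dropped before voting, and the control function is told explicitly when no trustworthy value remains.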

The replication of sensors and actuators (excluding diversity) does not address software failures of the I/O subsystem. An economical redundancy method that includes some coverage of software errors is to include manual permissives or interlocks. Figure 1 shows an example of the use of a mechanical interlock in an air-bag control system. This example is taken from [Hollingum96]. A microcontroller has an accelerometer as an input. Other potential inputs may be vehicle speed and whether the driver has their seatbelt fastened. Using these inputs, the microcontroller determines the optimum time to deploy the airbag, using its output to drive a transistor switch. In series with the airbag is a mechanical interlock. This interlock is a switch held open by a spring. A magnet is mounted on the switch. If the car decelerates rapidly, the inertia of the mass of the magnet overcomes the spring force and the switch closes. The magnet then serves to hold the switch closed. This interlock is designed to prevent spurious actuation in the presence of some failure in the accelerometer, microcontroller, or transistor switch. Note that this interlock could also prevent unwanted actuation due to some design errors in the microcontroller software. This series arrangement is designed to prevent spurious actuation of the airbag in the presence of failures. A parallel arrangement would be required to assure actuation in the presence of failures.

Figure 1: Air-bag Mechanical Interlock Example

A third redundancy method is to allow manual inputs to the system. This serves to make the human operator the redundant component of the system. Certain foreseen and unforeseen system events can best be handled in this manner. For more information, refer to Human Computer Interfaces.

Dependable Individual Sensors and Actuators

Many factors go into the design of individual sensors and actuators that are dependable. While all of these factors are important in developing dependable I/O, the factors that present special challenges to embedded systems are of particular interest. Presented below is a list of important factors and a brief discussion.


The method of signaling between sensors and actuators and the rest of the system is an important aspect of I/O design. Several signaling methods have each dominated for a period of years. In the early control period before electronic systems (1940s into the 1960s), pneumatic signaling (3-15 psi) was used. Later, with the development of analog electronics, current loop signaling (4-20 mA) became popular. Current loops were chosen because of their superiority over voltage signaling with respect to noise immunity. Current loops continue to be used today in digital systems. However, it has been recognized that digital signaling presents some advantages in digital systems. An interim standard called HART was developed that combined digital and analog signaling: the current loop was used as a carrier for digital information. Both the analog current and the impressed digital signal carried the process value, and either could be used. In existing systems the wiring could be preserved, and selected sensors or embedded controllers could be upgraded in a phased manner. In the 1990s an all-digital signaling system known as Fieldbus began gaining in popularity. A discussion of Fieldbus and its properties follows.

Fieldbus is a generic name that describes an all-digital signaling method. Sensors, actuators and controllers are networked together to exchange information. This implies that all sensors and actuators must have some digital component to transmit and receive communication messages. Many Fieldbus components contain a microprocessor; however, the digital signaling may also be accomplished with special-purpose devices such as field programmable gate arrays, ASICs or custom ICs. It is interesting to note that when they contain a microprocessor, the sensors and actuators themselves become embedded systems.

The advantages of Fieldbus communication have been widely publicized by the process control industry. The primary advantages claimed include:

Standardization presents the largest challenge to Fieldbus in becoming the major signaling method used for I/O. In the pursuit of market share and profit, many vendors have quickly developed their own proprietary protocols or endorsed existing protocols. Standardization efforts have been ongoing for the last 15 years. Some Fieldbus protocols have joined forces in an effort to produce a unified standard. An example of this is the efforts of ISP (Interoperable Standards Project) and WorldFIP (World Factory Information Protocol), which have joined forces to form the Fieldbus Foundation. Vendors have endorsed these protocols while still delivering products based on earlier protocols. This "wait-and-see" attitude has hampered the emergence of a single protocol for Fieldbus. Over 200 Fieldbus protocols are in use today. Some of the popular protocols include Profibus (Europe), Modbus, CAN (automotive), and FIP (factory automation). A good introduction to Fieldbus and the challenges of standardization can be found in [Coutinho95].

Intelligent I/O

There is another trend in I/O toward increasing function that is largely compatible with Fieldbus, called intelligent I/O. Several loose definitions have been proposed for what constitutes intelligent I/O. Lawrence Holliday characterized such devices in 1993 as "... highly sophisticated sensing devices capable of signal analysis, self-diagnosis, and digital communication." Another view holds that in order to be intelligent, the sensor or actuator must take over some portion of the control function normally allocated to the controller.

Intelligent I/O devices normally include a microprocessor. They almost always use some type of Fieldbus communication. Therefore, they claim all of the advantages that are claimed by Fieldbus. They also claim the following additional benefits:

Available tools, techniques, and metrics

Many of the design and evaluation techniques associated with the I/O system are well understood. The challenge for the embedded designer is becoming familiar with the whole variety of techniques. In particular, the embedded I/O designer must be versed in control theory, digital signal processing, filtering, A/D conversion techniques and transducer conversion techniques.

Fortunately there are many high quality computer tools to assist the embedded I/O designer. One widely used example is MATLAB. Various toolboxes within MATLAB exist and are consistently upgraded, such as the control systems toolbox and the signal processing toolbox. There are also many tools that automate the configuration of Fieldbus devices. The good news for Fieldbus is that good configuration tools exist. The bad news is that every vendor has his own. The tool situation for Fieldbus may improve with increasing standardization.

The important metrics for I/O design are primarily associated with A/D conversion and control theory. For A/D conversion, designers are concerned with signal-to-noise ratio, dynamic range of converters, effective number of bits, accuracy, resolution, conversion speed and cost. For control theory the primary interest is with sample rate and its effects on the stability of the control system.

Relationship to other topics

Embedded Communication

Because of the emerging Fieldbus trend, I/O is closely linked with communication.

Real-Time Systems

I/O is normally used for real-time control.

Robust Control Theory

The sample rate and uncertainty in I/O have implications for the stability of the control system. Uncertainty is covered by robust control.


Intelligent I/O represents a convergence of the microprocessor and the sensing device. MEMS takes this convergence to the extreme where the microprocessor and sensor become co-located on the same physical integrated circuit.


Designing dependable I/O systems has two aspects: individual I/O and redundancy. The design of dependable individual I/O has a variety of aspects including EMC, shock/vibration, environment, A/D and D/A conversion, diagnostics, testing and calibration. Each can present special challenges for the embedded designer in terms of cost or accessibility concerns. All of the redundancy methods, including diversity, interlocks, and human interaction, should be considered to address the safety concerns of an embedded system.

Two new trends in I/O design are important: Fieldbus and Intelligent I/O. These promise increased functionality and lower cost. The primary challenge to acceptance of these techniques is standardization to achieve interoperability.

The embedded I/O designer must be well versed in a variety of techniques to produce dependable cost effective designs.

Annotated References

Further Reading

Loose Ends

DASP - Digital Alias Free Sampling. Refer to [Bilinskis97]
