Carnegie Mellon University
18-849b Dependable Embedded Systems
Author: Michael Carchia
No matter what the industry, the pursuit of profit drives businesses. But in the realm of safety-critical computer systems, certain topics and their relation to profits and business models receive little attention. First, profits can sometimes interfere with safety. Systems can usually be made safer, but is the cost justifiable? One can use a cost-benefit analysis, but when human lives are at stake this can quickly become an ethical debate whose outcome may lie in a gray area. Secondly, due to the nature of the industry, maintenance policies can play a large role in a company's success from the perspective of both profits and product failure. Thus, particular attention needs to be paid to a product's maintenance policy. A discussion of customer replaceable units, preventative maintenance plans, third-party maintenance, and designing for targeted life is presented. Lastly, a discussion of time to market is presented along with its connections to safety-critical computer systems.
Above all other reasons, companies exist to reap profits. What follows in this text is a discussion that touches on some of the issues involved with profits and safety-critical embedded systems. First, for instance, the safety level of a company's product can sometimes be at odds with profits and ethics. This requires a company to know very intimately its expected safety requirements and how to achieve them economically. Secondly, companies can opt to reap substantial profit from their maintenance policy; this can serve the dual purpose of ensuring reliability and bringing in income. Lastly, time to market can be a big concern in certain markets and can decide whether a product succeeds or fails. Therefore, it is important to achieve this goal where necessary without letting haste compromise safety.
Companies produce safety-critical systems in order to make money. But how safe is safe enough? Determining an appropriate level of safety can be a difficult decision to make. Furthermore, adding too much safety can sometimes be a costly matter. Thus, making decisions such as these can lead to situations where safety, profits, and ethics are pitted against one another.
Spending too much on safety can result in a company not making any money on its product, while spending too little can lead to disaster. Aside from money spent on litigation and lawsuits, the company name might be tarnished, hurting other aspects of the business. One can use a cost-benefit analysis to try to determine the best tradeoff between the two, but this leads to another gray area: ethics. A cost-benefit analysis is an attempt to identify and analyze a set of costs and benefits in order to make a decision through an economic justification. However, if it is not economically justifiable to make some design change in favor of safety, then in the case of safety-critical computer systems, human lives will be at stake. This raises the question of how many losses of human life are acceptable. From an economic standpoint, the value of a human life can be estimated to be anywhere between $2.9-8 million [Kahn86]. It would appear that profits and safety are at odds with one another.
As a classic example of the ethical aspects of a cost-benefit analysis when safety factors are involved, consider the Ford Pinto. During the 1970's, Ford Motor Company produced a subcompact car called the Pinto. The car was accused of having design flaws involving the fuel system, and critics charged that Ford failed to respond properly to this problem. It was charged that a cost-benefit analysis that put a price on human life was used, and that it concluded it was not economically justifiable to fix the fuel system immediately. The end result was that at least 27 people were killed in low-speed collisions involving Pintos and Ford lost millions of dollars in lawsuits [Birsch94].
Because systems wear and age with time, a considerable amount of money needs to be spent on keeping them operational through maintenance. As depicted in figure 1 below, more than half of the lifecycle costs for space applications are consumed in operations and maintenance.
Figure 1. Life Cycle Costs – Space Applications [Wall98]
Furthermore, almost three-quarters of these costs are determined in the feasibility and design stage. From this we can take away two concepts. First, a considerable amount of money is spent on maintenance, and this can most easily be limited by accounting for that fact in the design stage of the project. A large percentage of maintenance time is taken up by problem diagnosis [Dibble84]. Thus, an example of taking maintenance into account during design would be to incorporate test hardware into system designs in order to speed up diagnosis. Secondly, if a lot of money is spent on maintenance of systems, then it follows that a lot of money could be made by providing maintenance services and choosing an appropriate maintenance strategy.
Depending on the specific product market, one can choose between various different maintenance strategies.
Sell maintenance service. After production of a system, a company may opt to sell maintenance service to customers or rely on 3rd party maintenance houses. Selling diagnostic and repair services can be a profitable business. In the case of IT systems, maintenance costs manufacturers between 5% and 12% of the purchase price [Dibble84]. Depending on the system and the services provided (on-site engineer, support outside working hours, speed of response), a substantial markup can be applied to this base percentage, producing a very profitable margin.
3rd party maintenance. A manufacturer may allow or designate a 3rd party maintenance house to handle all maintenance of a certain product. This was originally established to support ranges of equipment that the supplier regarded as obsolete and was thus unwilling to support. To the consumer, third-party maintenance offers the possibility of being cheaper with quicker response time, since a service center may be relatively close. However, the service representative may be less knowledgeable than one working for the manufacturer.
No maintenance plan. Some devices can be marketed with no form of maintenance contract. By placing trust in the system's construction and inherent reliability, the only form of maintenance that may be offered is a clause in the warranty providing replacement of faulty parts during the warranty period.
Design for targeted life/Age-based replacement. Similar to the "No maintenance plan" above, the item in question may have been designed to last only a certain period of time. The intent might be to replace all parts beyond a certain age, which lends itself nicely to selling replacement components. This works well for consumer electronics and low-cost systems where it is either not a big concern to purchase a new item or the cost of maintenance is large relative to the sale price.
Periodic maintenance/Preventative maintenance. Whether for a 3rd party service vendor or the manufacturer, the more profitable option may be to provide periodic or preventative maintenance. The elevator industry is a good example of this. Some companies offer monthly maintenance plans where a representative will visit and inspect the site on a regular schedule. Parts and subsystems are replaced during scheduled visits even if they are not broken. In some cases, it may be more expensive to travel to the site than to actually do the repairs, so bundling replacements into scheduled visits makes this a profitable means of doing business.
Customer replaceable units. One possibly effective maintenance strategy is incorporating modular design, which lends itself to customer replaceable units. These are components that can be purchased new and swapped into the system by the end user once a failure is recognized. An example of this would be toner cartridges in laser printers. It is well understood that what typically wears out or breaks in laser printers is the toner drum. Thus, this is a modular portion of the unit that the end user can swap when necessary. Customer replaceable units lend themselves to a business model of profits from spare parts rather than from service contracts. However, modular design might be difficult or costly, limiting the effectiveness of this strategy. Also, for this to be an effective strategy, there needs to be a means of fault identification: the customer cannot replace a part if it is unclear which particular subsystem is broken.
Time to market can be a crucial factor in product success. Often useful and well-designed products in time-sensitive industries miss their market window and the ability to reap substantial profits. With technology changing as rapidly as it has been, this can be of great concern in the embedded market. Cisco Systems, for instance, a current market leader in networking technology, is one company that has fairly successfully met time to market demands. While there are numerous reasons for such success, one has been not doing all work on a product in-house. For instance, where possible and deemed necessary, they have contracted other companies to do their surface mount manufacturing. This not only saves them money because of the large fixed cost savings, but it lets them produce products quickly [Scouras99]. Related to this discussion is the question of whether a company should make or buy a certain piece of technology. Either software or hardware can be too costly or slow to produce on one's own, and thus the best option might just be to purchase it from someone else.
While time to market may not always be a concern in the safety-critical embedded systems industry, there can be more to the story. Products not designed for safety-critical purposes can sometimes find themselves in an environment where failure cannot be tolerated. Consider a pager carried around by a surgeon or medical doctor. Failure of this device could mean certain death for the patient. However, this device was never certified and could contain faults. Thus the strict time to market demands of the consumer goods industry may be responsible for this danger. The conclusion of this hypothetical scenario is that, on the surface, time to market may not always be a concern of the safety-critical systems industry. But if one considers devices whose dependability is relied on as if they were safety-critical devices, the sphere of influence of time to market in the safety-critical systems industry broadens. Again, profits are at odds with safety.
In the end, the best metric for measuring success is profits. However, profits may not be realized over the short term. If one's strategy is to make the majority of profits on maintenance plan sales or replacement parts and not on unit sales, then in order to assess profits, a larger time frame might need to be considered.
While attempting to acquire information pertaining to this topic, numerous books were encountered, many of which were not able to be located by the time of writing. For more information on this topic, one might find it useful to consult the following sources:
Safety vs. Profits vs. Ethics