Microcontroller Central - Ryszard Milewicz - Safe Software Requires MCU Component Testing

Tw | Fb | In | Rss

Security Connectivity Low-Power Design User Interface Design OS and Dev Tools


Ryszard Milewicz Safe Software Requires MCU Component Testing Ryszard Milewicz, Design Engineer, RAT Electronics, 2/19/2013 Bio Email This Print Comment 23 comments Login 50% 50% Previously I wrote about safe-software requirements and software architecture. Here in Part 3 of this series I describe MCU-hardware testing. To assure proper operation of safe software, you must periodically test parts of the controller (hence the MCU) or have built-in features to assure safe operation (CRC checking, for example). For Class B software, the following parts of an MCU must undergo testing: CPU registers Program counter Interrupt handling and execution Clock Invariable memory Variable memory Memory addressing Internal buses, data, and addressing External communication Digital and analog I/Os CPU registers are tested for stuck-at faults, which means bits in registers remain stuck at logical 0 or 1 independent of the value written to this register. Suppose a register has the value 00000000₂. As a test, a new value is written, for example, 11111111₂. If one or more bits in register remain in the logic-0 state, the MCU register has a stuck-at fault. You can detect this fault through functional test or by periodic self-test using static-memory test or single-bit protection. In a similar way you test the MCU's program counter for a stuck-at fault by using logical monitoring of program sequence, or by independent time-slot monitoring. Interrupt handling and execution is tested for lack of interrupts or too frequent interrupts. This can be done by functional test or time-slot monitoring. The clock requires testing for an incorrect frequency. In case of a quartz-crystal-based clock, generation of subharmonic or over-harmonic frequencies must be detected. To test the clock, you monitor the frequency or use time-slot monitoring. For invariable memory (in most cases flash memory) all single-bit faults must be detected. You can accomplish this by word protection with single-bit redundancy, periodic modified checksum, or multiple checksums. Variable memory should be checked for a DC fault that acts like a short circuit. That is, two memory signals are connected when they should not be. This connection might result in wired-OR or wired-AND logic functions. Detection is provided by periodic static memory test or single-bit redundancy. Memory addressing is tested for stuck-at faults. This can be done by using a testing pattern, periodic CRC, or word-protection, including address with multi-bit redundancy. Internal data paths also should be tested for stuck-at faults. If the MCU is equipped with single-bit data protection, that suffices to comply with Class B requirements. Otherwise use a protocol test or testing pattern method. Internal addressing must be tested for wrong addresses. It can be realized by single-bit redundancy or by using a testing pattern that includes addresses. For external communication, Hamming distance is an essential test. Hamming distance refers to the minimum number of errors that could transform one string into another. For example Hamming distance between 00000111₂ and 00000000₂ is 3. Class B software and external communications require a Hamming distance of 3. If hardware protection is not available for external communication, you can run a protocol test to check communications. You also can use hardware protection, such as CRC or multi-bit redundancy. For digital and analog I/Os, you must test addressing and timing: first by using a protocol test, for example, and second, by using using time-slot monitoring or scheduled transmission tests. So now you are familiar with which MCU internal circuits require testing to comply with Class B requirements. Class C software adds another set of requirements. If an MCU includes hardware CRC or redundancy it becomes easier to implement safety checks; however, you also could use software routines. Email This Print Comment comments Newest First Oldest First Threaded View [close this box] Page 1 / 3 > >> Ryszard Milewicz 2/26/2013 6:32:05 PM User Rank Blogger Re: Testing code values JKVASAN, thanks for sharing your experience. For testing standard patterns 0xAA, 0x55 are better because for 0xA5, 0x5A two middle bits have the same level. Reply Post Message Messages List Start a Board Login 50% 50% Ryszard Milewicz 2/26/2013 6:26:58 PM User Rank Blogger Re: Testing code values ISO standard sets minimum requirements, parts of MCU can be tested for other failures. For Class C compliance busses must be checked for DC faults, hence crosstalks, shorts between lines etc. This can be done e.g. using data exchange protocol which can detect such failures. Reply Post Message Messages List Start a Board Login 50% 50% jkvasan 2/25/2013 8:05:35 PM User Rank Blogger Re: Testing code values RM I was testing a renesas promotional kit. It had a nice communication interface at Pc end. We could see what goes and comes. I was watching it out of curiosity and found a pattern like 0xA5,0x5A are sent. I found this a novel approach and felt it could be more helpful. Reply Post Message Messages List Start a Board Login 100% 0% BitBucket 2/25/2013 7:41:55 PM User Rank Blogger Re: Testing code values I would be interested in better understanding the failure modes that we should test for. Stuck at faults need to be covered, but how about pattern related failures? On bus interfaces it is helpful to try a single 1 with the rest zeros and a single 0 with the rest 1's so you can check for noise (or marginal power rails). Do we just do stuck-at faults or also some dynamic tests? Reply Post Message Messages List Start a Board Login 100% 0% Ryszard Milewicz 2/25/2013 6:01:23 PM User Rank Blogger Re: Testing code values Davidmicro, AN11208 from NXP can be adopted to other Cortex MCUs In Microchip library registers are tested in similar way like in NXP library: ; Test WREG0 && WREG1 registers MOV #0xAAAA,W0 MOV #0xAAAA,W1 CP W0, W1 BRA NZ, Error MOV #0x5555,W0 MOV #0x5555,W1 CP W0, W1 mov #CPU_REGISTER_TEST_FAIL, w1 BRA NZ, Error Reply Post Message Messages List Start a Board Login 50% 50% Ryszard Milewicz 2/25/2013 5:17:33 PM User Rank Blogger Re: Validation MicroPower, this standard is intended for safety-critical devices which can cause injures to people. It is important to prevent any unsafe situation, so MCU components must be tested during execution of program to assure right operation of MCU. Even if probability of MCU components failure is low, it is not zero and safety of people is most important. Reply Post Message Messages List Start a Board Login 50% 50% Ryszard Milewicz 2/25/2013 5:08:00 PM User Rank Blogger Re: Fake Component To comply with standard, tests must detect failures described in document. Methods can be different. Most important is to prevent unsafe situation, so if failure of some part of MCU or other component is detected, system should go into safe state. This is made usually by breaking current procedure and switching off loads like heaters, motors etc. Reply Post Message Messages List Start a Board Login 50% 50% Ryszard Milewicz 2/25/2013 4:59:54 PM User Rank Blogger Re: Standard for testing programmable systems IEC61508 is also applicable to medical devices, but main document there is IEC62304. It is a harmonised standard for software design in medical products. Software is divided in 3 classes: A, B and C. This classification is based on the potential to create a hazard that could result in an injury to the user, the patient or other people. There are also further standards: IEC60601 - general requirements for safety, , ISO14971 risk management, IEC13485 quality management. Reply Post Message Messages List Start a Board Login 50% 50% MicroPower 2/24/2013 11:23:04 PM User Rank Program Manager Validation All these testing must have been done by the validation team of the company that made the MCUs. The ones in production are supposed to undergo similar production test. I'm not sure we have to duplicate these processes. If I buy a new truck, I would right away put it in good use, either hauling or towing, instead of going back to the garage and test every mechanical component, etc.. Reply Post Message Messages List Start a Board Login 50% 50% BitBucket 2/23/2013 7:59:20 PM User Rank Blogger Re: Fake Component Thanx for the sample code. It is a big head start on development when vendors can provide examples. Would it be possible to do testing that doesn't just do a register at a time. How about coding up some operations that, like a hamming code, would tell you what the failure is without doing individual test. Also- is it important to know where the failure is, or just if there is a failure? Reply Post Message Messages List Start a Board Login 50% 50% Page 1 / 3 > >>		More Blogs from Ryszard Milewicz 14 Tips to Lower MCU Power Consumption 12 comments Minimizing an MCU design's power consumption requires more than simply choosing a low-power MCU. Safe MCU Design: Testing MCUs for Class C 7 comments In the last of a series on safety-related design, Ryszard discusses the unique features that Class C safety testing requires. Safe MCU Design: Software Architecture 6 comments Designing safe MCU-based systems requires the right software architectural development. Safe MCU Design: Control Classes 20 comments Many MCU-based designs must ensure the safety of users. IEC standards describe how. More from Ryszard Milewicz information resources sponsored content by Atmel DATASHEET - SAMA5D3 ARM Cortex - A5 eMPU DATASHEET - SAM4L ARM Cortex - M4 MCU Atmel SAMA5D35 Evaluation Kit Atmel SAM4L Xplained Pro Starter Kit Video: Enabling ethernet ports on Atmel’s SAMA5D3 (Linux) Atmel SAM4L Cortex M4 ARM versus a Z-80 Death of the DSP Enabling Ethernet ports on SAMA5D3 running Atmel's demo linux Android Solution on Atmel SAM9 Embedded Microprocessors Atmel launches ARM Cortex-M4 based Flash Microcontroller family All resources flash poll All polls MC on twitter Follow us like us on facebook