Home    Bloggers    Messages    Resources
Tw  |  Fb  |  In  |  Rss
Aubrey Kagan

Addressing the Issues of Validation & Verification

Aubrey Kagan

My company designed and manufactured a small controller for a client that sells air conditioning products (not actually air conditioners, but they do change the properties of the ambient air).

Recently, our client wanted to sell the product to a nuclear power generation company, and although it is to be used outside of the actual power generation, the product must undergo a validation and verification (V&V) process. The V&V requirements are often difficult to understand, and will be arduous to satisfy, if that is even possible.

The hardware of our controller consists of little more than an op-amp, a voltage regulator, a current transformer, several relays, and a PIC 16F877 microcontroller. It was originally designed about 15 years ago with a major revision about six years ago. The code is written in assembler and takes up most of the 4K bytes available on the micro.

To meet the V&V requirements, there are many issues that we will need to address. We comply with a large number of the requirements in one way or another as part of our ISO9000 procedures, so we're covered for peer review, specifications, revision control, and formal functional validation. The requirements also call for information on failures, returns, customer support, and the like. There are also requirements for descriptions of operation, user interface, and communications software. All of these are to be expected, though. It's some of the other requirements that have left me wondering just what we should do, especially since this is just a simple controller. Here are some examples and my thoughts on them.

    Describe the software design, including the process loops and functions managed and/or controlled.

I don’t know at what level one needs to provide this. Do you think program comments would be sufficient and would flow charts be acceptable?

    Describe the design processes and organizational interrelationships during the design process.

I have never had to quantify this before. Is there a wrong answer? I understand that processes and interrelationships can affect the quality of a product, but once the product has been successfully tested and field proven, how could this information be relevant any longer?

    Provide copies of the hardware and software FMEA documents.
    Provide MTBF and MTBR values for the design under review.
    List the five hardware components with the highest probability of failure.
    Identify the design elements and/or coding methodology implemented to reduce probability of coding related failures.

We do not undertake formal FMEA (failure mode and effects analysis) at my company because we do not have the resources. I wonder how many small companies actually do? We also do not undertake MTBF (mean time between failure) studies unless requested by the customer, because they are costly. Can you actually create a MTBF for software? Given that this product has only 4K in assembly code, do I still have to try and find some kind of methodology to describe what I did, especially after the fact?

    Provide a list of the code modules that implement the design specification requirements.
    Identify the testing activities utilized to evaluate and approve coded modules.
    Identify the black and/or white box test methodologies utilized to evaluate and approve coded modules.
    Provide a copy of a black and/or white box test plan.
    Provide a copy of a code module approval document
    The software is tested as small, discrete, functional blocks of code.

Here they are dictating the test methodology to be used. Am I limited to these methods? I certainly did all the tests and documented them. When a product is as small as this, how do you partition the operation? There are certainly separate functions, like start a fan and activate a valve, but they all interrelate. So where are the sides of the box?

    Regression testing or engineering evaluations are to be performed prior to release when code is revised.

They are quite right, of course. A small change in one area can impact some other function (as I said earlier it is all interrelated). The problem is that there are many options (the system has 10 jumpers) and some options take days or even months to check, so regression testing could take a long, long time. This is an area of ongoing concern for me.

    The manufacturer maintains cyber security during product development.

This security requirement includes the development equipment, PROM programmers, and computer based test equipment including those at the subcontractor. What controls does one have in place in Asia? The requirement also includes updating of software in the field and the security in place to implement updates.

    Describe the activities and timing of those activities performed during a complete process loop.
    If multiple process loops are employed, describe the timing and activities performed by each loop and the relationships of the loops to one another.
    Describe all conditional and non-conditional branching activities in the firmware design.

These are doozies. Any action that is timed uses a hardware timer, but to figure out execution times of each loop? There are just so many ways that the execution goes through a portion of code with all the conditional jumps, I just shake my head. Any jump instruction must be described -- in the PIC there is no long conditional jump so any conditional jump in fact consists of two branches, to say nothing of the paging techniques used. Would comments in the listing be sufficient to meet these requirements?

    Describe the existence of any installed or design features (interrupts, diagnostics, manual inputs) that could impact operation of the unit and describe why the feature will not negatively impact on firmware operation.

This requirement is rather puzzling to me. Any interrupt or manual input is likely to impact the operation as per the requirements. Testing, validation, and verification are supposed to prove that there is no negative impact.

It seems to me that these V&V requirements for the nuclear industry are more arduous than those that I saw in my time in the space sector! From my perspective as a consumer, I guess I am happy that the standards are so rigorous. But trying to meet them -- especially long after the design was completed -- will be long and difficult and expensive, if it is even at all possible.

How would your designs shape up to these requirements? Would you be able to go back and address all the issues?

Newest First   Oldest First   Threaded View
Page 1 / 2   >   >>
jkvasan
jkvasan
11/22/2012 10:42:01 AM
User Rank Blogger
Re: Lines of Code
I understand the situation.

We cannot go to a level of telling them that we use a RISC controller with less nuber of instruction set, which when written over and over contributes to these many lines of code, bla, bla.

It is quite sticky.

I am sure our community would be definitely coming up with something more helpful than what we just discussed. Best of luck!

50%
50%
antedeluvian
antedeluvian
11/22/2012 10:25:45 AM
User Rank Blogger
Re: Lines of Code
jkvasan

I may make them understand that all code is not critical sections by way of categorising into

I think you are working from the premise that the auditors are logical and understand what they are doing. In my experience (and certainly in this case) auditors are not familiar with the level of detail which they require. They simply follow the path, and make sure they have an answer to their questions, whether or not the answer makes sense. They are simply covering their backsides in case something goes wrong down the road.

There is a saying in English: "there are none so blind as those that will not see." You can try to make them understand all you want, if the rules say "lines of code" then that's what they want whether it makes sense or not.

50%
50%
jkvasan
jkvasan
11/22/2012 10:15:39 AM
User Rank Blogger
Re: Lines of Code
It occurs to me that they are interested more in the flow of code than the code itself.

I may make them understand that all code is not critical sections by way of categorising into 

Configuration code, library or driver code and application code which may be critical and non-critical. This way they would be looking for the critical section as the main code section. In essence, this would reduce the lines of code barrier.

This may be helpful. There is a saying in my mother tongue

"Milk the dancing cow by dancing along and the singing cow by singing along".

I do not know if I am translating it properly in english but the essence is clear, I guess.

50%
50%
antedeluvian
antedeluvian
11/22/2012 9:09:32 AM
User Rank Blogger
Re: Lines of Code
jkvasan

 

You are quite right. No doubt that was the intention of the experts who came up with the definitions- but I don't think the auditors have the same level of understanding and so there is no definitive answer to any clarification I request.

The problem is how to answer their questions, especially when I am trying to minimise the time I waste on it.

50%
50%
jkvasan
jkvasan
11/22/2012 9:02:39 AM
User Rank Blogger
Re: Lines of Code
Guess they are meaning by 'modules', the divisions based on the algorithms. We designers modularise our programs based on peripheral drivers and libraries whereas for the auditors who may be more concerned with overall product quality could ask for modules such as motor control, temperature sensing, rpm measurement etc, the modality could be based on the application and its functionality.

100%
0%
antedeluvian
antedeluvian
11/22/2012 8:45:20 AM
User Rank Blogger
Re: Lines of Code
jkvasan

Your concerns are certainly valid. The whole product is owned by the customer and I have explicit authorization to give the auditors any information they ask for. In turn our customer is protected by a Non Disclosure Agreement with the auditors.

As far as the lines of code are concerned, we are simply being asked for numbers, the question being how relevant the number of lines in a source document is. After all, there are many blank lines and comments. Everyone documents differently. How can you compare a source document from a verbose programmer to one from a taciturn engineer and use that number as a meaningful measure of software complexity?

This program translates to ~5500 words (the PIC uses a 14 bit "word")of machine code. By that number and the definitions that the auditors use, this is a medium complexity level, even though based on my experience and the drift in the electronics industry to much larger programs, this is a low complexity product. There are ~10500 lines of code in the source documents changing the complexity definition to High.

The auditors are working with a document from the Canadian Standards Association (although they are US based and the project is a US project) so I assume there is no US equivalent. The software complexity levels are:

<1000 lines of code: low complexity

1000-9999: medium

10000-99999: High

>100000: Very High

but there is no definition of "lines of code". Another factor is also "Internal Modules", but again no definition. Are these the source modules that make up the source program, or is it refrerring to possible library modules that are linked in?

50%
50%
jkvasan
jkvasan
11/22/2012 5:21:00 AM
User Rank Blogger
Re: Lines of Code
Is giving important part of code just like that, advisable? If you had already transferred all technology to customer, this doesn't matter. In case you are OEM supplying or providing only the hex file, it would be important to understand how this model will work.

We normally have several models of tech transfer which include

  1. Wholesome tech transfer with high-level/asm code
  2. Hardware tech transfer with only hex code.
  3. Supply as OEM product till certain quantity is met and do tech transfer
and so on. Above is in the descending order with respect to charges.

I am sure you must have secured your interests accordingly.




 

50%
50%
antedeluvian
antedeluvian
11/21/2012 5:24:55 PM
User Rank Blogger
Re: Lines of Code
Rich

you might ask them if they mean physical lines of code (which does include comments) or logical lines of code (which only includes things the compiler needs). You might also ask them if comments are to be counted separately.

I did ask- one auditor understood, the other didn't. I got conflicting answers.


Or, just provide all three - physical lines, logical lines, and comment lines. That way you'll be sure to give them what they need.

I did- fortunately since a PIC 16F series has a one-to-one correlation between flash memory usage and code producing lines of code (except for sting definitions, of which I have none) the answer was quite simple by reviewing the hex file or even better, in my case reading it into the PROM programmer and noting where the flash had data.


50%
50%
Rich Quinnell
Rich Quinnell
11/21/2012 3:55:31 PM
User Rank Blogger
Re: Lines of Code
AD, you might ask them if they mean physical lines of code (which does include comments) or logical lines of code (which only includes things the compiler needs). You might also ask them if comments are to be counted separately.

Or, just provide all three - physical lines, logical lines, and comment lines. That way you'll be sure to give them what they need.

50%
50%
antedeluvian
antedeluvian
11/21/2012 11:01:39 AM
User Rank Blogger
Lines of Code
Now I am being asked for lines of code as a measure of complexity. Do comments, memory allocation, macro definitions and processor definitions count as "lines of code"?

Anybody got any experience?

50%
50%
Page 1 / 2   >   >>
More Blogs from Aubrey Kagan
Aubrey concludes his ongoing Bluetooth/Android design project with a bit of a twist.
Concluding his series on temperature sensing using MCUs, Aubrey talks about mounting, calibration, and other considerations.
In the third of four parts, Aubrey talks about semiconductor sensors and software issues.
In part two of a four-part series on temperature sensing, Aubrey talks about getting the sensor's signal into the MCU.
First in a four-part series, Aubrey's blog sets the stage for talking about temperature measurement.
information resources
sponsored content by Atmel
All resources
flash poll
MC on twitter
like us on facebook
Microcontroller Central    About Us     Contact Us     Help     Register     Twitter     Facebook     RSS