[OK, I'll take a crack at this.
Executive summary: Misuse of the date by embedded systems poses
potential
problems. The practical extent of this potential must be determined
through
proper testing. Some systems are difficult to test properly.]
INTRODUCTION
Embedded systems control much of the infrastructure of the
industrialized
world. If not properly addressed, problems related to the Year 2000
transition
will degrade embedded systems and therefore have negative effects in
the
infrastructure. The most commonly recognized problem occurs when the
date
supplied by the real-time clock calendar (RTCC) contains a 2-digit
year. This
may cause a problem on or after midnight, December 31, 1999, when the
date rolls
over to January 1, 2000.
In those systems with this date problem, any software layer in
control of the
embedded system may interpret the 00 in the date as 1900, not 2000,
which can
potentially throw off time or date computations. 00 may also be
rejected as an
invalid year. In these cases, embedded systems with such problems may
not
operate as designed and thus cause control problems or malfunctions.
If the
embedded system is involved in a mission-critical or safety-critical
system,
there may be severe repercussions due to an embedded system failure.
Proper
testing is the most reliable way to identify potential embedded
system Year 2000
problems. This article describes issues andpriorities for testing
these systems.
[Translation: If the system has a RTC AND if the code uses the
date from that
RTC AND if the code uses that date incorrectly AND if the result is a
functional
(not cosmetic) problem AND if the system is critical AND if the
functional
problem is not easily addressed (depending on the details of the
system and the
failure), THEN we have a problem. OK, we know this.]
BACKGROUND
There are two primary areas where embedded systems typically have
date
problems: 1) the calculation of elapsed times, and 2) date
information
transmitted from one embedded system to another or to an external
system.
[This might be misleading. Incorrect calculations might cause
trouble. If
date information is simply transmitted, that shouldn't be a problem.
If the code
receiving the transmission doesn't use it properly, that's just a
miscalculation
by someone else.]
The elapsed time problem centers on two methods for performing
these
calculations. One may use date information and the other may not. In
method one,
elapsed time is computed by subtracting a start time from an end
time, e.g.,
12:15 p.m. 12:00 noon = 15 minutes. If the elapsed time rolls
over
midnight, then the start and end dates are also required to complete
the
calculation, e.g., 12/30/99 12:15 a.m. 12/29/99 12:00 midnight
= 15
minutes. At midnight on December 31, 1999, the rules change. In a 2-
digit year,
99 becomes 00 and the computation is now 01/01/00 12:15 a.m.
12/31/99
12:00 midnight = ? One of several answers may result depending on how
the date
computation was carried out. On a system programmed to recognize 00
as 2000,
thecomputation may be performed correctly. On many embedded systems,
this may
not be the case. It is impossible to say what the answer will be
since the
program controlling the embedded device may not be available.
[Yes, very true. This is typically a one-time bug, since it
happens only on
the single calculation spanning the rollover *from the perspective of
the
embedded clock*. However, in most such systems the actual date is
irrelevant,
and never set. This all depends on the system. Many such elapsed-time
systems
don't even have a battery for the RTC, since the real time is not
important,
only the interval. The failed calculation can still happen, but
*when* it will
happen could be anytime within a 100-year period. So this isn't a y2k
problem
UNLESS the date is ALSO used for some other purpose that requires it
to remain
synchronized with the real time and date (such as logging).]
The second method of elapsed time calculation relies on an epoch,
or base
date, and a time counter, which is added to the epoch to arrive at a
particular
date and time. An example of this method is presented elsewhere in
this report.
[But this approach doesn't really use the date, so doesn't
necessarily
present a danger.]
Another problem of Year 2000 testing stems from three areas where
date
information is transmitted between devices. The first area concerns
proprietary
data encoding used in many embedded devices built as single units
operating with
other embedded devices from the same manufacturer. In these cases,
the data
passed from one embedded device to another cannot be read by testing
instruments
that were not specifically made by the same manufacturer for testing
the devices
in question. Third party testing instruments often do not detect the
presence of
dates in data transmissions that are encoded in proprietary codes.
Hence, if a
date is not detected, the embedded device may not be tested according
to the
testing policies used by some large organizations.
[Confusing! Yes, date data can be encoded in proprietary
protocols, difficult
to interpret. But the problem doesn't lie with the SOURCE of the
date, it lies
in the USE of the date. We don't really care WHERE the date came
from, since
that's not where the error lies. There is no functional date error
until the
date is misused in a calculation or decision. Even if we can read the
encoded
date data, this is STILL no guarantee that the receiving device makes
any use of
it at all. So if there is a problem, it lies with the receiver's use
of the
date, not with the source or encoding of the date.]
The second area involves the windowing solution used in
remediation. In
windowing, a pivot year is defined to express the interpretation of 2-
digit
years that belong in the 20th or 21st centuries. For example, a pivot
year of
1950 states that all 2-digit years in the range 50 to 99 belong in
the 20th
century and all 2-digit years in the range 00 through 49 belong in
the 21st
century. If a sending device uses 1950 as the pivot year, but a
receiving device
uses a different pivot year, say 1990, then problems arise in the
interpretation
of the 2-digit years transmitted as part of a date. The sending
device may see
89 as belonging in the 20th century, but the receiving device may
decide that it
belongs in the 21st century, thus throwing any date and time
calculations off by
a wide margin. The effects of this problem may be exhibited
immediately as a
failure if future dates are involved in the computations.
[No, this doesn't stand up to examination. I think the writer is
lost.
Windowing is a technique for expanding a 2-digit year to a 4- digit
year by
applying a pivot year. In the above example it's explicitly stated
that the
transmitted date is 2 digits. Yes, it's possible that the transmitter
expanded
the date one way, and the receiver another. Since the transmitter is
only
sending a 2-digit year, there is no reason for the transmitter to
window that
year unless it USES that year for something. The receiver does his
own
expansion, and uses the year for something else. If either (or both)
sides use
an incorrect pivot year and expand improperly, whichever side does so
risks an
error. But the communication between devices is not involved in any
way! If the
transmitter windows the year and transmits a *4-digit* year, then the
receiver
expects a 4-digit year and there is no confusion (though the year may
be
incorrect). If only the receiver does the windowing, then the
transmitter has no
window, which perforce cannot be different!]
The third area is based on the premise that repairs may have been
made to an
embedded device to correct its date and time processing, but the
repairs may not
have been made or may not have been made in a compatible way to a
device
receiving information from the repaired device. This can happen in
systems where
one embedded system controls or synchronizes the operation of other
embedded
devices, even if not all of the embedded devices have real-time clock
calendars.
[I think I'd need an example to know what that paragraph is
talking about.
Certainly if the sending device is modified to send a larger year
size, the
receiving device must be modified to *accept* this new size.
Otherwise NOTHING
will be communicated. It's a well known truism that an interface MUST
be agreed
on by both sides.]
The effect is that data properly formatted to correct for the Year
2000
problem do not line up with the format expected by the receiving
embedded
device. For example, an embedded device may transmit a 4- digit year
to a device
that only understands 2-digit years. A corollary to this problem is
the data
offset problem whereby the last 2 digits of the year may appear to be
valid to
the receiving device, but the rest of the information is pushed off
alignment by
the 2 extra digits representing the century in the expanded date.
This situation
may not be caught immediately and may have long-term consequences
weeks or
months after the data becomes corrupted.
[But not very likely! Most embedded devices are acting in real
time, and
corrupting an interface (such that communications are garbled) is
almost always
instantly obvious. Also, give some credit for at least minimum
competence to
those involved. Even a child understands that teamwork implies that
everyone
follow the same rules.]
There are several layers in which date and time can come into play
in an
embedded system. These might include the application software
controlling the
embedded device, the interface between the real-time clock calendar
and the
operating system on the embedded device, and data transfers between
embedded
systems and other devices or external systems. An exhaustive check
would include
each standalone embedded device and all connected embedded devices or
external
sources of dates in an on-line end-to-end test. In some cases, such
as in the
interface between the real-time clock calendar and the operating
system,
special-purpose testers may be required.
[Whoa! Beyond the truism that all parties must agree on a common
interface,
whatever code uses the date in a calculation or decision must window
that date,
either explicitly (by expanding it to 4 digits) or implicitly (with
logic that
says IF current time is before prior time, do something reasonable).
The task is
to find where the date is USED, and make sure rollover won't lead to
a wrong
calculation or decision. The on-line end-to-end test can be used both
t0 FIND
who uses the date, and to make sure all such uses are done properly.]
THE PROBLEMS OF TESTING EMBEDDED SYSTEMS
Embedded systems testing is not an easy task to accomplish.
Various factors
play into this including the following:
Unknown embedded devices located in sealed units and components
within
components.
Devices with known problems that have not yet been remediated.
Difficulty in working on embedded devices because of the
environment, such as
those located within hazardous areas.
Hard-wired embedded components that cannot be replaced due to
design issues
or lack of replacement parts.
Firmware or software that has been patched, but not documented.
Lack of source code for software used in the embedded device.
Lack of a means of setting date and time, i.e., no apparent real-
time clock
calendar or no data entry mechanism.
[While this is all true, no effort has been made here to address
the
incidence of such issues. How many systems are unknown? How much date
functionality lies in hazardous areas? And so on. Listing all
possible problems
doesn't tell us how common they are. You could make a HUGE list of
all the
things you could run into if you fell asleep at the wheel. But making
that list
longer doesn't increase the odds of falling asleep!]
Date usage that is not apparent and consequently overlooked.
This last factor is especially pernicious since many embedded
devices use
real-time clock calendars that were developed during the 1960s, 70s,
80s, and
early 90s when the date and time were used as a single string
consisting of
year, month, day, hours, minutes, seconds, etc. in the form
YYMMDDhhmmss. Using
this type of embedded device, calculating elapsed times required the
use of the
date in addition to time. Later devices provided the date in the form
of an
epoch or base date, and a counter of elapsed units of time, typically
seconds,
since the epoch. For example, with a base date of 01/01/80 and a
counter with
the value 31,536,000 seconds, we couldcompute the date as 01/01/81.
Elapsed time
calculations using the counter were performed with a straightforward
subtraction
of the start count from the end count. The date played no part in
elapsed time
calculations.
[Well, no. The actual RTC hardware has individual registers
containing year
(2 digits), month, day of month, hours, minutes, and seconds. The
operating
system or application decides what to do with the values in these
registers. The
OS or app can create a string, or a count since the epoch, or
anything else it
damn well pleases. HOW it does so is hardware-independent, a function
SOLELY of
the software. If the hardware year source ONLY provides 2 digits, and
if the
year is used in a calculation then that year must be windowed
explicity or
implicitly. And even if the epoch and a counter is used, the counter
must be
STARTED based on the 2-digit year from the hardware. Windowing cannot
be avoided
if the hardware only supplies a 2-digit year.]
Embedded devices that do not apparently use dates in elapsed time
calculations are being ignored in some embedded systems testing. This
is a major
oversight in the testing process since there are still embedded
devices in
existence that do not use the epoch and counter method, but the older
date and
time method.
[As I said, the epoch method requires windowing to set the
original second
count when the device is powered up and the OS initializes. Second,
the
REPRESENTATION of the time/date is totally irrelevant to the USE of
the
time/date. How obvious it is that a given device uses the date has
NOTHING to do
with the internal bit representation used for the date. And third,
whether
overlooking devices that make nonobvious use of the date is a *major*
problem
depends on how common such "hidden functionality" is. And it isn't
very common.
The author here really doesn't understand what's going on under the
hood.]
TESTING EMBEDDED SYSTEMS
The elapsed time problem and the data transmission problems often
cannot be
detected in standalone device testing. Unless the tester has designed
cases to
test specifically for these situations, there is no guarantee that
experimental
end-to-end testing will detect these problems.The most accurate way
to find Year
2000 problems in embedded systems is to perform on-line end-to-end
testing. This
is not likely to happen for several reasons.
[Very true. If a device is connected to other devices, testing
must be
performed on all of the connected devices. This is what Gartner
called a Large
Scale Embedded System. Fixes may only apply to a small part of the
system, but
the entire system must be tested.]
Because there are so many embedded systems in existence, not every
system can
be tested before January 1, 2000. In addition, testing individual or
connected
embedded systems and external sources of dates is a very complex
proposition.
The fear of damaging systems in an on-line test is probably the
greatest
deterrent to performing embedded systems tests, but there are methods
that can
be used to provide a sense of the risk involved in not testing. A
suggested
method entails triage by assigning a very high priority to those
embedded
systems in mission-critical or safety-critical applications.
[Yes, this has been done. And not all embedded systems are
anywhere near this
complicated or interconnected. And type-testing widely used devices
is an
effective method, and need not be done in situ (which may be
dangerous).]
A confusing aspect of the embedded system problem is that embedded
systems
with real-time clocks are often used to monitor and control other
embedded
systems that may or may not have their own RTCC. If the controlling
system fails
because of a Year 2000 problem, then the controlled devices fail by
definition.
The question remains, did the controlled device fail due to the
controlling
device failure, or did it fail due to a problem in its own RTCC?
There is no way
to know without testing.
[If ALL the controlled devices fail at once, I'd start looking at
the
controller. if ANY of the controlled devices continues to operate
correctly, I'd
look at the controlled devices that failed.]
Some guidelines to use in testing embedded devices and sources for
dates
include the following:
1.Test embedded systems individually and also in concert with
other embedded
systems and external sources of dates in on-line end-to-end tests. In
end-to-end
tests, be aware of synchronization issues where multiple embedded
devices are
controlled by an external device or other embedded system. If
complete
end-to-end testing is not possible, individual subsystems can be
tested to
minimize any risk of system downtime.
2.Physically check for the existence of a real-time clock
calendar. We
recommend that manufacturers' statements of Year 2000 compliance or
readiness be
used only as a last resort to make any determinations since a
manufacturer's
definition of compliance or readiness may not meet the requirements
of a
particular environment.
[Not my reading, exactly. Read the available failure reports or
the warnings
at the websites of the manufacturers. They explain what goes wrong
under what
circumstances. The don't try to define "compliance" or "readiness".
They say,
"This device does THIS". It's up to you to decide whether the
documented failure
mode is critical to you.]
3.Physical testing can be accomplished through several means
appropriate to
the device in question. This may be accomplished through external
testing
instruments, signal analyzers, or test software designed specifically
to look
for date problems.
4.An indirect method of end-to-end testing involves setting
machine test
parameters and observing how the functioning of the machine changes
after the
embedded system senses these settings. If unexpected results occur,
one or more
devices may have problems.
5.Embedded systems can communicate or interoperate with other
devices or with
external date sources, such as PCs, workstations, databases, user
input, or LANs
and WANs. The data transfers between the embedded system and the
external
devices, users, or systems must be checked to determine if dates are
being sent
to or from the device in question.
[Vendors are, despite what's said here, an excellent source of
such
information.]
6.Both mainframe and embedded systems should be tested including
devices with
identical model numbers, even if they were manufactured recently.
[Easy for them to say. And maybe, somewhere, there may be a case
where there
is a real bug and no way to distinguish the device from apparently
identical
devices. The industry practice is to clearly label every firmware
version.
Software gets slipstreamed.]
7.Mainframe and embedded system date length compatibility should
be tested
though 10/10/2000. This is a primary situation in which modifying an
embedded
system by moving from a 2-digit to 4-digit year may cause problems in
alignment
of the data read by an application program. Experience in conducting
embedded
systems repairs found this situation to be one of the major causes of
problems
after fixes were effected.
[I can well believe it. You don't change interfaces lightly.]
8.Different platforms may use different time and date formats and
different
methods of computing date/time measurements. Therefore, interactions
between
different types of platforms should be tested.
[Well, these are being tested just by normal operation, if formats
differ. I
guess this applies to changing whole platforms that communicate with
other
platforms. Changeouts at that level should NEVER be tested on-line,
and test
coverage must be complete.]
In any of these cases, if a date or real-time clock calendar, or
access to
either, is found, the next step is to proceed to remediation.
[Huh? You remediate if you find errors. The mere presence of a RTC
is no
guarantee of error.]
CONCLUSION
The task of finding, testing, and fixing embedded systems with
Year 2000
problems is a complex issue. If an organization waits to perform
these tasks
after December 31, 1999, then the costs can be much greater. These
costs can
include repairing collateral damage to systems and equipment from
cascading
problems and the expense in time and resources needed to find the
real cause of
the problem. Since there is no way to determine what combinations of
factors
will actually cause a failure, it may be difficult to determine when
a failure
has actually occurred. If a determination can be made, it may be
possible to fix
the problem if repair parts and technicians can be located, and the
environment
is amenable to making the repairs.
Testing embedded systems can be costly and time consuming, but it
must be
done. Not all systems have to be tested immediately. The priority
should be
placed on mission-critical and safety-critical systems. Each embedded
system
should be tested individually and in concert with interoperating
systems and
external sources of dates. Testing can be accomplished by looking for
and
physically testing existing real-time clock calendars, date
processing routines
in application software, device drivers that process dates, and dates
from other
external sources that may be communicating with the device under test
through
local and wide area networks. Applying the guidelines described in
this article
may give organizations a means of achieving a high degree of
confidence in their
systems.
[First, most of what's said here is common sense. Testing is
important. Start
with the most critical systems. The actual bugs can be hard to find
in Large
Scale Embedded Systems.
However, NOTHING in this article addresses the scope of the
problem, only the
nature of the problem for the worst cases (most complex systems). We
can't
logically conclude that we're in Big Trouble because hard things are
hard,
without knowing:
1) How numerous are these hard problems?
2) How severe are the failure modes we're talking about? This
depends on both
the nature of the failure and the use to which the system is put.
3) How many such problems have already been resolved? We know GM's
assembly
lines are working now, for example. A lot has been accomplished.
The article makes some mistakes, but it's pretty good. Just bear
in mind that
the purpose of this article is to address the issue of testing
embedded systems.
A clearer understanding of the *nature* of (part of) the problem
doesn't
contribute toward any understanding of the *size* of the problem.
Which is not
addressed here.]
-- Flint (flintc@mindspring.com),
November 24,
1999.