Patterns

Here you will find a WORK IN PROGRESS (version 20.11.2012) list of patterns we have discovered. Here we present so called "patlets" which are short descriptions of the whole patterns. If you want to know more about these patterns, please contact us.

Root Pattern

Pattern

Patlet

Control System

A work machine should be implemented in a way that offers interoperability between systems and is highly operable and has high productivity.

Therefore:

Implement control system software that controls the machine and has interfaces to communicate with other machines and systems.

Redundancy

Pattern

Patlet

Global Time

How to prevent different nodes on the system from getting out of sync?

Therefore:

Use external clock, e.g GPS or atom clock, to synchronize all the nodes.

Opportunistic Delegation

How to delegate tasks in a system where the situation is constantly in transition?

Therefore:

Create a mechanism for task delegation. This mechanism allocates tasks to subsystems without asking separately if they are able to do it or not. If they can do the task, they take the ownership of the task and inform the delegator. If the subsystem cannot do the task, it has to be reallocated to another subsystem.

Redundancy Selector

How to remedy the failure of a redundant unit when activation time of the hot standby unit is too long?

Therefore:

Design the system so that all redundant units are active at the same time. Add a monitoring component that takes outputs of all redundant controlling units as inputs and examines the output and chooses which unit's output is forwarded as a control signal.

Redundant Functionality

How to ensure availability of a functionality even if the unit providing it breaks down or crashes?

Therefore:

Clone the unit controlling a critical functionality. One of the units is active and other is in a hot standby mode. If the controlling unit fails, hot standby mode unit takes over controlling the functionality.

Voting

How to make reliable decisions in a distributed system where high correctness is required?

Therefore:

Create redundant nodes calculating the control output. 

Fault Tolerance

Pattern

Patlet

Forced Input Value

How to determine whether the malfunction is in a control unit on the machine control level or in the communication channel?

Therefore:

Create a mechanism separated from the bus that can force control unit's input to the certain value. In this way it can be seen if the output of the control unit receiving the forced input is expected. If it is not correct, the control unit is malfunctioning, otherwise the communication channel is broken.

Heartbeat

How to make sure that a node or a bus will not fail undetected?

Therefore:

Design the system so that the node sends messages at predetermined and regular intervals to monitoring component or to other node.

Limp Home

When a part of the machine is malfunctioning, how to still operate the machine to some extent? For example, to drive the machine from forest to the nearest road.

Therefore:

Divide the sensors and actuators into groups according to the high level functionalities, such as drive train, boom operations etc.. The groups may overlap. Malfunctioning device only disables the groups it belongs to and the other groups remain operable.

Sensor Bypass

How to offer operator a way continuing using advanced control mechanism even when some sensor of minor importance is faulty?

Therefore:

Implement a mechanism that the value provided by a sensor can be replaced with a default or simulated value.

Watchdog

How to make sure that a node crash does not go unnoticed?

Therefore:

Add a watchdog component to each node to monitor the behavior of the application(s). If the application does not react within a given time limit, the watchdog deems the node to malfunction and starts remedying actions, such as reboot.

Updating

Pattern

Patlet

Bumpless Update

How to offer a way to update the system without jeopardizing the availability?

Therefore:

Create a system that updates the program block by block so that the block that is currently executed is not updated. When the control leaves the block, it may be updated.

Centralized Updater

Update of entire system should be convenient for the operator.

Therefore:

Deliver compatible software together bundled in a single package. Create a centralized updater component which distributes the software from the bundle to nodes when necessary and aims for consistent system state.

Configuration Parameter Versions

How to ensure that configuration parameters are compatible between different software versions and on different product variations?

Therefore:

Group parameters related to one device to a separate set. Give these sets version numbers which is increased when the software is updated. The device reads parameter values from the sets which have the same or lower version number marker that what it is capable of reading.

Update Fallback

How to make sure that a failed update will not render the unit useless?

Therefore:

Handle updating with a separate bootstrapper that resides in persistent memory. It automatically updates the unit during the reboot if an update is available.

Updateable Program Storage

Software should be changeable in a system with long life cycle.

Therefore:

Place the software on rewritable persistent storage which is also large enough for future needs. It should be possible to update the software over existing wire. Any update failure should not prevent from trying again.

Notification

Pattern

Patlet

Devil May Care

How to handle transient faults that might be generated during the system start-up?

Therefore:

Define a time interval in which the system must reach Steady State. Being in Steady State means that the system is ready for normal operations. Before the Steady State is reached, the system can generate errorneous alarms that can be neglected.

Early Warning

How to detect a situation that the resource availability (e.g. cpu load, memory, oil, etc) is soon to reach the critical level?

Therefore:

Add a mechanism that monitors the availability level of a resource. Before the resource is exhausted, the mechanism warns the user or a tester.

Notification levels

Different kinds of notifications should be grouped according to their severity in order to be able to determine the consequences of the notification in deterministic way.

Therefore:

Attach level information to the notifications. Typical notification levels are: notices, warnings and faults. Each notification level has its own way to remedy the  situation and each level has different response times.

Notification Logging

There should be a way to find out what notifications have occured in the system later on.

Therefore:

Create a logging mechanism that logs selected notifications that occurs in the system. Add timestamps and notification source to all logged notifications. In this way, order of notifications can be deducted.

Notifications

The nodes of the system should have a uniform way to communicate that noteworthy events have occurred in the system. The delay related to commencing safety-related actions should be minimized.

Therefore:

Communicate noteworthy or alarming events and state changes in the system using notifications - a dedicated message type for notifications. Provide a way to create, handle and deliver notifications easily and enforce application developers to use these notifications.

Concurrency

Pattern

Patlet

Concurrent Execution

How to run multiple tasks concurrently on a single processor unit?

Therefore:

Implement a scheduler that divides the processor time into sequential slices. The tasks are executed in these slices. The scheduler selects the task to be executed for each time slice.

Housekeeping Task

How to run non-time-critical tasks which don't require their own time slot in scheduling?

Therefore:

Organize the scheduling so that time critical tasks are executed in pre-allocated cyclic time slots and all the remaining time is used for housekeeping task. That kind of task consists of all non-time-critical operations.

Locker Key

How to communicate between processes avoiding dynamic memory allocation?

Therefore:

Store sending node's message data to a slot in a shared memory (locker) and send a message containing only the key to the locker. Receiver then uses the key to retrieve the message data from the locker.

Human-Machine Interface

Pattern

Patlet

Appliance-provided UI

The work machine doesn't have a UI view for all possible optional equipment.

Therefore:

The equipment provides its own UI which is uploaded to the work machine when the equipment is attached. The UI view on the work machine is changed when the appliance is used.

Common Look-and-Feel

How to improve learnability and effectiveness of the user interface?

Therefore:

Make all user interface screens and notifications to have unified layout and colouring. Each UI element is presented in the same way and place independent of the view.

Double Confirmation

How to prevent unintentional (de)activation of a functionality which may have long lasting consequences?

Therefore: Design the graphical user interface so that the machine operator needs to enable the functionality twice changing the way each time. In this way, it is made sure that the operator is making a conscious decision to activate the functionality.

Feedback Near Action

How to catch attention of the machine operator to something noteworthy while the operator is concentrated on the current task?

Therefore

Place controls for functionality and functionality's feedback on the same screen or device or some place which is near the focus area of the operator when usign the functionality. For example, if warning light goes on, the light should be located near the focus area of the operator.

Go and see

The operator may not be able to observe all the details of the task at hand because the machine is blocking the view.

Therefore:

Add a remote control UI which provides the minimal controls for carrying out the task from a position where the operator can observe the process closely. 

HMI Notifications

How to notify the machine operator about the events occuring in the system?

Therefore:

Create a way to show subset of all notifications in the HMI. Implement a dedicated service that receives notifications and shows them in HMI. This service should also be able to send notifications.

Human-Machine Interface

How to enable the machine operator to communicate in convenient way with the control system?

Therefore:

Create graphical user interface where the operator can see the machine status and functions that are currently in use. Let the user to interact with the system using joysticks, buttons, etc.

Operator Profile

How the machine operator may use her personal settings for UI and controls regardless of the current machine in use and the adjustments other operators have made?

Therefore:

Package all operator's settings in a single easily movable archive. The archive may reside on the operator PC hard disk or it might be saved on removable media, e.g USB memory stick. Provide an easy way to transfer the settings between machines and take them in use.

Own UI For Each Role

How to show only such functionality in UI that is required by the user's job description?

Therefore:

Create own user interface for each user group, i.e. own UI for machine operator, maintenance personnel and production line personnel. User interface activation may require dongle, password, or additional equipment.

Task-based UI

Having a single UI view for diverse set of tasks results in low usability.

Therefore:

Create a separate UI view for each task. When the operator changes the task, the corresponding UI view is shown.

Upright is OK

How to offer machine operator an easy way to notice from UI that machine is functioning abnormally?

Therefore:

Use traditional looking meters and gauges in the interface, even if the UI is implemented with graphical components. Use these meters so, that values, e.g. for oil pressure, etc are in OK range when the meter is pointing upwards. This way it is easy to take an overview that everything is ok.

Operating System

Pattern

Patlet

Device Proxy

How to offer a unified way for a control system to control similar subsystems without knowing the details of the device?

Therefore:

Design an interface that describes the subsystem's functionalities as services. The subsystem becomes a location-transparent server and the interface acts as a proxy providing the access to the service.

Hardware Abstraction Layer

How to handle similar devices in an unified way in an application?

Therefore:

Abstract implementation details under a generic interface. These interfaces form a layer between the application software and the controlling mechanisms of the devices in the hardware.

Operating System Abstraction

How to make sure that the operating system can be changed with only minimal modifications to the application code?

Therefore:

In the application code, use cross-platform libraries and interfaces or wrap OS dependencies, such as services and interfaces.

Virtual Runtime Environment

Applications should be runnable on needed platforms without any modifications.

Therefore:

Create a virtual runtime environment, where the applications are executed. Implement this runtime environment for all platforms the applications should support.

Isolation

Pattern

Patlet

Component-based Configuration

How to build a product consisting of specific software components from a product platform component library?

Therefore

Create a unified way to describe system configurations in a configuration file. This file is used to select the required software components and their configuration parameters for the desired system setup.

Control System Options

How to enable different options which the customer can buy for the control system?

Therefore:

Include all software components required by the available options to the control system during development time. Once the customer buys an option the corresponding code block is enabled without any software updates.

Distributed Safety

How to prevent a malfunctioning node from initiating potentially dangerous action?

Therefore:

Divide the potentially harmful functionality into multiple nodes communicating with each other. Each of these nodes, implement a part of the functionality and only cooperation can trigger these actions.

Interchangeable Control Algorithm

How to make the control algorithm easily changeable?

Therefore:

Isolate the control algorithm in a single component, so that when the algorithm is changed, required modifications are limited only to one component.

Isolated Functionalities

The control system should be divided into manageable parts.

Therefore:

Identify entities which perform logically separated functionalities without extensive communication needs with the rest of the system. Implement each of them as a subsystem.

Start-Up

Pattern

Patlet

Bootstrapping

When a device is started, it should be checked that the hardware is in working order.

Therefore:

Add a bootstrapper that is the first component to wake up. It checks that the hardware is functional and starts to run the actual application code from a certain memory address.

Start-up Graph

How to determine an optimal start-up sequence when the system setup may vary?

Therefore:

Design the start-up graph of devices and their dependencies, start-up times and resources requirements during start-up and during normal use. The start-up monitor component determines the system setup and constructs the correct system start-up sequence.

Start-up Monitor

How to detect start-up malfunctions and contain them so that nothing else breaks?

Therefore:

Enhance the start-up queue with a monitoring component that looks that none of the nodes does not fail. For example, nodes should send messages to the monitoring component when they are in their normal operating mode. If a node fails, the whole start-up sequence is interrupted.

Start-up Negotiation

How to verify that required devices for base configuration are available and find out which features can be enabled based on the other found devices?

Therefore:

Make all nodes of the system to announce themselves by sending a short information package to the bus after self check. In the package, the node tells of its existence and also what it is, what it requires and what it can provide and in what limits. Design a central node that gathers this information and by a deadline builds a list of nodes and thus devices available.

Real-Time

Pattern

Patlet

Early Work

How to execute resource-greedy tasks which may require more resources than are available when the task is requested ?

Therefore:

Allocate resources for resource-greedy task's preparations in advance. Preparations can be done during compile time or when the task is not yet in operating mode. Once the task has finished preparations, it must free unused resources. Consequently, in run-time more resources are available for other tasks and the run-time response times are shorter.

Half Tasks

How to response quickly to an emerging task, e.g. device interrupt in a situation where needed resources are in some other use?

Therefore:

Divide emerging tasks into two parts. The first part just acknowledges that the task is received and marks that there is more work to do. Then the second part runs these tasks when the required resources are available.

Partial results

There are tasks that need longer execution time than loop cycle time would allow.

Therefore:

Implement longer tasks so that e.g. one tenth of the task is executed in each loop cycle. In this way, new result from the long running task is ready for use every tenth loop cycle.

Separate Real-time

How to offer high-end services without violating real-time requirements?

Therefore:

Divide the system into separate levels according to real-time requirements: e.g. machine control and machine operator level. Real-time functionalities are located on the machine control level and non real-time functionality on the machine operator level. Levels are not directly connected, they use bus or other medium to communicate with each other.

Static Resource Allocation

How to make sure that the critical services will always have the resources needed?

Therefore:

Pre-allocate all the resources needed for critical services during the system startup. The resources are never deallocated afterwards (i.e. the resources are fixed for the service).

Static Scheduling

How to schedule processes safely with low overhead?

Therefore:

Divide the system into executable blocks. The executable blocks may be e.g. applications, functions, or code blocks. The scheduler has time slots of fixed lengths. The developer or compiler divides the blocks into these time slots, thus scheduling the program statically.

Third-party Confinement

How to cost-efficiently provide a generic and safe platform to run third-party applications on operator level?

Therefore:

Provide a virtualization platform for third-party applications. Third-party applications can be installed on this platform so that they will not interfere with the machine's own applications.

Data Management

Pattern

Patlet

Blackbox

It should be possible to analyze the root cause of a failure afterwards even when the system is in a non-working condition.

Therefore:

Add a Blackbox component to the system which records selected events occurring in the system for later inspection.

Checkpoint

How to make sure that you always have a snapshot of the system state before the configuration change?

Therefore:

Create a mechanism in the system that saves system's state automatically as snapshots either periodically or before system configuration changes. The snapshot of the state creates a checkpoint where the system can return.

Counters

How to conveniently keep track of different kinds of quantities in distributed machine control system?

Therefore:

Create a service that provides counting functionality for different purposes. Service should offer different kind of counters: non-reseting usage counter, service counter, and customizable counter. The counters can be count up or count down ones.

Data Status

How to make sure that the data is trustworthy, e.g. not from faulty sensor?

Therefore:

Add status information to each data nugget or variable. Status information tells the age and/or state of the information (OK, fault, invalid, etc).

Diagnostics

How to monitor the health of the system in order to avoid suprising breakdowns?

Therefore:

Collect such data from a system, which allows to notice if some subsystem starts to operate poorly or produces erroneous data. Usually all data values have limits where they should operate and a deviation from this indicates a risk of breakdown.

Error Counter

How to distinguish substantial faults from false alarms or transient faults?

Therefore:

Create a counter which threshold can be set to certain value. Once the threshold is met, an error is triggered. The error counter is increased every time a fault is reported. The counter is decreased or reseted after certain time from the last fault report has elapsed.

Parametrizable values

How to adapt to different user preferences, use environments, or physical device properties which are changing over time?

Therefore:

Describe the properties which may or will change during the life cycle of the machine as parameters. The parameters can be altered from the UI when necessary.

Remote Access

Information should be remotely accessible from the machine.

Therefore:

Add a component which provides a way to communicate with the machine remotely and an interface providing access to the machine information.

Snapshot

How to find out what was the system-wide state when something of interest occurred?

Therefore:

Implement a mechanism to save the current state information (e.g. from Variable Manager) as a snapshot. This mechanism should also be able to restore system-wide state from the snapshot.

Variable Caching

How to minimize a need of repetitive fetching of variable values from the remote nodes?

Therefore:

Store variables retrieved from other nodes locally for a certain period. After the variable spesific predetermined period has elapsed, cached value should not be used any more. A new value should be retrieved from the source node.

Variable Guard

How to limit access or modifications to the common system state information?

Therefore:

Design a mechanism to guard the state variables, which knows if an application is allowed to read variable values or submit their own changes to system state information. The mechanism is the only component that can directly access Variable Manager.

Variable Manager

How can you efficiently share system wide information in the distributed embedded system?

Therefore:

For each node add a component, VARIABLE MANAGER, that handles system wide information as variables and provides an interface for reading and writing them. Whenever this component notices new relevant information on the bus, it updates the variables. When a variable is locally written through the interface, the information is also sent to the bus.

Variable Value Translator

How VARIABLE MANAGER could support different measuring units that the components may use?

Therefore:

Add a converter layer on the top of the variable manager. This layer converts the data to correct unit, e.g. from mph to km/h or from inches to cm, when data is requested.

Modes

Pattern

Patlet

Node Master

How to ensure that all nodes know the current operating mode and do not perform conflicting actions?

Therefore:

Add a dedicated decision making component to the system. The component should have system wide state information available. Decision making component decides the current mode and informs the nodes about the selected mode. All nodes should know how to implement the current mode.

Operating modes

How to make sure that only the functionalities which are required can be used in current operating context?

Therefore:

Design system so, that it consists of multiple functional modes. These modes correspond to certain operating contexts. The mode only allows usage of those operations that are sensible for its operating context.

Safe State

How to minimize the possibility that operator, machine or surroundings are harmed when some part of the machine malfunctions?

Therefore:

Design a safe state that can be entered in case of a malfunction in order to prevent the harm that machine can cause. The safe state is device and functionality dependent and it is not necessarily the same as unpowered state.

Messaging

Pattern

Patlet

Categorized Messages

How to ensure that important messages get handled before other less important messages?

Therefore:

Messages are categorized according to their importance which can be based on type, sender or receiver, size, etc. Separate MESSAGE QUEUEs are implemented for each category.

Dynamic Message Channel Selector

Communication should be carried out using the optimal channel for the current context.

Therefore:

Add a component which dynamically selects the messaging channel based on certain criteria i.e. cost, bandwidth, transfer rate etc. 

Message Bus

How the nodes can exchange information so that they can understand each other?

Therefore

Interconnect all devices in the system with a message channel, i.e. bus. These devices, nodes, use common language called messaging protocol to communicate with each other.

Message Gateway

How to connect different kind of message channels ?

Therefore:

Add a component, a message gateway, to the system between message channels. This component routes message traffic between message channels. If needed, the component can filter messages according to specific criteria defined in the system configuration. In addition, the component handles the translation from a message protocol to another.

Message Queue

How to enable nodes to communicate asynchronously with each other?

Therefore:

Add a queue for receiving and sending messages to each node. Implement a mechanism to put messages in the queue and to send messages from the queue. The same mechanism can read messages from the bus and add them to the received messages queue.

Messaging Interface

How to change the selected bus technology or protocol so that the application code does not need to be changed?

Therefore:

In order to make the system bus technology (and protocol) independent, a common application programming
interface (API) is constructed to provide uniform messaging functionality.

Multiple Message Channels

How to ensure the quality of communication in different kinds of communication situations?

Therefore:

Provide multiple communication channels that can be used in parallel. Different communication channels have different properties that can be utilized. For example, large messages can be transferred using a high bandwidth channel while real-time control messages are transferred in their own fast, low bandwidth channel.

Protocol Version Handshake

How nodes can negotiate during start-up that do they have common protocol version?

Therefore:

Design handshake mechanism where the nodes announce the highest protocol version they know. The lowest common version is then selected for use.

Unique Confirmation

How to handle situation where similar messages need confirmation responses and the responses may be received in wrong order?

Therefore:

Redesign the messaging logic so, that there are matching unique identifiers both in sent and received messages. Now the receiver always knows for which messages the response is for.

Vector Clock for Messages

How to find out the order of events in distributed system?

Therefore:

Give every event a vector clock timestamp. The timestamp consist of separate message counter values for every node. The message counter of a node is updated when a message containing vector clock timestamp with larger value is received.