The danger within

Despite their widespread use in industry and commerce worldwide, the potential of embedded systems to trigger chaos and damage, because of susceptibility to the millennium bug, is largely being ignored, warns Patrick Murphy

If 1998 was the year in which the world remembered the Titanic, then 1999 is one in which it looks forward to another disaster – the millennium bug.

Technological catastrophes have changed in physical size. A microchip weighing a few grammes is certainly a contrast to a 46,000 tonne ocean liner, but the ubiquity of such chips means that the potential damage caused by the millennium bug could be much greater.

Regardless of scale, what is common in most disasters is some kind of oversight. In the case of the millennium bug it could be a whole technology at fault.

Embedded systems are constructed from hardware control devices which are usually built into an item of equipment. Despite their widespread use in practically every factory, process plant and office around the world, embedded systems have been broadly ignored in industry’s rush to update its PCs and databases. But these largely forgotten devices may be just the tip of the iceberg.

Figures gathered by Action 2000, the Government’s year 2000 body, indicate that 47% of small and medium-sized companies do not have a year 2000 strategy in place for their embedded systems. And in manufacturing, 5% of all corporate systems may need detailed checking to ensure operation in 2000.

In specific industries, such as petroleum, the figure could be as high as 40%. Action 2000 believes that 1% of systems in manufacturing may be flawed seriously enough to bring down a company.

The millennium bug, or Y2K problem, arises because of the way some microchips or programs store dates. When they were designed, no one considered their use beyond this century. The ‘19’ in year dates was taken as a given, and only the following two digits used. This could cause malfunctions as chips fail to recognise the 2000 date. However, some other dates may also cause problems (see box).

Embedded devices, such as recording instruments or programmable logic controllers, do much of their work as part of a network, with software specifically written for each system or combination of components (many of which are from different suppliers).

The problem is that while most embedded units will pass stand-alone millennium bug tests, their behaviour as part of a network may cause concern. Network clocks may override the Y2K-compliant hardware clock on a device, so something as simple as getting into a factory in the morning could be impossible because the timed locks fail to open. Company safes may also stay shut, preventing access to documents or cash.

A lack of co-ordination between centrally controlled devices and devices with independent clocks may lead to disruption of production lines, with some machines working out of sync with others. Workers may find lights or heating will not switch on, or that they cannot clock in.

In other cases, automatic inventory systems might not signal for a machine’s raw materials to be replenished. But the central network timer may signal payment for a scheduled supply which never arrived.

Another danger is battery back-ups. A device might be Y2K-compliant, but if the whole system resets due to a disruption in a non-Y2K-compliant power supply, a flat battery could result in settings being lost and the controller switching back to its default position.

According to Andrew Cowey, product manager for Siemens’ automation and drives division, companies looking at embedded systems must ask the following questions:

* Is an application code or program accessing the component’s real-time clock?

* Is there an external master clock serving the network?

* Am I sure of where the clock is?

* Has an independent clock program been written and how will it affect the application?

‘This last point is crucial,’ Cowey says. ‘You might have shelf-lives in an automated warehouse. Or scheduled maintenance – machines might not think that they have been calibrated for 100 years and automatically shut down.’

In addition, the interaction between embedded controllers in networks should be checked for warm and cold start-ups. Many settings could have been changed since installation, while the units were running. Behaviour at start-up could be very different.

Andy Nurse, embedded systems specialist for Action 2000, says companies should be more aware of the dangers posed to their business by non-millennium-compliant embedded systems.

‘Some of the companies working on IT systems haven’t been looking at embedded systems at all,’ said Nurse. He fears that by the time companies get round to checking their embedded systems, it would be too late.

‘We’ve heard of some embedded unit suppliers taking up to four months to get back to a user with a compliance enquiry. The danger is that if your system has a problem, then other companies will have the same problems too.

‘The supplier may have ten years’ worth of sales with problems that need to be sorted out. So companies have to think about booking requests for help. If you do need to book, do it as soon as possible because costs will reflect demand.’

For some suppliers, the number of products to test runs into hundreds of thousands. Ian Bowman, marketing manager for Siemens Automation and Drives, says that of a million of his company’s products, only 100 failed the year 2000 test.

But despite the high rate of compliance, there could still be problems arising from other parts of the system. ‘Application code, systems integrations, and third-party system software can all complicate the issue,’ he warns.

Cowey’s advice for companies devising their year 2000 strategies is to plan for all contingencies, including the paying of bills, which could fatally damage corporate cash flows. He says: ‘Make sure that you have your contingencies in place. Check spares – are they compliant? Have you checked all your modifications and new equipment? You don’t want to bring the problem back. Have you booked an on-site presence for that time and application? And do you have a contingency for when several parts of the plant go down?’

But while some people will be rushing about in fear of doomsday at the millennium, others will be planning celebrations – most of which, as Bowman observes, will be relying on a continuous supply of electricity. The electricity industry is not guaranteeing an uninterrupted supply over the holiday.

So where will Bowman be for the millennium? He laughs: ‘In a candlelit pub in Hertfordshire where the beer is pulled by hand.’

What to test?

* Business-critical systems: these include automatic payments, ordering and supply systems. Maintaining cash flow and a supply of raw materials is essential for the survival of any company. Systems essential for production should also be a priority.

* Health, safety, and environment systems: those which pose a threat to life and limb must be a priority. No company will be allowed to operate if it threatens the health and safety of its workers and the public. Any environmental consequences of poor control could result in large fines, which could cripple a company.

Key dates:

* Millennium rollover

* Leap year 2000

* Non-leap year 2001

* Leap year 2004

* Special date 09/09/99
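As an added illustration (constructed for this page, not code from the article, Siemens or Action 2000), the C fragment below models a controller that stores only two year digits, places the legacy date handling next to corrected versions, and exercises them with the key dates listed above. The pivot window (70..99 as 19xx, 00..69 as 20xx) and the treatment of 09/09/99 as an end-of-data sentinel are assumptions chosen for the example, not something the article specifies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Legacy expansion of a two-digit year: the "19" was taken as given. */
int legacy_full_year(int yy) { return 1900 + yy; }

/* Corrected expansion with an assumed pivot window: 70..99 -> 19xx, 00..69 -> 20xx.
 * A window only buys time; the durable fix is a four-digit year field. */
int windowed_full_year(int yy) { return yy >= 70 ? 1900 + yy : 2000 + yy; }

/* Legacy leap-year test: applies the century exception but forgets the
 * 400-year exception, so it treats 2000 as a common year. */
bool legacy_is_leap(int year) { return year % 4 == 0 && year % 100 != 0; }

/* Full Gregorian rule: 2000 and 2004 are leap years, 2001 is not. */
bool gregorian_is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Days in February, where a wrong leap rule first shows up (29 Feb 2000). */
int days_in_feb(int year, bool (*is_leap)(int)) { return is_leap(year) ? 29 : 28; }

/* Years since last calibration, as a maintenance scheduler might compute it.
 * With the legacy expansion, calibrated in "99" and read in "00" gives -99:
 * an interval of about a century, the kind of result that can trip a shutdown. */
int years_since(int now_yy, int then_yy, int (*expand)(int)) {
    return expand(now_yy) - expand(then_yy);
}

/* Assumed sentinel: some systems used 9/9/99 to mean "no date" or "end of data",
 * so such a field must be flagged before the rollover tests are run. */
bool is_99_sentinel(int yy, int mm, int dd) { return yy == 99 && mm == 9 && dd == 9; }

int main(void) {
    const int key_years[] = {2000, 2001, 2004};
    for (int i = 0; i < 3; i++)
        printf("%d: legacy Feb=%d days, gregorian Feb=%d days\n", key_years[i],
               days_in_feb(key_years[i], legacy_is_leap),
               days_in_feb(key_years[i], gregorian_is_leap));
    printf("years since calibration (99 -> 00): legacy %d, windowed %d\n",
           years_since(0, 99, legacy_full_year), years_since(0, 99, windowed_full_year));
    printf("09/09/99 flagged as sentinel: %s\n", is_99_sentinel(99, 9, 9) ? "yes" : "no");
    return 0;
}
```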

Information

* Easiest to obtain from internet and suppliers’ web-sites

* Printed services for those without internet are also available, but not as good because the internet can constantly be updated