This chapter is from the book
This chapter is from the book
This chapter is from the book
18.5 Life Cycle
The life cycle of mobile systems tends to feature some idiosyncrasies that an architect needs to take into account, and these differ from the choices made for traditional (nonmobile) systems. We’ll dive right in.
The Architect’s Concerns
The architect must be concerned with the hardware choices, testing, deploying updates, and logging. We elaborate on these concerns in the next four subsections.
Hardware First
For many mobile systems, the hardware is chosen before the software is designed. Consequently, the software architecture must live with the constraints imposed by the chosen hardware.
The main stakeholders in early hardware choices are management, sales, and regulators. Their concerns typically focus on ways to reduce risks rather than ways to promote quality attributes. The best approach for a software architect is to actively drive these early discussions, emphasizing the tradeoffs involved, instead of passively awaiting their outcomes.
Testing
Mobile devices present some unique considerations for testing:
Test display layouts. Smartphones and tablets come in a wide variety of shapes, sizes, and aspect ratios. Verifying the correctness of the layout on all of these devices is complicated. Some operating system frameworks allow the user interface to be operated from unit tests, but may miss some unpleasant edge cases. For example, suppose you display control buttons on your screen, with the layout specified in HTML and CSS, and suppose it’s automatically generated for all display devices you anticipate using. A naive generation for a tiny display could produce a control on a 1 × 1 pixel, or controls right at the edge of the display, or controls that overlap. These may easily escape detection during testing.
Test operational edge cases.
An application should survive battery exhaustion and shutdown of the system. The preservation of state in such cases needs to be ensured and tested.
The user interface typically operates asynchronously from the software that provides the functionality. When the user interface does not react correctly, re-creating the sequence of events that caused the problem is difficult because the problem may depend on the timing, or on a specific set of operations in progress at the time.
Test resource usage. Some vendors will make simulators of their devices available to software architects. That’s helpful, but testing battery usage with a simulator is problematic.
Test for network transitions. Ensuring that the system makes the best choice when multiple communication networks are available is also difficult. As a device moves from one network to another (e.g., from a Wi-Fi network to a cellular network and then to a different Wi-Fi network), the user should be unaware of these transitions.
Testing for transportation or industrial systems tends to happen on four levels: the individual software component level, the function level, the device level, and the system level. The levels and boundaries between them may vary depending on the system, but they are implied in several reference processes and standards such as Automotive SPICE.
For example, suppose we are testing a car’s lane keep assist function, where the vehicle stays in the lane defined by markings on the road and does so without driver input. Testing of this system may address the following levels:
Software component. A lane detection software component will be tested through the usual techniques for unit and end-to-end testing, with the aim of validating the software’s stability and correctness.
Function. The next step is to run the software component together with other components of the lane keep assist function, such as a mapping component to identify highway exits, in a simulated environment. The aim is to validate the interfacing and safe concurrency when all components of the function are working together. Here, simulators are used to provide the software function with inputs that correspond to a vehicle driving down a marked road.
Device. The bundled lane keep assist function, even if it passes the tests in the simulated environment and on the development computers, needs to be deployed on its target ECU and tested there for performance and stability. In this device test phase, the environment would still be simulated, but this time through simulated external inputs (messages from other ECUs, sensor inputs, and so forth) connected to the ECU’s ports.
System. In the final system integration testing phase, all devices with all functions and all components are built into full-size configurations, first in a test lab and then in a test prototype. For example, the lane keep assist function could be subjected to testing, along with its actions on the steering and acceleration/braking functions, while being fed a projected image or a video of the road. The role of these tests is to confirm that the integrated subsystems work together and deliver the desired functionality and system quality attributes.
An important point here is test traceability: If an issue is found in step 4, it needs to be reproducible and traceable through all test setups, since a fix will have to go through all four test levels again.
Deploying Updates
In a mobile device, updates to the system either fix issues, provide new functionality, or install features that are unfinished but perhaps were partially installed at the time of an earlier release. Such an update may target the software, the data, or (less often) the hardware. Modern cars, for example, require software updates, which are fetched over networks or downloaded via USB interfaces. Beyond providing for the capability of updates during operation, the following specific issues relate to deploying updates:
Maintaining data consistency. For consumer devices, upgrades tend to be automatic and one-way (there’s no way to roll back to an earlier version). This suggests keeping data on the cloud is a good idea—but then all the interactions between the cloud and the application need to be tested.
Safety. The architect needs to determine which states of the system can safely support an update. For example, updating a car’s engine control software while the vehicle is driving down the highway is a bad idea. This, in turn, implies that the system needs to be aware of safety-relevant states with respect to updates.
Partial system deployment. Re-deploying a total application or large subsystem will consume both bandwidth and time. The application or subsystem should be architected so that the portions that change frequently can be easily updated. This calls for a specific type of modifiability (see Chapter 8) and an attention to deployability (see Chapter 5). In addition, updates should be easy and automated. Accessing physical portions of a device to update them may be awkward. Returning to the engine controller example, updating the controller software should not require access to the engine.
Extendability. Mobile vehicle systems tend to have relatively long lifetimes. Retrofitting cars, trains, airplanes, satellites, and so forth will likely become necessary at some point. Retrofitting means adding new technology to old systems, either by replacement or addition. This could occur for the following reasons:
The component reaches the end of its life before the overall system reaches its end. The end of life means support will be discontinued, which creates high risks in case of failures: There will be no trusted source from which to get answers or support with reasonable costs—that is, without having to dissect and reverse-engineer the component in question.
Newer better technology has come out, prompting a hardware/software upgrade. An example is retrofitting a 2000s car with a smartphone-connected infotainment system instead of an old radio/CD player.
Newer technology is available that adds functionality without replacing existing functionality. For example, suppose the 2000s-era car never had a radio/CD player at all, or lacked a backup camera.
Logging
Logs are critical when investigating and resolving incidents that have occurred or may occur. In mobile systems, the logs should be offloaded to a location where they are accessible regardless of the accessibility of the mobile system itself. This is useful not only for incident handling, but also for performing various types of analyses on the usage of the system. Many software applications do something similar when they encounter a problem and ask for permission to send the details to the vendor. For mobile systems, this logging capability is particularly important, and they may very well not ask permission to obtain the data.