Project

Real-Time Firmware Timing Measurement and Deadline Validation Project

Computer engineering project for measuring and validating real-time firmware timing with trace instrumentation, interrupt latency, WCET bounds, response-time margins, stress tests, regression gates, and release evidence.

This project produces a timing-measurement and deadline-validation package for real-time embedded firmware. The deliverable is a release file: requirements, instrumentation points, trace method, worst-case execution-time evidence, interrupt-latency measurements, response-time margins, stress tests, regression gates, and open actions.

The project is not a formula sheet and not a single failure story. It shows how an engineering team turns real firmware running on real hardware into timing evidence that can support release. The central question is:

Does the firmware meet its deadlines under representative, stressed, and degraded operating conditions with enough margin to survive normal variation?

Average task time is not enough. A credible timing release records the start and stop events, trace resolution, compiler settings, hardware clock, scheduler configuration, interrupt priorities, data-bus load, disabled-interrupt sections, cache or flash wait-state behavior, and the acceptance rule used for each deadline.

Project Objective

Validate the timing behavior of a microcontroller-based controller before release.

The final package must include:

  • timing requirements and deadline owners;
  • firmware build and hardware configuration;
  • instrumentation and trace plan;
  • interrupt latency and jitter measurements;
  • worst-case or justified upper-bound execution times;
  • response-time and margin calculations;
  • stress conditions and overload tests;
  • regression gates for future firmware changes;
  • release recommendation and unresolved risks.

Engineering Scenario

An embedded controller closes a current loop, reads sensors, services a communication bus, logs diagnostic events, and supervises a hardware interlock. It uses a single 160 MHz microcontroller, timer interrupts, DMA-assisted ADC sampling, a quadrature encoder interface, a fieldbus driver, nonvolatile event logging, and a watchdog.

The controller has passed bench functional tests, but the project team needs release evidence that the timing behavior is bounded. The product will be used in equipment where missed control deadlines can reduce stability, stale sensor data can corrupt diagnostics, and delayed interlock response can create unsafe output behavior.

Use this project boundary:

ItemProject basis
processorsingle-core microcontroller at 160\ \text{MHz}
schedulerfixed-priority pre-emptive RTOS plus hardware interrupts
control update period1.0\ \text{ms}
fastest interruptencoder edge burst during high speed
communication loadfieldbus command and diagnostic traffic
loggingnonvolatile event record under fault conditions
main riskdeadline miss hidden by average timing results

Timing Requirements

Define timing requirements before measuring code. Each requirement needs a start event, stop event, deadline, and evidence method.

RequirementStart eventStop eventDeadline
control-loop updatetimer tickPWM compare register updated1.0\ \text{ms}
fault input responsehardware fault edgeinterlock output driven safe250\ \mu\text{s}
sensor timestamp jitterADC triggersample timestamp committed\pm 20\ \mu\text{s}
encoder event captureencoder edgecount update visible to control loop100\ \mu\text{s}
fieldbus command responsevalid command receivedresponse queued10\ \text{ms}
watchdog health decisionfailed critical taskwatchdog no-refresh condition reached50\ \text{ms}

The requirement table prevents a common ambiguity: one engineer measures from ISR entry while another cares about the physical input edge. The project must measure the boundary that matters to the system.

Instrumentation Plan

Use two complementary timing sources:

  1. hardware trace pins or GPIO toggles observed by a logic analyzer;
  2. an internal timestamp counter recorded into a bounded trace buffer.

Recommended instrumentation points:

SignalToggle or timestamp pointPurpose
TICK_INcontrol timer ISR entrytimer-to-handler latency
CTRL_STARTcontrol task begins computationscheduler release latency
CTRL_ENDPWM update committedcontrol response time
FAULT_INhardware fault edge capturefault-response start
SAFE_OUTinterlock output driven safefault-response stop
ENC_ISRencoder ISR entry and exitinterrupt burst duration
BUS_RXvalid fieldbus command parsedcommunication phasing
LOG_BUSYnonvolatile logging activeblocking and priority risk
WD_REFRESHwatchdog refresh decisionhealth-supervision evidence

The trace pins should be low overhead and compiled into the release-candidate build or into an instrumented build whose timing difference is bounded. If instrumentation changes scheduling materially, the evidence must include an overhead correction or a separate non-instrumented measurement path.

Measurement Conditions

Measure at least these conditions:

ConditionPurpose
nominal loadconfirm baseline timing and trace setup
maximum sensor rateexercise ADC, DMA, encoder and control paths
maximum communication loadexpose bus-driver and queue interaction
diagnostic logging activereveal nonvolatile memory blocking
low supply and temperature corners if relevantexpose clock, wait-state or analog timing shifts
fault-injection runverify interlock and watchdog timing
overload runprove degraded behavior is controlled
post-change regression runcompare with prior release evidence

Do not accept timing data from a single clean bench run. Real release evidence should include worst credible phasing: a control tick arriving while communication, logging, encoder bursts, and diagnostics are active.

Worked Timing Dataset

A stressed measurement campaign records the following worst observed times.

PathWorst observed time
timer edge to control task start58\ \mu\text{s}
control computation512\ \mu\text{s}
PWM register update36\ \mu\text{s}
highest-priority encoder interference during one control response44\ \mu\text{s}
bounded lower-priority blocking32\ \mu\text{s}
trace resolution allowance2\ \mu\text{s}

Control response time is:

R_{ctrl}=t_{release}+C_{ctrl}+t_{pwm}+I_{hp}+B+t_{res}

Substitute:

R_{ctrl}=58+512+36+44+32+2=684\ \mu\text{s}

Deadline margin:

M=D-R_{ctrl}
M=1000-684=316\ \mu\text{s}

Relative margin:

\displaystyle M_{rel}=\frac{M}{D}=\frac{316}{1000}=0.316

Therefore:

M_{rel}=31.6\%

Engineering Comment

The control loop passes the measured stressed response-time screen with useful margin. The result is stronger than average CPU load because it is tied to a system boundary: timer event to PWM update. It is still not absolute proof of all future firmware behavior. The release package must state compiler version, optimization level, interrupt priorities, trace method, test duration, traffic profile, and whether the worst observed phasing includes logging and communication bursts.

WCET Upper-Bound Screen

Measured maxima are not automatically worst-case execution times. A practical release package should add a guard when formal WCET analysis is not available.

For the control computation, use:

QuantityValue
maximum measured control computation, C_{meas}512\ \mu\text{s}
trace resolution allowance, u_{trace}2\ \mu\text{s}
clock and wait-state allowance, g_{clk}1.02
stress guard for unobserved phasing, g_s1.12

Bounded control execution estimate:

C_{bound}=(C_{meas}+u_{trace})g_{clk}g_s

Substitute:

C_{bound}=(512+2)(1.02)(1.12)=587\ \mu\text{s}

Recalculate control response:

R_{bound}=58+587+36+44+32+2=759\ \mu\text{s}

Deadline margin:

M_{bound}=1000-759=241\ \mu\text{s}

Engineering Comment

The guarded screen still passes. This is the right direction for an engineering release: do not call a measured maximum a WCET unless the measurement campaign and hardware state justify that claim. If the guarded margin had fallen below the release threshold, the action would be to reduce computation, shorten blocking, change priorities, reduce logging interference, or require stronger analysis.

Interrupt Latency Check

The fault input must drive the interlock output safe within:

D_{fault}=250\ \mu\text{s}

Measured stressed values are:

SegmentTime
input synchronizer and interrupt entry18\ \mu\text{s}
maximum masked-interrupt interval42\ \mu\text{s}
fault ISR execution64\ \mu\text{s}
output driver register update21\ \mu\text{s}
relay driver propagation34\ \mu\text{s}
trace and measurement allowance3\ \mu\text{s}

Fault response time:

R_{fault}=18+42+64+21+34+3=182\ \mu\text{s}

Margin:

M_{fault}=250-182=68\ \mu\text{s}

Engineering Comment

The fault response passes, but the largest controllable risk is the masked-interrupt interval. A future driver change that disables interrupts for another 80\ \mu\text{s} would erase the margin. The release package should include a regression gate for maximum interrupt-disabled time, not only a fault-response test.

CPU Load Cross-Check

Use utilization as a screen, not as release proof.

Work itemBounded execution timePeriod or rate
control task587\ \mu\text{s}1.0\ \text{ms}
sensor processing140\ \mu\text{s}2.0\ \text{ms}
communication service420\ \mu\text{s}10\ \text{ms}
diagnostics760\ \mu\text{s}50\ \text{ms}
logger service900\ \mu\text{s}100\ \text{ms}
periodic ISR total52\ \mu\text{s}1.0\ \text{ms} equivalent

Utilization:

\displaystyle U=\frac{587}{1000}+\frac{140}{2000}+\frac{420}{10000}+\frac{760}{50000}+\frac{900}{100000}+\frac{52}{1000}
U=0.587+0.070+0.042+0.0152+0.009+0.052=0.7752

Therefore:

U=77.5\%

Engineering Comment

The utilization is high enough to deserve attention but not a failure by itself. The stronger evidence is the measured and guarded response-time margin. If a future feature adds 150\ \mu\text{s} to the 1 ms control path, utilization may still be below 100\% while the deadline margin becomes weak.

Regression Gates

Define timing gates that every release candidate must satisfy.

GateAcceptance criterion
control responseguarded response time \le 800\ \mu\text{s}
control relative marginM_{rel}\ge 20\% under stress
fault responseinterlock safe output \le 250\ \mu\text{s}
max interrupts disabled\le 50\ \mu\text{s} unless safety review approves
sensor timestamp jitterwithin \pm 20\ \mu\text{s}
communication burstno control deadline miss during maximum command traffic
logging stressno unbounded blocking during nonvolatile writes
watchdog supervisionfailed critical task stops refresh within 50\ \text{ms}
trace repeatabilitysame test profile compared with previous release

These gates should be part of configuration control. A firmware change that modifies compiler options, clock configuration, ISR priority, communication buffers, DMA setup, flash driver, RTOS version, or safety-output code invalidates at least part of the timing evidence.

Validation Matrix

Use a validation matrix instead of a loose test note.

TestEvidencePass rule
nominal timing tracelogic-analyzer capture and timestamp logall deadlines pass
stressed timing tracemax sensor, bus, logging and diagnostics loadno deadline miss, margin gates pass
fault injectionhardware input edge to safe output traceR_{fault}\le250\ \mu\text{s}
interrupt-disabled audittrace counter or static instrumentationmaximum masked interval within gate
jitter testADC trigger to timestamp distributionjitter inside bound
overload testartificial command and logging loaddegraded mode, no unsafe output
watchdog teststalled critical taskrefresh stops and recovery evidence is logged
regression comparisonprevious release versus candidateno unexplained margin loss

The matrix should include sample size, test duration, load profile, firmware hash, hardware revision, compiler version and trace-tool setup. Timing evidence without configuration identity is difficult to defend later.

Release Decision

For the worked scenario, the release decision is conditional approval:

  • control response passes with a guarded margin of 241\ \mu\text{s};
  • fault response passes with 68\ \mu\text{s} margin;
  • utilization is high but acceptable when response-time gates are met;
  • the largest future risk is added blocking or interrupt-disabled time in drivers and logging;
  • release requires a regression gate that rejects any build with masked interrupts above 50\ \mu\text{s} or guarded control response above 800\ \mu\text{s}.

The project should not be closed until the timing traces, scripts, configuration records, and open-action list are stored with the release evidence.

Final Deliverable

The completed timing-validation package should include:

  1. requirements table with start and stop events;
  2. firmware build identity and hardware revision;
  3. scheduler, interrupt and priority configuration;
  4. instrumentation map and trace-tool configuration;
  5. raw and summarized timing traces;
  6. WCET or guarded upper-bound rationale;
  7. response-time calculations and margins;
  8. stress-test and fault-injection evidence;
  9. regression gates for future releases;
  10. release recommendation, limitations and owner sign-off.

Limitations

This project uses measurement-based bounds, which are practical but not equivalent to formal WCET proof. The confidence depends on test coverage, stress realism, trace overhead, hardware state coverage, compiler stability, cache or flash wait states, interrupt priority correctness, and whether unobserved phasing remains credible.

If the system is safety-critical, regulated, or hard real-time with severe consequences, the timing release may need formal timing analysis, independent review, tool qualification, coding-rule evidence, static analysis, hardware failure-mode review, and documented safety-case linkage.

Common Mistakes

Common firmware timing validation mistakes include:

  • measuring average task time and ignoring worst observed traces;
  • measuring inside the task while the requirement starts at a hardware event;
  • using an instrumented build without accounting for instrumentation overhead;
  • ignoring disabled-interrupt sections in drivers;
  • accepting CPU utilization as a schedulability proof;
  • testing without communication, logging or diagnostic load;
  • treating a watchdog reset as proof of safe recovery;
  • failing to record compiler options and clock configuration;
  • allowing later firmware changes without timing regression gates.

Good firmware timing evidence is boring by design: every deadline has an owner, every measurement has a boundary, every margin has units, and every future change has a gate that prevents silent erosion of timing reserve.

REF

See also