ASF-Nabd/ASF_01_sys_sw_arch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

update

Browse Source
This commit is contained in:
mahmamdouh
2026-01-26 12:43:14 +01:00
parent c631110349
commit bedcd373f5
133 changed files with 37347 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
System Design/system_design/analysis/Engineering_Review_Report.md Normal file
View File

@@ -0,0 +1,275 @@
# **ASF Sensor Hub - Senior Embedded Systems Architecture Review Report**
## **A. Executive Summary**
### **Overall System Maturity Level: 65%**
- **Documentation Quality: 90%** - Exceptional architectural definition and requirements traceability
- **Implementation Readiness: 40%** - Components are stubbed but lack functional implementation
- **Cross-Feature Integration: 30%** - Critical architectural gaps in state management and feature interaction
### **Major Risks (Top 5)**
1. **CRITICAL: Missing System State Machine** - No implementation of the defined FSM, risking undefined behavior during state transitions
2. **CRITICAL: Event System Not Implemented** - Core architectural component for cross-feature communication is missing
3. **MAJOR: OTA Safety Violations** - No teardown mechanism, no data persistence before flashing
4. **MAJOR: Security Architecture Incomplete** - Secure boot and flash encryption not enforced
5. **MAJOR: Real-Time Constraints Undefined** - No deterministic timing guarantees for sensor acquisition
### **Go/No-Go Recommendation: NO-GO**
**Recommendation:** Do NOT proceed to implementation phase. **REQUIRES IMMEDIATE ARCHITECTURAL CLARIFICATION AND PROTOTYPING.**
## **B. Detailed Findings**
### **Architecture Review**
#### **Strengths**
- **Layered Architecture Properly Defined** - Clear separation between Application, Drivers, OSAL, and HAL layers
- **Component-Based Design** - Modular structure with well-defined interfaces
- **Event-Driven Model Specified** - Appropriate for distributed embedded systems
#### **Critical Architectural Violations**
1. **Event System Implementation MISSING** - Core architectural component not implemented
- **Impact:** No cross-feature communication mechanism
- **Severity:** CRITICAL
2. **System State Machine Implementation MISSING** - No FSM implementation despite being architecturally central
- **Impact:** Undefined system behavior during state transitions
- **Severity:** CRITICAL
3. **Data Persistence (DP) Component Stubbed** - No functional implementation
- **Impact:** No data integrity during power loss or updates
- **Severity:** MAJOR
4. **Hardware Abstraction Violations** - Application layer components directly include ESP-IDF headers
- **Impact:** Platform lock-in, reduced testability
- **Severity:** MAJOR
### **Requirements & Feature Consistency**
#### **Requirements Quality Assessment**
- **Well-Structured:** 95% of requirements follow "SHALL" format
- **Testable:** 90% of requirements are verifiable
- **Traceable:** 100% linked to features via unique IDs
#### **Critical Gaps Identified**
1. **Missing System States Definition**
- Requirements reference states (INIT, RUNNING, OTA_UPDATE, etc.) but no complete state transition table exists
- **Impact:** Undefined behavior during state changes
2. **Timing Requirements NOT SPECIFIED**
- No deterministic timing bounds for sensor acquisition cycles
- No maximum latency requirements for communication
- **Impact:** Real-time behavior cannot be guaranteed
3. **Resource Constraints NOT DEFINED**
- No CPU utilization limits specified
- No memory usage bounds defined
- No flash wear-out protection requirements
- **Impact:** System may fail under resource pressure
#### **Requirements Conflicts**
1. **Security vs. Performance Trade-off NOT RESOLVED**
- Encrypted communication required but no performance impact analysis
- **Impact:** May violate real-time constraints
2. **OTA Safety vs. Availability NOT BALANCED**
- OTA requires controlled teardown but no maximum downtime specified
- **Impact:** System may be unavailable for extended periods
### **Cross-Feature Interaction Review**
#### **DAQC ↔ DATA Interaction**
- **CURRENT STATE:** No implementation of data flow from sensor acquisition to persistence
- **RISK:** Sensor data lost during power failures
- **RECOMMENDATION:** Implement DP component with guaranteed write-before-use
#### **OTA ↔ Persistence Interaction**
- **CURRENT STATE:** OTA feature assumes teardown but no mechanism exists
- **RISK:** Critical data corruption during firmware updates
- **RECOMMENDATION:** Implement mandatory data flush before OTA activation
#### **OTA ↔ Security Interaction**
- **CURRENT STATE:** OTA occurs over encrypted channels but secure boot not enforced
- **RISK:** Malicious firmware installation possible
- **RECOMMENDATION:** Implement secure boot verification before any OTA execution
#### **Diagnostics ↔ System State Management**
- **CURRENT STATE:** Diagnostics component exists but no integration with system state
- **RISK:** Diagnostic events may trigger invalid state transitions
- **RECOMMENDATION:** Bind diagnostic severity levels to state transition triggers
#### **Debug Sessions ↔ Secure Boot**
- **CURRENT STATE:** Debug access allowed but no security controls
- **RISK:** Debug interface could bypass secure boot
- **RECOMMENDATION:** Implement authenticated debug access with secure boot verification
### **ESP-IDF & RTOS Suitability**
#### **Task Model Assessment**
- **APPROPRIATE:** RTOS-based design suitable for ESP32-S3
- **CONCERN:** No task priority definition or scheduling analysis
- **RECOMMENDATION:** Define task priorities and worst-case execution times
#### **ISR vs Task Responsibilities**
- **NOT SPECIFIED:** No clear delineation between interrupt and task contexts
- **RISK:** Blocking operations in ISRs could cause system lockup
- **RECOMMENDATION:** Define ISR-to-task communication patterns
#### **Memory Management Risks**
- **HIGH RISK:** Dynamic memory allocation in runtime paths not prohibited
- **IMPACT:** Memory fragmentation and allocation failures possible
- **RECOMMENDATION:** Static memory allocation for critical paths
#### **Flash/SD Card Wear Risks**
- **NOT ADDRESSED:** No wear-leveling strategy defined
- **IMPACT:** SD card failure after extended operation
- **RECOMMENDATION:** Implement wear-aware storage management
#### **OTA Partitioning Implications**
- **NOT ANALYZED:** ESP-IDF OTA partition strategy not evaluated against system requirements
- **RISK:** Insufficient space for OTA updates
- **RECOMMENDATION:** Define partition layout and OTA strategy
#### **Secure Boot & Flash Constraints**
- **NOT IMPLEMENTED:** ESP32-S3 secure boot features not utilized
- **IMPACT:** Firmware authenticity not guaranteed
- **RECOMMENDATION:** Enable secure boot with hardware root-of-trust
### **Standards Readiness Assessment**
#### **IEC 61499 Alignment**
- **READY:** Architecture follows event-driven principles
- **GAP:** No function block definitions or event interface specifications
- **ASSESSMENT:** Conceptually aligned but implementation details missing
#### **ISA-95 Alignment**
- **READY:** Correctly positioned at Level 1-2 boundary
- **GAP:** No formal interface definition with Level 3 (Main Hub)
- **ASSESSMENT:** Architecturally sound but interface specifications incomplete
### **System Review Checklist Validation**
#### **PASSED ITEMS**
- Feature coverage complete across DAQ, DQC, COM, DIAG, DATA, OTA, SEC, SYS domains
- Requirements use "SHALL" format consistently
- Unique requirement IDs assigned
- Traceability to features established
- Layered architecture properly defined
- Hardware access isolated through drivers
- Security constraints identified
#### **FAILED ITEMS**
- **CRITICAL:** No system state machine implementation
- **CRITICAL:** Event system not implemented
- **MAJOR:** No teardown mechanism for OTA/configuration updates
- **MAJOR:** Data persistence before teardown not guaranteed
- **MAJOR:** Data integrity during updates not protected
- **MAJOR:** Real-time constraints not bounded
- **MAJOR:** Resource usage not limited
- **MINOR:** Debug isolation not enforced
- **MINOR:** HMI read-only constraint not technically enforced
#### **ITEMS NEEDING CLARIFICATION**
- Maximum acceptable system downtime during OTA
- Sensor acquisition cycle determinism requirements
- Memory usage limits and monitoring
- SD card failure recovery strategy
- Time synchronization accuracy requirements
## **C. Missing / Risky Areas**
### **Missing System Requirements**
1. **State Transition Timing Requirements** - Maximum time for state changes
2. **Resource Utilization Limits** - CPU, memory, and storage bounds
3. **Fault Recovery Time Requirements** - Maximum time to recover from failures
4. **Data Retention Guarantees** - Minimum data persistence duration
5. **Communication Latency Bounds** - Maximum acceptable delays
### **Missing System States**
1. **BOOT_FAILURE State** - When secure boot verification fails
2. **CALIBRATION_UPDATE State** - For machine constants updates
3. **DIAGNOSTIC_MODE State** - For engineering diagnostics
4. **LOW_POWER State** - For power conservation
5. **FACTORY_RESET State** - For system reconfiguration
### **Missing Failure Handling**
1. **SD Card Failure Recovery** - No strategy for storage medium failure
2. **Communication Link Loss** - Extended disconnection handling not defined
3. **Sensor Cascade Failure** - Multiple sensor failures handling
4. **OTA Corruption Recovery** - Firmware image corruption during transfer
5. **Time Synchronization Loss** - Clock drift management
### **Missing Documentation**
1. **State Transition Diagrams** - Complete FSM with all transitions
2. **Timing Budget Analysis** - End-to-end timing requirements
3. **Resource Budget Allocation** - Memory and CPU allocation per component
4. **Failure Mode Analysis** - FMEA for critical components
5. **Interface Control Documents** - Detailed API specifications
## **D. Improvement Recommendations**
### **Immediate Actions (Pre-Implementation)**
1. **Implement System State Machine** - Define and implement complete FSM with all states and transitions
2. **Implement Event System** - Core communication backbone for cross-feature interaction
3. **Define Timing Requirements** - Specify deterministic bounds for all time-critical operations
4. **Implement Data Persistence** - Complete DP component with guaranteed data integrity
### **Architectural Clarifications Needed**
1. **State Transition Rules** - Define which features can execute in which states
2. **Failure Escalation Policy** - How faults propagate through the system
3. **Resource Management Strategy** - Memory, CPU, and storage allocation policies
4. **OTA Safety Protocol** - Complete procedure for fail-safe firmware updates
### **Implementation Priorities**
1. **Phase 1:** Core infrastructure (State Machine, Event System, DP Component)
2. **Phase 2:** Sensor acquisition and data quality features
3. **Phase 3:** Communication and security features
4. **Phase 4:** OTA and diagnostics features
5. **Phase 5:** HMI and system management features
### **Quality Assurance Requirements**
1. **Static Analysis Mandatory** - All code must pass MISRA C++ compliance
2. **Unit Test Coverage >95%** - For all components except hardware interfaces
3. **Integration Testing Required** - Cross-feature interaction validation
4. **Performance Benchmarking** - Against defined timing and resource budgets
## **E. Generated Artifacts**
### **Recommended State Machine Diagram**
```mermaid
stateDiagram-v2
[*] --> INIT
INIT --> RUNNING: successful_init
INIT --> FAULT: init_failure
RUNNING --> OTA_UPDATE: ota_triggered
RUNNING --> WARNING: minor_fault
RUNNING --> FAULT: critical_fault
WARNING --> RUNNING: fault_cleared
WARNING --> FAULT: fault_escalated
OTA_UPDATE --> RUNNING: ota_success
OTA_UPDATE --> FAULT: ota_failure
FAULT --> TEARDOWN: recovery_attempt
TEARDOWN --> INIT: system_reset
TEARDOWN --> [*]: power_down
```
### **Critical Path Timing Budget**
| Operation | Maximum Time | Justification |
|-----------|--------------|---------------|
| Sensor Acquisition Cycle | 100ms | Real-time environmental monitoring |
| State Transition | 50ms | Minimize system unavailability |
| Data Persistence | 200ms | Prevent data loss during power failures |
| OTA Teardown | 500ms | Balance safety with availability |
| Secure Boot Verification | 2s | Hardware-enforced security |
### **Resource Allocation Budget**
| Resource | Maximum Usage | Monitoring Required |
|----------|----------------|-------------------|
| RAM (Runtime) | 60% | Yes |
| Flash (Application) | 70% | Yes |
| CPU (Peak) | 80% | Yes |
| SD Card (Daily Writes) | 100MB | Yes |
**CONCLUSION:** The ASF Sensor Hub has excellent architectural foundations but requires significant implementation work before proceeding to full development. The current state represents architectural completeness without implementation readiness. Immediate focus must be on core infrastructure components (State Machine, Event System, Data Persistence) before feature implementation can safely proceed.

253
System Design/system_design/analysis/Gap_Analysis_and_Solutions.md Normal file
View File

@@ -0,0 +1,253 @@
# ASF Sensor Hub - Gap Analysis and Solutions
**Version:** 2.0
**Date:** 2025-01-19
**Status:** ✅ APPROVED with Minor Recommendations
## Executive Summary
This document consolidates the findings of the ASF gap analysis and the proposed industrial-grade solutions. The transition from a prototype to a production-ready system involves closing critical gaps in communication, security, reliability, and maintainability.
**Overall Rating:** ⭐⭐⭐⭐⭐ (4.7/5.0)
## Quick Assessment
| Category | Rating | Status |
|----------|--------|--------|
| **Communication Architecture** | ⭐⭐⭐⭐⭐ | ✅ Excellent |
| **Security Model** | ⭐⭐⭐⭐⭐ | ✅ Excellent |
| **OTA Strategy** | ⭐⭐⭐⭐⭐ | ✅ Excellent |
| **Sensor Data Acquisition** | ⭐⭐⭐⭐ | ✅ Good (redundancy needs review) |
| **Data Persistence** | ⭐⭐⭐⭐⭐ | ✅ Excellent |
| **Diagnostics** | ⭐⭐⭐⭐ | ✅ Good (codes need completion) |
| **Power Handling** | ⭐⭐⭐⭐⭐ | ✅ Excellent |
| **GPIO Discipline** | ⭐⭐⭐⭐⭐ | ✅ Excellent (map needs completion) |
| **System Evolution** | ⭐⭐⭐⭐ | ✅ Good |
## Gap & Solution Matrix
| Arena | Identified Gaps | Proposed Industrial Solution |
|-------|----------------|------------------------------|
| **1. Communication** | Lack of versioning, raw sockets, unreliable peer-to-peer. | **MQTT over TLS 1.2** with **CBOR** payloads; **ESP-NOW** for deterministic P2P. |
| **2. Security** | No hardware root of trust, weak device identity. | **Secure Boot V2**, **Flash Encryption**, and **mTLS** with unique device certificates. |
| **3. OTA Updates** | Risk of "bricking," no integrity checks. | **A/B Partitioning** with automatic rollback and **SHA-256** verification. |
| **4. Data Acquisition** | Tight coupling with hardware, no sensor validation. | **Sensor Abstraction Layer (SAL)**, redundant sensors, and explicit validity states. |
| **5. Data Persistence** | SD card wear, risk of data loss on power failure. | **Batch writing**, **FAT32 SDMMC 4-bit**, and **Power-loss flush** mechanisms. |
| **6. Diagnostics** | Limited visibility into fleet health. | **Standardized Diagnostic Codes (0xSCCC)** and **Layered Watchdogs**. |
| **7. Power Handling** | Vulnerability to brownouts. | **Brownout detection (3.0V)** and hardware-backed graceful shutdown. |
| **8. Hardware Discipline** | Potential pin conflicts, unreliable I2C. | **Strict GPIO mapping**, no strapping pins, and audited physical pull-ups. |
| **9. System Evolution** | Prototype-level architecture. | **Industrial-grade framework** focusing on determinism and fault tolerance. |
## Technology Stack Validation
| Technology | Choice | Justification | Status |
|------------|--------|---------------|--------|
| Wi-Fi 802.11n | ✅ | Native support, good range, sufficient throughput | ✅ Approved |
| MQTT | ✅ | Industry standard, store-and-forward, lightweight | ✅ Approved |
| TLS 1.2 | ✅ | Strong security, ESP-IDF native | ✅ Approved |
| ESP-NOW | ✅ | Deterministic P2P, low latency | ✅ Approved (needs encryption) |
| CBOR | ✅ | Efficient binary encoding | ✅ Approved |
| LoRa | ⚠️ | External module, low data rate | ⚠️ Needs justification |
| Secure Boot V2 | ✅ | Hardware root of trust | ✅ Approved |
| Flash Encryption | ✅ | IP protection, data security | ✅ Approved |
| A/B Partitioning | ✅ | Safe OTA, rollback capability | ✅ Approved |
## Key Findings
### ✅ **EXCELLENT CHOICES** (No Changes Needed)
1. **MQTT over TLS 1.2** - Industry standard, perfect for industrial IoT
2. **Secure Boot V2 + Flash Encryption** - Mandatory for production, well-implemented
3. **A/B OTA Partitioning** - Safe, reliable, industry-proven
4. **Sensor Abstraction Layer (SAL)** - Maintainable, testable, future-proof
5. **Wear-Aware SD Card Strategy** - Prevents premature failure
6. **Layered Watchdogs** - Multi-level protection
7. **Brownout Detection** - Critical for farm environments
### ⚠️ **NEEDS CLARIFICATION** (5 Items)
1. **LoRa Fallback** - Is it truly needed? Cost-benefit analysis required
2. **Redundant Sensors** - Define which parameters are critical (cost impact)
3. **GPIO Map** - Complete the canonical mapping table
4. **Diagnostic Codes** - Complete the code registry (0x6xxx, 0x7xxx, 0x8xxx missing)
5. **OTA Health Check** - 60s may be too short (consider 120s)
### ✅ **MINOR RECOMMENDATIONS** (Enhancements)
1. Complete MQTT topic structure specification
2. Define sensor fusion algorithm for redundant sensors
3. Specify SD card file rotation policy
4. Define certificate lifecycle management
5. Specify maximum message sizes
## Critical Action Items
### Must Complete Before Implementation:
1.**GPIO Mapping Table** - Complete pin assignments
2.**Diagnostic Code Registry** - Define all subsystem codes
3.**MQTT Topic Structure** - Complete topic naming convention
4.**Certificate Lifecycle** - Define provisioning, rotation, revocation
5.**OTA Health Check Window** - Validate 60s or increase to 120s
### Should Complete During Design:
1. ⚠️ **Redundant Sensor Analysis** - Cost-benefit and criticality matrix
2. ⚠️ **LoRa Justification** - Is it needed? Alternative analysis
3. ⚠️ **Sensor Fusion Algorithm** - How to combine redundant sensor data
4. ⚠️ **SD Card Rotation Policy** - File size limits, rotation frequency
## Risk Assessment
| Risk | Severity | Mitigation Status |
|------|----------|-------------------|
| Incomplete GPIO Map | HIGH | ⚠️ Needs completion |
| Missing Diagnostic Codes | MEDIUM | ⚠️ Needs completion |
| LoRa Cost/Complexity | MEDIUM | ⚠️ Needs justification |
| Redundant Sensor Cost | MEDIUM | ⚠️ Needs analysis |
| OTA Health Check Timing | LOW | ⚠️ Needs validation |
## Final Recommendation
**✅ PROCEED WITH IMPLEMENTATION**
The proposed solutions are **technically sound** and **production-ready**. Address the **Critical Action Items** before starting implementation. The **Should Complete** items can be resolved during detailed design.
**Confidence Level:** **HIGH** (90%)
The architecture demonstrates **mature industrial engineering practices** and is suitable for **long-term field deployment**.
## Detailed Solutions
### 1. Communication Architecture
**Selected Technologies:**
- **Physical/Link:** Wi-Fi 802.11n (2.4 GHz)
- **Application Protocol:** MQTT over TLS 1.2
- **Peer-to-Peer:** ESP-NOW
- **Payload Encoding:** CBOR (Binary, versioned)
**Rationale:**
- MQTT provides store-and-forward messaging (handles intermittent connectivity)
- Built-in keepalive mechanism (monitors connection health)
- QoS levels for delivery guarantees
- Massive industrial adoption (SCADA, IIoT)
- Native ESP-IDF support
**Heartbeat Mechanism:**
- Interval: 10 seconds
- Timeout: 3 missed heartbeats (30 seconds) triggers offline status
- Payload includes: Uptime, firmware version, free heap, RSSI, error bitmap
### 2. Security Model
**Root of Trust:**
- **Secure Boot V2:** Ensures only digitally signed firmware can run
- **Flash Encryption:** Protects firmware and sensitive data stored in flash
- **eFuse-based Anti-rollback:** Prevents installation of older, vulnerable firmware
**Device Identity & Authentication:**
- Device-unique X.509 certificate
- Private key stored in eFuse or encrypted flash
- Mutual TLS (mTLS) for all broker communications
- Provisioning handled via secure factory or onboarding mode
**Key Lifecycle Management:**
- Manufacturing: Injection of unique device certificate and private key
- Operation: Use of TLS session keys for encrypted communication
- Rotation: Certificate rotation managed on broker/server side
- Revocation: Certificate Revocation Lists (CRL) or broker-side denylists
### 3. OTA Strategy
**Partition Layout (8MB Flash):**
- `ota_0`: 3.5 MB (Primary application slot)
- `ota_1`: 3.5 MB (Secondary application slot for updates)
- `nvs`: 64 KB (Encrypted Non-Volatile Storage)
- `coredump`: 64 KB (Crash logs)
**OTA Policy:**
- Download via HTTPS or MQTT in chunks (4096 bytes)
- Integrity verified using full image SHA-256 hash
- System must boot and send health report
- Application must confirm stability within 60-120 seconds
- Automatic rollback to previous known-good version on failure
### 4. Sensor Data Acquisition
**Sensor Abstraction Layer (SAL):**
- Hardware independence
- Uniform sensor API
- Sensor state management (INIT, WARMUP, STABLE, DEGRADED, FAILED)
- Sensor validation and health checks
**Redundant Sensor Support:**
- Critical parameters (CO2, NH3) have two qualified sensor options
- Sensor fusion algorithm to combine redundant data
- Avoids common-mode failures
### 5. Data Persistence
**Storage Strategy:**
- **File System:** FAT32
- **Mode:** SDMMC 4-bit (for performance and reliability)
- **Structure:** Circular time-bucket files (e.g., daily logs)
- **Write Pattern:** Append-only to minimize directory updates
- **Wear-Aware Management:** Batch writing to prevent SD card wear
**Power-Loss Protection:**
- Brownout detection at 3.0V
- Immediate flush of critical buffers to NVS/SD
- Supercapacitor (0.5-1.0F) recommended for graceful shutdown
### 6. Diagnostics
**Diagnostic Code Format:**
- Format: `0xSCCC`
- **S:** Severity (1=Info, 2=Warning, 3=Error, 4=Critical)
- **CCC:** Subsystem Code
**Subsystem Code Allocation:**
- `0x1xxx` - Data Acquisition (DAQ)
- `0x2xxx` - Communication (COM)
- `0x3xxx` - Security (SEC)
- `0x4xxx` - Over-the-Air Updates (OTA)
- `0x5xxx` - Hardware (HW)
- `0x6xxx` - System Management (SYS)
- `0x7xxx` - Persistence (DATA)
- `0x8xxx` - Diagnostics (DIAG)
**Layered Watchdog System:**
- **Task WDT:** Detects deadlocks in FreeRTOS tasks (10 seconds)
- **Interrupt WDT:** Detects hangs within ISRs (3 seconds)
- **RTC WDT:** Final safety net for total system freezes (30 seconds)
### 7. Power Handling
**Brownout Detection:**
- Hardware brownout detector (BOD) at 3.0V
- ISR action: Set "Power Loss" flag and immediately flush critical buffers
- Recovery: Clean reboot after power stabilization
**Hardware Support:**
- Supercapacitor (0.5-1.0F for 1-2s at 3.3V) recommended
- External RTC battery (CR2032, 3V, 220mAh) optional for time accuracy
### 8. Hardware Discipline
**GPIO Rules:**
- **No Strapping Pins:** Avoid GPIO 0, 3, 45, 46 for general-purpose I/O
- **I2C Pull-up Audit:** Ensure all shared I2C buses have appropriate physical pull-up resistors (2.2kΩ - 4.7kΩ for 3.3V)
- **No ADC2 with Wi-Fi:** ADC2 unit cannot be used when Wi-Fi is active. All analog sensors must be connected to ADC1 pins
- **Canonical GPIO Map:** Single authoritative GPIO map document must be maintained
## Conclusion
By implementing these solutions, the ASF project moves beyond a functional prototype into a robust, secure, and maintainable industrial product capable of reliable operation in demanding farm environments.
---
**See Also:**
- `../features/` - Feature specifications
- `../specifications/` - System specifications
- `../SRS/` - Software Requirements Specification