Applying modern UI technology to safety-critical systems

Implementing Flash in safety-critical user interfaces ensures timely response and consistency across platforms.

The User Interface (UI) can make all the difference between a product that works and a product that doesn't, and the results of not working can be disastrous. More robust, better tested, and more uniform interfaces are needed. One way to help achieve UI reliability is to eliminate the error-prone process of translating UIs designed with high-level tools into conventional graphics technology. Rather than use two or more technologies to design, prototype, and deploy UIs, teams can work with one common technology: Adobe Flash.

Between 1985 and 1987, three people died and three others fell seriously ill from radiation overdoses caused by user error and software malfunction in a radiation therapy machine, the Therac-25. An oft-quoted example of poor all-round design, the Therac-25 incident also highlights how the UI plays a major role in the success or failure of safety-critical systems.

For example, if a serious error occurred, the machine’s UI would display “MALFUNCTION,” followed by a numeric code from 1 to 64. Neither the UI, the device, nor the user manual explained what the various codes indicated. Moreover, the operator could override an error condition by simply pressing “P” on the keyboard. By allowing operators to bypass critical warnings, the UI contributed to the radiation overdoses. It also required tedious, repetitive user entries and contained bugs that led to erroneous entries[1].
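
The two UI failures described above (an unexplained numeric code and a one-key override) set against a fail-safe policy, as an added example that is not from the article or from any real device. The fault table, the `RESUME` confirmation word, and the override cap are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fault table: the codes, texts and severities are assumptions
   for illustration; the page does not say what the Therac-25 codes meant. */
typedef enum { SEV_ADVISORY, SEV_CRITICAL } severity_t;
typedef struct {
    int code;
    severity_t severity;
    const char *message;  /* shown to the operator instead of a bare number */
    const char *action;   /* what the operator should do next */
} fault_t;

static const fault_t FAULTS[] = {
    { 12, SEV_ADVISORY, "Table position not confirmed", "Re-check position, then resume" },
    { 54, SEV_CRITICAL, "Delivered dose differs from prescription", "Stop and call service" },
};
/* Codes missing from the table fail safe: treated as critical. */
static const fault_t UNKNOWN = { -1, SEV_CRITICAL, "Unrecognized fault", "Stop and call service" };

const fault_t *fault_lookup(int code) {
    for (size_t i = 0; i < sizeof FAULTS / sizeof FAULTS[0]; i++)
        if (FAULTS[i].code == code) return &FAULTS[i];
    return &UNKNOWN;
}

typedef enum { RESUME_OK, DENIED_CRITICAL, DENIED_UNCONFIRMED, DENIED_LIMIT } resume_t;
typedef struct { int overrides_used; } session_t;
#define MAX_OVERRIDES 2  /* hypothetical per-session cap */

/* Decide whether the operator may resume after fault `code`. */
resume_t request_resume(session_t *s, int code, const char *typed) {
    const fault_t *f = fault_lookup(code);
    if (f->severity == SEV_CRITICAL) return DENIED_CRITICAL;   /* never overridable */
    if (typed == NULL || strcmp(typed, "RESUME") != 0)
        return DENIED_UNCONFIRMED;             /* a lone "P" keypress is not enough */
    if (s->overrides_used >= MAX_OVERRIDES) return DENIED_LIMIT;
    s->overrides_used++;
    return RESUME_OK;
}

int main(void) {
    session_t s = { 0 };
    const fault_t *f = fault_lookup(54);
    printf("FAULT %d: %s. %s. resume=%d\n", f->code, f->message, f->action,
           (int)request_resume(&s, 54, "P"));
    return 0;
}
```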

Discussions of safety-critical design often focus on hard real-time control software. But, as the Therac-25 story demonstrates, the operator and the UI contribute just as much to system safety. Paradoxically, a technology that can help developers build better safety-critical UIs comes not from the world of real-time embedded systems, but from the world of consumer-grade computers and mobile devices.

Adobe Flash started life on the desktop and the Internet. Originally a Web animation technology, it has grown into a compelling tool for designing and implementing UIs such as the QNX-based digital instrument cluster for in-vehicle electronics (pictured on this page). Moreover, developers can use Adobe Flash Lite, which has been optimized for resource-constrained environments, to implement Flash-based UIs in their embedded systems. Already, manufacturers have deployed Adobe Flash Lite in more than 800 million devices.

A strong candidate

Adobe Flash offers many benefits: It is platform independent (that is, it runs the same across many Operating Systems or OSs), it supports fast prototyping and iterative UI development, and it has become the lingua franca of UI and graphics designers. These qualities make Flash a strong candidate for safety-critical UIs. To understand this point, consider some of the UI design guidelines published by the FDA[2]:

- Keep the UI consistent with user expectations. Consider the user’s experience with similar devices and well-established conventions.

- Keep the display well-organized and uncluttered.

- Ensure that the user can see and hear signals. Consider the ambient lighting and noise.

- Keep labels, displays, controls, and acronyms consistent with the user manual and established conventions (for instance, PWR for Power).

- Arrange controls to prevent inadvertent activation.

- Use color and shape coding to convey information quickly, but ensure the coding follows universal conventions (for instance, most systems use red to indicate errors, so don’t display alarms in blue).

- Provide feedback to user input.

- Correctly indicate resets, failures, or default values.

- Relieve the operator of complex processes or mental calculations.

- Don’t use software when a simple hardware solution would suffice.

- Consider using dedicated displays or display areas to present critical information; don’t display other data in these areas.

Adobe Flash addresses many of these requirements. For instance, consider the need to build a UI consistent with user expectations and well-established conventions. Flash-based UIs are, by nature, consistent across platforms, even when scaled to different screen sizes. Moreover, Flash allows developers to create highly interactive UIs that use the same familiar UI conventions found in consumer software applications for desktop environments.

Consider also the need to create an uncluttered, understandable, easy-to-use UI. This goal is rarely achieved on the first try; the UI design typically must go through multiple iterations before it becomes sufficiently intuitive and understandable for operators. The need, then, is for a tool that excels at fast prototyping. Adobe Flash integrates with the most popular graphics design software packages used today, for instance, Adobe Photoshop or Adobe Illustrator, which are typically used to create graphical elements of UIs; it also adds animation and visual programming via ActionScript to provide a full-blown UI development environment. All this makes Flash a superior prototyping platform and helps teams iterate quickly through multiple revisions of the UI.

Smoother transition

The prototyping and evaluation phase, where the design team tests the UI design on real operators, constitutes a critical step in designing safe systems. Because Flash provides consistency between platforms, it allows developers to perform UI testing on a desktop system or reference platform well before the target hardware is available. UI testing can proceed while other software and hardware components are still in development.

Translating the finalized UI design to the operational device constitutes another key step. Traditionally, development teams would take the final output from the UI designer and translate it into conventional graphics technology, typically a collection of widgets, 2D libraries, or 3D graphics implemented in C. This step is time-consuming, and it is error-prone not only in function, but also in design, intuitiveness, and intent. Teams can now eliminate it by building the UI with high-level Flash tools and then deploying that UI directly on an embedded Flash player. Eliminating the translation from designer tools to developer tools improves productivity and enhances UI design and usability.

Figure 1 contains two flow charts, one depicting the traditional approach of translating UI prototypes into conventional graphics technology (widgets, 2D/3D libraries, and so on) and the other showing the faster transition from design to implementation in Flash.

Figure 1: Compared to traditional approaches, Flash offers a faster transition from design to deployment.

Determinism and real-time behavior

By its very nature, Adobe Flash doesn’t provide a deterministic or real-time programming environment. It uses an interpreted JavaScript-based language, ActionScript, which runs in a virtual machine inside the Flash player. Nonetheless, system designers can still use Flash in safety-critical systems for several reasons:

- Adobe Flash Lite embedded players use less CPU and memory resources than their desktop equivalents and are specifically tuned for the Real-Time OS (RTOS) they run on.

- By following some simple design guidelines, system designers can limit the CPU and memory resources required for the Flash player. For instance, designers can minimize alpha blending and transparency, avoid overuse of gradients, and use the minimum acceptable frame rate for animations.

- Many embedded OSs, including the QNX Neutrino RTOS, provide CPU time partitioning, which allows the system designer to control and limit how much memory and CPU time the Flash player consumes. Conversely, partitioning can also ensure that the Flash player always has enough memory and CPU time to respond quickly to user input.

- Some RTOSs provide an easy-to-use communications interface from Flash ActionScript applications running within the Flash player (the interpretive, non-real-time environment) to RTOS threads and processes (the hard real-time environment). This interface gives system designers the flexibility to assign activities to the real-time processing layer as needed. Designers can relegate noncritical UI functions to ActionScript.

- Graphical layering technology allows developers to overlay multiple UI technologies on the same screen (shown in Figure 2). By using software blending or hardware layering support, system designers can seamlessly blend Flash-based graphics with real-time 2D or 3D rendering of time-critical data.

Figure 2: Using graphics layers, designers can combine Flash-based and real-time graphics on the same display.

Guaranteed performance

Besides serving as an ideal UI designer’s tool, Adobe Flash also offers flexible development and deployment technology for embedded systems. Its familiarity and support for widely accepted UI conventions make it well-suited for UIs in all sorts of devices. Its support for rapid prototyping and iterative design helps guarantee that the UI is sufficiently tested and easy to use.

Combining Flash with the preemptive scheduling and time partitioning of modern embedded OSs ensures timely response in safety-critical applications, while graphical layering allows developers to leverage 2D/3D real-time graphics technology for displaying critical information.


[1] “The Therac-25 Accidents,” Nancy Leveson,

[2] “Do It By Design: An Introduction to Human Factors,” Dick Sawyer, Office of Communication, Education, and Radiation Programs (OCER), U.S. Federal Drug Administration,

Bill Graham is a product marketing manager at QNX Software Systems, based in Ottawa, Ontario, Canada. He has more than 20 years of experience in the software industry, including work with embedded and real-time systems development, software development processes and techniques, UML modeling, and object-oriented design. He holds Bachelor’s and Master’s degrees in Electrical Engineering from Carleton University in Ottawa, Canada.

QNX Software Systems