??? 05/30/08 17:06
#155296 - Nothing's perfect
Responding to: ???'s previous message
Erik Malund said:

> ... Shivaram Kumara Cunchala never answer questions.
> so, let me repeat some, and I suggest that if not answered, there can be no help
> 1) why is failsafe not good enough?
> 2) why do you reject using the watchdog

Unfortunately, the watchdog only responds to a stopped or runaway MCU. It's conceivable that an errant MCU might still enter the "kick the dog" routine when required, despite the fact that some flag or register is "broken."

> 3) if you are to run 3 parallels where are you going to find the teams/persons to write #2 and #3

If you use the majority-logic method I mentioned, it doesn't require different code in each MCU, and, in fact, requires that they be exactly alike.

> 4) are you aware that, whatever you do it can fail (there will ALWAYS be some part that can cause catastrophic failure, all you can do is reduce the likelihood)
> 5) re 4) which 'failsafe' are you going to add if you are, indeed, going for triplicate.
> 6) why have you not revealed YOUR method/thoughts/hardware/code (the method/thoughts/hardware/code, not just "I want to do standby controller for emergency")
> 7) which method are you going to use to verify the "standby processor" is, indeed, functioning before it is called into action
> 8) how are you going to ensure that e.g. a power spike is not going to take all 2 or 3 systems out
> 9) how many watts are your diesel power backup generator capable of
> 10) Please fill in any other details you might have
> Erik

At NASA, on the shuttle's main engine controller, they used a second, redundant processor, with code to manage the situation and disable the malfunctioning controller in the event of a failure. That was due to weight, cost, and size constraints. In this case, using more MCUs with the same code would be much easier, though there's always a single-point failure risk.

Frankly, I'm curious what could be so critical about a temperature controller that it needs more than just a watchdog. The most common reason for watchdog resets is not hardware failure, but, rather, badly written code.
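The majority-logic voting the reply refers to, written out as an added example (not code from this thread or its posters). It goes a step beyond the post: a unit that is outvoted on consecutive cycles is latched as failed and excluded, and the voter carries on with the remaining pair until they disagree, at which point the failsafe output is substituted. The one-byte actuator command, the de-energised-heater failsafe value and the FAULT_LIMIT threshold are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

#define HEATER_OFF  0u   /* assumed failsafe output: heater de-energised */
#define FAULT_LIMIT 3    /* assumed: consecutive outvotes before a unit is latched as failed */

typedef struct {
    uint8_t miscompares[3];  /* consecutive outvotes per controller */
    bool    failed[3];       /* latched once FAULT_LIMIT is reached */
} voter_state;

typedef struct {
    uint8_t output;    /* value passed to the actuator */
    bool    failsafe;  /* true when no majority existed and HEATER_OFF was substituted */
    int     outvoted;  /* bitmask of healthy units that disagreed with the majority */
} vote_result;

/* Majority vote over the outputs of three identical controllers.  Units already
 * latched as failed are ignored; a strict majority of the remaining healthy
 * units (2 of 3, or 2 of 2) is required, otherwise the failsafe output is used. */
vote_result vote3(voter_state *s, const uint8_t v[3])
{
    vote_result r = { HEATER_OFF, true, 0 };
    int healthy = 0, best = -1, best_support = 0;
    for (int i = 0; i < 3; i++) {
        if (s->failed[i]) continue;
        healthy++;
        int support = 0;                       /* healthy units agreeing with unit i */
        for (int j = 0; j < 3; j++)
            if (!s->failed[j] && v[j] == v[i]) support++;
        if (support > best_support) { best_support = support; best = i; }
    }
    if (healthy >= 2 && best_support * 2 > healthy) {   /* strict majority found */
        r.output = v[best];
        r.failsafe = false;
        for (int i = 0; i < 3; i++) {
            if (s->failed[i]) continue;
            if (v[i] != v[best]) {             /* outvoted: count towards latching */
                r.outvoted |= 1 << i;
                if (++s->miscompares[i] >= FAULT_LIMIT) s->failed[i] = true;
            } else {
                s->miscompares[i] = 0;         /* agreement clears the running count */
            }
        }
    }
    return r;                                  /* no majority: counters left untouched */
}
```

A three-way split (every unit different) yields the failsafe without blaming any unit, since the voter has no basis for deciding which one is wrong.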