08/10/04 13:14
#75693 - A sane portion of paranoia
Responding to: ???'s previous message
Never trust any signal from outside until you have checked that it is trustworthy!

Exactly! But not only the outside signals shouldn't be trusted, also the inside ones...

In such applications the designer should show a sane portion of paranoia. That means the designer should ask himself over and over again: "Hey, what happens if this signal fails?" "What happens if there is noise superimposed on the signal?"

Unfortunately, it's extremely easy to always find enough reasons for something to fail, much easier than the opposite. Think only of the simple contacts of a switch etc. They age, become contaminated with dirt, bounce, etc. Everything bad you can imagine. The secret of a good design is to use all these imperfections in such a way that they make the start of this dangerous run of the gear box less probable!

Do everything so that this start becomes less and less probable: Why should a hit of the start button be accepted on the first edge? Only accept it when the operator has pressed it down for at least one second... This is only an example to demonstrate the idea behind it.

It cannot be overemphasized how important it is to limit the bandwidth of each signal to the absolutely needed minimum by intensive use of filtering!!! A simple RC low-pass filter in combination with a Schmitt-trigger gate can do the job very well! But even on the software side 'filtering' should be used: Accept a signal only if successive readings give an identical result. Only by this intensive filtering can short voltage spikes, which are always present for many reasons, be prevented from degrading signal integrity or causing false triggers.

Where do these annoying short-lasting voltage spikes come from?

From everywhere! Even if you have shielded everything against everything, there's still the cosmic radiation... It's impossible to totally shield an application against all possible interference, not only because the costs would rise astronomically. But there's one thing you can do: In a safety-relevant application, only use parts which cannot be badly influenced by this unavoidable interference. What does this mean?

Michael stated in his reply that an SRAM was used to store reliability-relevant data, not a DRAM! What do you think is more prone to change its state due to unavoidable interference: a memory cell on a microcontroller die containing 1 million transistors, or a flip-flop fabricated from two 'fat' transistors?

If microcontrollers and other very highly integrated chips are used in safety-relevant applications, it's always wise to drastically increase redundancy by storing information at a relevant number of different locations! The reason behind this is to add so many memory cells that they tend to look like this 'fat' transistor again.

Maybe this sounds a bit offensive, but if the Apollo project had used today's microcontrollers, no human being would ever have reached the moon. Had they used today's PCs running Microsoft operating systems, no one would even have left the earth's surface.


Kai
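The two software measures Kai describes, accepting an input only after successive readings agree and only after the start button has been held for a second, and keeping a safety flag in several memory locations, as an added C example that is not from this thread. The sample period, the number of agreeing readings and the two bit patterns are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
/* Assumed parameters (not from the post): sample every 10 ms, accept a
 * level only after 4 identical readings, accept "start" only after 1 s. */
#define SAMPLE_MS      10u
#define AGREE_SAMPLES   4u
#define HOLD_MS      1000u

typedef struct {
    bool     level;    /* accepted (filtered) level */
    bool     last_raw; /* most recent raw reading */
    uint8_t  agree;    /* consecutive readings equal to last_raw */
    uint16_t held_ms;  /* how long the accepted level has been "pressed" */
} button_t;

/* Feed one raw reading; returns true exactly once, when the button has
 * been held for HOLD_MS. Short spikes never reach the hold timer. */
bool button_update(button_t *b, bool raw)
{
    if (raw == b->last_raw) {
        if (b->agree < AGREE_SAMPLES) b->agree++;
    } else {
        b->last_raw = raw;
        b->agree = 1;
    }
    if (b->agree >= AGREE_SAMPLES && b->level != raw) {
        b->level = raw;   /* new level accepted only after agreement */
        b->held_ms = 0;
    }
    if (b->level && b->held_ms < HOLD_MS) {
        b->held_ms += SAMPLE_MS;
        return b->held_ms >= HOLD_MS;
    }
    return false;
}

/* Safety flag kept in three copies with distinct bit patterns; reading is a
 * majority vote that fails to "not set" unless two copies agree, and it
 * rewrites all copies so a single corrupted cell is scrubbed. */
typedef struct { uint8_t c[3]; } tflag_t;
void tflag_set(tflag_t *f, bool v) { f->c[0] = f->c[1] = f->c[2] = v ? 0xA5 : 0x5A; }
bool tflag_get(tflag_t *f)
{
    int set = 0;
    for (int i = 0; i < 3; i++) set += (f->c[i] == 0xA5);
    bool v = (set >= 2);  /* corrupted or tied copies read as "not set" */
    tflag_set(f, v);
    return v;
}
```

With these constants a 3-sample glitch is discarded entirely and a genuine press fires once, 103 samples after it began.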
