Comments on: Are you, or someone you know, using voting within your embedded system designs? http://www.embeddedinsights.com/channels/2010/11/03/are-you-or-someone-you-know-using-voting-within-your-embedded-system-designs/ Shedding Light on the Hidden World of Embedded Systems Mon, 28 Jul 2014 16:18:37 -0400 hourly 1 http://wordpress.org/?v=3.0 By: Lance ==)----------- http://www.embeddedinsights.com/channels/2010/11/03/are-you-or-someone-you-know-using-voting-within-your-embedded-system-designs/#comment-4271 Lance ==)----------- Fri, 05 Nov 2010 04:27:43 +0000 http://www.embeddedinsights.com/channels/?p=370#comment-4271 I've been working with avionics control systems (DO-178B, level A) for almost 20 years and have seen a multiple voting schemes. These systems are the ultimate in paranoia, as they start out with the assumption that not only might the sensors have errors, they're quite possibly lying (i.e., wrong with very reasonable values). Because they're going on large commercial aircraft, these are scrutinized very closely by the FAA. This has both advantages and disadvantages: on the plus side, we're using the very best practices we *know* work; on the negative side, we're extremely slow to adopt practices that have yet to be compelling to the most skeptical safety engineers. From an economic stand point, it is much easier and faster to defend a scheme by demonstrating similarity to an already approved one than show that a new one is in all ways superior. With triply-identical sensors, after verifying that the sensors think they're healthy, the values are reasonable (both on their own and relative to earlier data from the same sensor), and filtering, then we compare the readings from the three and choose the middle one. This minimizes the magnitude of any erroneous data. With doubly-identical sensors for which there exists some combination of other sensor readings from which we can infer what this sensor ought to be reading, we choose the sensor that is closest to the synthesized reading, provided it is sufficiently close to the synthesized reading. The question has always been: with only two sensors (one of the three has declared itself bad or the synthetic reading is unavailable) that disagree, what do you do in circumstances where there is no fail-safe value? Lance ==)-------------------- I’ve been working with avionics control systems (DO-178B, level A) for almost 20 years and have seen a multiple voting schemes. These systems are the ultimate in paranoia, as they start out with the assumption that not only might the sensors have errors, they’re quite possibly lying (i.e., wrong with very reasonable values).

Because they’re going on large commercial aircraft, these are scrutinized very closely by the FAA. This has both advantages and disadvantages: on the plus side, we’re using the very best practices we *know* work; on the negative side, we’re extremely slow to adopt practices that have yet to be compelling to the most skeptical safety engineers. From an economic stand point, it is much easier and faster to defend a scheme by demonstrating similarity to an already approved one than show that a new one is in all ways superior.

With triply-identical sensors, after verifying that the sensors think they’re healthy, the values are reasonable (both on their own and relative to earlier data from the same sensor), and filtering, then we compare the readings from the three and choose the middle one. This minimizes the magnitude of any erroneous data.

With doubly-identical sensors for which there exists some combination of other sensor readings from which we can infer what this sensor ought to be reading, we choose the sensor that is closest to the synthesized reading, provided it is sufficiently close to the synthesized reading.

The question has always been: with only two sensors (one of the three has declared itself bad or the synthetic reading is unavailable) that disagree, what do you do in circumstances where there is no fail-safe value?

Lance ==)——————–

]]> By: Rick Matz http://www.embeddedinsights.com/channels/2010/11/03/are-you-or-someone-you-know-using-voting-within-your-embedded-system-designs/#comment-4269 Rick Matz Thu, 04 Nov 2010 09:33:04 +0000 http://www.embeddedinsights.com/channels/?p=370#comment-4269 I recently worked on a Steering Column Lock Module for a large automaker. Because of the threat that the steering column could lock while the car was in motion, it was rated SIL 3 (Safety Integrity Level 3) application. The way we implemented voting was this: There was a hardware path and a software path, each giving an output. These two outputs were ANDed together, and when the result was true, the system could lock. Each of these paths used three separate inputs, and each of these inputs were tested against other system parameters to insure that they were true. For example, the car had to be in PARK and the engine was off to lock the steering column. The hardware path looked at the Park switch and the state of the key cylinder, while the software looked at the Park status message on the CAN bus.It also looked to see the ignition status, the engine status (OFF) and vehicle speed (0). Even if the software was completely wrong, the hardware path would prevent the Steering Column Lock Module from locking the steering column while the car was in motion. I recently worked on a Steering Column Lock Module for a large automaker. Because of the threat that the steering column could lock while the car was in motion, it was rated SIL 3 (Safety Integrity Level 3) application.

The way we implemented voting was this: There was a hardware path and a software path, each giving an output. These two outputs were ANDed together, and when the result was true, the system could lock.

Each of these paths used three separate inputs, and each of these inputs were tested against other system parameters to insure that they were true.

For example, the car had to be in PARK and the engine was off to lock the steering column. The hardware path looked at the Park switch and the state of the key cylinder, while the software looked at the Park status message on the CAN bus.It also looked to see the ignition status, the engine status (OFF) and vehicle speed (0).

Even if the software was completely wrong, the hardware path would prevent the Steering Column Lock Module from locking the steering column while the car was in motion.

]]>