Propeller Safety
frank freedman
Posts: 1,983
An interesting thought occurred to me today regarding the safety of using the Propeller over many other possible choices. The majority of the designs I have seen and worked with across many vendors of medical x-ray systems seem to have the common view that an active signal should be low/ground. I would be willing to bet other areas of application are the same way as well. This attitude, as it was explained to me years ago, was that many device inputs will float to a high state or can be pulled up to a high state when an input is not active or in the event of a failed open connection. One example of this in an x-ray system based on some form of intelligence is the fact that the unit will go into a blocked mode if, for example, it detects the operator's footswitch is active. It should not be active at boot up, so if there is a bad switch or cable short, the unit will not initialize. If open it will initialize, and if the switch is bad or cable open, no big deal, maybe not even an error code, as an open footswitch is normal operation. The point is that there is a natural advantage to that way of thinking. Enter the Propeller chip in a safety-critical situation.
Set up one cog to do nothing other than watch a timer (a watchdog timer, say) and any and all safety interlocks etc. When all is normal, the cog happily sits there essentially watching the clock. The rest of the cogs cog along doing motor control or other functions that could be hazardous in the event of specific failures. What if something happens: clock times out, safety guard activated by operator error, overcurrent from motor jamming etc.? If all of the normal functions are set up to activate on a low-going output, all the safety cog needs to do in the event of a failure would be to simply set DIRA = 0xF--F and then OUTA = 0xF--F and everything is suddenly taken to the inactive state. Motors shut down, brakes applied, valves closed etc. Two instructions to shut down the entire system the Prop chip is in charge of. Just because of the Prop's OR'd output structure. Sure, all the other cogs have their own DIRA and OUTA, but whoever has the high wins. Not many chips have that capability. Immediately, not when an interrupt comes in and gets serviced, immediately.
Frank
A rolling stone gathers no moss, but a wandering mind well............
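As an added illustration of the two-write shutdown described in the post above (my own Spin code for the Propeller 1, not Frank's and not anything from Parallax), here is a minimal program with one worker cog that owns a set of active-low actuator pins and a safety cog that does nothing but watch a hub heartbeat and one interlock pin. The pin assignments (P0..P15 as actuators, P16 as an active-low E-stop with an external pull-up), the 50 ms heartbeat period, and the 5 MHz crystal are all assumptions for the example:

```spin
CON
  _clkmode = xtal1 + pll16x           ' 80 MHz on a 5 MHz crystal (assumed board)
  _xinfreq = 5_000_000

  ACTUATOR_MASK = $0000_FFFF          ' assumed: P0..P15 drive active-low actuators
  ESTOP_PIN     = 16                  ' assumed: active-low E-stop, external pull-up holds it at 1
  HEARTBEAT_MS  = 50                  ' assumed: worker must bump the heartbeat at least this often

VAR
  long heartbeat                      ' hub counter the worker cog increments
  long safetyStack[32]                ' stack for the safety cog

PUB Main
  ' Worker cog: owns the actuator pins during normal operation.
  ' Write OUTA (inactive = high) before DIRA so the drivers never come up low.
  outa |= ACTUATOR_MASK
  dira |= ACTUATOR_MASK

  cognew(SafetyCog, @safetyStack)     ' the safety cog runs from here on, independently

  repeat
    ' Constructed stand-in for real control work: drive one actuator active (low)
    ' for 5 ms per pass so there is something for the safety cog to override.
    outa[0] := 0
    waitcnt(cnt + clkfreq / 200)
    heartbeat++                       ' pet the watchdog

PRI SafetyCog | seen, deadline
  ' Runs in its own cog and does nothing except watch the heartbeat and the interlock.
  seen := heartbeat
  deadline := cnt + clkfreq / 1000 * HEARTBEAT_MS
  repeat
    if heartbeat <> seen              ' worker is alive: push the deadline out
      seen := heartbeat
      deadline := cnt + clkfreq / 1000 * HEARTBEAT_MS
    ' Signed subtraction handles the 32-bit CNT wrap-around correctly.
    if (cnt - deadline) > 0 or ina[ESTOP_PIN] == 0
      ForceSafe

PRI ForceSafe
  ' Each cog's DIRA and OUTA are OR'd into the physical pin, so a 1 written here
  ' wins over whatever the worker cog is driving. OUTA goes first so the pins
  ' never pass through a driven-low (active) state on the way to safe.
  outa |= ACTUATOR_MASK
  dira |= ACTUATOR_MASK
  repeat                              ' latch the safe state until reset or power cycle
```

Two design points worth noting. The mask deliberately leaves P28..P31 alone: those pins carry the boot EEPROM I2C bus and the programming serial port, so a literal all-ones DIRA would also drive them. And because the safe state is latched by a cog that never returns, a crashed worker cannot "un-safe" the outputs; recovering requires a reset, which is usually what you want from a watchdog trip.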
Comments
If you are looking into PLC-type programming, which is known as ladder logic, there is a program called PICoPLC that compiles the ladder logic into Spin or C and uses one cog to do it all. The cool thing is this program works great.
As far as I remember, in atomic power plants it would also be disastrous to do an immediate stop of the reaction.
I think in most cases (at least when talking about such critical systems) some controlled shutdown has to be implemented, which can definitely not mean "set all outputs to high".
Hello Frank,
That statement may be true for TTL logic, since those inputs tend to float high when not connected. However, that seems to not work so well with CMOS logic that is left unconnected. For the relay board I built (BOB rebuild project in SERVO) I used a CMOS chip to select the relay. When I went to do an initial bench test, the board went crazy with no inputs connected. To correct that you can add some weak pull-up (or pull-down) resistors to help sway the inputs to a known state if the cable is disconnected, etc. I also did this on a robot project that used a joystick for manual control. If the cable is disconnected it goes to a known state that disables movement.
Having some extra code in the prop to also watch for issues is a good idea if the system is critical.
Robert
I remember back in the day when I was at my first job out of school. I was working on a design and had found some cool ways to make the code more efficient and run faster. The owner of the company took a look and rejected it all out of hand. His reason was simple and stuck with me ever since.
The control system needs to fail safe. What that means differs from situation to situation and may cause significant overhead. It may not always be possible to fail completely safe. In those cases it's life over injury and injury over equipment. Better for a failure to burn up a pump than cost a person an arm or leg.
Second point: I'm working on a remote controller that must initialize in a safe mode so as not to reset the device it's connected to. For me that is resolved because the Propeller starts up with all pins as inputs, high impedance. This means no current flow. There are not many discrete chips that have tri-state outputs which you can rely on to not do ANYTHING upon power up. This means I can't just drop a 74x138 in there and go to town.
Agreed that one would want as orderly a shutdown as possible. For instance, in a CT system you may want the x-ray system immediately inhibited, and then the gantry slowed and stopped under control. I would not want to see the resulting damage of a short stop on a CT gantry doing max speed. As to the nuclear plant, it has been over 30 years, but if I recall, a scram is in fact an immediate driving home of the control rods into the core to stop the reaction quickly. The danger in sudden shutdown is the waste heat that continues to be generated as the reaction abates, as was demonstrated by the TEPCO plants following the tsunami. The cooling system also went down, with all the resulting issues that followed. (I have to wonder, though, if even had the cooling pumps remained online the problems would have still been significant. The heat energy would still have to have been dissipated somehow, but if the turbines are down, where would the heat energy go?)
As to the following post regarding logic floating to predefined levels, yes, some logic families can be counted on to do this. However, in a critical system, or even just for additional reliability's sake, I personally would add pull-ups or other circuits to guarantee the state under given conditions. Risk versus economics. Everyone makes this choice.
My point was that a feature of the Prop could be used to enhance the safety of a system of which it is a part, a general idea only. The actual implementation would depend on the things mentioned: criticality of the device function and recoverability. What is controlled and how to safely stop its functioning? Lock the shaft on a large high-mass motor and tear it off its mountings, with attendant potential injury, destruction and economic loss, or would a controlled spindown even be possible? If the motor speed sensor fails, for example, the drive pulses to the drive circuit could be cut off and the motor can only spin down with no energy input. Is it safe to do so? Only the systems engineer can answer that and make the determination of what to do. The suggestion was meant in general terms. In designing the system, its developer must make all the appropriate risk assessments and then decide how to control the system as well as mitigating the effects of failure and the process to handle that.
But mainly the initial point was that the OR function of all the pins' outputs can be an interesting feature rather than just "#$%# forgot cog-n needed to release the high out on pin x so that cog-n+1 could use it now". Which seems to come up at times........
Frank