On Tue, Nov 22, 2011 at 5:23 PM, Brett Frankenberger <rbf+na...@panix.com> wrote:
> On Tue, Nov 22, 2011 at 06:14:54PM -0500, Jay Ashworth wrote:
> in a manner that removes voltage from the relays). It doesn't protect
> against the case of conflicting output from the controller which the
> conflict monitor fails to detect. (Which is one of the cases you
> seemed to be concerned about before.)
Reliable systems have triple redundancy. And indeed... hardwired safety is a lot better than relying on software. But it's not like transistors/capacitors don't fail either, so whether solid state or not, a measure of added protection is in order beyond a single monitor.

There should be a "conflict monitor test path" that involves a third circuit intentionally creating a safe "test" conflict at pre-defined sub-millisecond intervals, by generating a conflict in a manner the monitor is supposed to detect but that won't actually produce current through the light, and checking for the absence of a test signal on green; if the test fails, the test circuit should intentionally blow a pair of fuses, breaking the test circuit's connections to the controller and conflict monitor.

In addition, the 'test circuit' should generate a pair of clock signals of its own, which are a side effect of, and only possible with, correct test outcomes, and which will be verified by both the conflict monitor and the controller; if the correct clock indicating successful test outcomes is not detected by either the conflict monitor or by the controller, both systems should independently force a fail, using different methods.

So you have 3 circuits, and any one circuit can detect the most severe potential failure of any pair of the other circuits.

> --
> Brett

--
-JH
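The three-circuit scheme sketched in the post above, as an added toy simulation that is not from the thread or from any real signal-controller design; the phase numbering, the fault modes (a monitor that silently misses conflicts, a controller that requests a conflicting pair, a test circuit that goes dead) and the heartbeat logic are constructed assumptions:

```python
from dataclasses import dataclass
from itertools import product

# Constructed example: phases 0 and 1 are conflicting movements.
CONFLICTING = {frozenset({0, 1})}

def has_conflict(greens):
    return any(pair <= greens for pair in CONFLICTING)

@dataclass
class Outcome:
    lamps_energized: frozenset   # greens actually lit at the end of the run
    fuse_blown: bool             # test circuit cut itself off from both peers
    controller_failsafe: bool    # controller forced all-red on a missing clock
    monitor_failsafe: bool       # monitor cut lamp voltage on a missing clock

def simulate(controller_ok, monitor_ok, tester_ok, cycles=3):
    """Run a few test intervals; each *_ok flag models one circuit's health."""
    fuse_blown = False
    controller_failsafe = monitor_failsafe = False
    lamps = frozenset()
    for _ in range(cycles):
        # Test circuit: inject a test conflict on the monitor's sense inputs only
        # (never through a lamp) and check whether the monitor reports it.
        if tester_ok and not fuse_blown:
            detected = monitor_ok        # a faulty monitor never reports the test
            if not detected:
                fuse_blown = True        # blow the fuses: disconnect from both peers
            clock_seen = detected        # heartbeat only on a correct test outcome
        else:
            clock_seen = False           # dead tester or blown fuse: no heartbeat
        # Controller and monitor check the heartbeat independently.
        if not clock_seen:
            controller_failsafe = monitor_failsafe = True
        # Controller output; a faulty controller requests a conflicting pair.
        requested = frozenset({0}) if controller_ok else frozenset({0, 1})
        if controller_failsafe:
            requested = frozenset()      # force all-red
        # Monitor removes lamp voltage on a detected conflict or on its own fail.
        cut = monitor_failsafe or (monitor_ok and has_conflict(requested))
        lamps = frozenset() if cut else requested
    return Outcome(lamps, fuse_blown, controller_failsafe, monitor_failsafe)

def is_safe(outcome):
    return not has_conflict(outcome.lamps_energized)

def all_single_and_double_faults_safe():
    """Every combination with at least one healthy circuit ends with no conflict lit."""
    return all(is_safe(simulate(*flags))
               for flags in product([True, False], repeat=3) if any(flags))
```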