Re: micro self-check of checksum
- From: "Lanarcam" <lanarcam1@xxxxxxxx>
- Date: 24 Sep 2005 13:52:47 -0700
Richard wrote:
> "Lanarcam" <lanarcam1@xxxxxxxx> wrote in message
> news:1127582372.465810.205740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > Richard wrote:
> > > > I am not familiar with PICs, and somebody already pointed out that at
> > > > least some PICs can't read their code space as data. But the general
> > > > idea of performing a checksum on a binary image is a pretty simple
> > > > one, especially if the image is in a single contiguous chunk of
> > > > memory.
> > >
> > > Now, assuming you find an error...what do you do? You have just proven
> the
> > > code is not trust worthy, so you cannot rely on the code to make the
> system
> > > safe in any way. Or in fact do anything predictably So is the test
> worth
> > > while? (playing devils advocate).
> >
> > The principle is to put all devices in a safe state, this can be
> > accomplished by forcing a reset and by not executing the normal code
> > after that but instead disabling all hardware and busy looping.
> > This is based on the assumption that there exist a safe state for
> > the system upon failure of both hardware and software for instance
> > in the case of a power failure.
>
> So you are relying on code you know is corrupt to put all devices into a
> safe state? In fact you don't even know the code is corrupt, as if it is
> corrupt you don't know anything for sure, etc. You cannot even rely on it
> to force a reset - maybe it is the decision to reset that has the
> corruption.
>
> As Spehro Pefhany says, its a statistics game. You can only improve the
> probability of safe behaviour.
A probability of failure of 10E-9 is required in the most severe
cases. This is not a zero probability of failure.
You certainly can't leave the code memory unchecked. Now you can
imagine measures that enhance the probability of a correct
behaviour in case of code corruption. For instance you can have
multiple sections of code each with a check sum.
You can also double the critical portions of code, you could also
use different memory devices for each.
In some systems you must output a square watchdog signal. You can
have one portion of code thats writes a 1 and another that writes
a zero. If following the detection of an error you busy loop, the
correct waveform will not be output. This will trigger a reset by
an external watchdog. Of course you would then hope that the reset
code is correct.
Every safety device has to perform memory code checking. For high
levels of safety several processors are used, each with its own
copy of code. Even in these cases each processor performs a code
check and stops if an error is found. The others detect this state
and put the device in a safe state.
Regards
.
- Follow-Ups:
- Un-realistic Integrity Level (was Re: micro self-check of checksum)
- From: Paul E. Bennett
- Un-realistic Integrity Level (was Re: micro self-check of checksum)
- References:
- micro self-check of checksum
- From: Thomas Magma
- Re: micro self-check of checksum
- From: Jack Klein
- Re: micro self-check of checksum
- From: Richard
- Re: micro self-check of checksum
- From: Lanarcam
- Re: micro self-check of checksum
- From: Richard
- micro self-check of checksum
- Prev by Date: Re: micro self-check of checksum
- Next by Date: Re: RS485 CSMA/CD protocol
- Previous by thread: Re: micro self-check of checksum
- Next by thread: Un-realistic Integrity Level (was Re: micro self-check of checksum)
- Index(es):
Relevant Pages
|
