Post by thread:[PIC] Anyone using C Compiler for critical applica

You will find that the microprocessors are also documented as not for use in life critical devices. FDA have rules for testing and releasing software for life critical applications. Several government agencies regulate automotive software. Over time the issue has become application testing and not the tools application developers use. Companies that implement high reliability are required to satisfy the regulatory agencies and their customers that they have followed good practices. Regards, -- Walter Banks Byte Craft Limited 1 (519) 888-6911 http://www.bytecraft.com spam_OUTwalterTakeThisOuTbytecraft.com Rafael Vidal Aroca wrote: {Quote hidden}> Hi, > > i was reading MikroC user's guide, and there is a note that they do > not take any responsability for any C code written for criticial > applications. > > My question is if anyone is using Microchip C18 or any other C > compiler for PICs in critical applications such as flight control > systems, automotive ones, or other applications that needs high reliability. > > thanks > > Rafael > -

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rafael Vidal Aroca wrote: > Hi, > > i was reading MikroC user's guide, and there is a note that they do > not take any responsability for any C code written for criticial > applications. > > My question is if anyone is using Microchip C18 or any other C > compiler for PICs in critical applications such as flight control > systems, automotive ones, or other applications that needs high reliability. Believe me, I would not rely on mikroc for anything close to reliable! It's one of the worst compilers I have ever seen and, looking at the way the assembly is created, it is constructed pretty much as a basic compiler adjusted to look like C. It's not where close to ANSI meaning porting code is a no-no. - -- Brendan Gillatt | GPG Key: 0xBF6A0D94 brendan {a} brendangillatt (dot) co (dot) uk http://www.brendangillatt.co.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFIBLvYuv4tpb9qDZQRAl5bAJ99ngfaqDZEJBVlG0ZYhlq3r4o6HgCeN6QS GuUzi/1D41c0tinBCLASa40= =JI3x -----END PGP SIGNATURE-----

I am sure if you read the fine print, somewhere in Microchip's (and in other manufacturers) documentation you'll find similar warnings too. I remember coming across an application guide from TI where they had given a description on how to go about designing an ECG (and other medical equipment) using their parts. Then right on the very last page in small print they write that their parts are not meant for critical applications unless the designers have necessary expertise and have some written agreement on it. So you can use any tool/component for any application, if you are competent enough to design for it - which, please note, also means that you should also be competent enough to decide whether the application specs are inside the tool/component specs. And at the end of the day, its the testing of the designed product that indicates the reliability of the system... You may use a million dollar tool that may be used by NASA in all their spacecrafts, but unless you've designed and tested it properly, it really doesn't matter to the reliability. Remember, its not the machine but the man behind the machine! But also please don't use no-name Chinese batteries in any kind of product whether safety-critical or not, despite whatever the manufacturer specs state. :-) Rafael Vidal Aroca wrote: {Quote hidden}> Hi, > > i was reading MikroC user's guide, and there is a note that they do > not take any responsability for any C code written for criticial > applications. > > My question is if anyone is using Microchip C18 or any other C > compiler for PICs in critical applications such as flight control > systems, automotive ones, or other applications that needs high reliability. > > thanks > > Rafael

Rafael Vidal Aroca wrote: > Hi, > > i was reading MikroC user's guide, and there is a note that they do > not take any responsability for any C code written for criticial > applications. > > My question is if anyone is using Microchip C18 or any other C > compiler for PICs in critical applications such as flight control > systems, automotive ones, or other applications that needs high reliability. > > thanks > > Rafael > That's not what they mean. They mean "time-critical" applications. Their stuff works fine anywhere you'd like to use it. --Bob Axtell

We have used both PICC and PICC18 "old" versions and still using the "old" version as possible for automotive, truck and marine products. They works great. The new V9.xx really sucks, you can use bit variable without declaration (powerful but wrong!). Things like that really worries me if I have to use it for new released chips. Personally I don't think the new V9.xx(s) are fully tested. It is a pain of "on-time release first, fix it later" issue from those "smart" MBAs. Funny N. Au Group Electronics, New Bedford, MA, http://www.AuElectronics.com {Original Message removed}

>I am sure if you read the fine print, somewhere in Microchip's (and in >other manufacturers) documentation you'll find similar warnings too. I remember that National Semiconductor has had, for far more years than I can remember, a disclaimer in their data books and data sheets that their products are not for use in life support products or other critical applications, without written consent from National Semiconductor. I suspect they were setting out to head off any possible law suit due to a medical instrument malfunctioning, causing death.

"Alan B. Pearce" wrote: > >I am sure if you read the fine print, somewhere in Microchip's (and in > >other manufacturers) documentation you'll find similar warnings too. > > I remember that National Semiconductor has had, for far more years than I > can remember, a disclaimer in their data books and data sheets that their > products are not for use in life support products or other critical > applications, without written consent from National Semiconductor. I suspect > they were setting out to head off any possible law suit due to a medical > instrument malfunctioning, causing death. That is a part of the reason. The FDA has specific rules for approving devices that contain unapproved parts. Essentially a different testing requirement kicks in. By saying that they specifically are saying they haven't tested according to FDA requirements headed off some nasty potential liability issues (US 1% rule) and forced there customers to add more testing. For the average PIC (small microprocessor of any stripe) be glad they have this disclaimer because potential life threatening liability would add a significant amount to a sub $1.00 part. w..

I guess noone makes a really extensive unit test except for critical applications where they can supply components fully tested and possibly even under rated to achieve better reliability. For development tools could be done the same with special libraries that have run-time range checking or more rigid compile time validators. As far as I know currently only Ada supports that, but I my wrong on this. Tamas On Wed, Apr 16, 2008 at 2:01 PM, Alan B. Pearce <.....A.B.PearceKILLspam@spam@rl.ac.uk> wrote: {Quote hidden}> >I am sure if you read the fine print, somewhere in Microchip's (and in > >other manufacturers) documentation you'll find similar warnings too. > > I remember that National Semiconductor has had, for far more years than I > can remember, a disclaimer in their data books and data sheets that their > products are not for use in life support products or other critical > applications, without written consent from National Semiconductor. I > suspect > they were setting out to head off any possible law suit due to a medical > instrument malfunctioning, causing death. > > -

I am not sure what initial post means by "critical", if that means "safety critical" then this is to be expected. Industry standards for safety critical systems are much higher than consumer products can achieve. For instance, SIL4 rail systems have requirements that cannot be fulfilled by standard hardware components, designs nor languages like C. Thinks like a pointer, a "void" variable and many other things are very flexible but unsafe, you are right ADA is the language of choice in most cases. Now this is completely different story if "critical" means "mission critical" or "time critical", etc My 2 cents 2008/4/16, Tamas Rudnai <tamas.rudnaiKILLspamgmail.com>: {Quote hidden}> I guess noone makes a really extensive unit test except for critical > applications where they can supply components fully tested and possibly even > under rated to achieve better reliability. For development tools could be > done the same with special libraries that have run-time range checking or > more rigid compile time validators. As far as I know currently only Ada > supports that, but I my wrong on this. > > Tamas > > > On Wed, Apr 16, 2008 at 2:01 PM, Alan B. Pearce <.....A.B.PearceKILLspam.....rl.ac.uk> wrote: > > > >I am sure if you read the fine print, somewhere in Microchip's (and in > > >other manufacturers) documentation you'll find similar warnings too. > > > > I remember that National Semiconductor has had, for far more years than I > > can remember, a disclaimer in their data books and data sheets that their > > products are not for use in life support products or other critical > > applications, without written consent from National Semiconductor. I > > suspect > > they were setting out to head off any possible law suit due to a medical > > instrument malfunctioning, causing death. > > > > --

In the automotive industry you'll find that they pay for the very expensive compilers, and they follow a set of rules for coding in C called MISRA that disallow many common practices for reasons of "C" safety. They then test to the umpteenth degree. Then they have backups and backups of the backups in really critical cases, and often the backups are mechanical linkages that prevent certain things from happening. This is the major reason why we don't have, for instance, drive by wire for steering, brakes, and only recently have introduced electronic throttle control. Even if every ECU in the car stopped (say, through an EMP pulse) the car wouldn't explode, and it would still be steerable and brakeable. When any major ECUs do shut down, typically the car enters a "limp" mode, where it turns off all but critical systems, and automatically turns on the headlights and windshield wipers in case it happens at night, in the rain, or both. This allows you to drive it to the shop. So if your windshield wipers turned on at any odd time by themselves, it usually means a fairly major ECU had a hiccup... :-D But yes, PICs are used in automotive modules (not often, but they are there) and so are C compilers. When a consumer sues the auto company, the auto company tries to pin it on the supplier, who tries to pin it on the compiler maker, who tries to pin it on the chip. At the end of the day the insurance for the companies go up, the lawyers buy new yachts, everyone is under a gag order, and the supplier has to work harder bidding on the next contract to prove that it won't happen again even though it may have been the car company's fault. Usually this means another rule or so added to the great book of "lessons learned." -Adam On Tue, Apr 15, 2008 at 10:03 AM, Rafael Vidal Aroca <EraseMErafaelspam_OUTTakeThisOuTagx.com.br> wrote: {Quote hidden}> > Hi, > > i was reading MikroC user's guide, and there is a note that they do > not take any responsability for any C code written for criticial > applications. > > My question is if anyone is using Microchip C18 or any other C > compiler for PICs in critical applications such as flight control > systems, automotive ones, or other applications that needs high reliability. > > thanks > > Rafael > -

> -----Original Message----- > From: piclist-bouncesspam_OUTmit.edu [@spam@piclist-bouncesKILLspammit.edu] On Behalf {Quote hidden}> Of M. Adam Davis > Sent: 16 April 2008 23:06 > To: Microcontroller discussion list - Public. > Subject: Re: [PIC] Anyone using C Compiler for critical applications > > In the automotive industry you'll find that they pay for the very > expensive compilers, and they follow a set of rules for coding in C > called MISRA that disallow many common practices for reasons of "C" > safety. > > They then test to the umpteenth degree. > > Then they have backups and backups of the backups in really critical > cases, and often the backups are mechanical linkages that prevent > certain things from happening. > > This is the major reason why we don't have, for instance, drive by > wire for steering, brakes, and only recently have introduced > electronic throttle control. We are almost there though. Many cars can apply the brakes without the driver touching the brake pedal for stability control, and the BWM system will even adjust the steering angle, again without the driver commanding it. Mike ======================================================================= This e-mail is intended for the person it is addressed to only. The information contained in it may be confidential and/or protected by law. If you are not the intended recipient of this message, you must not make any use of this information, or copy or show it to any person. Please contact us immediately to tell us that you have received this e-mail, and return the original to us. Any use, forwarding, printing or copying of this message is strictly prohibited. No part of this message can be considered a request for goods or services. =======================================================================

Michael Rigby-Jones wrote: >> From: M. Adam Davis This is the major reason why we don't have, for >> instance, drive by wire for steering, brakes, and only recently have >> introduced electronic throttle control. > > We are almost there though. Many cars can apply the brakes without the > driver touching the brake pedal for stability control, and the BWM > system will even adjust the steering angle, again without the driver > commanding it. You have to somehow transmit brake, steering and accelerator commands from the driver to the executing device. As long as electronics were/are far more unreliable than mechanics, drive by wire was a no-no. But the moment that reliability relation changes, they become an option. Gerhard

> drive by wire was a no-no. But the moment > that reliability relation changes, they become an option. That's interesting as many small airplanes use wires for the rudder. Is it because with planes they have a more strict test virtually every time before flying? Or they think that if rudder gone they can still do something with aileron+elevator? Tamas On Thu, Apr 17, 2008 at 11:42 AM, Gerhard Fiedler < KILLspamlistsKILLspamconnectionbrazil.com> wrote: {Quote hidden}> Michael Rigby-Jones wrote: > > >> From: M. Adam Davis This is the major reason why we don't have, for > >> instance, drive by wire for steering, brakes, and only recently have > >> introduced electronic throttle control. > > > > We are almost there though. Many cars can apply the brakes without the > > driver touching the brake pedal for stability control, and the BWM > > system will even adjust the steering angle, again without the driver > > commanding it. > > You have to somehow transmit brake, steering and accelerator commands from > the driver to the executing device. As long as electronics were/are far > more unreliable than mechanics, drive by wire was a no-no. But the moment > that reliability relation changes, they become an option. > > Gerhard > > -

M. Adam Davis wrote: > This is the major reason why we don't have, for instance, drive by > wire for steering, brakes, and only recently have introduced > electronic throttle control. > > Adam, i agree with you, but just to mention, SMART (a Swiss "mini" car for 2 passengers) uses CAN bus to control the steering and gas. Only the brakes are mechanical. It's even possible to implement a DIY autopilot for this car, sending CAN commands to the steering system and to the gas pedal. Rafael

drive by wire means using electronics not mechanical control wires/lines. many new large aircraft and most modern fighters have no mechanical link from the stick to the control surfaces and in some cases are actually impossible to fly without the aid of a computer. Tamas Rudnai wrote: {Quote hidden}>> drive by wire was a no-no. But the moment >> that reliability relation changes, they become an option. >> > > That's interesting as many small airplanes use wires for the rudder. Is it > because with planes they have a more strict test virtually every time before > flying? Or they think that if rudder gone they can still do something with > aileron+elevator? > > Tamas > > > On Thu, Apr 17, 2008 at 11:42 AM, Gerhard Fiedler < > RemoveMElistsTakeThisOuTconnectionbrazil.com> wrote: > > >> Michael Rigby-Jones wrote: >> >> >>>> From: M. Adam Davis This is the major reason why we don't have, for >>>> instance, drive by wire for steering, brakes, and only recently have >>>> introduced electronic throttle control. >>>> >>> We are almost there though. Many cars can apply the brakes without the >>> driver touching the brake pedal for stability control, and the BWM >>> system will even adjust the steering angle, again without the driver >>> commanding it. >>> >> You have to somehow transmit brake, steering and accelerator commands from >> the driver to the executing device. As long as electronics were/are far >> more unreliable than mechanics, drive by wire was a no-no. But the moment >> that reliability relation changes, they become an option. >> >> Gerhard >> >> --

On 4/17/08, Tamas Rudnai <spamBeGonetamas.rudnaispamBeGonegmail.com> wrote: > That's interesting as many small airplanes use wires for the rudder. Is it > because with planes they have a more strict test virtually every time before > flying? Or they think that if rudder gone they can still do something with > aileron+elevator? Well you have to take into account all the factors. In cars weight is a factor, but it's effect on the overall equation is low. In aircraft weight has a much greater effect on the decision to use fly by wire. Further, that mechanical linkage is much longer, heavier, more complex, and expensive to manufacture and assemble than any of the mechanical linkages in a car. Lastly, while you want to avoid it, you _can_ fly and control many (most?) airplanes even if all the the tail linkages fail, though you certainly don't want to. So it's not as safety critical as, say, the wing surfaces. But even given all that, it's not like brakes where human strength can be expected to control the surfaces of a large plane - so there are backup systems to power the hydraulics, etc, and for all intents and purposes there's no direct link between the control stil and the rudders on many aircraft - it has to go through a few transitions (mechanical solids to mechanical liquids to torque multipliers, etc) which require power of some sort to function. So the move to electricity performing some of that linkage is not as big a jump as it is on a car. Besides, if we started using aircraft fly by wire in cars we'd have to eliminate cell phone use in the vehicle, right? ;-) -Adam

On 4/17/08, Rafael Vidal Aroca <TakeThisOuTrafaelEraseMEspam_OUTagx.com.br> wrote: > M. Adam Davis wrote: > > This is the major reason why we don't have, for instance, drive by > > wire for steering, brakes, and only recently have introduced > > electronic throttle control. > > Adam, i agree with you, but just to mention, SMART (a Swiss "mini" > car for 2 passengers) uses CAN bus to control the steering and gas. Only > the brakes are mechanical. > > It's even possible to implement a DIY autopilot for this car, > sending CAN commands to the steering system and to the gas pedal. That's very cool. I know there are steer by wire vehicles available now, but it's technology that's not widely used. Keep in mind, though, that even though liability is a factor, eventually cost becomes the overriding consideration. If a supplier could make a steering system, including all the electronic and mechanical components required, for 10-50% of the cost of existing systems and demonstrated equivilant reliability then you'd find the auto companies working with their lawyers and insurers to get that into the car. It would improve the weight and maintainability of the car significantly as well. -Adam

> drive by wire means using electronics not mechanical control wires/lines. Oh, I mixed up with the "fly by cable" then... For some reason I thought that the claim is that the mechanical pull-pull system is more vulnerable than any other push rod style control system. My bad. Cheers, Tamas On Thu, Apr 17, 2008 at 1:32 PM, Jake Anderson <RemoveMEjakeTakeThisOuTvapourforge.com> wrote: {Quote hidden}> drive by wire means using electronics not mechanical control wires/lines. > > many new large aircraft and most modern fighters have no mechanical link > from the stick to the control surfaces and in some cases are actually > impossible to fly without the aid of a computer. > > Tamas Rudnai wrote: > >> drive by wire was a no-no. But the moment > >> that reliability relation changes, they become an option. > >> > > > > That's interesting as many small airplanes use wires for the rudder. Is > it > > because with planes they have a more strict test virtually every time > before > > flying? Or they think that if rudder gone they can still do something > with > > aileron+elevator? > > > > Tamas > > > > > > On Thu, Apr 17, 2008 at 11:42 AM, Gerhard Fiedler < > > listsEraseME.....connectionbrazil.com> wrote: > > > > > >> Michael Rigby-Jones wrote: > >> > >> > >>>> From: M. Adam Davis This is the major reason why we don't have, for > >>>> instance, drive by wire for steering, brakes, and only recently have > >>>> introduced electronic throttle control. > >>>> > >>> We are almost there though. Many cars can apply the brakes without > the > >>> driver touching the brake pedal for stability control, and the BWM > >>> system will even adjust the steering angle, again without the driver > >>> commanding it. > >>> > >> You have to somehow transmit brake, steering and accelerator commands > from > >> the driver to the executing device. As long as electronics were/are far > >> more unreliable than mechanics, drive by wire was a no-no. But the > moment > >> that reliability relation changes, they become an option. > >> > >> Gerhard > >> > >> --

Jake Anderson wrote: > > That's interesting as many small airplanes use wires for the rudder. Is it > > because with planes they have a more strict test virtually every time before > > flying? Or they think that if rudder gone they can still do something with > > aileron+elevator? > > The mechanical systems have a different kind reliability problems as well. I know of three cases of elevator reversal after maintenance and one of rudder reversal that were not caught before flight. One of the elevator reversals resulted in a fatality. Many years ago I was a passenger in the right seat in a plane with one of the old VOR and wing leveller type auto pilots, about 20 minutes after we got underway still climbing out the pilot slid his seat back to take off his shoes when auto pilot locked up. The controls were out of his reach. (It's amazing how fast you can find the master switch) It is these old horror stories that fly by wire systems are still viewed with suspicion. w..

>> drive by wire was a no-no. But the moment >> that reliability relation changes, they become an option. > That's interesting as many small airplanes use wires for > the rudder. Is it > because with planes they have a more strict test virtually > every time before > flying? Or they think that if rudder gone they can still > do something with > aileron+elevator? Drive-by-wire means electrical control via "wiring" - not mechanical cables. The changes being talked about are to put electrical control into braking and steering circuits. Don't buy one for the first 10 years and don't travel in one for the first 3 :-). Russell

Running revenuer barricades ... yeehaaaa! Okay, okay I'm settled down now ... I promise uh-huh ... RiB On Thu, Apr 17, 2008 at 8:25 PM, Apptech <EraseMEapptechparadise.net.nz> wrote: {Quote hidden}> > It's even possible to implement a DIY autopilot for > > this car, > > sending CAN commands to the steering system and to the gas > > pedal. > > Hmm. A car that can be accelerated and steered by remote > control, but not braked. I wonder what use that could > possibly be? > > > R :-) :-( >

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 17, 2008 at 08:47:59AM -0400, M. Adam Davis wrote: {Quote hidden}> On 4/17/08, Tamas Rudnai <RemoveMEtamas.rudnaiEraseMEEraseMEgmail.com> wrote: > > That's interesting as many small airplanes use wires for the rudder. Is it > > because with planes they have a more strict test virtually every time before > > flying? Or they think that if rudder gone they can still do something with > > aileron+elevator? > > Well you have to take into account all the factors. In cars weight is > a factor, but it's effect on the overall equation is low. > > In aircraft weight has a much greater effect on the decision to use > fly by wire. Further, that mechanical linkage is much longer, > heavier, more complex, and expensive to manufacture and assemble than > any of the mechanical linkages in a car. For resistance to combat damage the longer attribute can be a big problem, just that much more stuff that can be hit by shrapnel. At the extreme take a look at an old Vietnam era OH13 Bell 'sioux' choppers. The control cables going to the tail rotor on them are completely exposed to fire, sitting right out in the open on a space frame construction tail. Lots of them got shot down by just small arms fire that cut cables. Now if there were reliable fly-by-wire systems on the other hand it'd be dead simple to get, say, four data cables, hide them in the struts of the tail, and setup a redundent comm protocol where by the time you've lost communication your tail has fallen off anyway. In the context of Vietnam, even a not all that reliable fly-by-wire system implementable with current, cheap, digital technology would probably have failed less often than the fly-by-cable system they had to use. Not that I'd be inclinded to sign up for anything more intense than rear-base mechanic. :) - -- peter[:-1]@petertodd.org http://petertodd.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIB2pX3bMhDbI9xWQRAjTNAJ9/pbJuGemv2JlIwUCYThz8w/74LwCgmCdY F4t6mD6WswLaTw1rOiDu5iA= =Zw1U -----END PGP SIGNATURE-----

It continues to happen - A couple three years ago in Kansas (I think) a relatively well-known experimental aircraft guy was killed on take-off by aileron linkage reversal. Low & slow, with the AC rolling the wrong way, even a very experienced pilot could'nt realize & react in time... Murphy rules. On 4/17/08, Apptech <RemoveMEapptechspam_OUTKILLspamparadise.net.nz> wrote: {Quote hidden}> > ... and one of rudder reversal that were not caught before > > flight. > > Old pilots and checklist-careless pilots but no ... > > Rudder reversal MIGHT be bearable albeit very hard on the > brain. > > > R > > -

Russell Wrote: >Rudder reversal MIGHT be bearable albeit very hard on the >brain. On landing, unless you were equipped with differential breaking to steer once you've hit the tarmac you could have problems. Some aircraft have nose-wheel steering connected to the rudder pedals. If only one aspect of the rudder control (the rudder itself) were reversed and the nose-wheel wasn't this could get extremely tricky... first with the rudder having more impact to your direction, then as you slow, the nose-wheel having more impact. Aside from that, I think yes, after a few minutes most pilots could handle the reversal - or just decide to trim the rudder to center and fly without it. I bet it's possible to configure a rudder reversal on an aircraft (rather than just rudder *control* reversal) and simulate that in FS2004/FSX and see how messy the landing became. Would be interesting. Adam Davis wrote: >Lastly, while you want to avoid it, you _can_ fly and control many >(most?) airplanes even if all the the tail linkages fail, though you >certainly don't want to. So it's not as safety critical as, say, the >wing surfaces. Losing the rudder is one thing, but control loss of the horizontal stabilizers on the tail has been a factor in a number of MD-80 and DC-9 crashes. Of course, the design of the aicraft (the MD-80/90 and DC-9 are similar) and the nature of the failure will either doom you or not. en.wikipedia.org/wiki/Alaska_Airlines_Flight_261 en.wikipedia.org/wiki/Aeromexico_Flight_498 http://en.wikipedia.org/wiki/Continental_Express_Flight_2574 The tail fin itself is also critical: http://en.wikipedia.org/wiki/American_Airlines_Flight_587 Andy.

In airplane modelling actually some of us practising what to do if control surface is reversed - as it happens from time to time. It can be learned, but extremely difficult, especially when you least expect it. Most probably it is even harder if not impossible when you panic while saving your life. Tamas On Thu, Apr 17, 2008 at 4:49 PM, John Gardner <RemoveMEgoflo3TakeThisOuTspamgmail.com> wrote: {Quote hidden}> It continues to happen - A couple three years ago in Kansas (I think) > a relatively well-known experimental aircraft guy was killed on take-off > by aileron linkage reversal. > > Low & slow, with the AC rolling the wrong way, even a very experienced > pilot could'nt realize & react in time... Murphy rules. > > On 4/17/08, Apptech <EraseMEapptechspamspamBeGoneparadise.net.nz> wrote: > > > ... and one of rudder reversal that were not caught before > > > flight. > > > > Old pilots and checklist-careless pilots but no ... > > > > Rudder reversal MIGHT be bearable albeit very hard on the > > brain. > > > > > > R > > > > --

> -----Original Message----- > From: RemoveMEpiclist-bouncesKILLspammit.edu [piclist-bouncesSTOPspamspam_OUTmit.edu] On Behalf > Of Peter Todd > Sent: 17 April 2008 16:19 > To: Microcontroller discussion list - Public. > Subject: Re: [PIC] Anyone using C Compiler for critical applications > > Now if there were reliable fly-by-wire systems on the other hand it'd be > dead simple to get, say, four data cables, hide them in the struts of > the tail, and setup a redundent comm protocol where by the time you've > lost communication your tail has fallen off anyway. In the context of > Vietnam, even a not all that reliable fly-by-wire system implementable > with current, cheap, digital technology would probably have failed less > often than the fly-by-cable system they had to use. Getting data to the actuators intact is a relatively simple task compared to maintaining the power source to the actuators (probably hydraulic on a heli or fixed wing craft). FWIW the Typhoon uses an optical network to reduce susceptibility to EMI weapons; "fly by light". Mike ======================================================================= This e-mail is intended for the person it is addressed to only. The information contained in it may be confidential and/or protected by law. If you are not the intended recipient of this message, you must not make any use of this information, or copy or show it to any person. Please contact us immediately to tell us that you have received this e-mail, and return the original to us. Any use, forwarding, printing or copying of this message is strictly prohibited. No part of this message can be considered a request for goods or services. =======================================================================

I have developed quite a bit of code that one might consider critical. Although not involving a risk to life or limb, a failure could end up in $millions of damage to hydroelectric generators. The largest such system runs on embedded x86 hardware. We use the Microsoft C++ compiler, and a proprietary operating system kernel that I developed that emulates enough of the Win32 environment to allow a single standard Windows executable to run. Basically, we protect ourselves in several ways: 1) Watch dog timers 2) Redundant systems 3) Careful, well reviewed, design 4) Testing 5) Testing 6) Testing 7) Testing .... n) Testing --- Bob Ammerman RAm Systems {Original Message removed}

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 17, 2008 at 05:05:20PM +0100, Michael Rigby-Jones wrote: {Quote hidden}> > Now if there were reliable fly-by-wire systems on the other hand it'd > be > > dead simple to get, say, four data cables, hide them in the struts of > > the tail, and setup a redundent comm protocol where by the time you've > > lost communication your tail has fallen off anyway. In the context of > > Vietnam, even a not all that reliable fly-by-wire system implementable > > with current, cheap, digital technology would probably have failed > less > > often than the fly-by-cable system they had to use. > > Getting data to the actuators intact is a relatively simple task > compared to maintaining the power source to the actuators (probably > hydraulic on a heli or fixed wing craft). Well in the original 'sioux' the power source is the cables themselves, one set for clockwise, another for anti-clockwise. These rotated a pully on the tail rotor to change the rotor pitch. To be exact, the sioux I've seen in person had *8* control cables, two sets of four. If this was for redundency, or some other reason, (tensioning? maximum pully diameter? common parts requirements?) I don't know, but they were spaced close together enough that a single piece of shrapnel would take them all out at once if your luck wasn't holding up. You are of course right, but given the probably low power requirements of that particular chopper, a electric servo motor, powered by wires running along-side the data cables should be fine. Usual redundency engineering challenge to take four power sources and make something reliable in the face of shorts and the like. Point being, the full solution could still conceivably weigh less, and still be more reliable than the alternative even with corners cut in the use of relatively off the shelf parts. All that said, I don't see a good electronic replacement for that single half inch and vulnerable drive shaft powering the back rotor... - -- peter[:-1]@petertodd.org http://petertodd.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIB3uE3bMhDbI9xWQRAvDfAJ9SKb4z4rBp88/e5PZMd8ikSCuJ7ACeI6ia VsB6qS12EMF0cfE2/i62zkk= =4zy1 -----END PGP SIGNATURE-----

On 4/17/08, James Salisbury <KILLspampiclistspamBeGonejsalisbury.clara.co.uk> wrote: > Hi all, > > My Vauxhall / GM Astra has an electrical power steering pump, lose that > and I can't turn the wheel.... Is that counted as drive by wire? Are you sure you can't? The power steering system is designed to assist the driver by boosting your effort. If it's a typical power steering in every other way, then you should be able to steer even when the pump is off. -Adam -- EARTH DAY 2008 Tuesday April 22 Save Money * Save Oil * Save Lives * Save the Planet http://www.driveslowly.org