From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_05,INVALID_MSGID autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: f849b,167419cb5887cd4c X-Google-Attributes: gidf849b,public X-Google-Thread: 115aec,5495dac456fa22ef X-Google-Attributes: gid115aec,public X-Google-Thread: 103376,5495dac456fa22ef X-Google-Attributes: gid103376,public From: Marin David Condic Subject: Re: Processor Synchronization Date: 1999/01/22 Message-ID: <36A885AA.F6160D2F@pwfl.com>#1/1 X-Deja-AN: 435632611 Content-Transfer-Encoding: 7bit Sender: condicma@bogon.pwfl.com References: <36A509DB.95F62C0B@pwfl.com> <36A51F3A.2207F91@west.raytheon.com> <36A602E0.DA6E298F@pwfl.com> <36a83fe3.3666942@news.geccs.gecm.com> To: Brian Orpin Content-Type: text/plain; charset=us-ascii Organization: Pratt & Whitney Mime-Version: 1.0 Reply-To: diespammer@pwfl.com Newsgroups: comp.lang.ada,comp.realtime,comp.arch.embedded Date: 1999-01-22T00:00:00+00:00 List-Id: Brian Orpin wrote: > > OK maybe I am being thick here but isn't the discrete a single point of > failure? If that goes which processor takes over and how does it know it > should and that it isn't just the link that has gone down? If both > processors check for instability and take over if it is detected do they > need to be closely synchronised? Of course it is impossible to describe the entirety of our architecture in a newsgroup post, so expect some inaccuracy. Also, I am describing an "in general" architecture that is used by our controls. The control for the F119 engine (Advanced Tactical Fighter) actually has three processors per channel and two channels. (much more complex sync problem!) The Joint Strike Fighter is yet again even more complex. So it is hard to give you a schematic here in a post which can't be picked apart. Yes, the discrete between both channels would be a single point failure, but not one that necessarily causes the control to fail catastrophically. If the discrete goes down (assuming you have no other means of communicating between the two channels, which we do - a manchester data link.) you can at least reason about what to do next: I know I'm alive. The other guy may be dead or alive. If he's dead and I take control, that's cool. If he's alive and I take control, is that bad? Are the actuators dual active? Are there any ways of determining if the other side is still controlling the actuators?, etc... In any event, you're not necessarily putting a pilot in the drink or blowing up a billion dollar space payload because a wire broke loose between the two channels. I hope that sheds a little light on it. It really becomes a fascinating problem when you get into the FDA aspects of the control and the system it runs! MDC -- Marin David Condic Real Time & Embedded Systems, Propulsion Systems Analysis United Technologies, Pratt & Whitney, Large Military Engines M/S 731-95, P.O.B. 109600, West Palm Beach, FL, 33410-9600 Ph: 561.796.8997 Fx: 561.796.4669 ***To reply, remove "bogon" from the domain name.*** "Airplanes are interesting toys but of no military value." -- Marechal Ferdinand Foch, Professor of Strategy, Ecole Superieure de Guerre.