Date:      Fri, 12 Jun 1998 06:05:34 -0400 (EDT)
From:      Peter Dufault <dufault@hda.com>
To:        jb@cimlogic.com.au (John Birrell)
Cc:        luigi@labinfo.iet.unipi.it, jb@cimlogic.com.au, mike@smith.net.au, current@FreeBSD.ORG
Subject:   Re: floating point usage within the kernel - howto ?
Message-ID:  <199806121005.GAA28797@hda.hda.com>
In-Reply-To: <199806110933.TAA18520@cimlogic.com.au> from John Birrell at "Jun 11, 98 07:33:27 pm"

> Luigi Rizzo wrote:
> > (and, last not least, robotics people tend to have a
> > lot of money just because their hardware costs so much :)
> 
> If it is robotics, where is the double redundant safety implemented?
> Are they actually moving mass around?

What's your point here?

The rule we use for a fail-safe system is roughly:

Any detectable single point failure (undetectable failures can't
be discounted and you must design for multiple undetected faults
and a single detectable fault) must result in the system entering
its safe state within the fault tolerance time associated with the
failure.  The fault tolerance time is the smallest amount of time
that any hazard resulting from the fault can be tolerated.

A fail safe system could be implemented with FreeBSD.  You'd have
a small safety kernel, you'd have to have ways of demonstrating
that it was running when it was supposed to and doing what it was
supposed to, and you'd have to design the software/hardware/mechanics
appropriately.  I'm not saying this is easy or that I'd do it, but
there is nothing inherently stopping you, especially in a research
setting.

Consider building the contrived failsafe system of an elevator
powered by giant superconducting linear motors commutated by
software.  The faults that result in the hazard "system accelerates
to .85g" are addressed by the existing mechanical braking system
invented by Otis 100 years ago as long as the motors can be
demonstrated as being incapable of overcoming the brakes and as
long as you have a way of demonstrating there is no second fault
associated with the brakes.  The annoyed and scared customers are then
removed by the fire department over a few hours, so it better
not happen very often.

A fault tolerant system is much more difficult to build and will
typically be built out of multiple fail safe systems.

Peter

-- 
Peter Dufault (dufault@hda.com)   Realtime development, Machine control,
HD Associates, Inc.               Safety critical systems, Agency approval

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
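The fail-safe rule Peter states (a detectable fault must put the system into its safe state within that fault's tolerance time, and the safety kernel must be shown to be running when it is supposed to) can be expressed as a small monitor. The following C is an added example written for this archive page; it is not Peter Dufault's code, HD Associates' code, or anything from FreeBSD. The fault names, the tolerance times (50 ms, 200 ms) and the heartbeat period are constructed values, and time is passed in as a caller-supplied monotonic millisecond counter so the logic is deterministic and runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ms_t;   /* monotonic milliseconds, supplied by the caller */

/* Detectable faults this monitor knows about (constructed for the example). */
enum fault_id { FAULT_NONE = 0, FAULT_OVERSPEED, FAULT_HEARTBEAT, FAULT_COUNT };

struct fault_class {
    const char *name;
    ms_t tolerance_ms;    /* fault tolerance time: longest the hazard may persist */
};

static const struct fault_class fault_table[FAULT_COUNT] = {
    [FAULT_NONE]      = { "no fault", 0 },
    [FAULT_OVERSPEED] = { "motor overspeed", 50 },                     /* constructed */
    [FAULT_HEARTBEAT] = { "safety kernel heartbeat missed", 200 },     /* constructed */
};

struct safety_monitor {
    ms_t heartbeat_period;      /* how often the safety kernel must check in */
    ms_t last_heartbeat;
    enum fault_id first_fault;  /* first detectable fault seen; starts the clock */
    ms_t fault_detected_at;
    bool safe_state;            /* drive disabled, brakes applied and confirmed */
    ms_t safe_state_at;
};

void sm_init(struct safety_monitor *sm, ms_t now, ms_t heartbeat_period) {
    sm->heartbeat_period = heartbeat_period;
    sm->last_heartbeat = now;
    sm->first_fault = FAULT_NONE;
    sm->fault_detected_at = 0;
    sm->safe_state = false;
    sm->safe_state_at = 0;
}

/* The safety kernel calls this on every cycle it completes. */
void sm_heartbeat(struct safety_monitor *sm, ms_t now) { sm->last_heartbeat = now; }

/* Detection logic reports a fault; the tolerance clock starts at the first one.
 * Commanding the actuators happens here in a real system; confirmation that the
 * safe state was actually reached comes back through sm_confirm_safe_state(). */
void sm_report_fault(struct safety_monitor *sm, enum fault_id f, ms_t now) {
    if (f == FAULT_NONE || f >= FAULT_COUNT) return;
    if (sm->first_fault == FAULT_NONE) {
        sm->first_fault = f;
        sm->fault_detected_at = now;
    }
}

/* Periodic tick from an independent timer: a missed heartbeat is itself a
 * detectable fault, which is how "is the safety kernel running?" is demonstrated. */
void sm_tick(struct safety_monitor *sm, ms_t now) {
    if (now - sm->last_heartbeat > sm->heartbeat_period)
        sm_report_fault(sm, FAULT_HEARTBEAT, now);
}

void sm_confirm_safe_state(struct safety_monitor *sm, ms_t now) {
    if (!sm->safe_state) {
        sm->safe_state = true;
        sm->safe_state_at = now;
    }
}

/* Latest instant by which the safe state must have been reached. */
ms_t sm_deadline(const struct safety_monitor *sm) {
    return sm->fault_detected_at + fault_table[sm->first_fault].tolerance_ms;
}

/* True while a fault is pending and its tolerance time has already run out. */
bool sm_overdue(const struct safety_monitor *sm, ms_t now) {
    return sm->first_fault != FAULT_NONE && !sm->safe_state && now > sm_deadline(sm);
}

/* The rule itself: safe state entered no later than the deadline. */
bool sm_rule_satisfied(const struct safety_monitor *sm) {
    if (sm->first_fault == FAULT_NONE) return true;   /* nothing to enforce yet */
    if (!sm->safe_state) return false;
    return sm->safe_state_at <= sm_deadline(sm);
}

/* Scenario 1 (constructed): overspeed detected at t=1000 ms, brakes confirmed
 * brake_latency_ms later. Returns whether the rule held. */
bool demo_overspeed(ms_t brake_latency_ms) {
    struct safety_monitor m;
    sm_init(&m, 0, 100);
    sm_heartbeat(&m, 950);
    sm_report_fault(&m, FAULT_OVERSPEED, 1000);
    sm_confirm_safe_state(&m, 1000 + brake_latency_ms);
    return sm_rule_satisfied(&m);
}

/* Scenario 2 (constructed): the safety kernel stops checking in. Returns the
 * tick time at which the missed heartbeat was logged as a fault, 0 if none. */
ms_t demo_heartbeat_miss(void) {
    struct safety_monitor m;
    sm_init(&m, 0, 100);
    sm_heartbeat(&m, 100);
    sm_heartbeat(&m, 200);
    sm_tick(&m, 250);   /* 50 ms since the last beat: within period */
    sm_tick(&m, 350);   /* 150 ms: missed, logged as FAULT_HEARTBEAT */
    return m.first_fault == FAULT_HEARTBEAT ? m.fault_detected_at : 0;
}

int main(void) {
    printf("overspeed, brakes in 30 ms: rule %s\n", demo_overspeed(30) ? "held" : "violated");
    printf("overspeed, brakes in 80 ms: rule %s\n", demo_overspeed(80) ? "held" : "violated");
    printf("heartbeat miss detected at t=%u ms\n", (unsigned)demo_heartbeat_miss());
    return 0;
}
```

The monitor only covers the detectable-fault half of the rule; the undetected faults Peter mentions are handled by design (redundancy, the mechanical brake in his elevator example), not by anything a monitor can observe, which is why the tick source and the heartbeat must be independent of the kernel they are checking.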