I am not expert in safety critical systems - just a retired electronics engineer. The concept of triple-redundancy with systems developed by separate teams is the architecture of control systems for things such as fly-by-wire aircraft and nuclear reactors. It applies to any system where an electronic control system intervenes between a human controller and a dangerous system, where the control system could put the system into a dangerous state independently of the actions of the human controller. The circumstance could be any type of hardware or software failure. The idea of using separate teams is to ensure that a design fault doesn't cause all three redundant systems to fail simultaneously. The concept has nothing to do with MicroPython or any specific implementation detail. Any computer can crash.

metri wrote: ↑Sun Mar 01, 2020 1:43 pm
Is your concern in general about micro-controllers, or because this one is using microPython? I'm also curious about systems like self-balancing unicycles, how much redundancy do they have? I point out that one in particular as the high speed ones can go 50km/h and can't coast. Do you feel most electric motor controllers for E-bikes have this much redundancy built in?...
The architecture has practical difficulties, notably the design of the majority voter. This is well above my pay grade.
I have no idea which practical systems conform to this concept. I doubt cheap Chinese unicycles do, and I wouldn't ride one in circumstances where malfunction would cause serious injury. I'm talking protective clothing and an open area free of obstacles. In the worst-case you can jump off. A motorcycle in traffic does not have that guaranteed get-out.
I would very much hope that cars with "fly by wire" throttles or brakes conform. As for e-bikes, if there's a processor between the throttle and the motor, I would hope so. But ultimately the motor will be driven by electronics like a PWM controller. Hard to implement redundancy there, but a semiconductor could fail. You've raised a very interesting question; alas I don't know the answer.
Would I want to trust my life to a PWM controller of unknown origin??
As an amateur I wouldn't touch a control system with safety critical implications. My self-balancing robot fell over often enough, and it had only itself to hurt.