Quote: (Originally Posted by Genesis)
If the CPU is in the handset, then the base is a dumb brick without it.
Not in our designs. The DL Open Revolution submission has a full controller in the base (in fact two independent controllers, one in FPGA and one in microcontroller), and two in the handset.
Quote: (Originally Posted by Genesis)
If the handset is just a display device then losing it costs you the ability to see what the CPU is doing, which IMHO is a critical failure (inability of the "big brain" to see what the "little brain" is doing means you have lost redundant thinking.)
Which is why there is a HUD, which is not driven from the handset, and it is why the HUD has voice annunciation.
You make a series of assertions based on contemporary designs which fall into an uncomfortable middle ground: a system that neither demands the user do everything (e.g. KISS-style CCRs), nor protects the user under all conditions (Open Revolution compliant eCCRs). As another user on this forum wisely pointed out, either end is OK and safe; anywhere in the middle is not. It is worth stepping back and looking at what EN61508 demands, and one thing it does demand is a change in design philosophy. With all due respect, you are adopting the middle ground, and if you do that, I, or anyone a coroner picks, will be able to find lots of errors. If you take either of the extremes, there should be no errors to find. For a KISS that is easy; for a unit that does things for the diver, it must meet EN61508 (in Europe), and if it does that, none of the assertions you make are true (assertion in the maths sense, i.e. a hypothesis).
Quote: (Originally Posted by Genesis)
It IS possible (and not terribly hard) to design a display that will not blow up the controller if it is shorted randomly by water intrusion. There are trade-offs that come with the CPU in the head, however, so there's no "free lunch".
Very few handsets actually explode. The Open Revolution handset cannot explode, it just can fail (not work), and the base then does the appropriate thing instead.
Quote: (Originally Posted by Genesis)
Your electronics pod is allowed to float at loop pressure? That is certainly different! If you conformal coat the board(s) then you're still hard encapsulated, it's just thinner than a "full potting".
There is a conformal coat, but you cannot say it is full potting. We keep electronics in silicone oil.
Quote: (Originally Posted by Genesis)
That's simply not true. The resistor can be shorted across, in which case its protective value is lost. This is like saying "well, the input resistance on the ADC is 500 Mohms, so it's isolated". Uh, only until the ADC fails!
To get a voltage on the cell, the resistor would have to fail short. 100K SMD resistors do not fail short; they fail open.
Even if, by some new physical phenomenon, it were to fail short, that is OK. If the ADC failed as well, then a voltage could appear across the sensor, taking out one sensor. The sensor is out of range for the depth and therefore is ignored. There are 4 sensors fitted to the O.R. submission. Only one needs to work. There are two ADCs to achieve the billion hours (based on MTBF of the ADCs in military conditions).
Quote: (Originally Posted by Genesis)
While discretes certainly have less failure risk than ICs, neither are generally considered likely to fail unless something "bad" happens to them externally (e.g. ESD, exposure to moisture, etc.).
No guesswork needed. We published the full calculation of the MTBF and MTBCF and how we calculated it in our Open Revolution submission. It achieves 2.9 billion hours. Please point out where the error is.
Quote: (Originally Posted by Genesis)
But you CAN'T completely bury the trace. You can run it down an internal plane and place guards around it, BUT it has to surface to be connected to the sensor!
It is connected to the centre pin of an SMB connector, which itself has 4 ground guard pins. You can flood it and there is no potential on the pin.
Quote: (Originally Posted by Genesis)
Yes, I understand the concept of guarding signal channels that cannot withstand V+ excursions and all; however, I argue that there is no such thing as a guarantee if that circuitry is exposed to seawater and it penetrates either the housing or the encapsulation.
Yes, there is. One simply designs it properly and then tests it for exactly those conditions.
Quote: (Originally Posted by Genesis)
At some point you have to bring the trace out of the inside of the board.
See above. It comes out on the centre pin of an SMB connector, with the 4 ground guard pins.
Quote: (Originally Posted by Genesis)
THEORETICALLY it is impossible for there to be a V+ short to the K1's sensors.
If you say the trace is fully guarded with ground, and you have a big enough series resistor, then that is probably true. If either of those assumptions are false, then your statement is not true.
Quote: (Originally Posted by Genesis)
I say theoretically because the head amplifier/ADC board is encapsulated in a solid potting compound, and therefore, in order for water to get to the traces and cause the short it has to get inside the potting compound and yet miss the guards, while bridging the connections. Impossible, right?
Not quite. It depends on your ESD arrangements. You said you use shunts, which have not been tested for ESD, and in that case, if the chip fails from ESD, you may well find +ve on your sensor.
Quote: (Originally Posted by Genesis)
You can be damn defensive but I'm not sold on the concept that you can be COMPLETELY certain.
So please, tell me the mechanism by which +ve gets onto the Open Revolution sensors, and its probability. The latter is easy to calculate if you can identify the former (I will do it for you). By reducing things to basic principles and maths, one can be certain. Maths is the only true science, with black and whites.
Quote: (Originally Posted by Genesis)
One of the tests I did with the K1's head unit was to submerge the WHOLE THING, sensors and all, in seawater, with the power on, after potting and all (that is, "as assembled"). It continued to work, and when I rinsed off the sensors with fresh water they returned to normal too. No visible harm.
Good. Glad you tested that. Now try testing the ESD structure.
Quote: (Originally Posted by Genesis)
My view is that the controller should never display data it is not reasonably confident in. For example, it is not possible to discern if all three sensors go tits up at the same time in the same way.
Yes it is: you have 4. Or you check they work every minute using the PPO2 controller.
Quote: (Originally Posted by Genesis)
If they ALL tell you the PO2 is 1.0 when it really is 1.3, yet when you inject O2 and expect to see a 0.2 rise you do, well, that's kinda tough to detect.
It is not hard at all, and is just what the O.R. unit from DL does. Sensors and injectors are part of the same checking system.
Quote: (Originally Posted by Genesis)
The K1's philosophy is not to filter display values unless necessary for some reason, so you can see the response of the sensors.
So you sit in the middle ground, passing some things to the user and some things you handle in the K1. Uncomfortable place. We simply pass the right result to the user. Much more work in doing that, but that is the only way of sticking to the principle.
Quote: (Originally Posted by Genesis)
In general I like having the big brain with true control. If the unit is making decisions I want it to still "expose" the data it's using, rather than filtering it for display purposes, and I also want it to raise hell if it has any reason to be uncertain of what it's doing (e.g. two cells read 1.4, one reads 0.15 - which one's right? If it's the 0.15 and you don't inject, the user dies! If the 1.4 ones are right and you inject enough to bring the 0.15 up, you may kill the user with a tox event!) You CAN'T let that sort of situation occur without alerting the user that the "best guess" may be wrong, and he better use the big computer between the ears.
If the unit is designed properly, it should have many orders of magnitude better performance in determining when the sensors are working and what is the answer than a user looking and second guessing. The controller should detect immediately when sensors fail. The first step is using sensors that do not fail in either high or low states.
Quote: (Originally Posted by Genesis)
I look at the electronics as a guide, not a God. The nature of electronics around seawater, along with O2 sensors that have known failure modes which do not meet the reliability requirements to be truly trusted, IMHO make this approach almost mandatory.
It makes your approach dangerous: it puts the unit in the middle ground. MTBFs, HAZOPs and proper FMECAs are a process that allows engineers to pin hard numbers for probability on what they design. Without these, it is a complete guess what the safety is, and the Second Law of Thermodynamics (the most universal law in the universe) dictates that the guess falls against you more often than in your favour. Do publish everything (as K1 is, I thought), but do the sums and publish them too!
Quote: (Originally Posted by Genesis)
In addition, I do not believe that it is possible to build a system that cannot be compromised.
Agree, but safety engineering is all about putting a probability on the frequency of compromise.
Quote: (Originally Posted by Genesis)
A physical failure of the loop is ALWAYS possible. For this reason I find the idea of a "safe" unit (e.g. one that can be dove safely without bailout) to be wishful thinking.
One always needs bail out. Each of our design philosophies embodies that, but some do not, and some take different views on forcing the user to use the bail out ...
Alex
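The cell-handling rules argued over in this exchange (a cell reading out of range for the depth is ignored rather than believed, only one of four cells needs to survive, the injector and the cells form one checking system, and the controller should refuse to show a number it cannot trust) can be sketched as a small monitor routine. This is an added example and not code from Deep Life, the Open Revolution submission or the K1; the thresholds, function names and sample readings are assumptions chosen for illustration. It goes a little beyond the post in one respect: when the surviving cells split into two equal camps (the 1.4/1.4/0.15/0.15 kind of case) it returns no consensus at all, so the caller alarms instead of guessing.

```python
"""Plausibility, voting and injection-response checks for a 4-cell PPO2 monitor.

Added illustration only: not code from Deep Life, the Open Revolution
submission or the K1.  All thresholds and sample readings are assumptions.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Tuple

# Assumed thresholds (example values, not a published specification).
PPO2_MAX_SLACK_BAR = 0.05       # a cell may exceed ambient by at most this much
PPO2_MIN_BAR = 0.05             # a breathable loop never reads below this
VOTE_TOLERANCE_BAR = 0.10       # a cell this far from the median is suspect
MIN_INJECTION_RESPONSE = 0.5    # fraction of the expected rise a live cell must show


@dataclass
class CellStatus:
    index: int
    reading: float
    reasons: List[str] = field(default_factory=list)  # empty means the cell is trusted

    @property
    def valid(self) -> bool:
        return not self.reasons


def plausibility_check(readings: List[float], ambient_bar: float) -> List[CellStatus]:
    """Reject readings that are physically impossible at this depth.

    PPO2 cannot exceed the ambient absolute pressure (that would be more than
    100% oxygen), so a cell reading above ambient is out of range for the depth
    and is ignored instead of being displayed or acted on.
    """
    statuses = []
    for i, r in enumerate(readings):
        s = CellStatus(i, r)
        if r > ambient_bar + PPO2_MAX_SLACK_BAR:
            s.reasons.append("above ambient pressure: impossible at this depth")
        if r < PPO2_MIN_BAR:
            s.reasons.append("below minimum plausible PPO2")
        statuses.append(s)
    return statuses


def injection_response_check(previous: List[float], current: List[float],
                             expected_rise_bar: float,
                             statuses: List[CellStatus]) -> None:
    """After a known O2 injection every trusted cell must show a rise.

    A cell that stayed flat while the loop PPO2 rose is unresponsive (stuck,
    flooded or disconnected) and is dropped from the vote.  This does not
    detect a scale error common to all cells; it only catches dead cells.
    """
    for s in statuses:
        if not s.valid:
            continue
        rise = current[s.index] - previous[s.index]
        if rise < MIN_INJECTION_RESPONSE * expected_rise_bar:
            s.reasons.append(f"no response to O2 injection (rise {rise:.2f} bar)")


def vote(statuses: List[CellStatus]) -> Optional[float]:
    """Median of the trusted cells, with outliers flagged and removed.

    Returns None when no cell survives, or when the survivors disagree so
    badly that every one of them is an outlier from their joint median; the
    caller must then alarm rather than display a figure it cannot trust.
    """
    live = [s for s in statuses if s.valid]
    if not live:
        return None
    consensus = median(s.reading for s in live)
    for s in live:
        if abs(s.reading - consensus) > VOTE_TOLERANCE_BAR:
            s.reasons.append(f"disagrees with median {consensus:.2f} bar")
    live = [s for s in statuses if s.valid]
    return median(s.reading for s in live) if live else None


def evaluate(readings: List[float], ambient_bar: float,
             previous: Optional[List[float]] = None,
             expected_rise_bar: float = 0.0) -> Tuple[Optional[float], List[CellStatus]]:
    """Run all checks; `previous` is the reading set taken before an O2 injection."""
    statuses = plausibility_check(readings, ambient_bar)
    if previous is not None:
        injection_response_check(previous, readings, expected_rise_bar, statuses)
    return vote(statuses), statuses


if __name__ == "__main__":
    # Constructed sample: 40 m (5.0 bar ambient), one cell reading 0.15 bar.
    consensus, cells = evaluate([1.30, 1.28, 1.31, 0.15], ambient_bar=5.0)
    print("consensus:", consensus)
    for c in cells:
        print(f"cell {c.index}: {c.reading:.2f} bar", "OK" if c.valid else c.reasons)
```

The split-vote case is the one worth studying: with cells at 1.4, 1.4, 0.15, 0.15 the median lands between the two camps, every cell is an outlier from it, and `evaluate` returns `None`; the controller cannot pick a winner from the cells alone and has to alarm or fall back on the injection test rather than inject on a guess.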