Hello Ed .....

> This and maybe using a SSR to isolate the launch and Fuzing circuit will
> enhance the safety issue.
....
> Want to help?? The only real concern is SAFETY to prevent an accidental
> launch which might cause an injury. This can be avoided with some old
> fashioned design criteria and common sense. I have until December 24th to get
> this done. Any direction and comments would be greatly appreciated by the
> recipient and myself.
>
> Ed

About safety.

Use two separate channels (2 processors with 2 different programs, preferably by two different programmers), both handling all safety parameters in parallel. Each channel has one 2-pole positive action (safety) relay, where one pole is used for output in series with the other channel's relay. The other pole is used for cross-checking the relay outputs between the two channels (both channels are checking the other channel's relay). The processors should have a pulsed output to activate the safety relays, through for example a transformer (so that a static output can't activate the relay).

The two processors should have some sort of communication between them in order to be able to check each other (check that the programs are working and that they have the same result on safety related conclusions).

Use two separate sensors, one for each channel, for every safety related input. Design the input stage so the processors can check short circuited active inputs (one output can turn off the input stage; check that the processor input for the safety function can be set to the inactive state by the output when the safety sensor is activated). To control the actual input, make it dynamic (so that the program can check that it at some point is off and not shorted to the active state). For example, for a push button, initiate the action when the button is first pressed and then released. Or, for static inputs, have a maximum time difference between the two sensors (two channels) for them to be able to activate an event, and set it as a condition that the sensor must be deactivated at power up (so a short is detected).

All safety related electronics should be designed so that a failure in one component doesn't lead to a potentially dangerous state if it can't be discovered by the processors. Test that no potentially dangerous state can be initiated by a short circuit between any two pins/legs on any circuit or terminal. (If the short circuit isn't detected, restart the test with the pins shorted; do this up to three levels if another short circuit is undetected.) A processor which, when reading an output pin, reads the actual pin and not the output latch is good here.

In the program flow: Both channels continuously check each other through the communication lines. If the response is unexpected, put the channel that found the error in an interlocked state which can't be aborted and turn the safety relay off. Continuously check the other channel's relay; if it doesn't match this channel, go to the interlock state. Safety related RAM registers should continuously be checked that they can be changed and that a write to some other RAM register doesn't affect this register. At power up the integrity of the program should be checked by some sort of checksum test of the EPROM (can't be done in a PIC, use a SCENIX). Also, all instructions used by safety related functions should be checked at power up.

One channel could handle all the whistles and bells plus the safety and the other channel could handle just the safety.

This may sound a bit overworked but it is how a human safety device of category 4 is done for industrial purposes (light barriers, light curtains, emergency stops etc.)
--------------------------------------------
Ruben Jönsson
AB Liros Elektronik
Box 9124, 200 39 Malmö, Sweden
TEL INT +4640142078
FAX INT +4640947388
ruben@2.sbbs.se
--------------------------------------------