Ruben Joensson wrote:

-big snip of a very thorough safety strategy-

> At power up the integrity of the program should be checked by some
> sort of checksum test of the EPROM (can't be done in a PIC, use a SCENIX).

I have not used a PIC17, but I believe we can use the table read to read all program memory?

For PIC16, I have been thinking: as we have two processors, they might be able to set each other in serial programming mode and read each other by use of little external hardware... No, much better use PIC17 or other processor...

I want to add:

The program memory check should be run now and then, as the EPROM slowly degrades by age, and it is probably more possible that the first erroneous reading will take place during normal execution (!), as the EPROM is sensitive to both voltage and temperature (and supply noise too), which will vary during execution.

To achieve a margin, we better test the EPROM at slightly worse conditions than when running the safety routines. Therefore, the testing should be run at both slightly lower and slightly higher supply voltage, trying to stress up errors of "0" and "1" bits respectively.

This can easily be achieved, as one pin can via a resistor be connected to the voltage regulator feedback loop (i.e. on an LM317 regulator), and use all three states (High/Tristate/Low). Take care in design so there is not too fast change or overshoot.

Timing proposal:

RESET:
    Initialize to output "safety violated" state
    Set lower voltage
    wait to stabilize voltage   (sleep, and wake on timer interrupt?)
    -Check system-
    Set normal voltage          ;Two-step to minimize overshoot
    wait to stabilize voltage   ;
    Set higher voltage          ;
    wait to stabilize voltage   ;
    -Check system-
MAIN:
    Set normal voltage
    wait to stabilize voltage
    [Run a safety pass]
    Set lower voltage
    wait to stabilize voltage
    -Check system-
    Set normal voltage
    wait to stabilize voltage
    [Run a safety pass]
    Set higher voltage
    wait to stabilize voltage
    -Check system-
    GOTO MAIN

Also, all these "-Check system-" routines above should check EEPROM to a checksum, and also test as much as possible of the rest of the chip (all that possibly can be tested-restored, or checksum compared etc), like XOR FF twice to every RAM and see if it still reads the same. Check if timer or other things give interrupt correctly, etc. Also run a small routine that uses all CPU hardware and see that it always gives the right result. Best also to run for different input values.

I wonder what Mchip use to test the chips; they should be able to tell a complete chip test scheme for every processor :)

Best also to test external circuitry during over/under voltage.

The test routine can of course be split to do part of the test each time. Also the safety routines might sometimes temporarily be too busy doing something, but when finished, continue with the system check. (safety: max time set by watchdog)

I think I better stop now... I was going to suggest a small simple RF sweep oscillator that the PIC enables to inject noise on supply during test... Oops.. I did ;)

I have never used anything except watchdog and brown-out yet...

BTW, a better watchdog might be good, like one that needs toggling within defined time high and low *windows*. So, also talking too much with the watchdog causes reset. I believe Maxim or LTC make them. Or wire your own. Or, maybe cheapest, use an 8-pin PIC!

Regards
/Morgan

/ Morgan Olsson, MORGANS REGLERTEKNIK, SE-277 35 KIVIK, SWEDEN \
\ mrt@iname.com    ph +46(0)414 70741    fax +46(0)414 70331    /
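The three checks sketched in the post (program-memory checksum, the "XOR FF twice" RAM test, and a windowed watchdog) as an added C example that is not part of the original message or any PIC library; the memory image, the degraded byte, the scratch RAM and the watchdog window are constructed for illustration, and the supply-voltage stepping around each -Check system- call is left to the hardware.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed program-memory image (not real PIC code): the last byte is an 8-bit
 * two's-complement checksum chosen so that all bytes sum to zero (mod 256). */
static const uint8_t prog_image[16] = {
    0x28, 0x05, 0x30, 0xFF, 0x00, 0x86, 0x0A, 0x28,
    0x01, 0x1E, 0x83, 0x16, 0x83, 0x00, 0x00, 0xB1 };
/* Same image with one bit of byte 3 dropped, as an aged EPROM cell might read. */
static const uint8_t degraded_image[16] = {
    0x28, 0x05, 0x30, 0xFB, 0x00, 0x86, 0x0A, 0x28,
    0x01, 0x1E, 0x83, 0x16, 0x83, 0x00, 0x00, 0xB1 };
static uint8_t scratch_ram[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed RAM */

/* Program-memory check; on a PIC17 the reads would go through table reads. */
int prog_check(const uint8_t *img, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += img[i];
    return sum == 0;                 /* 1 = intact, 0 = checksum mismatch */
}

/* "XOR FF twice to every RAM": invert each cell, read it back, invert again,
 * read back. The intermediate read matters: a bit stuck at its original value
 * would look fine after the second inversion alone. Contents are preserved. */
int ram_check(volatile uint8_t *ram, size_t len) {
    for (size_t i = 0; i < len; i++) {
        uint8_t orig = ram[i];
        ram[i] = (uint8_t)(orig ^ 0xFF);
        if (ram[i] != (uint8_t)(orig ^ 0xFF)) return 0;
        ram[i] = (uint8_t)(ram[i] ^ 0xFF);
        if (ram[i] != orig) return 0;
    }
    return 1;
}

/* Windowed watchdog: a kick is accepted only if it lands win_min..win_max ticks
 * after the previous one; too early ("talking too much") or too late both reset. */
typedef struct { uint32_t last_kick, win_min, win_max; int reset; } wdt_t;
void wdt_kick(wdt_t *w, uint32_t now) {
    uint32_t dt = now - w->last_kick;
    if (dt < w->win_min || dt > w->win_max) w->reset = 1;
    w->last_kick = now;
}
/* Scenario: two well-timed kicks, then one that comes far too early. */
int wdt_rejects_early_kick(void) {
    wdt_t w = { 0, 80, 120, 0 };
    wdt_kick(&w, 100); wdt_kick(&w, 200);   /* dt = 100 each, inside the window */
    if (w.reset) return 0;
    wdt_kick(&w, 230);                      /* dt = 30, below win_min */
    return w.reset == 1;
}
```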