The chips that I mentioned use static memory with ECC. Of course,
ECC circuitry may fail. There may be error undetected by ECC.
The two cores may have the same error or comparison circuitry
may fail to detect the difference. Each may happen, but each
is much less likely to happen than simple transient error.
Detecting such thing looks easy. Recovery is tricky, because
if you have spare FET and activate it there is good chance that
it will fail due to the same reason that the first FET failed.
OTOH, if you have propely designed circuit around the FET,
disturbance strong enough to kill the FET is likely to kill
the controller too.
Use 3 (or more) and voting. Of course, this increases cost and one
have to judge if increase of cost is worth increase in safety
(in self-driving car using multiple sensors looks like no-brainer,
but if this is just an assist to increase driver comfort then
result may be different).
Sure. But for common failures or serious failures having non-negligible
pobability redundancy may offer cheap way to increase reliability.
It does not matter if handover _always_ works. What matter is
if system with handover has lower chance of failure than
system without handover. Having statistics of actual failures
(which I do not have but manufacturers should have) and
after some testing one can estimate failure probablity of
different designs and possibly decide to use handover.
You may have tests essentially as part of normal operation.
Of course, if you have single-tasked design with a task which
must be "always" ready to respond, then running test becomes
more complicated. But in most designs you can spare enough
time slots to run tests during normal operation. Tests may
interfere with normal operation, but here we are in domain
specific teritory: sometimes result of operation give enough
assurance that device is operating correctly. And if testing
for correct operation is impossible, then there is nothing to
do, I certainly do not promise to deliver impossible.

"Opportunistic" seems to work well -- *if* you declare the resources
you will need and wait until you can acquire them.

The downside is that you may NEVER be able to acquire them,
based on what processes are active on a node. You wouldn't want
the diagnostic task to have to KNOW those things!

As different tests may require different resources, this
becomes problematic; do you request the largest set? A
smaller set? Or, design a mechanism to allow for arbitrarily
complex combinations to be specified <frown>

This became apparent when running the DRAM test using the
DRAM emulator (non-production board designed to validate the
DRAM test by allowing arbitrary fault injection, on demand).
While it was known that *some* tests could NOT be run out of
DRAM (which limits their efficacy in a running system), there
were other system resources that were "silently" called upon
that would have impacted other coexecuting tasks. <frown>

The good news (wrt DRAM testing) is that checking for "stuck at"
faults -- the most prevalent described in published research -- makes
no special needs for resources, beyond access to DRAM!

Moral of story: CAREFULLY enumerate (and declare) ALL such
resources. And, consider how realistic it is to expect
ALL of them to be available serendipitously in a given node.

Else, resort to *scheduling* the diagnostic ("maintenance period")

Significant loss? From a doorbell failing to ring? Are you
sure YOUR doorbell has rung EVERY time someone pressed the button?
But things can *still* "fail to perform". That;s the whole point of
runtime diagnostics; to notice a failure that the user may NOT!
If you can take remedial action, then you have a notification that
it is needed. If this requires the assistance of the user, then
you can REQUEST that. If you can offload some of the responsibilities
of the device (something that I can do, dynamically), then you
can elect to do so. If you can do nothing to keep the device in
service, then you can alert the user of the need for replacement.

*NOT* knowing of a fault means you gleefully keep operating as
if everything was fine.
But bugs need not be consequential. They may be undesirable or
even annoying but need not have associated "costs".

I have a cassette deck (Nakamichi Dragon) that has a design flaw.
When the tape reaches the end of side "A", it is supposed to
autoreverse and play the "back side". So, the revolutions
counter counts *up* while playing side A and then back down
while playing side B.

However, if you eject the tape just as side A finishes and
physically flip it over (so side B is the "front" side)
pressing FORWARD PLAY (which is the direction that the
reels were moving while the tape counter was counting UP),
the tape will move FORWARD but the reels will count backwards.

If you had removed the tape and placed some OTHER tape in
the mechanism, the same behavior results (obviously) -- moving
forward but counting backwards. If you turn the deck OFF
and then back ON, the tape counter moves correctly.

How am I harmed by this? To what monetary extent? It's
a race in the hardware & software (the tape counter is
implemented in a separate MCU). I can avoid the problem
by NOT ejecting the tape just after the completion of
side A...
If you have memory protection hardware (I do), then such changes
can't casually occur; the software has to make a deliberate
attempt to tell the memory controller to allow such a change.
Really? Wanna bet that doesn't happen? How many Linux-based devices
load applications and start a process to continuously verify the
integrity of the TEXT segment?

What are they going to do if they notice a discrepancy? Reload
the application and hope it avoids any "soft spots" in memory?
Then you are dealing with high reliability designs. Do you
really think my microwave oven, stove, furnace, telephone,
etc. are designed to be resilient to those types of faults?
Do you think the user could detect such an occurrence?
Studies suggest that temperature doesn't play the role that
was suspected. What ECC does is give you *data* about faults.
Without it, you have no way to know about faults /as they
occur/.

Testing tries to address faults at different points in their
lifespans. Predictive Failure Analysis tries to alert to the
likelihood of *impending* failures BEFORE they occur. So,
whatever remedial action you might take can happen BEFORE
something has failed. POST serves a similar role but tries to
catch failures that have *occurred* before they can affect the
operation of the device. BIST gives the user a way of making
that determination (or receiving reassurance) "on demand".
Run time diagnostics address testing while the device wants
to remain in operation.

What you *do* about a failure is up to you, your market and the
expectations of your users. If a battery fails in SOME of my
UPSs, they simply won't power on (and, if the periodic run-time
test is enabled, that test will cause them to unceremoniously
power themselves OFF as they try to switch to battery power).
Other UPSs will provide an alert (audible/visual/log message)
of the fact but give me the option of continuing to POWER
those devices in the absence of backup protection.

The latter is far more preferable to me as I can then decide
when/if I want to replace the batteries without being forced
to do so, *now*.

The same is not true of smoke/CO detectors; when they detect
a failed (failING battery), they are increasingly annoying
in their insistence that the problem be addressed, now.
So much so, that it leads to deaths due to the detector
being taken out of service to stop the damn bleating.

I have a great deal of latitude in how I handle failures.
For example, I can busy-out more than 90% of the RAM in a device
(if something suggested that it was unreliable) and *still*
provide the functionality of that node -- by running the code
on another node and leaving just the hardware drivers associated
with *this* node in place. So, I can alert a user that a
particular device is in need of service -- yet, continue
to provide the services that were associated with that device.
IMO, this is the best of all possible "failure" scenarios;
the worst being NOT knowing that something is misbehaving.

You missed my "to some extent" qualifier. It allows you to make
the case /to that jury/ that you *thought* about the potential
problems and made a concerted attempt to address them. Contrast
that with "Didn't it occur to the manufacturer that a customer
might LIKELY use their device in THIS manner, resulting in
THESE sorts of problems?"

You can never understand how a device can be "misapplied". But,
not making ANY attempt to address "off label" uses is sure to
result in a hostile attitude from those judging your behavior:
"So, you made HOW MUCH money off this product and still
couldn't afford the time/effort to have considered these issues?"

"Small fish" are seldom targeted by such lawsuits as they have
few assets and can fold without consequences to their owners.
But you still have to demonstrate a loss. And, be able to
argue some particular value to that loss. "Well, MAYBE
Publishers' Clearinghouse came to my house to give me that
oversized/cartoon check but the doorbell MIGHT not have
rung. So, I want '$3000/week for life' as compensation..."

On Sun, 20 Oct 2024 19:11:31 +0200, Nioclásán Caileán de Ghlostéir
Courts need not be involved ... just lawyers.

A few weeks ago there was an article in Forbes magazine saying that
the /average/ billing by lawyers at moderately sized firms in the US
is now $1500..$1800/hr, and billing by lawyers from top firms is now
$2600..$3000/hr.

Litigating a product liability case routinely takes hundreds to
thousands of hours depending. True, many of those hours will be for
paralegals unless/until the case gets to arbitration or court - but
even small firms now bill their paralegals at over $200/hr.