Turbine-Generator Example(2) Uses polling: No interrupts except for fatal store fault(nonmaskable) Timing and sequencing thus defined More rigorous and exhaustive testing possible All messages unidirectional No recovery or contention protocols required Higher level of predictability Self-checks of Sensibility of incoming signals Whether processor functioning correctly Failure of self-check leads to reversion to safe state through fail-safe hardware State table defines Scheduling of tasks Self-check criteria appropriate under particular conditions Hazard reduction · Passive safeguards Maintain safety by their presence Fail into safe states Active safeguards Require hazard or condition to be detected and corrected Tradeoffs Passive rely on physical principles Active depend on less reliable detection and recovery mechanisms BUT Passive tend to be more restrictive in terms of design freedom and not always feasible to implementc ��������������������� ���������� Turbine−Generator Example (2) Uses polling : No interrupts except for fatal store fault (nonmaskable) Timing and sequencing thus defined More rigorous and exhaustive testing possible. All messages unidirectional No recovery or contention protocols required Higher level of predictability Self−checks of Sensibility of incoming signals Whether processor functioning correctly Failure of self−check leads to reversion to safe state through fail−safe hardware. State table defines: Scheduling of tasks Self−check criteria appropriate under particular conditions ��������������������� ���������� Hazard Reduction Passive safeguards: Maintain safety by their presence Fail into safe states Active safeguards: Require hazard or condition to be detected and corrected Tradeoffs: Passive rely on physical principles Active depend on less reliable detection and recovery mechanisms. c BUT Passive tend to be more restrictive in terms of design freedom and not always feasible to implement