Right Sir! :-) I cannot emphasize that enough. On our test stand start-,
stop-, emergency stop-sequence etc. are controlled by a industrial PLC.
The DAQ can send signals to the PLC if things go strange, but no
computer/software can ever start the engine without pushing a physical
push button (secured by a key switch) pushed by a human. The start
button is connected to the PLC, the DAQ gets that signal too but can
never trigger a start signal. Interlocks between the valves (don't let
the kero valve open if the LOX-valve is still closed and don't let any
valve open if the igniter is not properly working etc.) should be done
on a physical level, not by software. An emergency push button should
act directly to the PLC and if possible directly to the valves and
pressurization system. The whole system should fall back into a safe
state if you have a power outage or broken, melted wires etc. This means
your actuators should go to a safe state without power (eg spring loaded
valves etc).
Never trust software on a PC ;-) For emergency procedures we even don't
trust the PLC alone.
Bruno
"At that time [1909] the chief engineer was almost always the chief test
pilot as well. That had the fortunate result of eliminating poor
engineering early in aviation" (Igor Sikorsky)
--
Bruno Berger
Swiss Propulsion Laboratory
E-Mail: bruno.berger@xxxxxx (HTML-Mails will be dropped!)
PGP: http://www.spl.ch/contact/Bruno.Berger.asc
WWW: http://www.spl.ch
HAM: HB9RSU
One suggestion: separate control from data acquisition. Keep the
control system as stupid and simple and stable as possible, and make
sure it doesn't depend on the data acquisition system for anything.
(This might mean an occasional duplicated sensor.) Then you can play
any fancy games you want with data acquisition, secure in the knowledge
that nothing you do wrong there can mess up your controls. This will
make both systems easier to build and modify.
Henry
