by EvanAnderson 703 days ago
> I'm mostly familiar with North American traffic signal control, and in those traffic cabinets there is a device known as an "MMU" (Malfunction Management Unit) which acts as a safety monitor for the rest of the traffic cabinet.

Presumably the logic for this MMU could be implemented in strictly electrical components (relays or such). That would give me the most comfort (since its functionality would be, literally, hard-wired).

I worry that some enterprising manufacturer, out to save a few bucks, would implement this functionality in a microcontroller with firmware that could be updated remotely.

Does the standard specify the functionality of the MMU must be hard-wired, or at the very least not able to be changed without physical access?

1 comments

Unfortunately those fears are well-founded.

The majority of MMUs on the market that I have had a close look at implement safety-critical functionality on a microcontroller with updatable firmware. Some can even be updated over IP. I haven't had the opportunity to dig into if those firmware upgrades are signed or otherwise integrity-protected.

The standard unfortunately does not specify a functional safety standard or other measures to ensure absolute safety.

In theory it would be possible to implement it in discrete logic (or an FPGA or other formally verifiable process), but as far as I know no manufacturer has done so (I'd love to be wrong!).