Making An Arduino Ventilator? Read This First

Thanks to the virus crisis, lots of people are coming up with makeshift ventilator designs in the hope of saving lives. Many of these are built around some sort of Arduino-powered CPU. [Armstrong Subero] thinks that’s a great idea, but cautions that making an electronic pair of dice is a different proposition from creating a machine that breathes for someone. But he isn’t just complaining. He talks through the considerations that go into building a real-time, safety-critical system.

[Armstrong] has a lot of good points, although we aren’t sure you need the complexity of a real-time operating system just to squeeze a bag. If anything, that seems like it might make it more susceptible to unexpected operation. However, we agree with his comments that you should have closed-loop control to make sure the device is working, alarming when the device isn’t working, and watchdog timers to guard against lockup.

One excellent point from the post:

For example, a high-availability real-time system may be specified as having an uptime of around 99% in a 24 hour period. Which 1% of the day is it acceptable to have the ventilator not operational? Since we have 1440 minutes in a day, which 14.4 minutes of the day should the patient not be allowed to breathe?

However, he does have some solid suggestions, such as using an IDE with debugging and adhering to a coding standard such as MISRA. He also points out that you might choose a different CPU, one with safety-critical certifications and corresponding libraries. Another suggestion is to use multiple CPUs, which is a common enough solution in many safety-critical systems. For example, imagine three CPUs driving a switching circuit that requires a low logic level to turn on.

Each CPU could switch its output pin to an input (high impedance) when it does not want to drive the switch, or pull it to ground when it does. A pull-up resistor then holds the line high if no CPU pulls it to ground. All CPUs can sense the state of the line, and if one of them doesn’t think it looks right, it sounds its own alarm. Some systems vote, so that (at least) two of three CPUs must agree or, in some cases, three out of five.
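To make the shared-line scheme concrete, here is a host-side simulation of it. This is an added example, not code from the Hackaday article or from [Armstrong Subero]’s post: the three-CPU count, the pin-intent names and the two-of-three threshold are assumptions for illustration, and the scenarios in `main()` are constructed. It models the wired-AND line (low as soon as any CPU pulls it down), the rule that every CPU reads the line back and alarms when it disagrees with what it expected, and a separate majority vote over the CPUs’ decisions.

```c
/* Added example (not from the article or the post it discusses): a simulation
 * of N CPUs sharing one pulled-up, active-low enable line, each monitoring it.
 * CPU count, enum names and the 2-of-3 policy are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define N_CPUS 3

/* Each CPU's intent for its pin on the shared line. */
typedef enum {
    RELEASE   = 0,  /* pin set as input (high-Z): the pull-up holds the line high, switch OFF */
    DRIVE_LOW = 1   /* pin set as output driving 0: pulls the line to ground, switch ON */
} pin_intent_t;

/* Electrical model of the wired-AND line with a pull-up: low as soon as any
 * CPU pulls it down, high only when every CPU has released it.
 * Returns the logic level the CPUs read back (true = high). */
static bool line_level(const pin_intent_t intents[], int n)
{
    for (int i = 0; i < n; i++)
        if (intents[i] == DRIVE_LOW)
            return false;
    return true;
}

/* The monitoring rule from the post: CPU `self` reads the line back and
 * compares it with what it expects given its own intent. A mismatch means
 * another CPU (or a stuck pin) is doing something this CPU did not agree to. */
static bool cpu_alarms(const pin_intent_t intents[], int n, int self)
{
    bool expected_high = (intents[self] == RELEASE);
    return line_level(intents, n) != expected_high;
}

/* How many of the CPUs would be sounding their own alarm. */
static int count_alarms(const pin_intent_t intents[], int n)
{
    int alarms = 0;
    for (int i = 0; i < n; i++)
        if (cpu_alarms(intents, n, i))
            alarms++;
    return alarms;
}

/* Majority vote over the CPUs' decisions (2 of 3 here): the switch should be
 * on only if more than half the CPUs want it on. */
static bool majority_wants_on(const pin_intent_t intents[], int n)
{
    int want_on = 0;
    for (int i = 0; i < n; i++)
        if (intents[i] == DRIVE_LOW)
            want_on++;
    return want_on * 2 > n;
}

/* Three-CPU convenience wrappers used by main() and by external checks. */
bool line3(int a, int b, int c)
{
    pin_intent_t v[N_CPUS] = { (pin_intent_t)a, (pin_intent_t)b, (pin_intent_t)c };
    return line_level(v, N_CPUS);
}
int alarms3(int a, int b, int c)
{
    pin_intent_t v[N_CPUS] = { (pin_intent_t)a, (pin_intent_t)b, (pin_intent_t)c };
    return count_alarms(v, N_CPUS);
}
bool majority3(int a, int b, int c)
{
    pin_intent_t v[N_CPUS] = { (pin_intent_t)a, (pin_intent_t)b, (pin_intent_t)c };
    return majority_wants_on(v, N_CPUS);
}

int main(void)
{
    /* Constructed scenarios: all CPUs agree, then CPU 2's pin is stuck low (a fault). */
    printf("all released : line_high=%d alarms=%d majority_on=%d\n",
           line3(RELEASE, RELEASE, RELEASE), alarms3(RELEASE, RELEASE, RELEASE),
           majority3(RELEASE, RELEASE, RELEASE));
    printf("CPU2 stuck   : line_high=%d alarms=%d majority_on=%d\n",
           line3(RELEASE, RELEASE, DRIVE_LOW), alarms3(RELEASE, RELEASE, DRIVE_LOW),
           majority3(RELEASE, RELEASE, DRIVE_LOW));
    return 0;
}
```

The second scenario shows the caveat worth keeping in mind with this wiring: because any single CPU can pull the line low, a stuck pin energizes the switch even though the majority voted against it. The wired-AND line therefore gives you detection (two of the three CPUs alarm immediately), not enforcement; if the two-of-three vote must actually gate the output, the voting logic has to sit in the output path rather than only in software.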

We’ve been talking about ventilators quite a bit lately. The kind of mechanical design [Armstrong] is probably thinking of is like the MIT design we talked about last week.

70 thoughts on “Making An Arduino Ventilator? Read This First”

  1. So many reactions. Firstly, it’s not really rocket science. You use a fast booting system with a watchdog timer and a state machine whose state is in nonvolatile memory. But secondly, no you don’t want to use an Arduino because the Arduino development environment is crap with inscrutable hidden libraries and all sorts of moving parts glued together by who knows what. In a critical system you need to have access to every line of code and understand exactly how everything works so you can audit its behavior in every potential edge case, and this is pretty much the opposite of what any object-oriented environment is designed to offer.

    And thirdly, nothing you are designing in your garage today is going to be ready for production in time to make a lick of difference to the ongoing COVID crisis. Even if you intend for it to be available for yourself good luck finding a doctor who will be willing to use it.

        1. Even if you don’t have access to a PLC you can still program for it.
          Codesys is a free PLC software package that can be used on many PLCs from a bunch of different manufacturers.

          1. But those things don’t really help unless you have a real PLC to use to prototype an actual control system. How many hackers have ever even seen or used ladder logic? These manufacturers do not market to do-it-yourselfers. Odds are unless you work in industry you’ve never even seen the cheapest of PLCs, and those are twenty times the price of an Arduino compatible board.

          2. Indeed. Allen Bradley’s RSLogix software starts at $3000ish for a full version, and their bottom end PLCs are $100s. Not to mention FactoryTalk, HMIs, and on and on. The safety critical stuff like CompactLogix and SmartGuard are even more expensive; and then you’d need the various software packages to work with those, which can easily top $10000.

        2. No, they don’t – they actually have some random microcontroller development board, and are using an extremely simplified hardware interface to that microcontroller, in such a way that they don’t actually control or understand the failure modes.

          That’s the danger. I mean, some of the Arduino peripheral calls don’t even have nonblocking versions, so seriously weird things could happen when people do multiple things. Yes, a watchdog will catch that and restart it, but even that requires thinking through a *lot* of things. You basically have to assume that your code can restart at any point.

          “And thirdly, nothing you are designing in your garage today is going to be ready for production in time to make a lick of difference to the ongoing COVID crisis.”

          No, but there are plenty of people who designed things in their garage a few weeks ago, and those *are* getting to that point.

          1. No, nothing that was started at any point in 2020 will be ready for manufacturing, market, or distribution before the COVID crisis has spun its course. Making tens or hundreds of thousands of units only starts when you have a solid design. Then you have supply chain, manufacturing, since it’s life critical testing and validation, and shipping and distribution. Those are all hard problems that you don’t solve by putting your project up on GoFundMe.

          2. “No, nothing that was started at any point in 2020 will be ready for manufacturing,”

            This is demonstrably wrong, as there are existing examples of this. Tooling a simple design up for manufacturing is *difficult*, but not wacko crazy when you’re only talking about O(100-1000) units being significant.

            But I think you’re misunderstanding my point. From a *manufacturing* standpoint, there are people and designs that could work and could scale to make a difference… *if* you ignored that these are life critical designs and need to be way higher reliability than a typical low-volume production.

            What I’m trying to say is that it’s actually important to realize that the reason that “garage projects” can’t be thrown together and have ~1000 of them made quickly and help in the crisis is that they won’t be able to get FDA approval or have time to get them to hospitals and teach people to use them, and it’s *not* just because of bureaucracy. When you’re talking about medical-grade devices, the amount of time it takes to *manufacture* a new widget barely even factors in to the lead time it takes to get it to market.

            This might be a long-winded way of me saying we interpreted “production” differently. People are certainly able to *build* O(100-1000) “things that can act like ventilators”, but building them’s only the first step, and unfortunately I think that a lot of people are going to have an “I could’ve saved people if only the FDA hadn’t gotten in the way” mentality after this – not realizing that their garage design isn’t within a mile of what hospitals need.

      1. As a PLC programmer I can say that PLCs are not the magic thing everybody wants them to be. I had a lot of failed IO cards, processors and other components. In our company safety critical logic is always implemented with relays. The logic of a ventilator is not that hard. Wouldn’t an electromechanical setup be better? The MIT design + some endstops you can adjust to regulate the air volume would be simpler, and safer….

    1. “And thirdly, nothing you are designing in your garage today is going to be ready for production in time to make a lick of difference to the ongoing COVID crisis. Even if you intend for it to be available for yourself good luck finding a doctor who will be willing to use it.”

      Exactly. As if this article of Hackaday was written by children who have zero clue about the real world.

      1. The reality is, laws are designed to run within a stable system. This virus is upsetting the fundamentals we have grown to trust. Hospitals are using 3D printed face masks, automotive manufacturers are building ventilators from car parts. When a healthcare system is stressed to beyond functional capacity, they will start using any extra resources to save lives that would be lost without. You guys are right about the supply chain thing, but I’m here to tell you that those rules only work in a stable running world of capitalism. This isn’t stable. People are dying by the hundreds every day in major states and cities. They will take ANYTHING and deal with the repercussions after the fallout.

    2. He’s right about the Arduino environment though. There’s a lot of hidden gotchas because of all the bubblegum patches that they’ve made to have it all kinda-sorta work. For example, opening the USB serial port on a board with a SAMD21 processor messes up with a number of interrupts in a way that putting the device to sleep will never wake it up again. To fix it, you have to reverse-engineer what they’ve done or implement your own USB and sleep routines.

      Same goes with the ADC. There are Arduino libraries that use the ADC in a continuous measuring mode and shift values to a buffer. This will cause random lock-ups if the buffer ever runs over. These problems come and go as the libraries are updated. The better bet is to just skip over the Arduino stuff entirely, open up the chip programming reference, and do it yourself – the time you take to figure it out is less than the time it takes you to debug the Arduino libraries.

    3. I disagree here, if the overall statement is “Anything you design in your garage today is not going to make a lick of difference in the ongoing COVID crisis, and you wouldn’t find a doctor willing to use it.”

      As the complexity of the system goes up, the testing that is needed also goes up, and the willingness of a medical professional to use it (uncertified/untested) is going to go down. That’s insanely true in the United States, I can’t speak for other “modern medicine” countries.

      However, my time in the field had us designing, building, testing, and implementing solutions at an insanely rapid rate. We literally had no option, except utter failures in patient outcomes with some solution.

      Kit-bashed traction devices for crushed limbs trans-surgery. Wound suction devices. I believe someone made an Arduino based medication flow monitor that just beeped if a drop was detected late or early, and started screaming if it fell consistently outside of a time window (Medication pumps are one of the critical items for an ICU, but really we just need to make sure the med is being delivered at the right rate).

      Hackers driving solutions to problems down to the lowest common denominator has had a tremendous impact in crisis/disaster medicine. If you’re here to drive that spirit in to the ground, respectfully, I think you’re on the wrong board.

    4. I’ll be sure to warn the people I’ve been developing industrial control systems for for 30 years that I don’t know anything. At least, once you say something more substantive than “you know [zero] about [subject].”

      1. As an engineer who works at a large engineering corp and buys such ECMs and software from companies – I can say the 5 and 6 digit dollar ECM systems designed for industrial control are unreliable. Years and years of companies constantly trying to fix their software. Sad really.

        1. Yes, I’ve noticed that. It wasn’t as bad in the 1980’s and early 90’s, but around the mid 90’s the development systems and end hardware started to get a lot flakier. Nowadays it’s not much better than a generic Windows PC, maybe it will crash and maybe it won’t. In fact I’ve replaced a couple of PLC systems with generic Windows boxes that are more reliable than the industrial hardware they replaced, but then I have a lot of experience knowing where I can and can’t cut a corner. The old days when you could pay enough $$$ and be confident that the box would do exactly what you told it no matter what seem to be long gone.

      2. I stand by my statement that you know nothing about it at all. Industrial what? Industrial systems that require a “do not enter” safety zone? Systems that require an ohs*t emergency shutdown button?
        You stating “fast boot and watchdog” says it all: you never even went near a safety critical system.
        Did you know that any system can be certified to any safety level? Yes, even an Arduino based one can fly a spaceship (BTW there are/were a few components on the ISS based on Arduino).
        All you have to do is a failure mode analysis, and show how you mitigate the occurrence and severity of the possible failure modes.
        It does not matter at all how many hidden libraries a system has. You describe the failure modes where the given component does not do what it is supposed to do, then describe what mitigation you implement to counteract that. And avoid common mode failures if it has to pass for example SIL3/4 or ASIL4.

        Did you know that for example the door closing mechanism on a few high speed trains has more than 1 million lines of code in it? All that system has to do is close the door when it receives the command to do so and report back that it succeeded.

        >30 years
        Yea, and what? The number of years you spent on X is your only argument. So yea, warn those people.

        1. This article was not about generic systems of arbitrary complexity, it was about ventilators. A watchdog and reset will generally meet the requirements. Hidden libraries are a big no-no. You must have access to all the code to audit it for edge cases, if you don’t you are courting disaster. I have had my code audited by, to give one example, one of the world’s largest sugar refineries which uses a system I built to weigh millions of pounds of sugar per day and they invoice off of it. If you think safety is a big deal, ask what industry thinks when they invoice millions of dollars a day based on your data. I see you have your little corner of experience, and I have mine, and they are obviously different corners. Don’t be so fucking insulting and maybe a useful conversation could develop.

        2. Wow, you are an Arduino fanboi and childish to top it off. You know, stable people don’t go off the rails like you do when someone correctly criticizes a hobbyist system like the Arduino. Really dude, it’s not something you’re gonna use for a flight control system in a jet or to run a ventilator, for a number of reasons. One of which is that dodgy library which is fine for kids blinking a LED or running a LCD but nothing anyone would trust in a life critical system.

          Remember, smart guy, if that machine screws up and kills a patient, the hospital and the patient’s family will sue you into the poor house.

          You might want to examine how the people who actually make these devices get FDA approval. It’s far beyond what some hobbyist working in his bedroom can pull off.

      1. And yet you still posted this one? Wow.

        All the designs people are proposing are garbage. They don’t know anything about the problem space, never mind the mediocre construction and programming and complete lack of risk analysis. There’s a reason big companies like Medtronic aren’t building super-simple machines already.

        As for this article, your idea of safe design is “use an IDE with debugging” and “run multiple cpus!” Never mind that “use a debugger” is basically level zero of embedded system competency and making a successful voting system in hardware is up at 8 or 9. Besides, hardware redundancy is useless if 99.99% of your failures come out of software, which they absolutely will with hackers putting these things together. Are you expecting a stray cosmic ray to hit this ventilator?

    1. Ok – so this is hard. I’m going to use my UNO to design a new autopilot for the 737 Max instead!

      From my experience, an IDE might be used to design a prototype, but the actual shipped product for a life-critical function does indeed use thoroughly vetted libraries and code, not code downloaded from GitHub.

  2. “They were not designed for the real time, safety-critical design that is required to build ventilators. ”

    “arduino” is just the hipster-level software abstraction on top of an MCU. MCUs have no problem with real-time accuracy. They are not massively parallel, nor do they have huge memories, nor are they particularly powerful, but their cycle and timer accuracy is more than capable in applications such as a ventilator. Remember that a ventilator is primarily a mechanical device and human respiration is not particularly fast. “How perfect” the device is will depend on how well patterns are detected and exceptions dealt with in reasonable ways. But that is by no means an absolute requirement for a minimal life-saving device, especially in times where such devices are in short supply. Search for “vintage ventilator” and you’ll find what is basically a tube, a mask, and a leather bag.

    From the article itself:

    “Think of a ventilator. Its main purpose is to provide mechanical ventilation to keep patients alive.”

    “safety-critical design that is required to build ventilators”… yes, in today’s hyper-litigious society where liability is more of a concern than getting things done, such claims have merit. The same “safety” warnings are also the basis behind supply shortages, price gouging, etc. Remember the medical-device industry is an industry driven by profit and protected by laws. Complexity, obscurity, and patents are what companies depend on to maintain their profit margins.

  3. While it is trivial to code, even in the official IDE, something of the complexity needed that will run perfectly for months on end, perhaps it’s more a question of having a deep knowledge about the human respiratory system and how it actually works?

    I do not feel this is an area where hackers should.. overreach.

  4. I like Hackaday but this is retarded. Does anyone really think that an Arduino powered ventilator will be used and manufactured? The lack of ventilators is not a technological but a political problem.


    “The US Federal Aviation Administration has ordered Boeing 787 operators to switch their aircraft off and on every 51 days to prevent what it called “several potentially catastrophic failure scenarios” – including the crashing of onboard network switches.

    The airworthiness directive, due to be enforced from later this month, orders airlines to power-cycle their B787s before the aircraft reaches the specified days of continuous power-on operation.

    The power cycling is needed to prevent stale data from populating the aircraft’s systems, a problem that has occurred on different 787 systems in the past.

    According to the directive itself, if the aircraft is powered on for more than 51 days this can lead to “display of misleading data” to the pilots, with that data including airspeed, attitude, altitude and engine operating indications. On top of all that, the stall warning horn and overspeed horn also stop working.”

    Basically power cycling commercial aircraft due to overflow bugs. I guess that’s a solution but it’s still odd that is an issue to begin with given how much effort and expense and time goes into developing this aircraft hardware and software.

    It’s not as if even what should be highly tested and very expensive commercial offerings are able to avoid issues like this though. Looks like there is an overflow in the 32 bit millisecond counter with regards to these Boeing 787 aircraft.

    It would be nice if the Arduino hardware had more protections against hardware issues. Over voltage, shock, physical heat, even bugs crawling across things or moisture or cosmic rays.

    1. Overflow problems are why formal verification has traditionally been a thing in aerospace. I’m surprised these companies have been slacking off on that. All in the name of profit I suppose.

      With the Arduino hardware you probably want to write straight C instead of relying on the Arduino libraries doing who knows what. Instead of MISRA like the article suggests, I’d suggest using Frama-C. This allows you to formally prove that your ventilator program does not have issues with overflow, incorrect memory access, that all calculations are correct etc. This on top of the usual stuff like using the WDT, brownout detection and so on.

  6. Arduino IDE is structured such that you are coerced into writing libraries for parts of your code that you would otherwise have in another loop, then guilted into sharing such… as a result, bazillions of low quality libraries. Ergo the ecosystem is not conducive to development of life and death products. The hardware may be pressed into service, but develop on something else.

  7. Why the hell are people having to MacGyver ventilators? For the love of god, can we please have a healthcare system that makes sense for one fucking moment in a global emergency? Seize the design IP from these medical hardware vulture assholes and seize some factories to churn then out. We can do it with planes and guns and bombs. What the hell is everyone doing? Sitting around at home? 2020 is ridiculous. This isn’t the future we deserve. First home surgery and pharmaceuticals, now home medical electromechanics–in the richest country in history. This is shameful. I feel like I’m going crazy.

    1. I agree 100%. We spend so much money and energy into developing technology and infrastructure intended to control automobile operators and charge them money when they don’t buy magic stickers to place on their vehicles, yet this somehow obvious piece of necessary gear is currently impossible to provide… it’s sad really, that we’ve been duped into this. Best thing we can do is make the stuff ourselves at this point. Human inventions are still just that: reproducible.

    2. More ventilators are not a solution since by the time a patient needs a ventilator their own respiratory system is either shot from COPD, heart failure, diabetes or being a 300lb slob who can barely breathe in the best of times.

      The average age of Italians who died from Covid was 80 years old and most had two other illnesses like heart failure or diabetes. IOW they were already very ill and they couldn’t breathe on their own. And anything that attacked their lungs would kill them.

      The average American who died is 64 with one to two co-morbidities like COPD or heart failure.

      Worse, stats show that most Covid patients on ventilators still DIE – some 85% or so go home in a box.

      Even with non-Covid patients half of the patients on a ventilator die. The ones that survive tend to die within six months.

      This is what the MSM and the CDC does not tell the public that these ventilators are no saviors. It’s really depressing.

      But it gets better.

      You do realize intubation is a ICU function and the patient has to be put into a coma and you need trained nurses to handle such a patient. BTW the patient to nurse ratio is one to one. And the patient has to be turned over 3-4 hours often by hand by the nurse to prevent pooling and bed sores.

      BTW this makes the ICU UNFIT for non-Covid patients. So if you get a stroke, heart attack or some other injury where you need to be in an ICU, you are screwed, because if they put you in the unit YOU WILL GET infected.

      1. Apparently what we need are CPAP machines. Even in the best of times ventilation comes with a litany of possible complications. Patients are often, if not always, sedated to keep them from fighting the machines. Now you have an unconscious patient that needs an intensivist to keep them alive. We don’t have the skilled people at this time. Ventilation is too late; a CPAP applied early can hopefully keep people off ventilation. CPAPs are also much simpler.

  8. Unfortunately, ventilators are not quite the panacea that people are imagining them to be. When a patient is at the point where a ventilator is needed to keep them alive, only a not-large fraction of those who are intubated have been recovering.

    When inhaled, the virus invades the alveoli, causing the infected cells to pump out more virus until the cells die; which spread through the lungs. The more cells that die, the fewer that are able to exchange oxygen and carbon dioxide, reducing lung efficiency. If the immune system responds quickly enough, the virus doesn’t spread far before it’s shut down. But the white blood cells that come to the rescue arrive with their own fluids, and if the damage is already so great that too many have to show up, they can load up the lungs with fluid, causing pneumonia. Breathing becomes painful and labored, and that’s when a patient needs a ventilator to survive.

    A ventilator has to thread a very narrow path – too much pressure, and the patient’s lungs rupture – that is bad. Too little pressure and they don’t help. And the timing has to match the patient’s breathing. And as the patient’s conditions change rapidly while under attack from the virus, the ventilators require constant monitoring, feedback, and control from the physician; this is what makes commercial ventilators so complex.

    While the struggle is happening in the lungs, the virus may also have spread further throughout the body. If that’s the case, it’s invading and damaging other organs. At some point the patient can be overwhelmed by the virus and die, even if the respirator keeps the lungs functioning.

    With luck, a ventilator might keep a patient alive long enough for their own immune system to stop the virus. But in many cases, it doesn’t. And the lung damage means that once a respirator is needed, it may be needed for a very long time. That’s where I think home brew ventilators with limited features might find their niche – on a patient who is no longer fighting the virus on a minute-by-minute basis, but whose conditions are stable and whose lungs will need a long recovery time.

    1. Figures I saw mentioned earlier today were that 2/3 of patients needing ventilation die at present. If I get badly sick, I’ll write up instructions to crank in the O2, then ice my brain, drown me with bicarb and give the old windbags a good flush out, then resuscitate, basically turn me off and on again and see if that works.

    1. Generally they are supplying more oxygen than standard air, yes. Usually they can vary from 21% (no added oxygen) up to 100%, and are set at an appropriate level to maintain blood oxygen saturation. There are issues with breathing pure oxygen, and ventilators use a LOT of oxygen, so if possible they’re set to less than 100%.

  9. In these rather challenging times it’s reassuring to know that Arduinos are providing the same valuable service they always have – identifying people who haven’t got a clue.

    Anyway, nobody will be able to invent an Arduino powered ventilator until Sparkfun start selling ventilator shields. Then they’ll start popping up everywhere.

  10. I don’t know how precise a ventilator actually needs to be, in order to be useful. But something, has always got to be better, than “sorry, all of our ventilators are in use right now, but patient #103, looks to be about finished in an hour or so…”. We use artificial respiration, in emergency situations, by people barely trained. Rescue workers use manual ventilators. Something thrown together, in a pinch, might not be the best available on the market, but it would be more useful than having someone sit there, and squeeze the bag manually.

    I don’t see the harm in people with a lot of free time on their hands, and parts to play with, from taking up the challenge. It helps pass the time, gives people a sense they are doing something useful, involved. I don’t think DIY ventilators will replace the need or use, of the actual equipment in hospitals, least full time. They might work well enough for a few hours, if needed. Personally, I’d be willing to let a doctor use any equipment he can scrounge up, over just laying on a table dying, because the FDA approved equipment is all in use, with other patients.

  11. Well, I do not think that it is a good idea to let hundreds of makers make their own respiratory system. Even if they work, who should test it? Imagine you are the person who decides. You get hundreds of different approaches, which one will you choose and which one sort out? But: if the health system collapses, one could maybe help someone in his family – or maybe not.

    Another fact is that the existing respirators are pretty perfect. What else can you do? What can you do better? Of course, you can use poor sensors, which are available on the market. You can code something and 3D print its parts. But nobody would ever use it. Because if the patient dies because he was not respirated well, then good luck. If you are an electrician, you would not use aluminium foil as a replacement for a fuse, even if it works.

  12. I like how it only has to be safety critical and not fail operational.
    I mean, ok, by definition it is enough as a human error has to occur at the same time to cause harm. For example if this device can beep loud enough to signal that it failed, it’s enough (again by definition of a safety critical system).

  13. The reality is no home grown vent is going to find its way in to operation in the near future at least. BUT …

    The exercise of developing one is no different to building a blinky. There is no real point to it apart from “hey look what I did” but the value comes from the exercise of doing it. The skills learnt from the process would be huge. There’s the understanding the physiology of the cardiovascular system, the effects of mechanical ventilation, then the hardware to perform the ventilation, the software to control the various modes, the sensors and control loops and the requirements to make a safety critical system.

    If someone wants to make a vent give it a go. You never know, the skills you learn may contribute to the next generation of mechanical ventilation.

    If you’ve got the time on your hands go for it, you have nothing to lose – just don’t try to ventilate anyone – stick to a test lung…

  14. or you could just read the datasheet *gasp*
    Atmel’s products are not intended, authorized, or warranted for use
    as components in applications intended to support or sustain life.

  15. No matter what you do, you are going to have to deal with liability issues. It will cost a fortune to get insurance on it. Do you really want people’s deaths on your soul because you designed a device that failed? BOTTOM LINE IS: Use the right equipment for the job. Microcontrollers are not fit for this. IMHO.

    1. Liability be damned… There is a good possibility that there won’t be enough automatic ventilators to go around, big time. That leaves only the manual ventilation (person squeezing a bag by hand). These patients are on the machine for days, even weeks. How many hours can a person sit and squeeze a bag, non-stop? Not being ventilated is going to cause more problems, and death. The manual method, doesn’t seem too complicated, or overly precise, but it works, and it’s a whole lot better, than nothing at all. Hopefully, we never get to that point, and we can keep getting enough equipment, to places where they are most needed. Couldn’t hurt to have a few homebrew ideas handy, just to make do, until something better is freed up. I don’t see ignoring any viable options, when the alternative, is just let people die, because all the available machines are in use.

  16. A lot of people are sitting idle looking for something to do, a way to contribute. If they want to try to develop a ventilator, let them try. FDA approval and liability are bridges to cross when you come to them, none of these projects are at that point yet (designing around/in consideration of is something else entirely).

    You cannot solve a problem if you cannot define a problem. I have not found an outline of required ventilator operating parameters published anywhere. My research indicates that an IPPV should be capable of delivering 5 – 30 breaths/minute, inspiration pressures up to 40cmH2O, expiration pressures from -10 – 10cmH2O, tidal volumes of 100-750mL, and adjustable inspiration/expiration ratio of 1:4 – 4:1.

    Purely time-based ventilation is referred to as mandatory. This has been proven to cause a patient undue stress, which extends recovery time. A better solution is assisted ventilation (triggered). The best low-cost option for triggering appears to be monitoring flow rate during expiration and triggering when flow drops below a preset value.

    My two cents: organize labor, pool resources, delegate responsibility to people who are -qualified-, then everybody pass left and review your neighbor’s work.

  17. The article is about the difficulties of keeping a single CPU core from painting itself into a corner in real time due to unexpected special circumstances, and how, when this happens, it can easily kill in the case of a CPU being used in a safety-critical real-time system.

    Microcontrollers are cheap, but they are not trustworthy.

    Don’t have a single point of failure (the central core). Avoid ‘real time’ OS. You don’t need them anymore.

    Instead, prove out the separate, minimally complex digital logic systems you need to implement the system you have.

    Exploit FSM design to be able to *prove* that there cannot be a circumstance that hasn’t been considered. Steer clear of ‘programmable’ FSM’s *unless you need them*, and/or put them ‘outside of the pipeline’ so their failure cannot interfere with proper operation.

    Again, all this is now relatively easily done — with an FPGA.

    You can have an FPGA complex enough to completely host a stand-alone embedded Forth system for about $10. That is supported by a 100% open-source toolchain that can all run on a Linux SBC — which can then sit outside of the critical system as a ‘communication / monitoring’ device that rightfully should not be trusted.

    I.e., such that without movement of a physical switch, the SBC / communication system is actually unable to interfere with the proper operation of the safety-critical FPGA system, whether by reset / reprogramming, or even just by a DoS attack via an SPI / I2C / serial bus.

    You can do this because an FPGA easily lets you just *add* an additional SPI slave interface, with its own unique data bus and a separate clock belonging to the SBC, which can be arranged such that its use does not interrupt or change the cycle timing of the critical real-time system whatsoever. And whose inputs, if allowed, can be passed through a simple ‘sanity limit check’ system, also in parallel on the FPGA, so that unrealistic or invalid inputs can be rejected before causing operational interference.

    Doing all this means using Verilog / VHDL or some other FPGA-specific tools, paying attention to basic digital systems engineering, and most importantly, ignoring / deprecating a lot of the currently received wisdom that wants to overvalue assembly microcontroller skill sets — whether they be 6502, 8051, 68k, HC08, Microchip, PowerPC, x86 or whatever — they are all a poor choice for safety-critical applications. Same with C, and that goes double for C++ / Wiring.

    Leave those to chiptunes and the super-cheap, mass produced products. Which also means you should only ever bother learning / using whatever’s cheapest in bulk, which today I think means those 4-cent Chinese chips. But they belong nowhere near any safety critical system. CPU’s in general belong only in OSS supported ‘communications or UI’ applications, behind a digital firewall because you can never entirely trust that they don’t have some glitch or security vulnerability that leaves them exposed to just dropping the ball.

    Yes, making a single small CPU literally sing is an impressive performance, but it’s also something that has no right at all to be depended upon in any real way. Dedicated hardware logic, on the other hand, is much *MUCH* more reliable. Even when it’s implemented ‘expensively’ and ‘wastefully’ in an FPGA, where many subsections of such chips are never actually needed, being programmed their whole existence to sit still and do nothing. Something which I’m sure offends the kind of microcontroller expert programmer who feels compelled to reach for his favourite hammer to apply it even onto brain surgery.

    FPGAs basically mean that RTOSes are obsolete. Worse than that really – they’re downright dangerous, since just using an RTOS certainly doesn’t prevent various lockups or glitches from occurring, and they raise the difficulty of verifying that such can’t occur to a ludicrous degree.

    IM(NS)HO, every microcontroller implemented system has been glitchy. In every case, even where the engineers involved were extremely professional otherwise. Sometimes those glitches have had consequences.

    Ditch microcontrollers / CPUs for safety’s sake. Where you need low latency, or just *dependable* / *consistent* latency (what is known as ‘low jitter’), use an FPGA. Or use fixed-function digital logic, which is essentially the same thing. Safety is essentially the same thing — you need reliably consistent performance that doesn’t and won’t ‘skip a beat’. Or lock up, or crash. Or go out to lunch.

    In some cases, you want to ditch even digital systems — analogue control loops sure as hell are the standard in many electro-hydraulic systems, and for very good reason too!

    It’s just very difficult to protect a sampled-time system of any kind (analogue or digital, and yes, sampled-time analogue systems certainly do exist — see ‘chopper’ or ‘switched capacitor’) from out-of-band interference, since the whole real frequency domain ends up packed between +/- 1/2 the sample rate. Keep it all in the analogue continuous time domain, and you can dodge that whole issue fairly easily with careful filtering and shielding. Otherwise what performs well in a nice ‘electronically’ quiet lab might start glitching into positive feedback when in the real world and introduced to common and nasty forms of electrical interference.
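A software model of the ‘sanity limit check’ gate described in the comment above, added here as an illustration and not code from the commenter, the article, or any project: it applies the ventilator operating envelope quoted in the earlier comment (5–30 breaths/min, inspiratory pressure up to 40 cmH2O, expiratory pressure -10 to 10 cmH2O, tidal volume 100–750 mL, I:E 1:4 to 4:1) to setpoint messages arriving from the untrusted SBC, and refuses anything outside it so the running cycle is never disturbed. The field names, message format, default setpoints and the lower pressure bound are assumptions of this model; in the design the comment describes, this logic would live in FPGA fabric beside the control path rather than in Python.

```python
"""Software model of a 'sanity limit check' gate between an untrusted SBC and
the critical control path.  Constructed example: envelope values are the
operating parameters quoted in the comments above; field names, message
format and defaults are assumptions of this model."""
import math
# Inclusive (min, max) per setpoint field.  A lower bound for peak
# inspiratory pressure is not stated in the comments; 0 is assumed.
ENVELOPE = {
    "rate_bpm": (5, 30),        # breaths per minute
    "pip_cmh2o": (0, 40),       # peak inspiratory pressure, cmH2O
    "peep_cmh2o": (-10, 10),    # expiratory pressure, cmH2O
    "tidal_ml": (100, 750),     # tidal volume, mL
    "ie_ratio": (0.25, 4.0),    # inspiration/expiration, 1:4 .. 4:1
}
# Assumed conservative defaults, all inside the envelope.
DEFAULT = {"rate_bpm": 12, "pip_cmh2o": 20, "peep_cmh2o": 5,
           "tidal_ml": 400, "ie_ratio": 0.5}

def check_message(msg):
    """(True, 'ok') only if the field set matches exactly, every value is
    numeric, finite and in range, and PEEP sits below peak pressure."""
    if set(msg) != set(ENVELOPE):
        return False, "field set does not match expected setpoints"
    for field, (lo, hi) in ENVELOPE.items():
        v = msg[field]
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return False, f"{field} is not numeric"
        if not math.isfinite(v):
            return False, f"{field} is not finite"
        if not lo <= v <= hi:
            return False, f"{field}={v} outside [{lo}, {hi}]"
    if msg["peep_cmh2o"] >= msg["pip_cmh2o"]:
        return False, "peep must be below peak inspiratory pressure"
    return True, "ok"

class SetpointGate:
    """Holds the last accepted setpoints.  A rejected message changes nothing,
    so a faulty or flooding SBC cannot disturb the running breathing cycle."""
    def __init__(self, initial=DEFAULT):
        self.current = dict(initial)
        self.rejected = 0

    def offer(self, msg):
        ok, reason = check_message(msg)
        if ok:
            self.current = {k: msg[k] for k in ENVELOPE}
        else:
            self.rejected += 1
        return ok, reason
```

Note that the gate never clamps or “repairs” a bad value; anything the envelope does not admit is dropped whole, which is the property that lets the SBC side be untrusted.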
