Implement safety-critical command handling #502

@Yarik-Popov

Description

Background

Currently, we enforce that safety-critical commands must be sent twice before they’re executed. This doesn’t provide much extra security. Revamp the approach to safety-critical command handling.

Requirements

  • Must prevent false triggers due to an operator mistake
  • Must prevent false triggers due to data corruption
    • Not a concern since we have an FEC-protected link

Important Information

  • One idea we discussed was an arm-then-execute approach. This would involve sending 2 commands for any safety-critical command. A safety-critical command can only be executed if we’ve sent an ARM and an EXECUTE msg. A command could be disarmed if the OBC resets or something else weird happens.
  • We can also think about this problem from a process POV. Can we put a process in place to mitigate against user errors?
    • Maybe the ARM and EXECUTE msgs must be sent by different operators (with different credentials)?
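A sketch of the arm-then-execute gate as it could live on the OBC (added example, not code from this repository): ARM records the command id and the operator who sent it, EXECUTE only succeeds if it names the same command, comes from a different operator, and arrives inside an arm window, and every outcome other than success drops the arm. The 30 s window, the operator-id field and the function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ARM_WINDOW_MS 30000u   /* hypothetical: how long an ARM stays valid */

typedef enum { SC_IDLE = 0, SC_ARMED } sc_state_t;

typedef struct {
    sc_state_t state;
    uint16_t   armed_cmd_id;    /* which safety-critical command was armed */
    uint32_t   armed_operator;  /* credential id of the operator who sent ARM */
    uint32_t   armed_at_ms;     /* OBC uptime when ARM was accepted */
} sc_gate_t;

typedef enum {
    SC_OK = 0,
    SC_REJECT_NOT_ARMED,       /* EXECUTE with no pending ARM */
    SC_REJECT_EXPIRED,         /* ARM older than the window */
    SC_REJECT_MISMATCH,        /* EXECUTE names a different command than ARM */
    SC_REJECT_SAME_OPERATOR    /* ARM and EXECUTE from the same credentials */
} sc_result_t;

/* Run at boot: an OBC reset clears any pending arm, so a stale ARM
 * from before the reset can never be completed afterwards. */
void sc_reset(sc_gate_t *g) { memset(g, 0, sizeof *g); }

/* ARM is idempotent and always overwrites: re-arming restarts the window. */
void sc_arm(sc_gate_t *g, uint16_t cmd_id, uint32_t operator_id, uint32_t now_ms) {
    g->state = SC_ARMED;
    g->armed_cmd_id = cmd_id;
    g->armed_operator = operator_id;
    g->armed_at_ms = now_ms;
}

/* EXECUTE: returns SC_OK only when every check passes. Any other outcome
 * disarms, so a wrong EXECUTE cannot be retried against the same ARM. */
sc_result_t sc_execute(sc_gate_t *g, uint16_t cmd_id, uint32_t operator_id, uint32_t now_ms) {
    if (g->state != SC_ARMED) return SC_REJECT_NOT_ARMED;
    sc_result_t r = SC_OK;
    if (now_ms - g->armed_at_ms > ARM_WINDOW_MS)  /* unsigned diff tolerates wrap */
        r = SC_REJECT_EXPIRED;
    else if (cmd_id != g->armed_cmd_id)
        r = SC_REJECT_MISMATCH;
    else if (operator_id == g->armed_operator)
        r = SC_REJECT_SAME_OPERATOR;
    sc_reset(g);
    return r;
}
```

The caller dispatches the real command only on SC_OK; logging the rejection reason gives operators the feedback they need to distinguish a typo from a stale arm.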
