Quote Originally Posted by mklotz:
Unless the shadow model can COMPLETELY model all failure mechanisms in the hardware, which is probably impossible, your time is probably better spent instrumenting the hardware to return a state response.

It all depends on the danger level of a hardware failure. If a failure is simply annoying the shadow approach is fine; if it's life-threatening then instrumenting the hardware is in order.
Marv,

The intent is to just follow along on the hidden state changes. The only failure mode I can detect is when the hardware has no power. If there was a failure within the hardware, there would be no way for the software to detect it.

I do avoid failures in the hardware due to illegal state change requests by doing a translation in the driver. The user can request a move to any state and the driver will figure out how to legally get there.

I have updated the article with a big red warning about safety. Thanks for the reminder.

Rick
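As an added illustration of the shadow-state approach described in Rick's reply (this is example code written for this page, not Rick's driver or his article), the sketch below keeps a software shadow of the hidden hardware state, accepts a request for any state, and translates it into a chain of transitions the hardware will accept. The device, its five states, the legal-transition table and the `FakeHardware` stand-in are all hypothetical; the only failure the driver can see, as in the post, is loss of power, and when that happens it marks its shadow as unknown rather than guessing.

```python
from collections import deque

# Constructed, hypothetical device: the transitions the hardware accepts
# directly. Any request not listed here is illegal at the hardware level.
LEGAL_TRANSITIONS = {
    "off":     {"standby"},
    "standby": {"off", "idle"},
    "idle":    {"standby", "armed"},
    "armed":   {"idle", "active"},
    "active":  {"idle"},
}


class NoPowerError(RuntimeError):
    """The one failure the driver can observe: the device has no power."""


class FakeHardware:
    """Stand-in for the real device (assumption). Its state is hidden; it
    only applies one legal transition per command and exposes a power line."""

    def __init__(self):
        self._state = "off"      # hidden from the driver
        self.power_good = True   # the only status the driver can read

    def command(self, target):
        if not self.power_good:
            raise NoPowerError("device is unpowered")
        if target not in LEGAL_TRANSITIONS[self._state]:
            raise ValueError(f"illegal transition {self._state} -> {target}")
        self._state = target


class ShadowDriver:
    """Tracks a belief about the hidden state and only ever issues legal steps."""

    def __init__(self, hw, initial="off"):
        self.hw = hw
        self.shadow = initial  # belief, not measurement: it can silently diverge

    def plan(self, target):
        """Breadth-first search from the shadow state to `target` over the
        legal-transition table; returns the intermediate states in order."""
        if self.shadow is None:
            raise RuntimeError("shadow state unknown; resynchronise with hardware first")
        if target not in LEGAL_TRANSITIONS:
            raise ValueError(f"unknown state {target!r}")
        prev = {self.shadow: None}
        queue = deque([self.shadow])
        while queue:
            state = queue.popleft()
            if state == target:
                break
            for nxt in LEGAL_TRANSITIONS[state]:
                if nxt not in prev:
                    prev[nxt] = state
                    queue.append(nxt)
        if target not in prev:
            raise ValueError(f"no legal path from {self.shadow} to {target}")
        path = []
        state = target
        while state != self.shadow:
            path.append(state)
            state = prev[state]
        return path[::-1]

    def request(self, target):
        """User-facing call: any state may be requested; the driver walks the
        legal path one step at a time, updating the shadow after each step."""
        path = self.plan(target)
        for step in path:
            try:
                self.hw.command(step)
            except NoPowerError:
                self.shadow = None  # belief is no longer trustworthy
                raise
            self.shadow = step
        return path


if __name__ == "__main__":
    driver = ShadowDriver(FakeHardware())
    print(driver.request("active"))  # walks off -> standby -> idle -> armed -> active
    print(driver.request("off"))     # walks back down the chain
```

Note that the shadow is updated only after the hardware accepted a step, so a rejected or interrupted step leaves the belief at the last confirmed state; an internal hardware fault that changes state without a command is exactly what this scheme cannot see, which is the point of the safety warning in the thread.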