So I took a bit of time to get around to looking at this, but I went through all the posts and made a few notes; apologies for the long post.
If RPM is above hard limit, cut ignition and injection
If MAP is above boost cut limit, cut injection
# Can this also be supplemented by setting a max position for the wastegate control and, in the case of ETB, closing the throttle by say 20% over a second? This would have the effect of reducing the energy to the turbine and lowering the MAP pressure (vs the TIP pressure).
If the electronic throttle has a problem (TBD how to compute that), set a rev limit of ~1500-2500 rpm (TBD) and disable throttle control for all throttles
# As discussed and suggested before, throttle operation can be limited in case of deviation problems to a configurable threshold (say 30%), or in the event of signal loss a fixed position or pulse width equivalent to fast idle can be set.
If a fatal error occurs, disable injection, ignition, electronic throttle, and trigger input (kill the engine).
# This is a tricky one; in some cases this could be worse than the fatal error. For this to work out we need to be sure that in all cases of fatal error shutting the engine down is safer than allowing the driver to damage the engine. I am put in mind of the F3 incident where a power failure on a car led to a serious collision with a faster car on a corner exit.
Possible things to add in the future:
In case of a sensor failure, change fueling mode to a fallback that doesn't use that sensor
# Assuming this is the discussed TPS - VE transfer table. The difficulty comes with detecting the issue with the sensor: out of range is easy, but deviation is harder. Producing the VE table is also tricky; maybe this is something where a script could auto-generate it from a log?
In case of engine overheat, lower rev limit, do rolling cylinder cut, possibly cut engine?
# Rolling skip fire could be a good strategy for thermal limiting, proven to work well by Cadillac.
In case of low oil pressure, limit engine speed/throttle position?
# Limit throttle as it lowers pressure on the bearings; rpm may be needed in the case of a weak pump to keep the oil pressure up. However, there is not much we can do about that one; you're pretty SOL if it's anything more than a bad pressure sender.
-- If rpm rate of change is bad 5krpm to 0rpm in one rotation then cut fuel pump.
We sort of already do this; the pump is on when there was a trigger event in the last XX period of time. Maybe that period should be shorter than the 1 second that it currently is.
# Given there is some time to lose pressure from the rail, does this not present the possibility of a noisy trigger signal causing a lean-out and engine destruction? Thinking of the case where the pump ended up pulsing on and off.
There is also the issue of determining what the threshold for "bad" is: we either go so broad with the default that it's ineffective, or have the user set a limit, which could be a source of calibration issues.
What could be very useful is simply logging the events and turning a warning light on, as it helps show an aging sensor or a bracket that is just a little too far from the trigger wheel.
-- if unreasonable air temp then ???
# If high air temp then retard ignition and enrich target AFR.
-- if onstar then self destruct
# Agreed.
Yes, most of them should get a bit, but a few won't. For example, I'm not interested in letting you disable the ETB protections.
# Agreed, IMO we should be more aggressive with the requirement for dual signal.
The way I handle that in my setup is the feature is always on, but I simply set the "act if" point to a value that effectively disables it. The only thing I currently act on is low oil pressure, and I limit engine rpm and max throttle position (engine load is probably better), but to disable it I just set the min oil pressure to 0.
# That is more or less how the older systems are configured when hacking OEM ECUs; you just set them to a range where they no longer cause an intervention.
I have a malfunction light that has oil pressure, engine temp and fuel pressure at the moment, but will likely add more like lambda error and a few others.
# May I suggest a further intervention for hitting the duty cycle limit, and that is to lower the boost target by 50%. Also perhaps allow a minimum AFR while the boost target is above X, to prevent lean-outs; if that occurs, take the same steps as with duty cycle.
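To make the precedence between these protections concrete, here is an added example (my own sketch, not rusEFI code) that evaluates the rules discussed above in one pass: a fatal error overrides everything, the fuel pump only runs while a trigger event is recent, the ETB and oil-pressure rules each impose an rpm limit and the most restrictive one wins, and setting the oil threshold to 0 disables that rule as described in the post. The struct and field names, the 2000 rpm ETB limit, the 4000 rpm / 50% oil-pressure caps and the 3 degree / 0.5 AFR air-temp response are all assumed values for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed sensor snapshot and limits; names are this example's own, not rusEFI's. */
typedef struct {
    int rpm;
    float map_kpa, oil_kpa, iat_c;
    bool etb_fault, fatal_error;
    uint32_t last_trigger_ms;     /* time of the most recent trigger event */
} engine_state_t;

typedef struct {
    int rev_limit_rpm;            /* above this, cut ignition and injection */
    float boost_cut_kpa;          /* above this MAP, cut injection */
    float min_oil_kpa;            /* 0 disables the oil rule, the "set it to 0" trick from the post */
    float max_iat_c;              /* above this, retard ignition and enrich the target AFR */
    uint32_t pump_timeout_ms;     /* pump stays on while a trigger event is at least this recent */
} protection_config_t;

typedef struct {
    bool cut_ignition, cut_injection, disable_etb, disable_trigger, fuel_pump_on;
    int rpm_limit;                /* 0 = no limit imposed */
    int max_throttle_pct;         /* 100 = unrestricted */
    float ign_retard_deg, afr_offset;
} actions_t;

static void limit_rpm(actions_t *a, int rpm) {
    if (a->rpm_limit == 0 || rpm < a->rpm_limit) a->rpm_limit = rpm;  /* keep the most restrictive */
}

actions_t evaluate_protections(const engine_state_t *s, const protection_config_t *c, uint32_t now_ms) {
    actions_t a = { .fuel_pump_on = true, .max_throttle_pct = 100 };
    /* Pump only runs while the engine is demonstrably turning (trigger seen within the window). */
    a.fuel_pump_on = (now_ms - s->last_trigger_ms) <= c->pump_timeout_ms;
    if (s->fatal_error) {          /* kill everything; no later rule may soften this */
        a.cut_ignition = a.cut_injection = a.disable_etb = a.disable_trigger = true;
        a.fuel_pump_on = false;
        return a;
    }
    if (s->rpm > c->rev_limit_rpm) a.cut_ignition = a.cut_injection = true;
    if (s->map_kpa > c->boost_cut_kpa) a.cut_injection = true;
    /* Assumed 2000 rpm, inside the post's 1500-2500 range. */
    if (s->etb_fault) { a.disable_etb = true; limit_rpm(&a, 2000); }
    /* Assumed 4000 rpm and 50% throttle caps; threshold 0 means the rule is off. */
    if (c->min_oil_kpa > 0 && s->oil_kpa < c->min_oil_kpa) { limit_rpm(&a, 4000); a.max_throttle_pct = 50; }
    /* Assumed 3 degrees of retard and a 0.5 AFR richer target. */
    if (s->iat_c > c->max_iat_c) { a.ign_retard_deg = 3.0f; a.afr_offset = -0.5f; }
    return a;
}
```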