LCN Wafer Inspection

Appearance

Below is a principal-level explanation of Device Command & Execution Model, aligned to the project’s source of truth under Hardware Integration & Device Control and its focus on how software interacts with real devices, where many failures come from timeouts, unstable integrations, partial execution, and device contention.

PART 1 — WHAT A DEVICE COMMAND REALLY IS

In normal business software, a “command” often feels like a function call.

You call a method:

csharp
customerService.UpdateAddress(customerId, newAddress);

The code runs inside your process, on your machine, under your runtime, with your memory model, your exception model, and usually with predictable control over completion.

A device command is fundamentally different.

When industrial software sends a command to a camera, motion controller, PLC-connected subsystem, light controller, robot, or measurement instrument, it is not really “calling code.” It is requesting behavior from an external system that has its own processor, firmware, timing model, state machine, internal buffers, error conditions, and sometimes undocumented quirks.

So the real model is closer to this:

  • software issues intent
  • intent crosses a boundary
  • external device may or may not accept it
  • device may execute immediately, later, partially, or not at all
  • software may receive a result, an event, a timeout, or ambiguous silence

That difference changes everything.

A device command is therefore not just “do X.” It is more like:

“I am asking an external actor to perform X, under uncertain timing, with incomplete visibility, and I must track what happens next.”

That is why device command handling in industrial software is usually:

Asynchronous Because physical work takes time. Exposure, movement, settling, acquisition, processing, actuation, and controller arbitration all happen over time.

Time-dependent A command that succeeds in 20 ms during idle conditions may take 300 ms during heavy load, or 2 seconds during recovery, or never finish if the device is waiting on an internal condition.

Uncertain The device may be busy, disconnected, faulted, half-initialized, internally queued, or in a different state than software believes.

This is one of the first major mindset shifts for a .NET engineer entering industrial systems:

A device command is not a local instruction. It is a distributed interaction with physical consequences.

PART 2 — COMMAND LIFECYCLE

A strong machine system never treats commands as one-line actions. It treats them as tracked lifecycles.

A typical command lifecycle looks like this:

  1. command created
  2. command validated
  3. command sent
  4. command accepted or rejected
  5. execution begins
  6. execution progresses
  7. completion, failure, or timeout occurs
  8. final state is recorded

In real systems, some steps are visible and some are not.

For example:

  • some devices send an immediate ACK
  • some only respond when finished
  • some send progress/status events
  • some send nothing unless there is an error
  • some return “accepted” even though real execution starts later

So software must explicitly model lifecycle state instead of assuming “send == done.”

Sequence diagram

text
Client/Workflow        Command Manager        Device Adapter        Physical Device
      |                      |                     |                     |
      |  Create Command      |                     |                     |
      |--------------------->|                     |                     |
      |                      | Validate           |                     |
      |                      |------------------->|                     |
      |                      |<-------------------| Ready to send       |
      |                      |                     |                     |
      |                      | Send Command       |                     |
      |                      |------------------->| Write to device     |
      |                      |                     |-------------------->|
      |                      |                     |<--------------------|
      |                      |<-------------------| ACK / Accepted?     |
      |                      |                     |                     |
      |                      | Mark InProgress    |                     |
      |                      |                     |                     |
      |                      |                     |<--------------------|
      |                      |<-------------------| Completion / Error   |
      |<---------------------| Final Result       |                     |
      |                      |                     |                     |

Why explicit lifecycle tracking matters

Because without it, you cannot reliably answer basic production questions:

  • Was the command ever sent?
  • Did the device acknowledge it?
  • Is it still running?
  • Did it fail, or did we just stop hearing from the device?
  • Did the device finish but we lose the completion message?
  • Is it safe to retry?
  • Can another command be sent now?

Weak systems treat command execution as a boolean: success or failure. Real systems need a richer model:

  • Created
  • Queued
  • Sending
  • Sent
  • Acknowledged
  • InProgress
  • Succeeded
  • Failed
  • TimedOut
  • CancelRequested
  • Cancelled
  • UnknownOutcome

That last one, UnknownOutcome, is uncomfortable but very real. Good engineers make space for it.

PART 3 — SYNCHRONOUS VS ASYNCHRONOUS COMMANDS

At a superficial level, the difference looks simple.

Synchronous

text
send command -> wait -> get result

Asynchronous

text
send command -> continue doing other work -> later receive completion/event

But in industrial systems, the deeper difference is about control ownership and time separation.

Synchronous command style

Synchronous style is reasonable when:

  • the device operation is very short
  • the protocol truly provides request/response semantics
  • the caller can safely block for the duration
  • command rate is low
  • timing risk is small

Example:

  • read current temperature
  • get firmware version
  • read digital input bit
  • query device status register

These are often short request/response interactions.

Asynchronous command style

Most meaningful physical operations are effectively asynchronous, even if the API tries to hide that.

Examples:

  • move axis to position
  • capture image
  • auto-focus
  • start scan
  • home robot
  • trigger measurement
  • start dispense cycle
  • start vacuum sequence

These all take time. More importantly, they often depend on changing physical conditions.

So even if a vendor SDK exposes:

csharp
device.StartCapture();

the real semantics are often:

  • request submitted
  • internal queue accepts it
  • hardware arms trigger
  • exposure starts later
  • data transfer happens later
  • completion appears later
  • error may appear even later

That is asynchronous reality behind a synchronous-looking API.

Why blocking threads is dangerous

Blocking seems easy in prototypes. It becomes harmful in real systems.

Why?

1. You destroy responsiveness If UI thread, orchestration thread, or device manager thread blocks waiting for device completion, the rest of the system becomes sluggish or frozen.

2. You lose control over cancellation and supervision A blocked call is much harder to stop cleanly, supervise, or timebox consistently.

3. You create hidden dead time A blocked workflow cannot manage related events, fault signals, operator actions, or correlated timeouts.

4. You blur command state If the only state is “inside a waiting call,” you have weak visibility and weak recoverability.

So mature industrial systems usually separate:

  • command submission
  • device-level execution tracking
  • completion observation
  • workflow-level reaction

That separation is one of the foundations of reliability.

PART 4 — TIMEOUTS & RETRIES

Timeouts are not just technical safeguards. They are one of the primary ways software protects itself from physical uncertainty.

A device may fail to respond because:

  • cable disconnected
  • firmware hung
  • internal queue full
  • device busy
  • driver deadlocked
  • response lost
  • operation still running but slower than expected
  • wrong mode prevents execution
  • hardware fault prevents completion

So timeout handling must be deliberate.

A timeout does not always mean the same thing

This is a key architectural lesson.

A timeout may mean:

  • command was never received
  • command was received but not acknowledged
  • command was acknowledged but never executed
  • command is still executing
  • command completed but response was lost
  • device communication layer is broken
  • device thread is starved or blocked

That means timeout is not “just failure.” It is often evidence of uncertainty.

Timeline diagram

text
Time --------------------------------------------------------------->

Command Sent      ACK          Execution Starts         Completion
    |              |                  |                    |
    |--------------|------------------|--------------------|

Normal timeout window:
    [-------------------- allowed ----------------------]

Late response case:
    |--------------|------------------|--------------------------X
                                                           timeout fired
                                                                  \
                                                                   \ response arrives late

The software challenge is not merely “wait N seconds.” It is to decide what N means and what to do afterward.

Example: camera capture delayed

Suppose software sends CaptureFrame.

Possible realities:

  • camera is ready and captures immediately
  • camera is waiting for external trigger
  • acquisition engine is busy flushing previous frame
  • transport buffer is congested
  • camera exposure happened, but frame transfer is delayed
  • capture completed, but completion callback is delayed in host software

If you blindly retry on timeout, you may accidentally trigger a second capture while the first one is still in flight.

Now you have:

  • duplicated frames
  • unexpected ordering
  • state confusion
  • wrong image associated to wrong workflow step

Example: device busy and ignores command

Suppose a motion subsystem accepts MoveTo(X) only when idle. If software sends it while controller is internally busy:

  • some devices return “busy”
  • some queue it
  • some silently ignore it
  • some reject it only later
  • some accept command text but do nothing physically

If software does not model that behavior explicitly, reliability collapses.

Retry strategies

Retries can be useful, but only when the command semantics are understood.

Good retry candidates:

  • idempotent read commands
  • safe status polls
  • connection establishment operations
  • commands with explicit “not accepted” outcomes and no side effects

Dangerous retry candidates:

  • motion commands
  • trigger commands
  • dispense commands
  • “start process” commands
  • commands that may have already partially executed

Blind retry is dangerous because

You may convert a communication problem into a physical problem.

Example:

  • software sends “open valve”
  • response is lost
  • software retries
  • valve receives second open command
  • downstream system enters unexpected state

The architect’s job is to distinguish:

  • safe retry
  • retry only after verification
  • never retry automatically
  • retry only with operator intervention

That policy must be explicit, not left to accidental coding style.

PART 5 — MATCHING REQUESTS & RESPONSES

One of the hardest practical problems is simply this:

How do we know which response belongs to which command?

In business APIs, correlation is often easy because the transport or framework handles it. In industrial systems, correlation may be weak, manual, or fragile.

Common strategies:

1. Correlation ID / command ID

Software generates a unique ID and includes it in the command or in internal tracking.

Best when protocol supports it.

text
Command: CaptureFrame(Id=8421)
Response: CaptureComplete(Id=8421)

This is the cleanest model.

2. Sequence number

Commands are numbered in send order.

text
Cmd #105 -> response #105

Useful, but fragile if:

  • responses are delayed
  • device reboots
  • numbering resets
  • multiple channels exist
  • duplicates occur

3. Implicit ordering

Some devices rely on “the next response belongs to the last command.”

This is common in simple serial or older instrument-style protocols.

It works only if:

  • one outstanding command at a time
  • strict request/response discipline
  • no unsolicited events
  • no delayed responses from previous operations

Once those assumptions break, the model becomes dangerous.

Risks

Delayed responses

A response for command A arrives after software already timed it out and sent command B.

Now software may accidentally attach A’s response to B.

Duplicate responses

Some devices resend on communication ambiguity, or host-side event wiring duplicates delivery.

If software treats duplicate completion as fresh completion, workflow state may advance twice.

Out-of-order responses

This happens when:

  • multiple internal device pipelines exist
  • a fast status command completes before a slow action command
  • device emits asynchronous events independent of command order

So response matching logic must be designed, not improvised.

A mature system usually keeps a command registry like this conceptually:

text
Pending Commands
------------------------------------------------------------
CommandId   Type           SentAt       State        TimeoutAt
8421        CaptureFrame   10:00:01.1   InProgress   10:00:03.1
8422        ReadStatus     10:00:01.3   Sent         10:00:01.8
8423        MoveStage      10:00:01.5   Queued       10:00:06.5

And incoming responses are matched against that registry using the best available correlation rule.

PART 6 — PARTIAL EXECUTION & UNCERTAIN STATE

This is where industrial systems become much more serious than normal application systems.

A device command may fail in the middle.

That means the world after failure is not always one of these:

  • command not executed
  • command fully executed

Often it is:

  • command partly executed
  • device state unknown
  • software state stale
  • physical system somewhere in between

Example: command sent, device crashes mid-operation

Suppose you send:

text
Move arm to unload position

What if:

  • communication succeeds
  • controller begins motion
  • controller faults halfway
  • host never receives final event

What is the truth?

Not “success.” Not clean “failure.” The arm may be physically between positions, and software may not know whether motion has stopped, faulted, or coasted to a halt.

Example: command executed, response lost

Suppose a light controller receives:

text
Set intensity to 70%

The controller applies it, but the ACK is lost.

Software times out and concludes failure.

If software retries or rolls back without verifying actual device state, its internal model diverges from physical reality.

Why uncertainty must be handled explicitly

Because physical systems do not always preserve nice transactional guarantees.

Industrial software must sometimes switch from:

command-driven reasoning to state re-validation reasoning

Meaning:

  • stop assuming based on the send result
  • query actual device state
  • inspect independent sensors or status bits
  • reconcile software model with physical reality
  • decide next action from observed truth, not desired truth

This is a major difference between weak and strong machine software.

Weak software says:

“The command failed, so nothing happened.”

Strong software says:

“The outcome is uncertain; verify the actual state before proceeding.”

PART 7 — REAL-WORLD FAILURE SCENARIOS

These are the situations that cause real production pain.

1. Command accepted but never executed

What it looks like

  • host sends command
  • device returns ACK or success code
  • nothing physically happens
  • workflow waits until timeout

Why it happens

  • ACK only means “received,” not “executed”
  • device internal queue accepted command but later discarded it
  • execution precondition was false
  • device busy state changed after acceptance
  • firmware bug

How engineers diagnose it

  • compare transport log vs device state log
  • inspect whether ACK semantics mean receipt or execution
  • check device busy/fault/precondition status around command time
  • verify whether command queue depth or internal errors were present

This is one of the classic traps: confusing accepted with completed.

2. Response arrives too late

What it looks like

  • workflow times out at 2 seconds
  • recovery path begins
  • original completion event arrives at 2.5 seconds
  • system now has conflicting interpretations

Why it happens

  • device slower than expected under load
  • transport delay
  • callback scheduling delay in host process
  • internal controller queueing
  • timeout threshold too aggressive

How engineers diagnose it

  • examine timestamped logs from send, ACK, device status, completion
  • compare normal latency distribution vs failure cases
  • identify whether late completion is transport latency or real slow execution
  • check load conditions and system contention

Late response handling is critical. A command that timed out is not always gone. Sometimes it is just late.

3. Duplicate execution due to retry

What it looks like

  • timeout occurs
  • software retries
  • device executes both original and retry
  • machine moves twice, captures twice, dispenses twice, or opens twice

Why it happens

  • original command actually succeeded
  • only response path failed
  • command not idempotent
  • retry policy assumed timeout == no execution

How engineers diagnose it

  • correlate physical action count with command count
  • inspect whether both commands were physically received
  • compare device log and host retry log
  • reproduce under induced packet loss or delayed callback conditions

This is why retries must be tied to command semantics, not generic infrastructure habits.

4. Device executes previous command unexpectedly

What it looks like

  • software believes system is idle
  • a stale queued command executes after reconnect or buffer flush
  • machine performs an unexpected action

Why it happens

  • device retained buffered command
  • reconnect path did not reset controller state
  • old response/event replayed after session recovery
  • command channel not fully drained

How engineers diagnose it

  • inspect reconnect/reset sequence
  • verify controller buffer-clearing semantics
  • check whether session boundary is represented explicitly
  • see if stale command IDs from old session were still valid

Strong systems often use session tokens or epoch numbers to invalidate pre-recovery activity.

5. Race condition between commands

What it looks like

  • Stop issued while StartCapture or MoveTo is in progress
  • both commands partially take effect
  • final state becomes inconsistent
  • UI says stopped while device still active, or vice versa

Why it happens

  • command serialization rules unclear
  • multiple callers allowed to issue commands concurrently
  • state machine too weak
  • command completion and cancellation events cross each other

How engineers diagnose it

  • reconstruct exact timing sequence
  • inspect which thread or subsystem emitted each command
  • verify allowed command transitions
  • look for missing state guards or ownership rules

In machine systems, race conditions are not just “occasional weird bugs.” They can become unsafe or production-stopping behavior.

PART 8 — SOFTWARE DESIGN IMPLICATIONS

This topic has major architectural consequences.

1. Command handling must be explicit

Do not bury device commands in random service methods with ad hoc waits.

Bad:

csharp
await _camera.TriggerAsync();
await Task.Delay(100);
var image = await _camera.GetLastImageAsync();

This style often hides:

  • whether trigger was accepted
  • whether capture is still running
  • whether timeout is protocol-level or workflow-level
  • whether late completion is possible
  • whether retry is safe

Good systems explicitly represent command state and outcome.

Conceptually:

csharp
var command = CommandEnvelope.Create(DeviceCommand.CaptureFrame(...));
var ticket = await _commandBus.SendAsync(command, ct);

var result = await _commandTracker.WaitForCompletionAsync(ticket.Id, timeout, ct);

The important part is not the API shape. It is the fact that command lifecycle is first-class.

2. Separate command issuance from command supervision

A healthy design often separates:

  • caller / workflow
  • command manager
  • device adapter
  • response correlator
  • timeout supervisor
  • state reconciler

That prevents one layer from having to do everything.

3. Serialize where needed

Many device interfaces are not safe for arbitrary concurrency.

Sometimes the correct design is:

  • only one in-flight command per device
  • ordered command queue
  • explicit exclusion rules
  • state-based rejection of illegal commands

That is not a limitation of architecture maturity. Often it is respect for physical/device constraints.

4. Timeout policy must be per command type

Do not use one global timeout for all device calls.

Different commands have different latency profiles:

  • status read: tens of milliseconds
  • light change: small but not zero
  • image capture: variable
  • homing or calibration step: much longer

Timeout should reflect physical reality and device semantics.

5. Retry policy must be per command type

You want a decision table like this:

text
Command Type       Auto Retry?       Conditions
------------------------------------------------------------
ReadStatus         Yes               transient comm loss
SetParameter       Verify first      only if state not changed
CaptureFrame       Usually no        verify capture state first
MoveAxis           No                requires explicit recovery
ResetDevice        Controlled        limited attempts only

6. Idempotency is gold when possible

If you can design commands so repeating them is safe, reliability improves dramatically.

But in industrial systems, many commands are inherently non-idempotent:

  • move
  • start
  • trigger
  • dispense
  • pick/place
  • actuate

So when idempotency is impossible, tracking and reconciliation become even more important.

7. Unknown outcome must be represented

One of the worst design mistakes is forcing every result into:

  • success
  • failure

Real systems often need:

  • Success
  • Rejected
  • Failed
  • TimedOut
  • Cancelled
  • UnknownOutcome
  • RequiresStateVerification

This is much closer to production truth.

Good vs bad model

Bad

text
Caller -> Device API -> bool success/fail

Problems:

  • no lifecycle
  • no correlation
  • no late response handling
  • no ambiguity model
  • retry decisions made blindly
  • poor observability

Good

text
Caller
  |
  v
Command Manager
  |- validates allowed state
  |- assigns correlation id
  |- records lifecycle
  |- supervises timeout
  |- applies retry policy
  |- reconciles late/duplicate responses
  v
Device Adapter
  v
Physical Device

Diagram

text
+------------------+
| Workflow / HMI   |
+------------------+
          |
          v
+------------------+
| Command Manager  |
|------------------|
| Validate         |
| Track lifecycle  |
| Timeout control  |
| Retry policy     |
| Correlation      |
+------------------+
          |
          v
+------------------+
| Device Adapter   |
|------------------|
| Protocol call    |
| SDK invocation   |
| Response parsing |
+------------------+
          |
          v
+------------------+
| Physical Device  |
+------------------+

This structure is one of the practical patterns that makes hardware-heavy systems survivable over time.

PART 9 — INTERVIEW / REAL-WORLD TALKING POINTS

Here are strong ways to explain this topic in interviews or architecture discussions.

1. How to explain the device command model clearly

A good summary:

In industrial software, a device command is not just a method call. It is a request to an external system with its own timing, state, and failure modes. Because of that, command handling has to model lifecycle, timeouts, correlation, and uncertain outcomes explicitly.

That sentence is strong because it shows you understand the boundary problem.

2. Difference between sync and async command handling

A good explanation:

Synchronous handling assumes the caller can wait safely and that result timing is tightly coupled to the call. In real machine systems, many commands are physically asynchronous. The device may accept now, execute later, and complete through a later response or event. So we usually separate command submission from completion tracking rather than blocking threads and pretending the operation is local.

That shows system-level thinking, not just API preference.

3. Common mistakes engineers make

The most common ones:

  • treating device commands like local method calls
  • assuming ACK means execution completed
  • using a single timeout policy for everything
  • blindly retrying non-idempotent commands
  • not correlating responses explicitly
  • ignoring late responses after timeout
  • assuming timeout means nothing happened
  • allowing multiple callers to issue conflicting commands
  • not modeling unknown/partial outcome
  • weak logging that cannot reconstruct timing

These are exactly the kinds of mistakes that create race conditions and inconsistent states in production.

4. What strong engineers understand about reliability

Strong engineers understand that reliability is not just about catching exceptions.

It is about designing for these truths:

  • devices are external and imperfect
  • timing variability is normal
  • some failures create ambiguity, not clean failure
  • retries can be more dangerous than errors
  • software must reconcile with actual device state
  • observability must reconstruct the command story after the fact

A strong engineer also knows that the command model is a control boundary, not just a coding abstraction. If that boundary is weak, the whole machine becomes fragile.

FINAL MENTAL MODEL

The simplest correct mental model is this:

A device command is a tracked conversation with an external actor.

That conversation has:

  • intent
  • send time
  • acceptance rules
  • execution delay
  • completion or failure signals
  • timeout windows
  • ambiguity cases
  • recovery consequences

If you design device command handling like a local function call, you will get fragile systems.

If you design it like a time-aware, stateful, failure-prone interaction with physical consequences, you will build systems that behave much better in production.

A CONCISE INTERVIEW ANSWER

If someone asks, “What is important about device command execution in industrial software?”, a strong answer is:

The key is that device commands are external, asynchronous, and uncertain. You are not calling local code; you are interacting with hardware or firmware that may accept, delay, partially execute, or fail silently. So good industrial software explicitly tracks command lifecycle, correlates responses, handles timeouts carefully, retries only when semantics are safe, and treats uncertain outcomes as a real state that often requires re-validating actual device state before continuing.

If you want, I can continue with the next topic in the same style for 2.5 Initialization & Shutdown Sequencing or 2.11 Threading/Concurrency around device control.

Docs-first project memory for AI-assisted implementation.

LCN Wafer Inspection Prototype