Index: firmware/App/Drivers/SafetyShutdown.c =================================================================== diff -u -r4d7d40a27130dc813d653f044cbb856b1b7d8481 -r53f4c6476728fdbfc76147062e66e8bb21d30841 --- firmware/App/Drivers/SafetyShutdown.c (.../SafetyShutdown.c) (revision 4d7d40a27130dc813d653f044cbb856b1b7d8481) +++ firmware/App/Drivers/SafetyShutdown.c (.../SafetyShutdown.c) (revision 53f4c6476728fdbfc76147062e66e8bb21d30841) @@ -17,8 +17,10 @@ #include "mibspi.h" +#include "InternalADC.h" #include "SystemCommMessages.h" #include "SafetyShutdown.h" +#include "Timers.h" /** * @addtogroup SafetyShutdown 
@@ -31,10 +33,30 @@ #define SET_SAFETY_SHUTDOWN() {mibspiREG1->PC3 |= SAFETY_SPI1_PORT_MASK;} ///< Set safety shutdown GPIO macro. #define CLR_SAFETY_SHUTDOWN() {mibspiREG1->PC3 &= ~SAFETY_SPI1_PORT_MASK;} ///< Clear safety shutdown GPIO macro. -// ********** private definitions ********** +#define SAFETY_SHUTDOWN_POST_TIMEOUT_MS 500 ///< Safety shutdown POST test timeout (in ms). +#define SAFETY_SHUTDOWN_RECOVERY_TIME_MS 500 ///< After safety shutdown POST test, wait this long (in ms) to recover before moving on. + +#define MAX_24V_LEVEL_ON_SAFETY_SHUTDOWN 5.0 ///< Maximum voltage on 24V line when safety shutdown asserted. +#define MIN_24V_LEVEL_ON_SAFETY_RECOVER 22.6 ///< Minimum voltage on 24V line when safety shutdown is recovered. + +/// Enumeration of safety shutdown self-test states. +typedef enum Safety_Shutdown_Self_Test_States +{ + SAFETY_SHUTDOWN_SELF_TEST_STATE_START = 0, ///< Safety shutdown self-test start state + SAFETY_SHUTDOWN_SELF_TEST_STATE_IN_PROGRESS, ///< Safety shutdown self-test in progress state + SAFETY_SHUTDOWN_SELF_TEST_STATE_RECOVER, ///< Safety shutdown self-test recovery state + SAFETY_SHUTDOWN_SELF_TEST_STATE_COMPLETE, ///< Safety shutdown self-test completed state + NUM_OF_SAFETY_SHUTDOWN_SELF_TEST_STATES ///< Number of safety shutdown self-test states +} SAFETY_SHUTDOWN_SELF_TEST_STATE_T; + +// ********** private data ********** -static BOOL safetyShutdownActivated = FALSE; ///< Status of safety shutdown signal. -static BOOL safetyShutdownOverrideResetState = FALSE; ///< Natural status of safety shutdown signal. Used to restore state on override reset. +static BOOL safetyShutdownActivated; ///< Status of safety shutdown signal. +static BOOL safetyShutdownOverrideResetState; ///< Natural status of safety shutdown signal. Used to restore state on override reset. +/// Current safety shutdown self-test state. 
+static SAFETY_SHUTDOWN_SELF_TEST_STATE_T safetyShutdownSelfTestState; +static SELF_TEST_STATUS_T safetyShutdownSelfTestStatus; ///< Safety shutdown self-test preliminary status. +static U32 safetyShutdownSelfTestTimerCount; ///< Safety shutdown self-test state timer counter. /*********************************************************************//** * @brief @@ -45,6 +67,11 @@ *************************************************************************/ void initSafetyShutdown( void ) { + safetyShutdownActivated = FALSE; + safetyShutdownOverrideResetState = FALSE; + safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_START; + safetyShutdownSelfTestStatus = SELF_TEST_STATUS_IN_PROGRESS; + safetyShutdownSelfTestTimerCount = 0; CLR_SAFETY_SHUTDOWN(); } 
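Review bot: `MAX_24V_LEVEL_ON_SAFETY_SHUTDOWN` and `MIN_24V_LEVEL_ON_SAFETY_RECOVER` are unsuffixed double literals, yet in the .c hunk below they are compared against the `F32` returned by getIntADCVoltageConverted(), so each comparison is promoted to double; if F32 is single-precision as its name suggests, `5.0f` and `22.6f` keep the comparison in one type (MISRA essential-type style) and avoid a software double compare on a core without double hardware. The limits themselves carry no provenance; I would extend the Doxygen text to say where they come from, e.g. `///< Maximum voltage on 24V line when safety shutdown asserted (limit per <spec/requirement id>).`, since a too-generous 5.0 V ceiling would let a partially-failed shutdown path pass POST. Moving the initial values of the statics into initSafetyShutdown() is fine, but note that any caller that reads them before init now sees whatever .bss holds rather than the old explicit FALSE.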
@@ -73,6 +100,80 @@ return safetyShutdownActivated; } +/*********************************************************************//** + * @brief + * The execSafetyShutdownTest function executes the safety shutdown test. + * This function should be called periodically until a pass or fail + * result is returned. + * @details Inputs: safetyShutdownSelfTestState + * @details Outputs: safetyShutdownSelfTestState + * @return in progress, passed, or failed + *************************************************************************/ +SELF_TEST_STATUS_T execSafetyShutdownTest( void ) +{ + SELF_TEST_STATUS_T result = SELF_TEST_STATUS_IN_PROGRESS; + + switch ( safetyShutdownSelfTestState ) + { + case SAFETY_SHUTDOWN_SELF_TEST_STATE_START: + safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_IN_PROGRESS; + safetyShutdownSelfTestTimerCount = getMSTimerCount(); + activateSafetyShutdown(); + break; + + case SAFETY_SHUTDOWN_SELF_TEST_STATE_IN_PROGRESS: + if ( TRUE == didTimeout( safetyShutdownSelfTestTimerCount, SAFETY_SHUTDOWN_POST_TIMEOUT_MS ) ) + { + F32 v24 = getIntADCVoltageConverted( INT_ADC_PRIMARY_HEATER_24_VOLTS ); + + // Verify 24V is down when w.d. expired + if ( v24 > MAX_24V_LEVEL_ON_SAFETY_SHUTDOWN ) + { + SET_ALARM_WITH_2_F32_DATA( ALARM_ID_DG_SAFETY_SHUTDOWN_POST_TEST_FAILED, 1.0, v24 ); + safetyShutdownSelfTestStatus = SELF_TEST_STATUS_FAILED; + } + safetyShutdownSelfTestTimerCount = getMSTimerCount(); + CLR_SAFETY_SHUTDOWN(); + safetyShutdownActivated = FALSE; + safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_RECOVER; + } + break; + + case SAFETY_SHUTDOWN_SELF_TEST_STATE_RECOVER: + if ( TRUE == didTimeout( safetyShutdownSelfTestTimerCount, SAFETY_SHUTDOWN_RECOVERY_TIME_MS ) ) + { + F32 v24 = getIntADCVoltageConverted( INT_ADC_PRIMARY_HEATER_24_VOLTS ); + + // Verify 24V is down when w.d. recovered +// if ( v24 < MIN_24V_LEVEL_ON_SAFETY_RECOVER ) // TODO - talk with systems why 24V does not recover fully. 
+// { +// SET_ALARM_WITH_2_F32_DATA( ALARM_ID_DG_SAFETY_SHUTDOWN_POST_TEST_FAILED, 2.0, v24 ); +// safetyShutdownSelfTestStatus = SELF_TEST_STATUS_FAILED; +// } +// else + { + safetyShutdownSelfTestStatus = SELF_TEST_STATUS_PASSED; + } + safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_COMPLETE; + result = safetyShutdownSelfTestStatus; + } + break; + + case SAFETY_SHUTDOWN_SELF_TEST_STATE_COMPLETE: + // If we get called in this state, assume we are doing self-test again + result = SELF_TEST_STATUS_IN_PROGRESS; + safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_START; + break; + + default: + result = SELF_TEST_STATUS_FAILED; + SET_ALARM_WITH_2_U32_DATA( ALARM_ID_DG_SOFTWARE_FAULT, SW_FAULT_ID_SAFETY_SHUTDOWN_INVALID_SELF_TEST_STATE, safetyShutdownSelfTestState ) + break; + } + + return result; +} + /*********************************************************************//** * @brief * The testSetSafetyShutdownOverride function overrides the HD safety shutdown. Index: firmware/App/Drivers/SafetyShutdown.h =================================================================== diff -u -r54f45c387430e440ab4607451fc84dea61f273f1 -r53f4c6476728fdbfc76147062e66e8bb21d30841 --- firmware/App/Drivers/SafetyShutdown.h (.../SafetyShutdown.h) (revision 54f45c387430e440ab4607451fc84dea61f273f1) +++ firmware/App/Drivers/SafetyShutdown.h (.../SafetyShutdown.h) (revision 53f4c6476728fdbfc76147062e66e8bb21d30841) 
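Review bot: In the RECOVER state `safetyShutdownSelfTestStatus = SELF_TEST_STATUS_PASSED` now runs unconditionally, because the `else` that guarded it belongs to the commented-out recovery check, so a failure recorded in the IN_PROGRESS state (24V still above `MAX_24V_LEVEL_ON_SAFETY_SHUTDOWN` after the line was asserted) is overwritten and the function returns PASSED for a shutdown path that demonstrably did not drop the rail; only the alarm survives. The PASSED assignment should be conditional on the status still being IN_PROGRESS, and the COMPLETE-state restart should clear the status the way initSafetyShutdown() does, otherwise a stale result carries into the next run. Two smaller points: the comment `// Verify 24V is down when w.d. recovered` should say the rail is expected back up, and the `SET_ALARM_WITH_2_U32_DATA( ... )` in the default case has no trailing `;` unlike the F32 variant earlier in the hunk, which only compiles if that macro expands to a complete statement. Rewritten RECOVER and COMPLETE cases below; the disabled recovery check is left as a visible TODO rather than silently passing.
```c
        // … unchanged: START and IN_PROGRESS cases …

        case SAFETY_SHUTDOWN_SELF_TEST_STATE_RECOVER:
            if ( TRUE == didTimeout( safetyShutdownSelfTestTimerCount, SAFETY_SHUTDOWN_RECOVERY_TIME_MS ) )
            {
                F32 v24 = getIntADCVoltageConverted( INT_ADC_PRIMARY_HEATER_24_VOLTS );

                // Verify 24V is back up now that the shutdown line has been released.
                // TODO - recovery check (v24 < MIN_24V_LEVEL_ON_SAFETY_RECOVER -> fail, reason 2.0)
                //        disabled until systems explains why 24V does not recover fully.
                (void)v24;

                // Only promote to PASSED if the assert-phase check did not already fail.
                if ( SELF_TEST_STATUS_IN_PROGRESS == safetyShutdownSelfTestStatus )
                {
                    safetyShutdownSelfTestStatus = SELF_TEST_STATUS_PASSED;
                }
                safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_COMPLETE;
                result = safetyShutdownSelfTestStatus;
            }
            break;

        case SAFETY_SHUTDOWN_SELF_TEST_STATE_COMPLETE:
            // Re-entry after completion starts a fresh test; discard the previous result.
            result = SELF_TEST_STATUS_IN_PROGRESS;
            safetyShutdownSelfTestStatus = SELF_TEST_STATUS_IN_PROGRESS;
            safetyShutdownSelfTestState = SAFETY_SHUTDOWN_SELF_TEST_STATE_START;
            break;

        default:
            result = SELF_TEST_STATUS_FAILED;
            SET_ALARM_WITH_2_U32_DATA( ALARM_ID_DG_SOFTWARE_FAULT, SW_FAULT_ID_SAFETY_SHUTDOWN_INVALID_SELF_TEST_STATE, safetyShutdownSelfTestState );
            break;
```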
@@ -33,6 +33,7 @@ void initSafetyShutdown( void ); void activateSafetyShutdown( void ); BOOL isSafetyShutdownActivated( void ); +SELF_TEST_STATUS_T execSafetyShutdownTest( void ); BOOL testSetSafetyShutdownOverride( U32 value ); BOOL testResetSafetyShutdownOverride( void ); Index: firmware/App/Modes/ModeInitPOST.c =================================================================== diff -u -r1a5efe97f5f39594b45797fded52cafce92afe80 -r53f4c6476728fdbfc76147062e66e8bb21d30841 --- firmware/App/Modes/ModeInitPOST.c (.../ModeInitPOST.c) (revision 1a5efe97f5f39594b45797fded52cafce92afe80) +++ firmware/App/Modes/ModeInitPOST.c (.../ModeInitPOST.c) (revision 53f4c6476728fdbfc76147062e66e8bb21d30841) @@ -26,6 +26,7 @@ #include "OperationModes.h" #include "Pressures.h" #include "RTC.h" +#include "SafetyShutdown.h" #include "SystemCommMessages.h" #include "TemperatureSensors.h" #include "Thermistors.h" @@ -175,6 +176,11 @@ postState = handlePOSTStatus( testStatus ); break; + case DG_POST_STATE_SAFETY_SHUTDOWN: + testStatus = execSafetyShutdownTest(); + postState = handlePOSTStatus( testStatus ); + break; + // Should be last POST (and last POST test must be a test that completes in a single call) case DG_POST_STATE_LOAD_CELL: testStatus = execLoadCellsSelfTest(); Index: firmware/App/Services/AlarmMgmt.h =================================================================== diff -u -r1a5efe97f5f39594b45797fded52cafce92afe80 -r53f4c6476728fdbfc76147062e66e8bb21d30841 --- firmware/App/Services/AlarmMgmt.h (.../AlarmMgmt.h) (revision 1a5efe97f5f39594b45797fded52cafce92afe80) +++ firmware/App/Services/AlarmMgmt.h (.../AlarmMgmt.h) (revision 53f4c6476728fdbfc76147062e66e8bb21d30841) @@ -166,6 +166,7 @@ SW_FAULT_ID_INVALID_MONITORED_VOLTAGE_ID, // 85 SW_FAULT_ID_INVALID_LOAD_CELL_ID, SW_FAULT_ID_DG_CHEM_DISINFECT_INVALID_EXEC_STATE, + SW_FAULT_ID_SAFETY_SHUTDOWN_INVALID_SELF_TEST_STATE, NUM_OF_SW_FAULT_IDS } SW_FAULT_ID_T;
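Review bot: The new `DG_POST_STATE_SAFETY_SHUTDOWN` case in ModeInitPOST.c carries no comment, unlike the LOAD_CELL case after it, and it is a multi-call, time-based step: execSafetyShutdownTest() holds the shutdown line for SAFETY_SHUTDOWN_POST_TIMEOUT_MS and then waits SAFETY_SHUTDOWN_RECOVERY_TIME_MS, about a second in total, with the 24V rail pulled down for the first half. I would add `// Asserts the safety shutdown line, verifies 24V drops, then releases it; multi-call, ~1 s, 24V is down during the first half.` above the case so that anyone reordering POST steps, or adding a test after it that depends on 24V having settled, sees the constraint. Whether handlePOSTStatus() advances only on PASSED/FAILED and whether the POST state enum gained the new value are not visible in this diff. The switch and its enclosing function extend outside the hunk.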