Index: firmware/App/Services/WatchdogMgmt.c
===================================================================
diff -u -r48e631c97a8d1c3ed420e138ee0fbf991ad4e71e -r5f1eb7d49fc2965ea93ca8028ed1b749a5f44e6d
--- firmware/App/Services/WatchdogMgmt.c (.../WatchdogMgmt.c) (revision 48e631c97a8d1c3ed420e138ee0fbf991ad4e71e)
+++ firmware/App/Services/WatchdogMgmt.c (.../WatchdogMgmt.c) (revision 5f1eb7d49fc2965ea93ca8028ed1b749a5f44e6d)
@@ -17,7 +17,8 @@
 #include "CPLD.h"
 #include "InternalADC.h"
-#include "OperationModes.h"
+#include "OperationModes.h"
+#include "SafetyShutdown.h"
 #include "SystemCommMessages.h"
 #include "Timers.h"
 #include "WatchdogMgmt.h"
@@ -38,6 +39,8 @@
 #define MAX_ISOLATED_24V_LEVEL_ON_WD_EXPIRED 22.6F ///< Maximum voltage on isolated 24V line when watchdog is expired. 10% of 24V.
 #define MIN_24V_LEVEL_ON_WATCHDOG_RECOVER 22.6F ///< Minimum voltage on 24V line when watchdog is recovered.
+#define MAX_SAFETY_SHUTDOWN_MISMATCH_MS 100 ///< Maximum time (in ms) that safety shutdown cmd vs. feedback can be mismatched.
+
 /// List of watchdog states.
 typedef enum Button_Self_Test_States
 {
@@ -55,6 +58,7 @@
 static WATCHDOG_SELF_TEST_STATE_T watchdogSelfTestState; ///< Watchdog self-test current state.
 static SELF_TEST_STATUS_T watchdogSelfTestStatus; ///< Watchdog self-test status.
 static U32 watchdogSelfTestTimerCount; ///< Watchdog self-test timer count.
+static U32 safetyShutdownFeedbackMismatchTS; ///< Persistence timestamp for safety shutdown cmd vs. feedback mismatch.
 // ********** private function prototypes **********
@@ -78,6 +82,7 @@
 watchdogSelfTestState = WATCHDOG_SELF_TEST_STATE_START;
 watchdogSelfTestStatus = SELF_TEST_STATUS_IN_PROGRESS;
 watchdogSelfTestTimerCount = 0;
+ safetyShutdownFeedbackMismatchTS = getMSTimerCount();
 // initialize task check-ins to false
 for ( i = 0; i < NUM_OF_TASKS; i++ )
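Review bot: `MAX_SAFETY_SHUTDOWN_MISMATCH_MS` in the `@@ -38,6 +39,8 @@` hunk bounds how long a commanded safety shutdown may go unconfirmed by the feedback line, yet its comment gives no basis for the value 100. The comparison that uses it runs in `execWatchdogMgmt()`, which by its own comment is called from the background task, so the effective tolerance is presumably this value rounded up to that task's call interval, which is not visible here. I would extend the comment to record that, e.g. `///< Maximum time (in ms) that safety shutdown cmd vs. feedback can be mismatched; must cover the feedback line's settling time and is only as fine as the background task period.`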
@@ -98,7 +103,9 @@
 *************************************************************************/
 void execWatchdogMgmt( void )
 {
- BOOL allTasksCheckedIn;
+ BOOL allTasksCheckedIn;
+ PIN_SIGNAL_STATE_T safetyShutdownFeedbackSignal = getCPLDWatchdogExpired();
+ PIN_SIGNAL_STATE_T safetyShutdownSoftwareCmd = ( TRUE == isSafetyShutdownActivated() ? PIN_SIGNAL_LOW : PIN_SIGNAL_HIGH );
 // called by background task, so give bg task credit for checking in
 checkInWithWatchdogMgmt( TASK_BG );
@@ -113,20 +120,23 @@
 resetWDTaskCheckIns();
 }
- // check to see if watchdog has expired
- if ( PIN_SIGNAL_LOW == getCPLDWatchdogExpired() )
- {
- // ignore expired watchdog until after watchdog POST
- if ( getCurrentOperationMode() != DG_MODE_INIT )
+ // Check to see if watchdog has expired or safety shutdown feedback does not match s/w command (only after POST completed)
+ if ( ( safetyShutdownSoftwareCmd != safetyShutdownFeedbackSignal ) && ( getCurrentOperationMode() != MODE_INIT ) )
+ {
+ if ( ( PIN_SIGNAL_LOW == safetyShutdownFeedbackSignal ) || ( TRUE == didTimeout( safetyShutdownFeedbackMismatchTS, MAX_SAFETY_SHUTDOWN_MISMATCH_MS ) ) )
 {
 /* DEBUG WARNING
 * It may be necessary to comment out the following
 * line to prevent the alarm from occurring while
 * debugging.
- */
- activateAlarmNoData( ALARM_ID_DG_WATCHDOG_EXPIRED );
- }
- }
+ */
+ activateAlarmNoData( ALARM_ID_HD_WATCHDOG_EXPIRED );
+ }
+ }
+ else
+ {
+ safetyShutdownFeedbackMismatchTS = getMSTimerCount();
+ }
 }
 /*********************************************************************//**
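Review bot: The initializer of `safetyShutdownSoftwareCmd` in the `@@ -98,7 +103,9 @@` hunk encodes the line's polarity (shutdown activated maps to `PIN_SIGNAL_LOW`) without saying so, and the later comparison against `getCPLDWatchdogExpired()` is only correct if both use the same convention. I would add a comment above the two declarations such as `// Safety shutdown line is active low: LOW = shutdown commanded / watchdog expired, HIGH = normal operation.` Parenthesising the test also makes the ternary easier to audit: `( ( TRUE == isSafetyShutdownActivated() ) ? PIN_SIGNAL_LOW : PIN_SIGNAL_HIGH )`. The body of `execWatchdogMgmt()` continues outside this hunk.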
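Review bot: In the `@@ -113,20 +120,23 @@` hunk the alarm raised becomes `ALARM_ID_HD_WATCHDOG_EXPIRED` where this file previously raised `ALARM_ID_DG_WATCHDOG_EXPIRED` (and `DG_MODE_INIT` becomes `MODE_INIT`); if this is still the DG build, as the removed identifiers suggest, the HD alarm ID looks carried over from another code base and should be confirmed before merge. The same alarm now also fires for the opposite fault, shutdown commanded but feedback still HIGH after `MAX_SAFETY_SHUTDOWN_MISMATCH_MS`, which is a failure of the shutdown path rather than a watchdog expiry, so a separate alarm ID or alarm data would keep the two distinguishable in service logs. At minimum I would document the two branches above the inner `if`, e.g. `// LOW feedback with no s/w command = watchdog expired (alarm at once); HIGH feedback with shutdown commanded = shutdown path fault (alarm after persistence).` The retained DEBUG WARNING comment invites commenting out the alarm call by hand, which a build-time debug switch would make harder to ship by accident.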