Index: firmware/App/Controllers/ROPump.c
===================================================================
diff -u -rf2e1d5b6ec4faef967685db28cdba82b060e9e8d -r40de07bb0bdd986d1a33838f6444ff9c74aa79b9
--- firmware/App/Controllers/ROPump.c (.../ROPump.c) (revision f2e1d5b6ec4faef967685db28cdba82b060e9e8d)
+++ firmware/App/Controllers/ROPump.c (.../ROPump.c) (revision 40de07bb0bdd986d1a33838f6444ff9c74aa79b9)
@@ -27,6 +27,7 @@
 #include "PersistentAlarm.h"
 #include "Pressures.h"
 #include "ROPump.h"
+#include "SafetyShutdown.h"
 #include "SystemCommMessages.h"
 #include "TaskGeneral.h"
 #include "TaskPriority.h"
@@ -71,14 +72,15 @@ #define FLOW_SENSOR_ZERO_READING 0xFFFF ///< Flow sensor reading indicates zero flow (or flow lower than can be detected by sensor). #define MAX_ALLOWED_FLOW_DEVIATION 0.1 ///< Max allowed deviation from target flow. -#define FLOW_OUT_OF_RANGE_PERSISTENT_INTERVAL 5 * MS_PER_SECOND ///< Flow out of range time out in counts. +#define FLOW_OUT_OF_RANGE_PERSISTENT_INTERVAL ( 5 * MS_PER_SECOND ) ///< Flow out of range time out in counts. #define MAX_PRESSURE_TARGET_TOLERANCE 5 ///< Pressure tolerance from maximum set pressure by user in psi. #define MAX_ALLOWED_PRESSURE_PSI 130 ///< Maximum allowed pressure that the RO pump can go to. #define MIN_ALLOWED_PRESSURE_PSI 10 ///< Minimum allowed pressure that the RO pump can go to. #define MAX_ALLOWED_MEASURED_PRESSURE_PSI 135 ///< Maximum allowed pressure that the sensor measures. RO pump shut off pressure is 140psi. #define MAX_PRESSURE_OUT_OF_RANGE_PERSISTENT_INTERVAL MS_PER_SECOND ///< Maximum allowed time that the pressure can be very high. #define MAX_ALLOWED_RAMP_UP_TIME ( 5 * MS_PER_SECOND ) ///< Maximum allowed ramp up time to a flow rate in ms. #define ROP_PSI_TO_PWM_DC(p) ( 0.2 + ( (F32)((p) - 100) * 0.01 ) ) ///< conversion factor from target PSI to PWM duty cycle estimate. +#define SAFETY_SHUTDOWN_TIMEOUT_COUNT ( MS_PER_SECOND / TASK_PRIORITY_INTERVAL ) ///< RO pump safety shutdown activation timeout in counts. /// Enumeration of RO pump states. typedef enum ROPump_States @@ -131,6 +133,7 @@ static S32 measuredFlowReadingsSum = 0; ///< Raw flow reading sums for averaging. static U32 flowFilterCounter = 0; ///< Flow filtering counter. +static U32 safetyShutdownTimeoutCounter = 0; ///< Timeout counter to activate safety shutdown. // ********** private function prototypes ********** 
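Review bot: `SAFETY_SHUTDOWN_TIMEOUT_COUNT` is derived from `TASK_PRIORITY_INTERVAL`, but nothing in this diff shows which task calls the function that increments `safetyShutdownTimeoutCounter`, and the file includes both `TaskGeneral.h` and `TaskPriority.h`. If that function runs at a different task rate, the intended one-second window is scaled by the ratio of the two intervals, so the shutdown would trip earlier or later than designed. The integer division also truncates if the interval does not divide `MS_PER_SECOND` evenly. I would state the time base in the macro's comment, for example `///< RO pump safety shutdown activation timeout (1 s) in priority-task counts.`, after confirming the caller, or derive the count from the interval of the task that actually runs the check.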
@@ -195,6 +198,7 @@ roPumpState = RO_PUMP_OFF_STATE; roPumpControlMode = NUM_OF_PUMP_CONTROL_MODES; roPumpControlModeSet = roPumpControlMode; + safetyShutdownTimeoutCounter = 0; } /*********************************************************************//** @@ -331,6 +335,17 @@ } } + // If the pump is off and PPi + 5psi < PPo for a certain period of time, activate safety shutdown + if ( FALSE == isROPumpOn && ( getMeasuredDGPressure( PRESSURE_SENSOR_RO_PUMP_INLET ) + MAX_PRESSURE_TARGET_TOLERANCE < actualPressure ) ) + { + // Check if it has timed out + if ( ++safetyShutdownTimeoutCounter > SAFETY_SHUTDOWN_TIMEOUT_COUNT ) + { + activateSafetyShutdown(); + safetyShutdownTimeoutCounter = 0; + } + } + // Publish RO pump data on interval publishROPumpData(); }
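Review bot: `safetyShutdownTimeoutCounter` is only incremented while the condition holds and cleared after a trip; the outer `if` in the `-331,6 +335,17` hunk has no `else` that clears it when the pump is on or the outlet pressure falls back, so it counts accumulated ticks rather than the continuous period the comment describes. Isolated noisy pressure samples spread over a long run could eventually exceed `SAFETY_SHUTDOWN_TIMEOUT_COUNT` and call `activateSafetyShutdown()` although the condition never persisted. Adding `else { safetyShutdownTimeoutCounter = 0; }` to the outer `if` turns the timeout into a real persistence requirement. The 5 psi margin also reuses `MAX_PRESSURE_TARGET_TOLERANCE`, which is documented as the tolerance from the user-set maximum pressure; a dedicated constant would keep the two thresholds from changing together by accident. The enclosing function starts outside the hunk.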