Control systems typically require redundancy or fail-safe mechanisms of some kind. In the event of the unexpected failure of some component of the system, the fail-safe mechanism will take over and place the system into a known safe state. The digital I/O watchdogs on the new NI industrial digital products provide a method for detecting system errors and recovering from them safely. Note that the NI-DAQmx Watchdog feature is meant to protect a system from software errors and hangs. In the case of a PXI system with remote control via MXI, a lost MXI connection could result in unexpected Watchdog behavior and therefore improperly implemented Watchdog states.
Bubble gum is cut and packaged at a candy factory. A blade slices the gum into pieces, and a conveyer moves the pieces into a packaging machine. Both the blade and the conveyer are controller by digital output lines. If the control application hangs, the conveyer would ideally stop moving and the blade would be moved away from the gum. Otherwise, machinery could be damaged, and gum could be needlessly wasted. Digital I/O watchdogs provide a way to set the outputs of a digital device to known safe states in the event of a system fault or failure. The digital device constantly receives confirmation that the computer is still functioning properly. If this confirmation is not received within a programmable timeout, the safe states are written to the outputs. Figure 7 below shows the flow of information during normal operation.
Figure 7. Watchdog Timer Flowchart Showing Separate Hardware and Software Levels
Once the watchdog is configured and started, the software application must continuously reset the timer to avoid expiration. This task is done with the NI-DAQmx Control Watchdog Task VI as shown in Figure 8. This reset serves as the confirmation discussed above.
Figure 8. Configuring and Resetting Watchdog Timer
In the continued flow chart in Figure 9, if a fault occurs (such as the computer hanging), the hardware will continue to count down until the timeout expires. At this time, the predefined safe states are written to the outputs, and all future writes are ignored.
Figure 9. Flowchart Showing Watchdog Timer Expiration
In order for the device to become responsive to hardware commands again, the expiration must be cleared, again using the NI-DAQmx Control Watchdog Task VI as in Figure 10.
Figure 10. Clearing the Expiration
Digital I/O watchdogs protect against various types of failures, including application hangs, computer hangs, and overall system crashes. Important to note from the above description is that once configured, the watchdog does not rely on software to output the safe states. Software is required only to reset the timer.