Watchdog Picaxe as Fail-Safe?

Andrei IRL

Senior Member
Hi everyone.

I am designing a controller for which it is important to stay within programmed parameters.

The Controlling Picaxe (CP) will be sending a high signal on one of the pins for a length of 100ms (the time will be adjustable between 40ms and 120ms in the final code) at a time when two buttons are pressed.

It is important that the signal does not significantly exceed the 100ms time (staying high) and goes low after.

To do this I was thinking to use a second Watch Dog PICAXE (WDP) as a watch dog with the controlling one.

Here are the ideas I have so far:
1. Use WDP to supply power to the CP using a PNP transistor.
2. Use WDP to monitor the HIGH signal and if it is more than 100ms cut the power to the PNP transistor and light up a RED LED.
3. Use some sort of pulsing signal within the Main Routine in CP and use WDP to monitor this signal; if the signal is not received then cut power to the PNP and light the RED LED.

-I am not sure what else would be a good practice for a watchdog set up.
-Are there any additional hardware functions that can be used to monitor the Controlling PICAXE?
-Would it be more beneficial using i2c set up and have?

Basically I would like to build in as much Fail-Safe as possible; in the event the Controlling PICAXE fails for any reason I would like to cut the power to it.

All suggestions are welcome.

Thanks very much.
 

hippy

Technical Support
Staff member
Why do you need a watchdog ? What is the danger if the watchdog doesn't turn off the power to the PICAXE ?

I am not necessarily against having a watchdog but what makes you think the PICAXE would fail, or that an output signal would be longer than it should be ?

For monitoring if a CP is still alive it can toggle an output every so often. The WDP can then check that it has toggled that signal within a certain period of the last toggling. The code below is an example which runs in the simulator. Every time the code hits the "PAUSE 5000" toggle the C.3 pin. If you don't ( in the real world, have not toggled the signal within 5 seconds of the last ) the "FAILED" state will occur.

Code:
#Picaxe 08M2

Symbol hadIrq = b1            ; set by the interrupt handler, cleared by the main loop

Gosub Interrupt_Enable        ; arm the first interrupt on the current level of C.3
Do
  hadIrq = 0
  Pause 5000                  ; an interrupt cuts this PAUSE short
Loop Until hadIrq = 0         ; keep going while each toggle arrived within 5 s
Do
  SerTxd( "FAILED " )         ; no toggle within 5 s of the last one: fault state
Loop

Interrupt:
  hadIrq = 1                  ; flag the toggle, then fall through to re-arm

Interrupt_Enable: ;  543210
  b0 = pinC.3 ^ 1 * %001000   ; invert the current C.3 level and move it to bit 3
  SetInt b0,        %001000   ; interrupt when C.3 becomes the opposite level
  Return
For a watchdog system I would probably use two PICAXE chips. One monitoring the toggling signal, another monitoring the pulse length. Wire-Or/Wire-And the power control so the power can be killed by either.

You could also have the CP watched by the Pulse-WDP, the CP and Pulse-WDP watched by the Toggle-watching-WDP, so if the Pulse-WDP fails that will also shut the system down. And maybe a third WDP watching that in case it fails.
 

Andrei IRL

Senior Member
Thanks very much.

I am working on an automotive system which has the ability to control the throttle, hippy.

So safety would be my main concern, which is the reason why I want to have as many fail-safes as possible.

Thanks very much for the code and ideas.

Your input is always Much appreciated.
 

Andrei IRL

Senior Member
hippy.

Your code looks to be working very well.

Would you mind explaining the code to me if you get a minute please.

I get the idea and the whole picture but not individual lines.

Thanks very much in advance.
 

Dartmoor

Member
IMHO the 2 input buttons are the main concern if you are worried about safety?
They should be wired separately to individual picaxe pins and tested that they were both released before being pressed?
Even better is to make one pressed & released before the other is pressed but that is unlikely to be possible in your system? (I guess you need to keep pressing the buttons to accelerate?).

No harm in using the watchdog but I feel proving the operation of the inputs is more important than checking that the Picaxe is functioning correctly. You are obviously considering this by the use of 2 buttons.
 

Andrei IRL

Senior Member
Thanks for your input.

You are correct.

When two buttons are pressed together the controller will operate the fly-by-wire system to bring the rpm up for a pre-set duration of time.

The safety has to be built around this to make sure that in the event of a malfunction the picaxe will fail in such a way that would not affect the fly-by-wire system.
 

hippy

Technical Support
Staff member
I am working on an automotive system which has the ability to control throttle
We would not recommend the use of a PICAXE in any safety critical application which an automotive system is.

Modifying an automotive system which is used on public roads is extremely unwise and may be illegal or render any insurance invalid.

Would you mind explaining the code to me if you'll get a minute please.
The basic concept is an interrupt handler which is set to interrupt when the signal level on pin C.3 changes to the opposite of what it currently is. Whenever an interrupt occurs the 'hadIrq' flag is set.

The main loop then clears the flag and waits 5 seconds. If an interrupt occurs the PAUSE will be terminated early and the 'hadIrq' flag will be set. If so, an interrupt occurred within 5 seconds of the last and we repeat to check the next does also.

If no interrupt occurs, the PAUSE will complete but 'hadIrq' will not have been set, which represents a fault condition.

Unfortunately this does not detect nor prevent all failure modes so would need to be modified to detect other failure modes, such as the CP crashing and toggling the signal line far more often than it should, or the monitoring signal wire becoming open circuit.

One would need to undertake a complete failure mode analysis to determine what all possible fault conditions could be and ensure a watchdog can detect and protect against those.
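The scheme hippy outlines (a toggle watchdog plus a pulse-length monitor, wire-ANDed into the power control) and the failure modes he lists, as an added Python model that is not part of the thread: both monitors run over constructed edge timelines, and the heartbeat check is made windowed so that toggling too often is caught as well as toggling too late. MIN_GAP_MS is an assumed value; the 5 s and 120 ms limits come from the posts.

```python
# Added example (not PICAXE code from the thread): an offline model of the two
# monitors hippy describes, run over constructed edge timelines in milliseconds.
# Monitor 1 is a *windowed* version of the toggle watchdog: a toggle must arrive
# no sooner than MIN_GAP and no later than MAX_GAP after the previous one, which
# also catches a crashed CP hammering the line and an open-circuit (silent) wire.
# Monitor 2 limits how long the output pulse may stay high.
MIN_GAP_MS = 500     # assumed lower bound on toggle spacing (not from the thread)
MAX_GAP_MS = 5000    # hippy's 5 s PAUSE window
MAX_HIGH_MS = 120    # top of the 40..120 ms range in the first post


def check_heartbeat(toggles_ms, min_gap=MIN_GAP_MS, max_gap=MAX_GAP_MS, end_ms=0):
    """toggles_ms: sorted toggle times; the monitor starts at t=0 and has
    observed the line up to end_ms. Returns (ok, reason)."""
    last = 0
    for t in toggles_ms:
        gap = t - last
        if gap < min_gap:
            return False, f"toggle too early at {t}ms (gap {gap}ms)"
        if gap > max_gap:
            return False, f"toggle late at {t}ms (gap {gap}ms)"
        last = t
    if end_ms - last > max_gap:   # silence at the end, including no toggles at all
        return False, f"no toggle since {last}ms"
    return True, "ok"


def check_pulse_width(edges, max_high=MAX_HIGH_MS, end_ms=0):
    """edges: sorted (time_ms, level_after_edge) pairs seen on the output pin."""
    rise = None
    for t, level in edges:
        if level == 1 and rise is None:
            rise = t
        elif level == 0 and rise is not None:
            if t - rise > max_high:
                return False, f"pulse of {t - rise}ms exceeds {max_high}ms"
            rise = None
    if rise is not None and end_ms - rise > max_high:
        return False, f"output stuck high since {rise}ms"
    return True, "ok"


def power_allowed(toggles_ms, edges, end_ms):
    """Wire-AND of both monitors: a fault reported by either one drops CP power."""
    return (check_heartbeat(toggles_ms, end_ms=end_ms)[0]
            and check_pulse_width(edges, end_ms=end_ms)[0])


if __name__ == "__main__":
    # constructed timelines: a healthy CP, then one whose pulse stays high 200 ms
    print(power_allowed([4000, 8000, 12000], [(100, 1), (200, 0)], 14000))
    print(power_allowed([4000, 8000, 12000], [(100, 1), (300, 0)], 14000))
```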
 

Andrei IRL

Senior Member
Thanks very much hippy.

I understand the implications of such a system and it would not be used on public roads.

It is for Racing application only in a controlled environment.

Thanks very much for taking the time to explain the code, I really appreciate it.

Andrei.
 