CCS C Software and Maintenance Offers
FAQFAQ   FAQForum Help   FAQOfficial CCS Support   SearchSearch  RegisterRegister 

ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

CCS does not monitor this forum on a regular basis.

Please do not post bug reports on this forum. Send them to CCS Technical Support

Watchdog timer, yes or no and why [SOLVED]
Goto page 1, 2  Next
 
Post new topic   Reply to topic    CCS Forum Index -> General CCS C Discussion
View previous topic :: View next topic  
Author Message
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

Watchdog timer, yes or no and why [SOLVED]
PostPosted: Fri Nov 06, 2015 5:06 am     Reply with quote

My question is not that simply than look like. I never use watchdog, i always disable this, long time i used for watch ext interrupt pin during to sleep. Normally anyone want the code to run nicely and don't get stuck but i need some advice to light up my opinion. First of all i want to count any ms past during in a execution program and read on randomly functions, no more than 40 seconds. My all timers are configured already and the fast of them is timer 2 at 2ms, used for 2 channels pwm. Now the questions, if i use watchdog
Code:
#FUSES WDT32768                 //Watch Dog Timer uses 1:32768 Postscale
, will it affect other timers or other timers will affect him?
I use a 8MHz oscillator, then the clock is accurate enough. Watch dog matter on different PIC family? No less then PIC18xx. If i put that fuse on, timers already configured will change ? Exist any built in function to read any ms past in ? Exist other solutions or is better to configure timer2 for 1ms res and read this, that will affect that my pwm channels? (timer will count just 2 variable in this case and set one flag). Thanks Idea


Last edited by wangine on Tue Nov 10, 2015 2:40 pm; edited 1 time in total
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Fri Nov 06, 2015 8:43 am     Reply with quote

You need to say what chip.

Watchdogs differ most from the 'series' of PIC involved (not the family). So early PIC's all tend to have relatively inaccurate RC watchdogs that will often have -50%+250% timing accuracies!. More modern members of the families often have much better watchdogs.
On a lot of the very old chips the watchdog prescaler is shared with Timer0. On these selecting the watchdog _will_ affect the prescaler available for timer0. However more modern chips usually have a separate prescaler. The place to start is the datasheet for the chip you are using.
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

PostPosted: Fri Nov 06, 2015 9:19 am     Reply with quote

The controllers are bought recent, then i think are the new series, on subject is a PIC18F97J60 and PIC18F4550 and i'm still confused, to use or not watchdog timer. Is not difficult to use a timer, so... what to do?
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Fri Nov 06, 2015 2:45 pm     Reply with quote

It is actually very difficult to use the watchdog to do anything worthwhile.

Problem is that the commonest problem is not the processor actually stopping, but jumping to an incorrect location. If you have 'restart_wdt' calls scattered round the code, the watchdog won't actually do anything, since these will still be reached....
Unfortunately CCS's appraoch of offering 'automatic' watchdog restarts in delays etc., is just about the worst way to try to use a watchdog.

To use a watchdog properly requires that the restart, is protected by code that makes it impossible to reach _except_ when the code is running correctly. This is then only called when everything is doing exactly what it is meant to do. This way the watchdog can only get restarted, when things are OK.

Then the watchdog should only be added after the code is 100% running correctly.

Some regulatory authorities, require that the watchdog is only enabled after the system has already passed full operational testing.
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

PostPosted: Fri Nov 06, 2015 4:15 pm     Reply with quote

Hahaha, Rolling Eyes , is much more than i need to know about watchdog. Anyway my code run now with timer count is on 2ms count but i divide by 2 and my error is 0.5, that operation don't need necessarily a fixed 1 ms, I use just for some filter references not critical. I ask about watchdog because i never use him, and i was thinking is a built in function, like on Arduino for example millis();, return any ms past on code execution and is more easy to implement, and sure more fast .... but in conclusion watchdog is a end story.
Thanks Ttelmah, your answers became fast usually, like others guys here. Awesome forum, awesome users. Wink
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

PostPosted: Fri Nov 06, 2015 7:25 pm     Reply with quote

I forgot about watch dog and i continue research. Actually exist a built in function to return a timer tick, of course depends on osc rate. I just found
Code:
#USE TIMER(TIMER=3,TICK=1ms,BITS=32,ISR)

but i noticed the NOISR and ISR. I searched in 18fxx.h and i didn't find anything about it. It suggests interrupt or not interrupt. Then i made some tests.
Code:
get_ticks();
and
Code:
set_ticks(desire_value);
works just fine. On first attempt at 8MHz precise osc, the tick was on 1.02 ms on my scope , and that's normal according on clock frequency. With
Code:
#USE TIMER(TIMER=3,TICK=1ms,BITS=32,NOISR)

but .... if i configure the timer just to interrupt empty without any instructions, counting variable, set flags , etc, with ISR
Code:

setup_timer_3(T3_INTERNAL | T3_DIV_BY_4); // aprox 260 ms overflow
enable_interrupts(INT_TIMER3);
enable_interrupts(GLOBAL);

the timer will return the ticks randomly, my scope can't synchronize without setting a manual trigger Laughing, but if i keep the
Code:

#USE TIMER(TIMER=3,TICK=1ms,BITS=32,ISR)
enable_interrupts(INT_TIMER3);
enable_interrupts(GLOBAL);

without setting a timer, the interrupt will work with 2.0us resolution and 131ms period. Then in conclusion, if i use that function i simplified my code but timer ISR will gone, its something, like you use a PWM, you're not able to touch the timer interrupt or use. Is reserved for pwm only. I miss something or i am right ?
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Sat Nov 07, 2015 1:48 am     Reply with quote

As a general comment (going back to the watchdog), have a look at this site, which gives a very good overview:

<http://betterembsw.blogspot.co.uk/2014/05/proper-watchdog-timer-use.html>
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Sat Nov 07, 2015 2:25 am     Reply with quote

On the timer, 'of course' if you use a timer, you can't change it for anything else, but you can still use an ISR. The point about ISR/NO_ISR, is the timer _wrap_.
If you have a timer ticking at (say) 1mSec, and the hardware handles counts to 65535, then for a 32bit tick counter, _something_ has to handle when the timer overflows. Now the get_ticks function will handle this, provided it is called more often than once every 65536 counts. So for a tick at 1mSec, which you are checking several times a minute, the ISR gains nothing. However if you programmed a tick at (say) 1uSec, and only checked this every second, the ISR is necessary to handle when the timer overflows, since it could have overflowed 16 times in a second.....
You can still add your own extra code to the timer3 ISR, but, you need to understand, that the interrupt is only called on the overflow, _not_ on the tick.
So with your 1.02mSec tick, it'll only be called once ever 67 seconds. Not surprising your scope can't then sync....
asmboy



Joined: 20 Nov 2007
Posts: 2128
Location: albany ny

View user's profile Send private message AIM Address

PostPosted: Sat Nov 07, 2015 10:33 am     Reply with quote

true confession:
I have had to add a watchdog code to two designs i have done for no other reason than legal/regulatory compliance.
One was a very simple military emergency light charger/controller.
the other was a non-life-critical medical monitor device.

In both cases i believed it was a worse than useless addition-
since watchdog reset and recovery code could have added potentially harmful
changes to the well-tested time domain performance of the design, that themselves are test resistant.

I will never use a watchdog unless the customer's requirements demand it.
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Sun Nov 08, 2015 2:43 am     Reply with quote

Interesting. I have to use watchdog's in a lot of code, again for regulatory reasons. However we are always required to test sequence the code, with dummy code replacing the watchdog functions that takes the same time, and the watchdog must record that it has occurred is real use. Then also to demonstrate a watchdog recovery, and the time involved.

Watchdog's can be a very powerful tool. If you look at the link I gave, he is advocating a bit mask, built as segments of the code function correctly, which then enables the watchdog restart. So the watchdog become a 'everything is working' test. This is particularly useful, when there is a lot of other hardware involved, since each segment and it's communications can flag that everything is OK, and if the restart is built to also power down/up these other sections, it can trap hardware errors , and in many cases recover from them. I use a similar approach, and the record made at a watchdog restart, includes the data on which segment/device actually did not flag it was OK (remember RAM is preserved on a watchdog restart), and it can become a fabulous tool, when at routine maintenance machines that are still apparently working OK, are recording restarts from one specific sub-module at increasing frequency. Great time for preventative replacement....

In some ways, watchdog's can be considered like checksums in communication. A vital, and powerful tool that can show incipient failures, and allow you to ensure data is reliable. However the approach of adding a watchdog to code, and scattering restarts around the code, is just like a person coding a checksum, who then at the receive, doesn't actually bother to test it's value. A waste of code space and time. They need to be coded with understanding, and used with care.
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

PostPosted: Mon Nov 09, 2015 11:31 pm     Reply with quote

I don't know what to say, sincerely i agree the _asmboy_ opinion 100%, but.... in _Ttelmah_ link is a great tip to use the watchdog.
[/url] http://betterembsw.blogspot.co.uk/2014/05/proper-watchdog-timer-use.html [url]
To be on the point because my application who need a watchdog is not a secret, is a scanning photo and image copier with 3 laser devices at 2W,
each one copies a low image at standard 640/360 at 16/9 format. The mechanism is taken from a old and big laser printer. The principle is the same, and the power of each laser color on that speed is reduced as <100mW each one, but the problem is with too many interrupts and if motor stop, laser will develop entire energy and can burn some eyes. Now the answer is again on top. The driver for pwm channels and motor also for all code is a dsPIC33, and my idea to don't overload the first dsPIC has to comunicate with any type of PIC, in my case a 18Fxx family, with a watchdog on to verify any success, pass function of first dsPIC, otherwise restart entire system. The code in dsPIC is directly on each register, is less than 60% C code, is difficult now to put flags and enable watchdog for him, that is why my idea was to use other PIC to monitor, dsPIC send on a 3 pins a condition if all functions pass. The code has worked nicely with a 3-input AND gate conected to pins and to MCLR pin, in case of any function fail, but i want to be more fancy. Again now i still am thinking, i need some tests, for moment thanks for all suggestions. Wink
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Tue Nov 10, 2015 2:29 am     Reply with quote

What you need is to start with the hardware.
An example would be to have the actual drive hardware built so it always turns itself off. It requires a 'kick' (a pulse signal), perhaps every second, and if it does not receive this 'goes off' automatically. If the pulses stop, the dangerous hardware _turns itself off_.

This is 'fail safe' design.

In software you have for example a sequence packet passed forwards between each part of the code. One part is a counter, and one a set of 'I am OK' flags. The supervisor program has to see both the flags going true, and the counter advancing by the correct amount, to accept that the sub components are all working as expected. The flags are like the old 'semaphore' railway signalling, with a train not being allowed to proceed unless it had the semaphore in it's hand, while the counter is rather like the 'distance behind' measure in the railway. Again if the counter does not advance as expected, or the required semaphores don't change, the supervisor code has to switch to fail in a safe manner (stopping the train...). The supervisor can be a program in the main chip, or a separate chip itself, and again the hardware should be built so a signal stopping 'fails' to a automatically safe condition.

A watchdog restart can be used by the supervisor as a way of restarting a particular piece of hardware, but there has to be safe operation if this occurs.

Remember though in some types of system 'stopping' may not be the safe condition. So the hardware needs to be designed to take the system to perhaps a 'reduced' operating mode, rather than a stop in these circumstances. Possibly even a complete alternative reduced system.

You need to draw a big diagram, with 'what must happen', and 'what is going to ensure this'. This must include 'what happens if each part fails'.
You may need to consider 'lateral' ways of giving safety. For instance, if the laser stays on, could you have a system that after a few seconds starts a bright xenon strobe?. This ensures that people automatically 'look away'.

If a device physically 'must always be safe', you may well need to be using a processor that is 'certifiably safe' (look for COTS). This may well rule out your current design....
wangine



Joined: 07 Jul 2009
Posts: 98
Location: Curtea de Arges, Romania

View user's profile Send private message Send e-mail Yahoo Messenger

PostPosted: Tue Nov 10, 2015 11:57 am     Reply with quote

Ttelmah wrote:
If a device physically 'must always be safe', you may well need to be using a processor that is 'certifiably safe' (look for COTS). This may well rule out your current design....


Hmm, really i don't know what is COTS. I remember something about FPGA but i don't know if Microchip PICs family can provide that. Anyway is not a big deal, the project it was my draft license from a second faculty, was made on Motorola - DSP56F805FV80 device and after some years one good friend ask me if i can give him for a disco-club. I say NO but i decided to make him a new one , porting my code on a new dsPIC33 was not so hard. I remember the hard one was the mechanical part, new motor, new control .....etc. Device has been working day by day for so many years, and this year when i ask if my device is still working, my friend say, didn't use anymore, because has stuck several times in last period and don't want to hurt someone eyes . Like that i research the all option to made a _safe_product_ Rolling Eyes . That why my question about _WATCHDOG_
and was purely for my knowledge and my amour de l'artt . Can you give me advice on Microchip products with COTS ? if exist, maybe can be useful in my feature projects. Thanks for all time.
gaugeguy



Joined: 05 Apr 2011
Posts: 303

View user's profile Send private message

PostPosted: Tue Nov 10, 2015 1:12 pm     Reply with quote

C O T S
Commercial Off The Shelf

https://en.wikipedia.org/wiki/Commercial_off-the-shelf
Ttelmah



Joined: 11 Mar 2010
Posts: 19537

View user's profile Send private message

PostPosted: Tue Nov 10, 2015 1:33 pm     Reply with quote

Particularly COTS safe & secure.
Stuff that is certified for safe applications.
Display posts from previous:   
Post new topic   Reply to topic    CCS Forum Index -> General CCS C Discussion All times are GMT - 6 Hours
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group