DOCSLIB.ORG

Watchdog Timers Keep Computer Failures from Having Catastrophic Results

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Watchdog Timers Keep Computer Failures from Having Catastrophic Results Watchdog Timers Keep Computer Failures from Having Catastrophic Results Digital computers do only what they're told - or what they think they're told. It's not unheard of for a computer to suddenly latch up or get lost in a program with potentially catastrophic results if it's controlling a critical process. To minimize the damage of a computer failure, good designs include a watchdog timer - a device that monitors host activity and triggers appropriate action if it notices that the computer isn't functioning as expected. These devices come as low-cost ICs or modules and are not only easy to integrate into a system, but it's highly recommended you do so in any control application. Implementation strategies You can interface your system When implementing a watchdog Watchdog timers easily integrate to a watchdog timer in several reset, especially in control with Industrial I/O Control Systems configurations. An easy yet applications, examine the overall effective way to detect a computer impact of the sudden initialization derivative) algorithms and special fault is by programming one or of the I/O (hot start) and loss of data arithmetic functions. Here, a more digital output bits to toggle in RAM. Consider, for example, the watchdog alarm should alert a On/Off continuously, and if that bit simple case where a microcontroller skilled operator to manually control stops at one state longer than a acts as the brain of a toaster oven the situation until the computer designated time period, then the and controls temperature and again comes up to speed. This watchdog timer monitoring the toasting time. If the computer action is the most appropriate signal assumes a computer fault. latches up and is reset by a because it's unlikely you'd want to An easy way to hook up a watchdog watchdog while toasting a melted- shut down the power plant because in a PC-based system is to add a cheese sandwich, the fact that it was of a computer fault. However, if the digital I/0 board and configure one in the process of toasting and the computer is reset with a hot start of its output lines to toggle the elapsed toasting time would likely such as noted above, it might watchdog. be information previously contained initialize variables in the control When any watchdog detects a in RAM and might be difficult to algorithms and lose track of phase, failure, there are three major courses ascertain. Thus, such a design flow and other vital parameters. of action it can take: reset, alarm or should also contain circuitry to Shutdown in response to a shutdown. monitor the temperature to see if the watchdog signal is common for Reset or an attempt to reset is a oven is already hot when the system critical industrial-control common approach in less-than- resets, or use a nonvolatile memory applications where a computer fault critical applications such as running to store timing data. could have unpredictable results, a business application or simple Alarming is generally used and it's generally used in datalogging where a reset can along with other watchdog functions conjunction with the Alarm establish system recovery. In such and is common in applications function. Shutdown implies that a cases where a computer fault is where a human operator must human operator must investigate the recoverable, the fault and the action determine why a computer fault cause of the computer fault and of the watchdog timer are often occurred and manually clear the manually clear it. Note in this mode transparent to the user. On a PC, for alarm. A good example is a that the watchdog should deactivate instance, the watchdog could controller for a hydroelectric power devices being controlled, such as activate the reset line (the same as plant. Regulation of turbine flow motors or heaters, but not hitting <ctrl> <alt> <del>. and other parameters likely requires necessarily the computer. PID (proportional integral Depending on the type of equipment being controlled, it might be wise to have the watchdog initiate a predetermined shutdown sequence to prevent damage to a process or equipment. Which level of response you want—reset, alarm or shutdown—also plays a role in how you implement the watchdog timer. Consider, for example, watchdog ICs that are sometimes included on function cards for industrial PCs. These devices might monitor power- supply voltages and have a toggle input. When they detect a computer failure, they simply strobe a Reset line and don't have any means of activating an alarm or shutting down a process. Further, most watchdog IC designs place the device local to Figure 1 - Take care when decoding the address that activates the watchdog timer the system CPU, and because they so that it does not receive erroneously TRUE signals. don't monitor the control output, they leave much of the output watchdog—rather than reading just timer be a control output from one hardware unsecured. one address—is toggled by a or more data bits of a decoded Watchdogs with relay outputs number of addresses, specifically address (see Figure 1). are better suited to control hex $70, $74, $78, $7C, $F0, $F4, applications because they can be $F8 and $FC. The chances of a In control applications with more implemented local to the control runaway program hitting the one than one I/O rack, you can increase outputs. They can provide fault absolute address that toggles the system integrity by configuring a indication and the correct response watchdog timer and fools it into watchdog on an output of each rack to most failure modes, including thinking everything is functioning and cascading their outputs. This loss of power or control signal. It's properly is relatively low, but approach assures computer control also easy to cascade multiple chances of a false signal to the timer at each control branch, and thus it watchdogs with relay outputs. are greater as you increase the indicates loss of control at any rack However, these devices are number of addresses to which it (see Figure 2). relatively large and may be costly responds. Thus, it's recommended Another consideration when for systems that need only low that the output to the watchdog implementing watchdogs in control levels of system integrity. When implementing a watchdog Control Computer timer, take care when determining the system output it monitors. You Put I/O Lines should decode that signal to at least Protective the level of the control outputs, if Devices In not beyond. Many control systems Series I/O Rack #1 I/O Rack #2 require much less I/O than the computer is capable of, so you WDT #1 WDT #2 might be tempted not to perform I/O I/O Other address decoding to the highest Modules Modules Devices possible level. For instance, assume that a watchdog timer monitors an output bit mapped at binary address X111XX00 (where X indicates a don't care). Because for each one of Figure 2 - When working with multiple I/O racks, it is a good idea to cascade the those undefined bits you can come outputs from a watchdog timer located on each rack. up with an absolute address, the applications is to use an energized unknown address values—in which toggles the timer so that it believes dry contact as the output. One the computer might get stuck in a the system is operating properly. advantage of this approach is that subroutine or roam aimlessly Upon servicing the interrupt, loss of power is detected as a fault through the address space without though, program control returns condition, and Fail-Open is common getting back to the main program. from where it originally left—even in fault reporting because of It's not advisable to place code that if it's the wrong place. Under such constant continuity. toggles the watchdog in an circumstances you could toggle the Finally, note that some interrupt-service routine, for watchdog even though the main designers combine watchdogs with example; even if program control program loop never gets serviced. other means of securing a computer. gets lost in the address space, an To see an example of how to set You can, for instance, make interrupt takes higher priority and up a watchdog properly, consider frequent checksums of memory, sends program control to the the program in Figure 3, which uses look for bus errors or feed back appropriate servicing routine, which the ROM BASIC resident on an control outputs to verify their presence. The bottom line, though, REM MAIN PROGRAM LOOP is to never design a control 10 GOSUB 1000 : REM INITIALIZE I/O computer without a watchdog timer. 20 IF STRT=L THEN GOSUB 2000 : REM CHECK TEMP SWITCH/CONTROL HEATER 30 IF STRT=O THEN XBY(4011H=(XBY(4011H) AND. OBFH) : REM HEAT OFF Software aspects 40 WDT=ABS(WDT-1) : REM COMPLIMENT LAST WATCHDOG STATE 50 IF WDT=1 THEN XBY(4011H)=(XBY(4011H) .OR. 01H) : REM SET WDT=1 When setting up a program with 60 IF WDT=0 THEN XBY(4011H)=(SBY(4011H) .AND.FEH) : REM RESET WDT=0 watchdog-timer capability, keep 70 GOTO 20 several things in mind. Foremost, remember that perhaps the most useless type of watchdog is one REM INITIALIZATION SUBROUTINE implemented completely in 1000 ONEXT1 3000 : REM INITIALIZE START SWITCH INTERRUPT software. It should be apparent 1010 XBY(4011H)=OOH : REM INITIALIZE OUTPUTS even to a casual observer that such 1020 WDT=O : STRT=O : TEMP=O : REM INITIALIZE VARIABLES an approach implies that the 1030 RETURN microprocessor is alive enough to run the code section that indicates a REM HEAT CONTROL computer fault.
Load more

Recommended publications
  • Tms320dm35x Dmsoc Timer/Watchdog Timer User's Guide
    TMS320DM35x Digital Media System-on-Chip (DMSoC) Timer/Watchdog Timer Reference Guide Literature Number: SPRUEE5A May 2006–Revised September 2007 2 SPRUEE5A–May 2006–Revised September 2007 Submit Documentation Feedback Contents Preface ............................................................................................................................... 6 1 Introduction................................................................................................................ 9 1.1 Purpose of the Peripheral....................................................................................... 9 1.2 Features ........................................................................................................... 9 1.3 Functional Block Diagram ..................................................................................... 10 1.4 Industry Standard Compatibility Statement ................................................................. 10 2 Architecture – General-Purpose Timer Mode ................................................................ 10 2.1 Backward Compatible Mode (Timer 3 Only) ................................................................ 10 2.2 Clock Control.................................................................................................... 11 2.3 Signal Descriptions ............................................................................................. 12 2.4 Timer Modes .................................................................................................... 13 2.5 Timer
    [Show full text]
  • SPECIFICATION (General Release)
    HC05LJ5GRS/H REV 1 68HC05LJ5 SPECIFICATION (General Release) November 10, 1998 Semiconductor Products Sector Motorola reserves the right to make changes without further notice to any products herein to improve reliability, function or design. Motorola does not assume any liability arising out of the application or use of any product or circuit described herein; neither does it convey any license under its patent rights nor the rights of others. Motorola products are not designed, intended, or authorized for use as components in systems intended for surgical implant into the body, or other applications intended to support or sustain life, or for any other application in which the failure of the Motorola product could create a situation where personal injury or death may occur. Should Buyer purchase or use Motorola products for any such unintended or unauthorized application, Buyer shall indemnify and hold Motorola and its officers, employees, subsidiaries, affiliates, and distributors harmless against all claims, costs, damages, and expenses, and reasonable attorney fees arising out of, directly or indirectly, any claim of personal injury or death associated with such unintended or unauthorized use, even if such claim alleges that Motorola was negligent regarding the design or manufacture of the part. Motorola, Inc., 1998 November 10, 1998 GENERAL RELEASE SPECIFICATION TABLE OF CONTENTS Section Page SECTION 1 GENERAL DESCRIPTION 1.1 FEATURES.....................................................................................................
    [Show full text]
  • Software Techniques for Improving Microcontrollers EMC Performance
    AN1015 Application note Software techniques for improving microcontrollers EMC performance Introduction A major contributor to improved EMC performance in microcontroller-based electronics systems is the design of hardened software. Problems induced by EMC disturbances need to be considered as early as possible in the design phase. EMC-oriented software increases the security and the reliability of your application. EMC-hardened software is inexpensive to implement, improves the final goods immunity performance and saves hardware and development costs. You should consider EMC disturbances to analog or digital data just like any other application parameter. Examples of problems induced by EMC disturbances: Microcontroller not responding Program Counter runaway Execution of unexpected instructions Bad address pointing Bad execution of subroutines Parasitic reset and/or parasitic interrupts Corruption of IP configuration I/O deprogramming Examples of consequences of failing software: Unexpected response of product Loss of context Unexpected branch in process Loss of interrupts Loss of data integrity Corrupted reading of input values. This application note deals with two categories of software techniques, namely: Preventive techniques: these can be implemented in existing designs, their purpose is to improve product robustness. Auto-recovery techniques: when a runaway condition is detected, a recovery subroutine is used to take the decision to execute fail-safe routines, optionally sending a warning and then automatically returning back to normal operations (this operation may be absolutely transparent to the user of the application). June 2014 DocID5833 Rev 2 1/19 www.st.com Contents AN1015 Contents 1 Related documents . 5 2 Preventive techniques . 6 2.1 Using the watchdog and time control techniques .
    [Show full text]
  • Lecture 2 General Concepts of RTOS (Real-Time Operating System)
    CENG 383 Real-Time Systems Lecture 2 General Concepts of RTOS (Real-Time Operating System) Asst. Prof. Tolga Ayav, Ph.D. Department of Computer Engineering İzmir Institute of Technology Operating System z Specialized collection of system programs is called operating system. z Must provide at least three specific functions: − Task scheduling − Task dispatching − İntertask communication z Kernel (Nucleus): The smallest portion of OS that provides those three essential functions. İzmir Institute of Technology Embedded Systems Lab Role of the Kernel İzmir Institute of Technology Embedded Systems Lab Three Kernel Functions OS Kernel - 3 functions: z Task Scheduler : To determine which task will run next in a multitasking system z Task Dispatcher: To perform necessary bookkeeping to start a task z Intertask Communication: To support communication between one process (i.e. task) and another İzmir Institute of Technology Embedded Systems Lab Kernel Design Strategies z Polled Loop Systems z Cyclic Executive z Cooperative Multitasking z Interrupt-Driven Systems z Foreground/Background Systems z Full featured RTOS İzmir Institute of Technology Embedded Systems Lab 1. Polled Loop Systems Polled loops are used for fast response to single devices. In a polled-loop system, a single and a repetitive instruction is used to test a flag that indicates whether or not some event has occurred. If the event has not occurred, then the polling continues. Example: suppose a software system is needed to handle packets of data that arrive at a rate of no more than 1 per second. A flag named packet_here is set by the network, which writes the data into the CPU’s memory via direct memory access (DMA).
    [Show full text]
  • F MC -8L MB89580B/BW Series HARDWARE MANUAL
    FUJITSU SEMICONDUCTOR CM25-10142-3E CONTROLLER MANUAL F2MCTM-8L 8-BIT MICROCONTROLLER MB89580B/BW Series HARDWARE MANUAL F2MCTM-8L 8-BIT MICROCONTROLLER MB89580B/BW Series HARDWARE MANUAL FUJITSU LIMITED PREFACE ■ Objectives and Intended Reader The MB89580B/BW series of products has been developed as one of the general products of F2MC-8L family. The F2MC-8L family is an original 8 bit one-chip microcontroller that can be used for Application Specific ICs (ASICs). The MB89580B/BW series has a wide range of uses in consumer and industrial equipment. This manual covers the functions and operations of the MB89580B/BW series and is designed for engineers who develop products using the MB89580B/BW series of microcontrollers. For information on the microcontroller’s instruction set, refer to the F2MC-8L Programming Manual. ■ Trademarks F2MC is the abbreviation of FUJITSU Flexible Microcontroller. Other system and product names in this manual are trademarks of respective companies or organizations. The symbols TM and ® are sometimes omitted in this manual. ■ Structure of This Manual This manual consists of the following 13 chapters and appendix. CHAPTER 1 "OVERVIEW" This chapter explains the features and basic specifications of the MB89580B/BW series of microcontrollers. CHAPTER 2 "HANDLING DEVICE" This chapter explains the precautions to be taken when using the USB general-purpose one- chip microcontroller. CHAPTER 3 "CENTRAL PROCESSING UNIT (CPU)" This chapter explains the functions and operation of the CPU. CHAPTER 4 "I/O PORTS" This chapter explains the functions and operation of the I/O ports. CHAPTER 5 "TIMEBASE TIMER" This chapter explains the functions and operation of the timebase timer.
    [Show full text]
  • Atrwdt, Atxwdt
    PC Watchdog Timer Card CE Models: ATRWDT and ATXWDT Documentation Number ATxWDT-1303 This product designed and manufactured in Ottawa, Illinois USA of domestic and imported parts by International Headquarters B&B Electronics Mfg. Co. Inc. 707 Dayton Road -- P.O. Box 1040 -- Ottawa, IL 61350 USA Phone (815) 433-5100 -- General Fax (815) 433-5105 Home Page: www.bb-elec.com Sales e-mail: [email protected] -- Fax (815) 433-5109 Technical Support e-mail: [email protected] -- Fax (815) 433-5104 European Headquarters B&B Electronics Ltd. Westlink Commercial Park, Oranmore, Co. Galway, Ireland Phone +353 91-792444 -- Fax +353 91-792445 Home Page: www.bb-europe.com Sales e-mail: [email protected] Technical Support e-mail: [email protected] B&B Electronics -- Revised March 2003 Documentation Number ATxWDT-1303 ATRWDT & ATXWDT Cover Page B&B Electronics Mfg Co – 707 Dayton Rd - PO Box 1040 - Ottawa IL 61350 - Ph 815-433-5100 - Fax 815-433-5104 B&B Electronics Ltd – Westlink Comm. Pk – Oranmore, Galway, Ireland – Ph +353 91-792444 – Fax +353 91-792445 Table of Contents CHAPTER 1: GENERAL INFORMATION...................................1 INTRODUCTION..................................................................................1 FEATURES..........................................................................................1 SPECIFICATIONS ................................................................................1 CHAPTER 2: SETUP AND INSTALLATION...............................2 INSPECTION .......................................................................................2
    [Show full text]
  • Binary Tree Classification of Rigid Error Detection and Correction Techniques Angeliki Kritikakou, Rafail Psiakis, Francky Catthoor, Olivier Sentieys
    Binary Tree Classification of Rigid Error Detection and Correction Techniques Angeliki Kritikakou, Rafail Psiakis, Francky Catthoor, Olivier Sentieys To cite this version: Angeliki Kritikakou, Rafail Psiakis, Francky Catthoor, Olivier Sentieys. Binary Tree Classification of Rigid Error Detection and Correction Techniques. ACM Computing Surveys, Association for Com- puting Machinery, 2020, 53 (4), pp.1-38. 10.1145/3397268. hal-02927439 HAL Id: hal-02927439 https://hal.archives-ouvertes.fr/hal-02927439 Submitted on 29 Jan 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. 1 Binary Tree Classification of Rigid Error Detection and Correction Techniques ANGELIKI KRITIKAKOU, Univ Rennes, Inria, CNRS, IRISA, France RAFAIL PSIAKIS, Univ Rennes, Inria, CNRS, IRISA, France FRANCKY CATTHOOR, IMEC, KU Leuven, Belgium OLIVIER SENTIEYS, Univ Rennes, Inria, CNRS, IRISA, France Due to technology scaling and harsh environments, a wide range of fault tolerant techniques exists to deal with the error occurrences. Selecting a fault tolerant technique is not trivial, whereas more than the necessary overhead is usually inserted during the system design. To avoid over-designing, it is necessary to in-depth understand the available design options. However, an exhaustive listing is neither possible to create nor efficient to use due to its prohibited size.
    [Show full text]
  • Computer Science & Engineering
    Computer Science & Engineering B.TECH. PROGRAMME FIRST YEAR FIRST SEMESTER A. Theory Sl. No Code Subject Contacts Credit Points Periods/ Week L T P Total 1 HMTS1101 Business English 2 0 0 2 2 2 CHEM1001 Chemistry I 3 1 0 4 4 3 MATH1101 Mathematics I 3 1 0 4 4 4 ELEC1001 Basic Electrical Engineering 3 1 0 4 4 5 MECH1101 Engineering Mechanics 3 1 0 4 4 Total Theory 18 18 B. Laboratory 1 CHEM1011 Chemistry I Lab 0 0 3 3 2 2 ELEC1111 Basic Electrical Engineering Lab 0 0 3 3 2 3 MECH1012 Engineering Drawing 1 0 3 4 3 4. HTMS1111 Language Practice(Level 1) Lab 0 0 2 2 1 Total Practical 12 8 C. Sessional 2 HMTS1121 Extra Curricular Activity 0 0 2 2 1 Total Sessional 2 1 Total of Semester 32 27 SECOND SEMESTER A. Theory Sl. No Code Subject Contacts Credit Periods/ Week Points L T P Total 1. CSEN1201 Introduction to Computing 3 1 0 4 4 2. PHYS1001 Physics I 3 1 0 4 4 3. MATH1201 Mathematics II 3 1 0 4 4 4. ECEN1001 Basic Electronics Engineering 3 1 0 4 4 5. MECH1201 Engineering Thermodynamics and 3 1 0 4 4 Fluid Mechanics Total Theory 20 20 B. Laboratory 1. CSEN1211 Introduction to Computing Lab 0 0 3 3 2 2. PHYS1011 Physics I Lab 0 0 3 3 2 3. ECEN1011 Basic Electronics Engineering Lab 0 0 3 3 2 4. MECH1011 Workshop Practice 1 0 3 4 3 Total Practical 13 9 Total of Semester 33 29 SECOND YEAR THIRD SEMESTER A.
    [Show full text]
  • Architecure of the Linux Watchdog Software for the Ip Pbx
    U.P.B. Sci. Bull., Series C, Vol. 73, Iss. 4, 2011 ISSN 1454-234x ARCHITECURE OF THE LINUX WATCHDOG SOFTWARE FOR THE IP PBX Mihai Constantin1 În această lucrare sunt proiectate propunerile de arhitectură referitoare la software-ul de Watchdog pentru monitorizarea unui IP PBX. IP PBX conţine două aplicaţii principale care interacţionează între ele: Common Media Server şi IpSmallOfice. Common Media Server oferă capabilităţile de codec VoIP, iar IPSmallOffice, aplicaţia principală care rulează pe Linux PC, controlează apelurile telefonice şi oferă telefonie IP. Watchdog reprezintă o aplicaţie de sine stătătoare şi necesită un fişier de configurare care să citească date despre procesele pe care le monitorizează. De asemenea, această aplicaţie rulează ca „daemon” şi este pornită la startup-ul întregului sistem IP PBX. The architecture proposals of a Watchdog software for the IP PBX monitoring are designed in this paper. IP PBX contains two main applications which interact between them: Common Media Server and IpSmallOffice. Common Media Server provides VoIP codec capabilities, and IpSmallOffice is the main application running on a Linux PC, controls the phone calls and provides IP telephony switching. The Watchdog is a stand-alone application and it needs a configuration file to read the data about the processes it monitors. Moreover, this application will be demonized and is added to start at system startup. Keywords: Watchdog, Common Media Server, IpSmallOffice,Linux, Processes,Polling,SIP,Keepalives 1. Introduction IPSmallOffice and Common Media Server are interdependent applications. Given this, when one of them is shutdown or, in a worse case, crashes, both of them need to be restarted.
    [Show full text]
  • Coverstory by Markus Levy, Technical Editor
    coverstory By Markus Levy, Technical Editor ACRONYMS IN DIRECTORY ALU: arithmetic-logic unit AMBA: Advanced Microcontroller Bus Architecture BIU: bus-interface unit CAN: controller-area network CMP: chip-level multiprocessing DMA: direct-memory access EDO: extended data out EJTAG: enhanced JTAG FPU: floating-point unit JVM: Java virtual machine MAC: multiply-accumulate MMU: memory-management unit NOP: no-operation instruction PIO: parallel input/output PLL: phase-locked loop PWM: pulse-width modulator RTOS: real-time operating system SDRAM: synchronous DRAM SOC: system on chip SIMD: single instruction multiple data TLB: translation-look-aside buffer VLIW: very long instruction word Illustration by Chinsoo Chung 54 edn | September 14, 2000 www.ednmag.com EDN’s 27th annual MICROPROCESSOR/MICROCONTROLLER DIRECTORY The party’s at the high end elcome to the year 2000 version of tectural and device features that will help you the EDN Microprocessor/Microcon- quickly compare the important processor dif- troller Directory: It’s the 27th consec- ferences. These processor tables include the Wutive year of this directory, and we standard fare of features and contain informa- certainly have something to celebrate. The en- tion related to EEMBC (EDN Embedded Mi- tire processor industry has seen incredible croprocessor Benchmark Consortium, growth, but the real parties have been happen- www.eembc.org). EEMBC’s goal is to provide ing in the 32-bit, 64-bit, and VLIW fraternities. the certified benchmark scores to help you se- Although a number of new architectures have lect the processor for your next design. Rather sprung up, processor vendors have primarily than fill an entire table with the processor focused on delivering newer versions or up- scores, EDN has indicated which companies grades of their existing architectures.
    [Show full text]
  • Intel® Quickassist Technology (Intel® QAT) Software for Linux* Release Notes Package Version: QAT1.7.L.4.6.0-00025
    Intel® QuickAssist Technology (Intel® QAT) Software for Linux* Release Notes Package Version: QAT1.7.L.4.6.0-00025 June 2019 Document Number: 336211-011 You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com. Intel technologies may require enabled hardware, specific software, or services activation. Check with your system manufacturer or retailer. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548- 4725 or visit www.intel.com/design/literature.htm.
    [Show full text]
  • Great Watchdogs Version 1.2, Updated January 2004
    Great Watchdogs Version 1.2, updated January 2004 Jack G. Ganssle [email protected] The Ganssle Group PO Box 38346 Baltimore, MD 21231 (410) 496-3647 fax (647) 439-1454 Jack Ganssle believes that embedded development can be much more efficient than it usually is, and that we can – and must – create more reliable products. He conducts one-day seminars that teach ways to produce better firmware faster. For more information see www.ganssle.com. Building a Great Watchdog Launched in January of 1994, the Clementine spacecraft spent two very successful months mapping the moon before leaving lunar orbit to head towards near-Earth asteroid Geographos. A dual-processor Honeywell 1750 system handled telemetry and various spacecraft functions. Though the 1750 could control Clementine’s thrusters, it did so only in emergency situations; all routine thruster operations were under ground control. On May 7, 1994, the 1750 experienced a floating point exception. This wasn’t unusual; some 3000 prior exceptions had been detected and handled properly. But immediately after the May 7 event downlinked data started varying wildly and nonsensically. Then the data froze. Controllers spent 20 minutes trying to bring the system back to life by sending software resets to the 1750; all were ignored. A hardware reset command finally brought Clementine back on-line. Alive, yes, even communicating with the ground, but with virtually no fuel left. The evidence suggests that the 1750 locked up, probably due to a software crash. While hung the processor turned on one or more thrusters, dumping fuel and setting the spacecraft spinning at 80 RPM.
    [Show full text]