User's Manual
Turbo PMAC User Manual
Making your Application Safe 215
; Logic to clear fault status
IF (Mtr1OpenLoop=0 AND Enc1LossIn=OK AND Mtr1EncLossStatus=0)
Mtr1EncLossStatus=0
ENDIF
CLOSE
Refer to the individual hardware reference manuals for more details of the implementation of this
function.
User-Written Safety Algorithms
You can write your own safety-checking algorithms easily in a PLC program. These algorithms are best
implemented in a compiled background PLC program, which scans at the same rate as Turbo PMAC’s
own built-in safety checks – once per background cycle. The above program of monitoring encoder loss
is a good example of this type of program.
Watchdog Timer
Turbo PMAC has an on-board watchdog timer. This subsystem provides a fail-safe shutdown to guard
against software and hardware malfunction. To keep it from tripping the hardware circuit for the
watchdog timer requires that two basic conditions be met. First, it must see a DC voltage greater than
approximately 4.75V. If the supply voltage is below this value, the circuit’s relay will trip and the card
will shut down. This prevents corruption of registers due to insufficient voltage.
The second necessary condition is that the timer must see a square wave input (provided by the Turbo
PMAC software) of a frequency greater than approximately 25 Hz. In the foreground, the servo-interrupt
routine decrements a counter (as long as the counter is greater than zero), causing the least significant bit of
the timer to toggle. This bit is fed to the timer itself. At the end of each background cycle, the CPU resets
the counter value to a maximum value set by variable I40 (or to 4096 if I40 is set to the default of 0).
If the card, for whatever reason, due either to hardware or software problems, cannot set and clear this bit
repeatedly at 25 Hz or greater, the timer will trip and the Turbo PMAC system will shut down.
Actions on Watchdog Timer Trip
When the timer trips due to either under-voltage or under-frequency, the system is latched into a reset
state, with a red LED indicating watchdog failure. The processor stops operating and will not
communicate. All Servo, MACRO, and I/O ICs are forced into their reset states, which force discrete
outputs off, and proportional outputs (DAC, PWM, PFM) to zero-level.
Turbo PMAC systems have discrete outputs indicating the state of the watchdog timer. On Turbo PMAC
boards, there is a solid-state open-collector output called “FEFCO/” that is turned on when the timer trips.
In Turbo PMAC2 systems there is a hard-contact relay with both normally open and normally closed
contacts. In a system, these outputs should be used to drop power to the amplifiers and other key circuitry
if the card fails.
Once the watchdog timer has tripped, power to the Turbo PMAC must be cycled off and on, or the INIT/
hardware reset line must be taken low, then high, to restore normal functioning.
Diagnosing Cause of Watchdog Timer Trip
Because the watchdog timer is designed to trip on a variety of hardware and software failures, and the trip
makes it impossible to query the card, it can be difficult to determine the cause of the trip. The following
procedure is recommended to figure out the cause:
1. Reset the Turbo PMAC normally (with the re-initialization jumper OFF). If it does not trip again
immediately, there is an intermittent software or hardware problem. Check for the following:
• Software events that overload the processor at times (e.g. additional servo-interrupt tasks,
intensive lookahead) or possible erroneous instruction (look for firmware or program checksum).
Review the Evaluating the Turbo PMAC’s Computational Load section of this manual.