Critical systems typically require redundancy or fail-safe mechanisms of some kind. In the event of the unexpected failure of some component of the system, the fail-safe mechanism takes over and places the system into a known safe-state. The Watchdog timer provides a method for supplying such a mechanism. The Watchdog timer is used to monitor and identify if the system is operating correctly. If the system is not operating as intended, it can be placed in a safe-state. You can configure the Watchdog timer for your device to take over the output channel and place the system into a known safe-state if an undesired event occurs such as a software hang that causes a confirmation to not be received within a programmable time-out period. Note that the NI-DAQmx Watchdog feature is meant to protect a system from software errors and hangs. In the case of a PXI system with remote control via MXI, a lost MXI connection could result in unexpected Watchdog behavior and therefore improperly implemented Watchdog states.
The Watchdog timer works by having the device constantly receive confirmation that the computer is still functioning properly or that the device is still connected to the network. If this confirmation is not received within a programmable time-out, the safe-states are written to the configured outputs. Once the Watchdog timer is configured and started, the software application must continuously reset the timer to avoid expiration. This reset confirms to the device that the computer is functioning properly. Figure 1 below shows the flow of information during normal operation between the software and hardware levels.
Figure 1. The Watchdog timer flowchart shows separate hardware and software levels.
If a fault occurs, the hardware continues to count down until the timer expires. At this time, the predefined safe-states are written to the configured outputs. For the device to become responsive to hardware commands again, the expiration of the Watchdog timer must be cleared. Figure 2 below shows a flowchart of the software and hardware levels reacting to the computer hanging. From the flowchart you can see the hardware continues to count down until the time-out expires. Once the time-out expires, the predefined safe-states are then written to the outputs and all future writes to the device are ignored.
Figure 2. The flowchart shows the Watchdog timer expiration.
The Watchdog timer provides a way to set the outputs of a device into known safe-states in the event of a system fault or failure. This fail-safe mechanism that the Watchdog timer provides protects your hardware connected to your device if the system stops functioning as intended. For example, consider monitoring at a lumber mill. In this situation, you could use the cDAQ-9185/9189 to monitor various elements within the mill such as the speed of the blade, the position and vibration of the blade, and the temperature of the kiln. The CompactDAQ hardware would also be continually sending a notification to the controller, controlling all of the machinery, and letting the controller know the CompactDAQ hardware is still connected to the network and able to monitor the different values. If the cDAQ-9185/9189 loses its connection to the network and the user can no longer monitor the different values, it then sends a digital signal to the controller to shut down all of the machinery to ensure safety. Without the Watchdog timer as a safety mechanism in this application, the machinery could have been damaged and in the need of repair or replacement. Several applications use Watchdog timers for the fail-safe mechanism that causes the system to stop producing, using the predefined safe-states, and avoid damage to the system.
Within the Watchdog API, which is included with the NI-DAQmx device driver, you can set up and configure the Watchdog timer for your devices’ output channels. The configurable Watchdog options change depending on which of the Watchdog timer supported devices you have. The options for configuring the Watchdog timer change depending on the device you have. Figure 3 shows a screenshot of the Watchdog API within NI LabVIEW system design software. The different VIs within the palette includes:
You use these functions to create, set up, and control the Watchdog timer within your application.
Figure 3. The VIs within the Watchdog API create, set up, and control the Watchdog timer.
You can configure the Watchdog timer for the digital outputs of X Series devices and various industrial DIO devices. For the cDAQ-9185/9189, you can configure the Watchdog timer for your digital outputs and analog and counter outputs as well. In addition to the increased output types for the cDAQ-9185/9189, you can also use the DAQmx Watchdog property node to trigger the expiration on a network connection loss from the chassis. With this feature, you can now have the timer expire if the system is experiencing unexpected failure or if the network connection is lost between the cDAQ-9185/9189 and the host. Table 1 lists the features included in the Watchdog API and the devices that can use them.
Watchdog Supported Devices | |||
Feature | X Series Cards | Industrial DIO Products | cDAQ-9185/9189 |
Digital Output Safe-State | Low/High/Tristate/No Change | Low/High/Tristate/No Change | Low/High/Tristate/No Change |
Analog Output (Current) Safe-State | − | − | Current Level/No Change |
Analog Output (Voltage) Safe-State | − | − | Voltage Level/No Change |
Counter Output Safe-State | − | − | Low/High/No Change |
Trigger Expiration Off Network Connection Property | − | − | Enabled/Disabled |
Table 1. See the available features for the supported Watchdog devices.
The Watchdog timer is implemented in the same manner any NI-DAQmx task is created. First, you create a Watchdog timer task by using the DAQmx Create Watchdog Timer Task VI. With this VI, you configure the reference to your device and the length of the time-out for the timer.
After you have created the task, you can configure it using the DAQmx Configure Watchdog Expiration States VI. With this polymorphic VI, you can configure the expiration states of the output channels you are watching with the Watchdog timer. For digital output, you can choose to have the channel write high or low or enter into the tristate mode when the timer expires. With the Watchdog timer task for the cDAQ-9185/9189, you can also configure analog and counter outputs. For analog output, you can select if it is a current or voltage task and then set which value you want the channel to write when the timer expires. For the counter output channels, you can configure if you want the channel to write high or low or stay the same when the timer expires. Another tool for configuring the Watchdog task is the DAQmx Watchdog property node. This lets you configure all expiration states, set the time-out value, and enable/disable the option for the cDAQ-9185/9189 where you can trigger the expiration of the timer through a network connection loss.
After the task is configured, it then needs to be started using the DAQmx Start VI. When the Watchdog task starts, it constantly looks for the confirmation that the computer is still functioning properly. To tell the task the computer is properly working, the DAQmx call, DAQmx Control Watchdog Task VI, is used to reset the timer before the configured time-out value. Figure 4 shows an example of a Watchdog task being used for the cDAQ-9185/9189. In this example, a Watchdog task is set up for the cDAQ-9185/9189 and has an analog output channel configured for the channel to enter the safe-state if the timer enters the expiration state or if the chassis is disconnected from the network.
Figure 4. The Watchdog task has an analog channel configured in the cDAQ-9185/9189.
If the timer goes out and the channels enter their safe-states, the expiration must be cleared for the device to become responsive to hardware commands again. Clear the expiration through the DAQmx Control Watchdog Task VI as seen in Figure 5 or reset the hardware device. If you are using the cDAQ-9185/9189, the watchdog timer expiration can only be cleared by resetting the hardware device.
Figure 5. Clear the expiration with the DAQmx Control Watchdog Task VI.
The Watchdog timer can provide a fail-safe mechanism or redundancy in the event of unexpected failure of a system component in your application. With the Watchdog timer, you can set the outputs of a device into known safe-states in the event of a system fault or failure. Using X Series multifunction DAQ cards or industrial DIO products, you can set a Watchdog timer on the digital output channels. For the cDAQ-9185/9189, the Watchdog timer can be set on the digital, analog (voltage or current), or counter outputs and also monitor the network connection and enable the safe-states if connection is loss.