occurring after switchover are consistent, but the two groups of timestamps 
(before and after switchover) are degraded with respect to each other. 
During normal operation the C300 Controller maintains a timeout on the current system 
time source so that the controller can detect an interruption and switch to an alternative 
time source.  The controller will attempt periodically to re-establish a connection to a 
better time source when it is not currently connected to its configured time source. If the 
connection with the configured time source is lost, the controller will time out after 90 
seconds and will transition to use CDA, provided the controller remains connected to the 
FTE network.  The controller generates diagnostic and state notifications announcing the 
change of the time source. 
If the CDA time source becomes unavailable, the controller will continue to run and 
execute control.  The controller will use its internal Wall Clock Time as its time source 
and will continue attempts to reconnect with its configured time source.  The controller 
generates diagnostic and state notifications announcing the change of the time source. 
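
The fallback order described above, as an added Python model for engineers correlating event timestamps (not Honeywell code and not part of the original guide). The class and function names and the timeline are constructed; the model assumes that a lost FTE connection makes CDA unavailable and that a returning CDA source is preferred over the internal Wall Clock Time.

```python
from dataclasses import dataclass, field
from typing import Optional

CONFIGURED, CDA, WALL_CLOCK = "configured", "CDA", "internal wall clock"
LOSS_TIMEOUT_S = 90  # from the text: timeout after the configured source is lost

@dataclass
class TimeSourceModel:  # hypothetical name; a model, not controller firmware
    source: str = CONFIGURED
    lost_since: Optional[float] = None  # when the configured source went silent
    notifications: list = field(default_factory=list)

    def _switch(self, now, new_source):
        if new_source != self.source:  # every change of source is announced
            self.notifications.append((now, self.source, new_source))
            self.source = new_source

    def tick(self, now, configured_ok, cda_ok, fte_connected):
        """Advance to time `now` (seconds) with the given link states."""
        if configured_ok:  # a periodic reconnect attempt succeeded
            self.lost_since = None
            self._switch(now, CONFIGURED)
            return self.source
        if self.lost_since is None:
            self.lost_since = now
        if self.source == CONFIGURED and now - self.lost_since < LOSS_TIMEOUT_S:
            return self.source  # still inside the 90 s timeout
        # Assumptions: no FTE means CDA is unavailable; a returning CDA is preferred.
        self._switch(now, CDA if (cda_ok and fte_connected) else WALL_CLOCK)
        return self.source

def run_scenario(events):  # events: (t, configured_ok, cda_ok, fte_connected)
    model = TimeSourceModel()
    for event in events:
        model.tick(*event)
    return model.notifications

def degraded_windows(notifications, end_time):
    """Intervals (start, end, source) spent off the configured source."""
    windows = []
    for i, (t, _old, new) in enumerate(notifications):
        if new != CONFIGURED:
            nxt = notifications[i + 1][0] if i + 1 < len(notifications) else end_time
            windows.append((t, nxt, new))
    return windows

# Constructed timeline: loss at t=10, CDA lost at t=200, recovery at t=300.
SCENARIO = [(0, True, True, True), (10, False, True, True), (60, False, True, True),
            (100, False, True, True), (200, False, False, True), (300, True, True, True)]
```

`degraded_windows(run_scenario(SCENARIO), 300)` lists the intervals in which events were stamped from CDA or the internal clock, which is where timestamps need the most care when compared with other nodes.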
 
Hardware Watchdog Timer 
A Hardware Watchdog Timer is employed in conjunction with the Health Monitor and 
the internal Memory Management Unit to ensure that a catastrophic failure which disrupts 
the controller's internal instruction execution or timing results in the controller 
achieving a fail-safe state.  The timer is refreshed periodically during normal controller 
operation.  If a refresh does not occur within the required time interval, the controller 
suspends control execution and is placed into a safe state.  A hardware watchdog timeout 
may cause the controller faceplate display to become blank and the Status LED will blink 
red in ¼-second intervals.  The controller will attempt to re-boot into the FAIL state. 
A refresh of the watchdog timer later than expected in normal operation, but not late 
enough to cause a timeout, produces the soft failure condition: WDT Software Warning. 
 
Critical Task Monitor 
The Critical Task Monitor detects conditions for tasks executing within the controller 
which are critical to proper control and view.  Alarms and soft failures are generated 
when any of these tasks execute less frequently than expected. 
 
Tasks critical to control 
When a timeout occurs in the Critical Task Monitor for a task critical to performing 
control, the controller asserts a hard failure, suspends normal operation and re-boots into 
the FAIL state.  If the controller is redundant and synchronized with the secondary 
controller prior to the failure on the primary, a switchover occurs to allow the secondary 
to assume control.  If the controller is non-redundant or the controller is redundant but 
was not synchronized with its secondary, the failed controller is placed into a fail safe