Embedded Systems November 2000 Vol13_12


The solution I will describe was used on a medical ventilator running on the RTXC real-time operating system. The idea was loosely influenced by Agustus P. Lowell's article "The Care and Feeding of Watchdogs," which describes a way to build the watchdog scheme into the RTOS itself. [2] Unlike Lowell's scheme, however, this scheme can run on top of any RTOS, without requiring changes to the RTOS code. This scheme uses a task dedicated to the watchdog. This task wakes up at a regular interval and checks the sanity of all other tasks in the system. If all tasks pass the test, the watchdog is kicked. The watchdog monitor task runs at a higher priority than the tasks it is monitoring.

The nature of the tasks

Most tasks have some minimum period during which they are required to run. A task may run in reaction to a timer that occurs at a regular interval. These tasks have a start point through which they pass in each execution loop. These tasks are referred to as regular tasks. Other tasks respond to outside events, the frequency of which cannot be predicted. These tasks are referred to as waiting tasks. First we will discuss how the scheme will work if all tasks are regular and then we will explain what extra work has to be done for waiting tasks.

The watchdog timeout can be chosen to be the maximum time during which all regular tasks have had a chance to run from their start point through one full loop back to their start point again. Each task has a flag which can have two values, ALIVE and UNKNOWN. The flag is later read and written by the monitor. The monitor's job is to wake up before the watchdog timeout expires and check the status of each flag. If all flags contain the value ALIVE, every task got its turn to execute and the watchdog may be kicked. Some tasks may have executed several loops and set their flag to ALIVE several times, which is acceptable. After kicking the watchdog, the monitor sets all of the flags to UNKNOWN. By the time the monitor task executes again, all of the UNKNOWN flags should have been overwritten with ALIVE. Figure 3 shows an example with three tasks.

[Figure residue: loop of code; Flag2 = TRUE; Flag3 = TRUE; if all flags are TRUE { kick the dog } else { record failure }; clear all flags to FALSE]

Waiting tasks

Waiting tasks can't be guaranteed to pass through their start point within any finite amount of time. These tasks normally have one or more points at which they are waiting on an external event, such as a user key action or communication from another processor. At those points, the flags are set to the value ASLEEP. After the wait, the
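
The regular-task part of the scheme described above, sketched in C as an added example that is not code from the article. RTOS tasks are simulated by plain function calls, and `task_checkin`, `monitor_run`, `simulate` and the `kick_watchdog` hook are hypothetical names; waiting tasks and the ASLEEP value are left out.

```c
#include <stddef.h>
#include <stdio.h>

#define NUM_TASKS 3    /* three tasks, as in the article's example */
typedef enum { UNKNOWN = 0, ALIVE = 1 } task_flag_t;  /* values from the article */
static volatile task_flag_t flags[NUM_TASKS];  /* one flag per regular task */
static unsigned kicks;        /* simulated watchdog kicks */
static int last_failed = -1;  /* recorded failure: first task found not ALIVE */

/* Hypothetical hardware hook: a real port writes the watchdog register here. */
static void kick_watchdog(void) { kicks++; }

/* Called by a regular task each time it passes its start point. */
void task_checkin(size_t id)
{
    if (id < NUM_TASKS) flags[id] = ALIVE;  /* repeated check-ins are fine */
}

/* One wake-up of the monitor task. Returns 1 if the dog was kicked, else 0. */
int monitor_run(void)
{
    size_t i;
    for (i = 0; i < NUM_TASKS; i++)
        if (flags[i] != ALIVE) {      /* task never reached its start point */
            last_failed = (int)i;     /* record the failure */
            return 0;                 /* no kick: the hardware timer runs out */
        }
    kick_watchdog();
    for (i = 0; i < NUM_TASKS; i++)
        flags[i] = UNKNOWN;           /* each task must prove itself again */
    return 1;
}

/* Constructed scenario: task `stalled` stops checking in from period `from`
 * (-1: nobody stalls). Returns the first period without a kick, or -1. */
int simulate(int periods, int stalled, int from)
{
    int p, t;
    for (p = 0; p < periods; p++) {
        for (t = 0; t < NUM_TASKS; t++)
            if (t != stalled || p < from)
                task_checkin((size_t)t);
        if (!monitor_run())
            return p;
    }
    return -1;
}
int main(void) { printf("kick withheld in period %d\n", simulate(10, 1, 4)); return 0; }
```

In this sketch the flags are reset only after a kick, as the text describes, so a stalled task keeps the kick withheld until it checks in again or the hardware watchdog expires.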
