Chapter 4 - Software Design
SYSTEM LEVEL SOFTWARE INITIALISATION
The initialization process initializes the processor registers and interrupts, starts the watchdog timers (used by the
hardware to determine whether the software is still running), starts the real-time operating system and creates
and starts the supervisor task. In the initialization process the device checks the following:
The status of the backup battery
The integrity of the battery-backed SRAM that is used to store event, fault and disturbance records
The operation of the LCD controller
The watchdog operation
At the conclusion of the initialization software the supervisor task begins the process of starting the platform
PLATFORM SOFTWARE INITIALISATION AND MONITORING
When starting the platform software, the IED checks the following:
The integrity of the data held in non-volatile memory (using a checksum)
The operation of the real-time clock
The optional IRIG-B function (if applicable)
The presence and condition of the input board
The analog data acquisition system (it does this by sampling the reference voltage)
At the successful conclusion of all of these tests the unit is entered into service and the application software is
When the IED is in service, it continually checks the operation of the critical parts of its hardware and software. The
checking is carried out by the system services software and the results are reported to the platform software. The
functions that are checked are as follows:
The Flash memory containing all program code and language text is verified by a checksum.
The code and constant data held in system memory is checked against the corresponding data in Flash
memory to check for data corruption.
The system memory containing all data other than the code and constant data is verified with a checksum.
The integrity of the digital signal I/O data from the opto-inputs and the output relay coils is checked by the
data acquisition function every time it is executed.
The operation of the analog data acquisition system is continuously checked by the acquisition function
every time it is executed. This is done by sampling the reference voltages.
The operation of the optional Ethernet board is checked by the software on the main processor card. If the
Ethernet board fails to respond an alarm is raised and the card is reset in an attempt to resolve the problem.
The operation of the optional IRIG-B function is checked by the software that reads the time and date from
In the event that one of the checks detects an error in any of the subsystems, the platform software is notified and
it attempts to log a maintenance record.
If the problem is with the battery status or the IRIG-B board, the device continues in operation. For problems
detected in any other area, the device initiates a shutdown and re-boot, resulting in a period of up to 10 seconds
when the functionality is unavailable.
A restart should clear most problems that may occur. If, however, the diagnostic self-check detects the same
problem that caused the IED to restart, it is clear that the restart has not cleared the problem, and the device takes
itself permanently out of service. This is indicated by the ''health-state' LED on the front of the device, which
switches OFF, and the watchdog contact which switches ON.