Hardware Watchdog Timer; Critical Task Health Monitor - Honeywell Experion C300 User Manual


C300 operating behaviors

Hardware Watchdog Timer

time source. The controller will attempt periodically to re-establish a connection to a
better time source when it is not currently connected to its configured time source. If the
connection with the configured time source is lost, the controller will timeout after 90
seconds and will transition to use CDA - provided the controller remains connected to the
FTE network. The controller generates diagnostic and state notifications announcing the
change of the time source.
If the CDA time source becomes unavailable, the controller will continue to run and
execute control. The controller will use its internal Wall Clock Time as its time source and
will continue attempts to reconnect with its configured time source.
Hardware Watchdog Timer
A Hardware Watchdog Timer is employed in conjunction with the Critical Task Health
Monitor and the internal Memory Management Unit to ensure that a catastrophic failure
which disrupts the controller's internal instruction execution or timing results in the
controller achieving a fail-safe state. The timer is refreshed periodically during normal
controller operation. If a refresh does not occur within the required time interval, the
controller suspends control execution and is placed into a safe state. A hardware
watchdog timeout may cause the controller faceplate display to become blank.
A refresh of the watchdog timer that is later than expected in normal operation, but not late
enough to cause a timeout, produces the soft failure condition: WDT Software Warning.

Critical Task Health Monitor

The Critical Task Health Monitor within the controller detects conditions where tasks
critical to proper control and view appear to have ceased. Alarms and soft failures are
generated when any of these tasks execute less frequently than expected.
Tasks critical to control
When a timeout for a task critical to performing control occurs in the Critical Task
Health Monitor, the controller asserts a hard failure, suspends normal operation and
re-boots into the FAIL state. If the controller is redundant and the secondary controller was
synchronized prior to the failure on the primary, a switchover will occur to allow the
secondary to assume control. If the controller is non-redundant or the controller is
redundant but was not synchronized with its secondary, the failed controller will be placed
into a fail-safe state. If capable, the controller will re-boot into the FAIL state.
A timeout also occurs when the controller CPU is heavily loaded and the CPUFREE
parameter indicates less than 5%. In that case, a timeout of a control-critical task occurs and
appropriate alarms are generated by the controller, but no other action is taken by the
controller.
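
The late-refresh warning, the watchdog timeout and the control-task timeout responses described above, modeled in C as an added example (not Honeywell firmware and not code from the manual). The millisecond thresholds, the latching of a timeout until reboot, and all type and function names are assumptions; the manual gives no interval values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed thresholds: the manual gives no refresh interval values. */
#define WDT_WARN_MS    150u  /* refresh later than this: WDT Software Warning */
#define WDT_TIMEOUT_MS 200u  /* no refresh by this point: watchdog timeout */

typedef enum { WDT_OK, WDT_SOFTWARE_WARNING, WDT_TIMEOUT } wdt_status;
typedef enum { ACT_ALARM_ONLY, ACT_SWITCHOVER, ACT_FAIL_SAFE } task_action;

typedef struct {
    uint32_t last_refresh_ms;
    bool tripped;  /* assumption: a timeout latches until reboot */
} watchdog;

/* Classify time since last refresh; unsigned subtraction survives tick wraparound. */
wdt_status wdt_check(watchdog *w, uint32_t now_ms)
{
    uint32_t elapsed = now_ms - w->last_refresh_ms;
    if (w->tripped || elapsed >= WDT_TIMEOUT_MS) {
        w->tripped = true;
        return WDT_TIMEOUT;
    }
    return elapsed > WDT_WARN_MS ? WDT_SOFTWARE_WARNING : WDT_OK;
}

/* Refresh the timer; a refresh arriving after the timeout does not re-arm it. */
wdt_status wdt_refresh(watchdog *w, uint32_t now_ms)
{
    wdt_status s = wdt_check(w, now_ms);
    if (s != WDT_TIMEOUT)
        w->last_refresh_ms = now_ms;
    return s;
}

/* Control-critical task timeout; checking CPUFREE < 5% first is this example's reading. */
task_action on_control_task_timeout(unsigned cpufree_pct, bool redundant, bool synced)
{
    if (cpufree_pct < 5)
        return ACT_ALARM_ONLY;  /* alarms are generated, no other action */
    return (redundant && synced) ? ACT_SWITCHOVER : ACT_FAIL_SAFE;
}

int main(void)
{
    watchdog w = { 0u, false };
    wdt_status late = wdt_refresh(&w, 160u);  /* constructed timeline */
    printf("%d %d\n", (int)late, (int)wdt_check(&w, 400u));
}
```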
184
Experion C300 Controller User's Guide
Honeywell
R301.1
11/06
