Watchdog

Birket Engineering Cookbook

There are many applications where you need to know if a connection to a remote device is intact and/or that the remote device is functioning.

Examples include:

  • Main PLC to Subsystem PLC via remote I/O
  • Main PLC to Subsystem PLC via hardwired lines
  • Dual PLCs to each other via DH+ network
  • PLC to (dumb) remote rack via remote I/O
  • SLC-500 to SLC-500 via DH-485
  • PLC to any remote device via connectorized cable

You can usually detect the failure of the link or the remote device by sending a alternating signal to the remote device and back, then looking at the return signal. If the return signal should stop alternating, either in the 0 or 1 state, either the link or the device which reflects the signal may be bad. When this occurs, your PLC can report a fault message, ignore the inputs from the remote device, disable the affected device or whatever other action is appropriate. Here is a simple implementation of a watchdog circuit in PLC logic:

Watchdog Figure 1

The watchdog signal returning from the remote (slave) device is inverted by the N/C -|/|- contact and sent back to the remote device. The remote device returns the unchanged signal immediately to be inverted again. This constant inversion causes the watchdog signal to oscillate between 0 and 1 at high speed, limited only by the scan rate of the PLC(s) and the response time of the link. The TON and TOF instructions detect if the oscillating signal ever stops in either the 1 or 0 states respectively. Choose the time-outs to reflect the worst case round trip speed of the link and scan times. The Done (DN) bits from the two timers are ANDed together to determine if the link and device is still running. The DOG_OK bit is not latched but may be latched for an alarm and acknowledgment. Either the unlatched or latched version can be used to qualify inputs from the remote device, disable the device, Emergency Stop the system or other appropriate action. If the unlatched bit is used the system will recover immediately when the link is restored; the latched version will require an operator acknowledgment.

Watchdog Figure 2

The slave device merely has to return the watchdog signal. Note that the symbols in the Slave PLC may not match those in the Master. I’ve used the same symbols here to make the relationship clear. If the slave device is also a PLC, it can also use the TON and TOF instructions and the DOG_OK rung to check the link for its purposes. However, only the master should use the N/C contact to invert the watchdog signal.

The advantages to this system are:

  • As with any WatchDog circuit, it can detect both stuck-ON and stuck-OFF cases, so it doesn’t require periodic validation as a static loop-back does.
  • It requires almost nothing from the remote device to implement. In the simplest case, the remote device requires nothing more than a loop-back jumper at the connector. The cost to a PLC is merely an input and an output and the simplest of rungs. Even the most uncooperative vendor should be willing to loop the signal back.
  • It requires only the two timers to test the returning signal. The natural oscillator eliminates the need for another timer or two to generate the alternating signal. The scheme is actually simple enough to implement entirely in hardware where there is no PLC. (If timers are at a premium, a variant scheme using a dual edge detector would require only one timer, but this method is less obvious to an unfamiliar reader. See Figure 33Figure 3)
  • Since the oscillation free-runs at a frequency limited by the scan time of the processor(s) and the bandwidth of the link, the test can also detect if the link degrades below the time-out set in TOF and TON. This can be very useful on remote I/O, DH-485, and DH+ links. Also as the signal alternates (by definition) as fast as possible, a break in the link can be detected faster than if a slower alternating signal were used.
  • Since the signal won’t oscillate unless there is a complete loop, the test can detect a break in the link in either direction. If your output dies, but not your input, you’ll still know. Some schemes have each PLC generate its own alternating signal to transmit to the other. This allows each to detect if the input from the other is intact, but fails to check if the output to the other is OK.
  • The signal is naturally synchronized to the update activity of the remote I/O or DH+ link. The signal may be used to blink a remote light as fast as possible, or at any divisor of the watchdog frequency without the erratic “beat” patterns that occur when using an unsynchronized timer to create the blinker bit.
  • With the addition of a counter and a timer, you can easily determine the update rate of the link in cycles per second. Simplye count the number of cycles in one or more seconds. This figure can be very useful in debugging a possibly overloaded DH+ or DH-485 link, or a troublesome Remote I/O link.
  • If so desired, the same I/O line can be used for multiple devices, but this makes the failing device anonymous. -JT (in a series loop? -DB)

The disadvantages of this system are:

  • The test does not distinguish between failure of the input, output, outward link, inward link, or loop-back (indicating the remote PLC is running). Any of these failures are reported as the same fault – watchdog died.
  • If the output involves a relay, the relay will wear out more rapidly than if a slower alternating signal is used (which will also wear out eventually, so don’t use a relay.)
  • The time-out must be determined after evaluating the oscillation period, instead of just adding 10% to 50% to the known oscillation period of a timer- driven signal.

Watchdog Figure 3

The single timer variation detects both the rising and falling edge of the watchdog signal by comparing it to the last output (prior to inverting the output again). As long as the signal continues to rise and fall more frequently than the time-out of the TOF, the TOF will receive a periodic pulse, keeping the Done bit of the TOF high and satisfying the OK bit. This test is unfortunately sensitive to the order of the rungs as the inversion and output of the watchdog signal must follow the edge detector rung. (The OK bit rung can come before or after the output rung, as long as it follows the edge detector.)