I need to know what happens to the digital outputs of a cFP DO-401 module when the RT program crashes or the cFP processor fails. I already reset all outputs when the RT software starts or is stopped from the host. However, what happens when an output is turned on and the RT program crashes? If it stays on, then that could potentially be a hazard unless some other mechanism external to the cFP exists to clear the output. Thanks.
I think you have to assume that if the RT program or processor crashes, your outputs will stay in the worst possible configuration. If this will be more than an inconvenience, you should have some sort of independent hardware watchdog shut down your process. We use a small box connected to the serial port. As long as the cFP sends a byte to the serial port every so often, the output relay stays closed. If the cFP misses the deadline, the relay opens and a horn sounds. Pretty simple, but effective.
The cFP does have a built-in watchdog available, which we also use. Our program has multiple parallel loops, each of which calls our watch-dog manager. If the manager has heard from each parallel loop within the allotted time, it tickles the watch-dog; otherwise the watch-dog restarts the cFP. This isn't a substitute, however, for a hardware watch-dog in a safety-critical item.
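The watchdog-manager pattern described in the reply above, as an added Python example that is not the poster's own (LabVIEW RT) code. The class name, loop names, deadlines and the `kick` callback, which stands in for whatever call services the cFP's built-in watchdog, are assumptions.

```python
import threading
import time

class WatchdogManager:
    """Kick the watchdog only while every registered loop keeps checking in."""

    def __init__(self, deadlines, kick, clock=time.monotonic):
        self._deadlines = dict(deadlines)   # loop name -> max seconds between check-ins
        self._kick = kick                   # assumed callable that services the real watchdog
        self._clock = clock
        self._lock = threading.Lock()
        # Every loop starts fresh so startup is not reported as a stall.
        self._last_seen = {name: clock() for name in self._deadlines}

    def check_in(self, name):
        """Called by each parallel loop once per iteration."""
        if name not in self._deadlines:
            raise KeyError(f"unregistered loop: {name}")
        with self._lock:
            self._last_seen[name] = self._clock()

    def stale_loops(self):
        """Names of loops that have missed their deadline."""
        now = self._clock()
        with self._lock:
            return sorted(n for n, seen in self._last_seen.items()
                          if now - seen > self._deadlines[n])

    def service(self):
        """Called periodically. A stale loop means no kick, so the watchdog expires."""
        stale = self.stale_loops()
        if not stale:
            self._kick()
        return stale

def demo():
    """Constructed run on a fake clock: the 'control' loop hangs after t = 1.0 s."""
    t, kicks, results = [0.0], [], []
    mgr = WatchdogManager({"control": 0.4, "comms": 2.0},
                          kick=lambda: kicks.append(t[0]), clock=lambda: t[0])
    for step in range(1, 5):            # t = 0.5, 1.0, 1.5, 2.0
        t[0] = step * 0.5
        if t[0] <= 1.0:
            mgr.check_in("control")     # stops checking in once it hangs
        mgr.check_in("comms")
        results.append(mgr.service())
    return kicks, results
```

The manager never takes action itself when a loop stalls: it simply stops kicking, so recovery depends only on the watchdog timer expiring, and one healthy loop cannot mask a hung one.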