From aaed95cc9540502a7b84eb74776ee5fc1c897c87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mario=20H=C3=BCttel?= <mario.huettel@gmx.net>
Date: Sat, 30 Jul 2022 16:04:46 +0200
Subject: [PATCH] Restructure safety handle function. Now returns worst flag
 state set. Used to blink LED

---
 .../reflow-controller/safety/safety-config.h  |  9 +++++++
 .../safety/safety-controller.h                |  4 ++--
 .../reflow-controller/safety/safety-memory.h  | 10 +-------
 stm-firmware/main.c                           |  5 ++--
 stm-firmware/safety/safety-controller.c       | 24 ++++++++++++++-----
 5 files changed, 33 insertions(+), 19 deletions(-)

diff --git a/stm-firmware/include/reflow-controller/safety/safety-config.h b/stm-firmware/include/reflow-controller/safety/safety-config.h
index 009ef27..21bb281 100644
--- a/stm-firmware/include/reflow-controller/safety/safety-config.h
+++ b/stm-firmware/include/reflow-controller/safety/safety-config.h
@@ -27,6 +27,15 @@
 #ifndef __SAFETY_CONFIG_H__
 #define __SAFETY_CONFIG_H__
 
+/**
+ * @brief Weights of error flags.
+ */
+enum config_weight {
+    SAFETY_FLAG_CONFIG_WEIGHT_NONE = 0, /**< @brief This flag has no global error consequence, but might be respected by certain software modules. */
+    SAFETY_FLAG_CONFIG_WEIGHT_PID = 1, /**< @brief This flag will force a stop of the temperature PID controller */
+    SAFETY_FLAG_CONFIG_WEIGHT_PANIC = 2, /**< @brief This flag will trigger the panic mode */
+};
+
 /**
  * @brief Enum type representing safety flags.
  *
diff --git a/stm-firmware/include/reflow-controller/safety/safety-controller.h b/stm-firmware/include/reflow-controller/safety/safety-controller.h
index 4390d73..a25a36d 100644
--- a/stm-firmware/include/reflow-controller/safety/safety-controller.h
+++ b/stm-firmware/include/reflow-controller/safety/safety-controller.h
@@ -75,9 +75,9 @@ void safety_controller_init(void);
 /**
  * @brief Handle the safety controller.
  * @note This function must be executed periodically in order to prevent the watchdog from resetting the firmware
- * @return 0 if successful
+ * @returns Worst flag weigth that is currently set.
  */
-int safety_controller_handle(void);
+enum config_weight safety_controller_handle(void);
 
 /**
  * @brief Report one or multiple errors to the safety controller
diff --git a/stm-firmware/include/reflow-controller/safety/safety-memory.h b/stm-firmware/include/reflow-controller/safety/safety-memory.h
index 0d03b0f..18e6094 100644
--- a/stm-firmware/include/reflow-controller/safety/safety-memory.h
+++ b/stm-firmware/include/reflow-controller/safety/safety-memory.h
@@ -24,6 +24,7 @@
 #include <stdint.h>
 #include <stddef.h>
 #include <stdbool.h>
+#include <reflow-controller/safety/safety-config.h>
 
 /** @addtogroup safety-memory
  * @{
@@ -131,15 +132,6 @@ enum config_override_entry_type {
 	SAFETY_MEMORY_CONFIG_OVERRIDE_PERSISTENCE = 2,
 };
 
-/**
- * @brief Weights of error flags.
- */
-enum config_weight {
-	SAFETY_FLAG_CONFIG_WEIGHT_NONE = 0, /**< @brief This flag has no global error consequence, but might be respected by certain software modules. */
-	SAFETY_FLAG_CONFIG_WEIGHT_PID = 1, /**< @brief This flag will force a stop of the temperature PID controller */
-	SAFETY_FLAG_CONFIG_WEIGHT_PANIC = 2, /**< @brief This flag will trigger the panic mode */
-};
-
 /**
  * @brief representation of a config override memory entry
  */
diff --git a/stm-firmware/main.c b/stm-firmware/main.c
index 1351e2c..d485043 100644
--- a/stm-firmware/main.c
+++ b/stm-firmware/main.c
@@ -286,6 +286,7 @@ int main(void)
 	shellmatta_handle_t shell_handle;
 	int menu_wait_request;
 	uint64_t quarter_sec_timestamp = 0ULL;
+	enum config_weight worst_safety_flag = SAFETY_FLAG_CONFIG_WEIGHT_NONE;
 
 	/** - Setup all the peripherals and external componets like LCD, EEPROM etc. and the safety controller */
 	setup_system();
@@ -328,7 +329,7 @@ int main(void)
 			/* Check if any flags are present, that disable the PID controller. Blink
 			 * LED 0 in this case
 			 */
-			if (oven_pid_get_status() == OVEN_PID_ABORTED)
+			if (worst_safety_flag >= SAFETY_FLAG_CONFIG_WEIGHT_PID)
 				led_set(0u, led_get(0u) ? 0 : 1);
 			else
 				led_set(0u, 0);
@@ -346,7 +347,7 @@ int main(void)
 		temp_profile_executer_handle();
 
 		/** - Handle the safety controller. This must be called! Otherwise a watchdog reset will occur */
-		safety_controller_handle();
+		worst_safety_flag = safety_controller_handle();
 
 		/** - If the Oven PID controller is running, we handle its sample function */
 		if (oven_pid_get_status() == OVEN_PID_RUNNING)
diff --git a/stm-firmware/safety/safety-controller.c b/stm-firmware/safety/safety-controller.c
index af2c762..c8239fd 100644
--- a/stm-firmware/safety/safety-controller.c
+++ b/stm-firmware/safety/safety-controller.c
@@ -1117,12 +1117,15 @@ static void safety_controller_do_systick_checking(void)
  * is set, the appropriate action defined by the flag weight is executed.
  * @note If no flag weigth is present for a given error flag, it is treated as the most critical category
  * (@ref SAFETY_FLAG_CONFIG_WEIGHT_PANIC)
+ *
+ * @returns Worst config weight set
  */
-static void safety_controller_handle_weighted_flags(void)
+static enum config_weight safety_controller_handle_weighted_flags(void)
 {
 	uint32_t flag_index;
 	volatile struct error_flag *current_flag;
 	enum config_weight flag_weigth;
+	enum config_weight worst = SAFETY_FLAG_CONFIG_WEIGHT_NONE;
 
 	for (flag_index = 0u; flag_index < COUNT_OF(flags); flag_index++) {
 		current_flag = &flags[flag_index];
@@ -1132,6 +1135,11 @@ static void safety_controller_handle_weighted_flags(void)
 			continue;
 
 		flag_weigth = get_flag_weight(current_flag);
+
+		/* Override the worst flag weigt set, if it is worse than the previous ones */
+		if (flag_weigth > worst)
+			worst = flag_weigth;
+
 		switch (flag_weigth) {
 		case SAFETY_FLAG_CONFIG_WEIGHT_NONE:
 			break;
@@ -1147,6 +1155,8 @@ static void safety_controller_handle_weighted_flags(void)
 		}
 
 	}
+
+	return worst;
 }
 
 #ifndef DEBUGBUILD
@@ -1156,9 +1166,9 @@ static void external_watchdog_toggle(void)
 }
 #endif
 
-int safety_controller_handle(void)
+enum config_weight safety_controller_handle(void)
 {
-	int ret = 0;
+	enum config_weight worst_weight_set;
 #ifndef DEBUGBUILD
 	static uint32_t watchdog_counter = 0UL;
 #endif
@@ -1168,9 +1178,10 @@ int safety_controller_handle(void)
 	safety_controller_handle_memory_checks();
 	safety_controller_do_systick_checking();
 	safety_controller_process_monitor_checks();
-	safety_controller_handle_weighted_flags();
+	worst_weight_set = safety_controller_handle_weighted_flags();
 
-	ret |= watchdog_ack(WATCHDOG_MAGIC_KEY);
+	/* Ignore error here. Will trigger restart anyway */
+	(void)watchdog_ack(WATCHDOG_MAGIC_KEY);
 
 #ifndef DEBUGBUILD
 	if (get_pcb_hardware_version() != HW_REV_V1_2) {
@@ -1181,7 +1192,8 @@ int safety_controller_handle(void)
 		}
 	}
 #endif
-	return (ret ? -1 : 0);
+
+	return worst_weight_set;
 }
 
 int safety_controller_enable_timing_mon(enum timing_monitor monitor, bool enable)