Watchdog Functions in MCU Applications: Growing Importance and Development Needs (Kellysun Semiconductor)

  The complexity of multithreaded, real-time, multitasking embedded systems makes it increasingly difficult to predict when a microprocessor will fail. Many services run more or less independently of one another; when something goes wrong, some of them carry on while others hang, are orphaned, or execute garbage code.

  It is therefore harder than ever for embedded system designers to protect the whole system and prevent failures when a low-level service routine or the kernel goes astray.

  This article describes the evolving requirements for watchdog functions that engineers can use to ensure reliable MCU operation. It examines in detail the shortcomings that must be overcome, externally in hardware and internally in software, and introduces some example watchdog parts. All parts, data sheets, guides, and development tools referenced in this document can be found online on the Kelly Semiconductor website.

  Simple protection

  A watchdog function is needed on machines ranging from 4-bit devices to advanced 32-bit parts and beyond. Simple processors working in potentially dangerous situations are not uncommon. A throttle control loop, for example, needs only a simple 8-bit mixed-signal microcontroller to achieve stable closed-loop control locally, accepting commands over the vehicle CAN bus and offloading that processing from a remote on-board computer. But if this simple processor fails, the throttle stops responding.

  It is safe to say that almost every modern microcontroller has some basic watchdog capability, either a dedicated watchdog hardware block or a timer that can be used to implement a software-controlled watchdog. These blocks are all driven from the processor's system clock.

  As processors grow more complex, so do their clock structures and clock distribution. Oscillators are particularly vulnerable to ESD strikes, for example; if the clock degrades or stops, a watchdog driven from that same clock degrades or stops with it and becomes useless.

  An R/C oscillator with its time constant, although crude, provides a clock and a reset mechanism that are independent of the main clock, for emergency or backup use. Likewise, redundant internal and external oscillator sources can provide a heartbeat that keeps the circuit monitored through a critical failure. The choice of clock source matters as much as where the clock sits in the clock tree (Figure 1).

  

  Figure 1: The combination of the system clock and the backup R/C oscillator saves power and provides a reliable and independent backup clock in the event of a system clock crash, ensuring that the watchdog functions properly. Note how the two R/C oscillators are used here.

  The same goes for low-voltage detection. Basic accuracy can be had from internal voltage references, comparators, and detectors, but external circuitry offers finer resolution and more precise threshold selection. For example, if your power-fail handling writes state to EEPROM, you want the low-voltage detector to trip early enough that the charge remaining on the supply capacitors can complete the EEPROM write before an orderly shutdown. Modern voltage detectors resolve thresholds in steps as fine as 0.05 V, so nearly all of the stored energy can be put to use; that is usually much finer than an MCU's internal detector can manage.

  Another thing to understand is that a maximum timeout alone is not always enough. Most watchdogs are essentially a retriggerable monostable multivibrator (a retriggerable one-shot): if the software or hardware fails to retrigger the timer within the maximum allowed interval, the watchdog trips and resets the processor (or starts a failover service routine).

  Minimum time requirements should also be considered. For example, if a service routine is synchronized to the zero crossings of a 60 Hz power line, the kicks should arrive every 8.33 ms. A kick that arrives early is itself a sign of noise or a fault condition, often one that affects safety, and a watchdog that only checks for a maximum interval will happily accept it.
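As an added example (not code from the original article), here is a windowed watchdog of the kind the last two paragraphs call for, modelled in C: a retriggerable one-shot that rejects kicks that arrive too early as well as too late, and a poll path for the case where no kick arrives at all. The 10 microsecond tick, the 7.5 ms to 9.5 ms window around the 8.33 ms zero-crossing period, and the kick schedules replayed against it are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A windowed watchdog: a retriggerable one-shot that also rejects kicks that
 * arrive too early. Times are in ticks of an assumed 10 us timebase. */
typedef enum { WDT_OK = 0, WDT_FAULT_EARLY = 1, WDT_FAULT_LATE = 2 } wdt_fault_t;

typedef struct {
    uint32_t min_ticks;   /* a kick earlier than this after the last one is a fault */
    uint32_t max_ticks;   /* a kick later than this after the last one is a timeout */
    uint32_t last_kick;   /* time of the last accepted kick */
    bool     tripped;     /* latched until the device is reset */
    wdt_fault_t fault;
} wdt_t;

void wdt_init(wdt_t *w, uint32_t min_ticks, uint32_t max_ticks, uint32_t now)
{
    w->min_ticks = min_ticks;
    w->max_ticks = max_ticks;
    w->last_kick = now;
    w->tripped   = false;
    w->fault     = WDT_OK;
}

/* Service-routine side: retrigger the one-shot. Unsigned subtraction keeps the
 * elapsed time correct across tick-counter wraparound. */
wdt_fault_t wdt_kick(wdt_t *w, uint32_t now)
{
    if (w->tripped)
        return w->fault;                                 /* only a reset clears a trip */
    uint32_t elapsed = now - w->last_kick;
    if (elapsed < w->min_ticks) {
        w->tripped = true; w->fault = WDT_FAULT_EARLY;   /* noise or a runaway kick loop */
    } else if (elapsed > w->max_ticks) {
        w->tripped = true; w->fault = WDT_FAULT_LATE;    /* the task hung, then woke up */
    } else {
        w->last_kick = now;                              /* inside the window: accepted */
    }
    return w->fault;
}

/* Timer-ISR side: catches the case where no kick arrives at all. */
wdt_fault_t wdt_poll(wdt_t *w, uint32_t now)
{
    if (!w->tripped && (now - w->last_kick) > w->max_ticks) {
        w->tripped = true; w->fault = WDT_FAULT_LATE;
    }
    return w->fault;
}

/* Replay a constructed kick schedule against a 7.5 ms..9.5 ms window
 * (750..950 ticks) around the 8.33 ms zero-crossing period of a 60 Hz line. */
static wdt_fault_t replay(const uint32_t *kicks, size_t n)
{
    wdt_t w;
    wdt_init(&w, 750, 950, 0);
    for (size_t i = 0; i < n; i++)
        if (wdt_kick(&w, kicks[i]) != WDT_OK)
            break;
    return w.fault;
}

wdt_fault_t demo_nominal(void)   /* kicks every 8.33 ms: all accepted */
{
    static const uint32_t k[] = {833, 1666, 2499, 3332};
    return replay(k, 4);
}

wdt_fault_t demo_early(void)     /* a glitch 0.34 ms after a valid kick */
{
    static const uint32_t k[] = {833, 1666, 1700, 2499};
    return replay(k, 4);
}

wdt_fault_t demo_late(void)      /* one period skipped: a 16.7 ms gap */
{
    static const uint32_t k[] = {833, 1666, 3332};
    return replay(k, 3);
}

wdt_fault_t demo_silent(void)    /* no kick at all: the ISR poll must trip it */
{
    wdt_t w;
    wdt_init(&w, 750, 950, 0);
    (void)wdt_poll(&w, 900);     /* still inside the window */
    return wdt_poll(&w, 951);    /* one tick past max: timeout */
}

int main(void)
{
    printf("nominal=%d early=%d late=%d silent=%d\n",
           demo_nominal(), demo_early(), demo_late(), demo_silent());
    return 0;
}
```

The fault is latched rather than cleared by a later good kick: once a task has kicked out of window, the only trustworthy recovery is the reset the watchdog exists to force.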

  Multiprocessor and multicore designs are a special case. Each processor or core should have its own watchdog, tied to the code it is running at the time; that is, software written for one core in a multicore system should carry watchdog conditions that indicate the failure of a specific block of code.

  Watchdog reporting should also be hierarchical. Each core reports to a higher-level watchdog that gathers the failure modes reported by all sub-cores and processes. As a high-level system function, this watchdog executor runs alongside the main task executor that assigns blocks of code to specific cores, and it should also work closely with an external watchdog.

  A wired-OR multiple-watchdog function block is easy to extend, with each core reporting over its own I/O (Figure 2). The block can be an independent logic block in an FPGA or CPLD and scales readily to handle multiple processors and function blocks. Registers accumulate the individual states of all reporting blocks so that a failed core can be recovered on its own. As you can imagine, recovery at this level becomes more involved, for example restarting one core while the rest of the system keeps running.

  


  Figure 2: The top level of the watchdog hierarchy can use an extensible wired-OR function so that all microprocessors or cores can report at their own rate. Each one-shot should be programmable to a different interval for the process it monitors. Each code block carries its own watchdog parameters.
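The hierarchy described above, as an added example in C rather than code from the article or from any particular FPGA or CPLD block: each core has its own one-shot with its own interval, misses are latched into a wired-OR style status register, and the supervisor restarts a single failed core individually but escalates to a system reset when that core keeps failing or when more than one core is down at once. The core count, the per-core timeouts, the restart budget and the hang scenarios are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NCORES 4
typedef enum { ACT_NONE = 0, ACT_RESTART_CORE = 1, ACT_SYSTEM_RESET = 2 } action_t;

typedef struct {
    uint32_t timeout_ticks;  /* each core reports at its own rate */
    uint32_t last_report;    /* last heartbeat accepted from this core */
    uint8_t  restarts;       /* restarts the supervisor has issued to it */
} core_wd_t;

typedef struct {
    core_wd_t core[NCORES];
    uint8_t   failed_mask;   /* wired-OR status: bit i set = core i missed its deadline */
    uint8_t   max_restarts;  /* per-core restarts tolerated before a system reset */
} supervisor_t;

void sup_init(supervisor_t *s, const uint32_t *timeouts, uint8_t max_restarts, uint32_t now)
{
    for (int i = 0; i < NCORES; i++) {
        s->core[i].timeout_ticks = timeouts[i];
        s->core[i].last_report = now;
        s->core[i].restarts = 0;
    }
    s->failed_mask = 0;
    s->max_restarts = max_restarts;
}

/* Heartbeat from one core. Ignored while that core is flagged: the supervisor,
 * not the possibly runaway core, decides when it counts as healthy again. */
void sup_report(supervisor_t *s, int core, uint32_t now)
{
    if (core < 0 || core >= NCORES || (s->failed_mask & (1u << core)))
        return;
    s->core[core].last_report = now;
}

/* Supervisor tick: latch every core that missed its deadline, then choose one
 * action. One failed core is restarted on its own; a core that has used up its
 * restart budget, or more than one failed core at once, forces a system reset. */
action_t sup_poll(supervisor_t *s, uint32_t now, int *which_core)
{
    int failed = 0, first = -1;
    *which_core = -1;
    for (int i = 0; i < NCORES; i++) {
        if ((now - s->core[i].last_report) > s->core[i].timeout_ticks)
            s->failed_mask |= (uint8_t)(1u << i);
        if (s->failed_mask & (1u << i)) {
            failed++;
            if (first < 0) first = i;
        }
    }
    if (failed == 0) return ACT_NONE;
    if (failed > 1 || s->core[first].restarts >= s->max_restarts)
        return ACT_SYSTEM_RESET;
    s->core[first].restarts++;                     /* restart only that core:  */
    s->core[first].last_report = now;              /* re-arm its one-shot and  */
    s->failed_mask &= (uint8_t)~(1u << first);     /* clear its status bit     */
    *which_core = first;
    return ACT_RESTART_CORE;
}

static const uint32_t kTimeouts[NCORES] = {10, 10, 100, 50};   /* constructed deadlines, in ticks */
typedef struct { action_t action; int core; } demo_result_t;

/* Cores 0, 1 and 3 heartbeat every tick; core 2 (a slow 100-tick task) goes
 * silent at t = 60. Returns the first non-idle supervisor action. */
demo_result_t demo_single_hang(void)
{
    supervisor_t s;
    demo_result_t r = { ACT_NONE, -1 };
    sup_init(&s, kTimeouts, 2, 0);
    for (uint32_t t = 1; t <= 400 && r.action == ACT_NONE; t++) {
        sup_report(&s, 0, t); sup_report(&s, 1, t); sup_report(&s, 3, t);
        if (t < 60) sup_report(&s, 2, t);
        r.action = sup_poll(&s, t, &r.core);
    }
    return r;
}

/* Same, but core 2 never comes back: two individual restarts, then escalation. */
action_t demo_repeated_hang(void)
{
    supervisor_t s;
    int core; action_t a = ACT_NONE;
    sup_init(&s, kTimeouts, 2, 0);
    for (uint32_t t = 1; t <= 400 && a != ACT_SYSTEM_RESET; t++) {
        sup_report(&s, 0, t); sup_report(&s, 1, t); sup_report(&s, 3, t);
        a = sup_poll(&s, t, &core);
    }
    return a;
}

int main(void)
{
    demo_result_t r = demo_single_hang();
    printf("single hang: action=%d core=%d; repeated hang: action=%d\n", r.action, r.core, demo_repeated_hang());
    return 0;
}
```

Two design choices carry the security weight here: a flagged core's heartbeats are ignored until the supervisor has restarted it, so a runaway core cannot clear its own failure bit, and the restart budget is per core, so a core that keeps dying is eventually treated as a system-level failure instead of being restarted forever.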


  Parts with special watchdog functions

  There are many microcontrollers with unique or unusual ways of implementing the watchdog function. Take the 16-bit Maxim MaxQ family, which combines a variety of flexible timers with cleverly designed circuitry for added usefulness. Parts like the MAXQ2000-RBX+ have a secondary alarm: when the MAXQ2000's watchdog (WDT) times out, the microcontroller first raises an interrupt and then counts a further 512 system clock cycles before issuing a reset, unless the reset has been disabled or overridden.

  That interrupt is a "last chance" to save debug information, which most designers agree is very useful during development and fault clearing. The interrupt could instead be used to service the watchdog and clear the error rather than save debug information, but that undermines the protection: in a real failure, the handler that was supposed to let the reset happen now cancels it.

  Like most internal WDTs, the MAXQ2000's watchdog can be disabled by software. This is a double-edged sword: runaway code can disable the watchdog and then stay runaway. Where a part offers a once-only enable or a lock bit that keeps the watchdog running until the next reset, prefer it, and do not leave a "disable watchdog" routine in production firmware.
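As an added example, not MAXQ2000 code and not tied to any register names, here is what a last-chance handler of this kind typically does, written in C: it saves a crash record into RAM that survives the reset, protects it with a CRC so that a corrupted record is not believed on the next boot, and deliberately does not service the watchdog, so the reset still happens. The record layout, the magic value, the captured register values and the simulated reset are assumptions of the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Crash record kept in RAM that the startup code leaves alone (on a real MCU a
 * .noinit section); here an ordinary static so the reset can be simulated.
 * The record layout and the magic value are assumptions of this example. */
#define CRASH_MAGIC 0x57444F47u   /* "WDOG" */

typedef struct {
    uint32_t magic;
    uint32_t pc;          /* program counter captured in the handler */
    uint32_t lr;          /* link register / return address */
    uint32_t task_id;     /* which service routine was running */
    uint32_t uptime_ms;
    uint32_t crc;         /* CRC-32 over every field above */
} crash_record_t;

static crash_record_t g_noinit_record;   /* survives a watchdog reset, not a power cycle */

/* CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
uint32_t crc32(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Watchdog pre-timeout ("last chance") handler. Snapshots the state and then
 * returns WITHOUT servicing the watchdog, so the pending reset still happens. */
void wdt_early_warning_handler(uint32_t pc, uint32_t lr, uint32_t task_id, uint32_t uptime_ms)
{
    crash_record_t r = { CRASH_MAGIC, pc, lr, task_id, uptime_ms, 0 };
    r.crc = crc32(&r, offsetof(crash_record_t, crc));
    g_noinit_record = r;
}

/* Boot-time check. Returns true and copies the record if an intact one is
 * present. The slot is invalidated either way so nothing is reported twice
 * and a corrupted record cannot be trusted on a later boot. */
bool boot_check_crash_record(crash_record_t *out)
{
    crash_record_t r = g_noinit_record;
    if (r.magic != CRASH_MAGIC)
        return false;                                   /* clean boot */
    memset(&g_noinit_record, 0, sizeof g_noinit_record);
    if (crc32(&r, offsetof(crash_record_t, crc)) != r.crc)
        return false;                                   /* RAM corrupted: ignore it */
    *out = r;
    return true;
}

/* Constructed scenario: task 3 hangs, the early-warning interrupt fires, the
 * MCU resets, and the next boot recovers the record. */
uint32_t demo_recover_task_id(void)
{
    wdt_early_warning_handler(0x08001234u, 0x08000FF1u, 3, 42000);
    /* ... watchdog reset happens here; .noinit RAM is preserved ... */
    crash_record_t r;
    return boot_check_crash_record(&r) ? r.task_id : 0;
}

/* Constructed scenario: a bit flips in the record before boot reads it. */
bool demo_corrupted_record_rejected(void)
{
    crash_record_t r;
    wdt_early_warning_handler(0x08001234u, 0x08000FF1u, 3, 42000);
    g_noinit_record.pc ^= 0x1u;
    return !boot_check_crash_record(&r);
}

/* After one boot has consumed the record, the next boot must see nothing. */
bool demo_second_boot_is_clean(void)
{
    crash_record_t r;
    wdt_early_warning_handler(1, 2, 3, 4);
    (void)boot_check_crash_record(&r);
    return !boot_check_crash_record(&r);
}

int main(void)
{
    printf("task=%u corrupted_rejected=%d second_boot_clean=%d\n",
           demo_recover_task_id(), demo_corrupted_record_rejected(), demo_second_boot_is_clean());
    return 0;
}
```

On real hardware the handler would also want to read the reset-cause register at boot and only trust the record when the cause was the watchdog; the CRC guards against the case the summary of this article raises, where the same noise that caused the reset has also scribbled on RAM.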

  On some microcontrollers the WDT runs from an internal oscillator that is independent of the system clock; some use an internal or external R/C oscillator, and some offer both. A notable feature of the MAXQ2000's WDT is that it can switch to a backup oscillator if the primary oscillator fails, even though the watchdog timing itself is driven from the system clock.

  Another MCU with a distinctive watchdog arrangement is the STM32F100 series from STMicroelectronics, which has two watchdog timers. Parts like the STM32F100CBT6B are aimed at smart-grid and health applications that require high reliability. Like most microcontrollers, the device has several general-purpose timers (here, six), and two further timers are dedicated to the watchdog function.

  Each general-purpose timer has a selectable prescaler (1 to 64K) that clocks it, and can also trigger DMA requests and drive capture/compare channels. The independent watchdog is a 12-bit downcounter with an 8-bit prescaler, clocked by a separate 40 kHz internal R/C oscillator; the second, a window watchdog, runs from the system clock and trips on a kick that arrives too early as well as on one that arrives too late. Notice how both of these parts rely on an R/C oscillator as the ultra-reliable fallback.
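As an added example, not ST's code: a C calculation of the independent watchdog's timeout from the 12-bit reload value, the prescaler and the 40 kHz R/C clock, together with the check a practitioner should run, because an untrimmed R/C oscillator can be a long way from 40 kHz. The register model (prescaler of 4 times 2^PR, 12-bit reload, timeout = (4 << PR) * (RL + 1) / f_lsi) and the 30 to 60 kHz spread are stated assumptions of the example; confirm both against the datasheet of the part you actually use.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed register model of an independent watchdog of the kind the article
 * describes on the STM32F100: a 12-bit downcounter reloaded with RL (0..4095)
 * and a prescaler of 4 * 2^PR (PR = 0..6) on the LSI R/C clock, so
 *   timeout = (4 << PR) * (RL + 1) / f_lsi.
 * The nominal 40 kHz oscillator is untrimmed; a 30..60 kHz spread is assumed
 * here. Verify both against the datasheet of the part you use. */
#define LSI_NOM_HZ 40000u
#define LSI_MIN_HZ 30000u
#define LSI_MAX_HZ 60000u

typedef struct { uint8_t pr; uint16_t rl; } iwdg_cfg_t;
typedef struct { uint32_t min_us, nom_us, max_us; } iwdg_bounds_t;

/* Timeout in microseconds at a given LSI frequency. */
uint32_t iwdg_timeout_us(iwdg_cfg_t c, uint32_t f_hz)
{
    uint64_t lsi_ticks = (uint64_t)(4u << c.pr) * (c.rl + 1u);
    return (uint32_t)(lsi_ticks * 1000000u / f_hz);
}

/* Smallest prescaler whose 12-bit counter reaches the wanted nominal timeout
 * (a smaller prescaler gives finer granularity). False if out of range. */
bool iwdg_configure(uint32_t want_ms, iwdg_cfg_t *out)
{
    uint64_t lsi_ticks = (uint64_t)want_ms * LSI_NOM_HZ / 1000u;
    for (uint8_t pr = 0; pr <= 6; pr++) {
        uint64_t reload = lsi_ticks / (4u << pr);   /* this is RL + 1 */
        if (reload >= 1 && reload <= 4096) {
            out->pr = pr;
            out->rl = (uint16_t)(reload - 1);
            return true;
        }
    }
    return false;
}

/* Fastest LSI gives the shortest timeout, slowest LSI the longest. */
iwdg_bounds_t iwdg_bounds(iwdg_cfg_t c)
{
    iwdg_bounds_t b;
    b.min_us = iwdg_timeout_us(c, LSI_MAX_HZ);
    b.nom_us = iwdg_timeout_us(c, LSI_NOM_HZ);
    b.max_us = iwdg_timeout_us(c, LSI_MIN_HZ);
    return b;
}

/* The check that matters: the kick period must stay below the SHORTEST
 * possible timeout (else a healthy system resets when LSI runs fast), and the
 * LONGEST possible timeout must still catch a hang within detect_ms. */
bool iwdg_config_is_safe(iwdg_cfg_t c, uint32_t kick_ms, uint32_t detect_ms)
{
    iwdg_bounds_t b = iwdg_bounds(c);
    return (uint64_t)kick_ms * 1000u < b.min_us &&
           b.max_us <= (uint64_t)detect_ms * 1000u;
}

/* Worked numbers: a "500 ms" watchdog. */
iwdg_cfg_t demo_cfg(void)
{
    iwdg_cfg_t c = {0, 0};
    (void)iwdg_configure(500, &c);
    return c;
}

iwdg_bounds_t demo_bounds(void) { return iwdg_bounds(demo_cfg()); }

/* Is kicking every kick_ms safe if a hang must be caught within 700 ms? */
bool demo_kick_is_safe(uint32_t kick_ms) { return iwdg_config_is_safe(demo_cfg(), kick_ms, 700); }

int main(void)
{
    iwdg_cfg_t c = demo_cfg();
    iwdg_bounds_t b = demo_bounds();
    printf("PR=%u RL=%u: timeout %u..%u..%u us\n", c.pr, c.rl, b.min_us, b.nom_us, b.max_us);
    printf("kick every 400 ms safe? %d; every 250 ms safe? %d\n",
           demo_kick_is_safe(400), demo_kick_is_safe(250));
    return 0;
}
```

The point of the bounds function is that a "500 ms" watchdog kicked every 400 ms only looks safe on paper: at 60 kHz the same PR and RL time out after 333 ms and a healthy system resets itself, while at 30 kHz a hung task runs for 667 ms before anyone notices. Size the kick period against the shortest timeout and the required detection latency against the longest.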

  An attractive feature of the STMicroelectronics parts is the analog watchdog. It monitors one or more A/D-converted channels and raises an interrupt when a converted value leaves a preset low/high window, which the firmware can escalate to a reset. This is useful in medical applications where sensors on a body area network are used for health monitoring or active drug delivery (Figure 3). To help with such designs, STMicroelectronics provides engineers with product training modules on health and healthcare design.

  


  Figure 3: As medical devices become more closely integrated with our body area networks, some of them (pacemakers, defibrillators, insulin pumps, etc.) may play a vital role in sustaining life. A reliable watchdog needs to be built into these systems.


  Looking from the outside in

  Good external building blocks include simple R/C threshold generators, bias transistors, low-power timers, and dedicated power-on-reset and watchdog coprocessors. Evaluation boards are now available for many of them, which encourages experimentation and simplifies testing. Texas Instruments' TPL5000 nanopower programmable timer, for example, draws only 30 nA over a 1.8 V to 5 V supply range; the TPL5000EVM evaluation kit lets you test and tune it in a small self-contained module.

  Several discrete watchdogs now combine the watchdog with other useful functions such as a real-time clock or supply monitoring. Lattice Semiconductor's ISPPAC-POWR607-01SN32I combines a power-supply supervisor, watchdog, and reset generator in one part (Figure 4). Note the 1% steps for the analog trip points and the in-system-programmable macrocells for state-machine and combinational customization.

  

  Figure 4: With in-system user-programmable parameters, the watchdog behavior can be defined dynamically through user-configurable combinational and state-machine logic.


  Summary

  Remember that sometimes nothing will help your system recover: some failures are simply not recoverable. If system memory itself is corrupted, for example, there is nothing left to trust.

  Another case is very high electrical noise. Even if the watchdog resets the processor, the same noise can disrupt the processor's initialization, including the initialization of the watchdog itself. A watchdog that never gets initialized is useless.

  No MCU can be expected to be 100% trouble-free at all times; microprocessors fail too. Whether the result is a minor fault, catastrophic property damage, or even loss of life comes down to the sensible use of internal and external resources.
