摘要
Watchdog timers increases reliability in microprocessor-based systems. Pin-selectable watchdog timers allow the watchdog time-out period to be adjustable, thus allowing more flexibility to meet different processor timing requirements. Windowed watchdog circuits provide protection against systems from running too fast and too slow. A separate open-drain, active-low, output is used to signal a watchdog time-out.
In many of these circuits, additional features are included for more functionality. Such features include a voltage-reset circuit with either a push-pull or open-drain reset output. In some circuits, a manual reset input is included.
Microprocessors executing critical or safety-related functions demand a high level of supervision to ensure that faults can be properly detected and corrected. A critical function can be defined as one for which down time cannot be tolerated, and (in many cases) one for which repair is very costly. Such functions are found in almost every segment of the microprocessor market: patient-monitoring systems, process-control plants, and safety-related automotive applications, for example.
Description of Operation
To implement a watchdog, the µP is programmed to send pulses to a watchdog timer circuit at specified intervals. If the watchdog timer (WDT) is not toggled within that time, it sends a pulse to the µP warning that a fault has occurred. The warning signal can be a reset to the µP or a narrow pulse fed to the µP's non-maskable interrupt (NMI) port. The fault can be a code-execution error or an error in the timing circuit that generates the WDT pulse. New supervisor ICs discussed in this article provide extra security by warning the µP not only when it toggles the WDT too late, but also when it toggles too soon. Thus, two time intervals are specified, and their difference forms the watchdog window.
As the µP executes a routine, it typically sets a flag at some point in the code. At preset intervals, it then responds to an interrupt service routine (ISR) which notes, among other things, whether the watchdog flag has been set. If so, the µP issues a pulse to the WDT. If not, the processor is assumed to have hung up; perhaps executing an endless loop. A fault in the µP could also mean that the ISR was executed too often. Standard WDTs cannot detect that case, but MAX6323/MAX6324 WDTs can detect it.
Three modes of WDT operation are possible: When the WDT is toggled sooner than the fast timeout interval (tWDI < tWD1(min)), an active-low signal (1ms typical) is triggered at the Active-Low WDPO pin (Figure 1a); or when a pulse sent by the µP exceeds the slow watchdog timeout time tWD2 (Figure 1b). During normal µP operation, the falling edge of the second pulse in the watchdog timer sequence (at the WDI pin) occurs after tWD1 and before tWD2 (Figure 1c).
For MAX6323/MAX6324 devices, the window (tWD2-tWD1) is wide enough to minimize the effect of tolerance in both timeouts, and to provide flexibility for implementing the WDT function in a variety of applications. Besides the windowed-watchdog function, these ICs generate a reset in response to a power-on, brownout, or power-down condition. Six laser-trimmed versions are available, corresponding to reset thresholds of ±2.5% accuracy ranging from 2.32V to 4.63V.
The reset-output configuration is push-pull for the MAX6323 and open-drain for the MAX6324. Both parts guarantee valid Active-Low RESETs down to Vcc = 1.2V. The open-drain version is recommended if the supervisor must share the µP-reset pin with other sources (Figure 2a). If the supervisor Active-Low RESET is the only input to the µP reset pin, then the push-pull version (MAX6323) offers an advantage as shown in Figure 2b: connecting a pull-down resistor to its Active-Low RESET output makes that output valid down to 0V.
Another feature offered by MAX6323/MAX6324 devices is the debounced manual-reset function. To prevent the µP from writing corrupted data into RAM when a WDT fault occurs, certain applications call for the supervisor to issue a reset pulse. To implement this function, simply tie the Active-Low WDPO and Active-Low MR pins together (Figure 3a). Manual reset also allows an operator to perform in-circuit tests of the µP while power is on (Figure 3b). When the WDT times out with Active-Low WDPO connected to the processor's NMI input, the µP can either wait for user intervention (as for a PC), or recover from the fault by redirecting the software execution to initialize a different section of code.
Waveforms are illustrated for fast timeout faults (Figure 4a) and slow timeout faults (Figure 4b). For fast timeouts, note that the WDT begins to count from the last falling edge of WDI after WDPO is de-asserted. That behavior does not apply to the slow timeout fault.
MAX6323/MAX6324 devices come in eight standard windowed-watchdog versions as shown in Table 1. The narrower and faster watchdog-window times are recommended for time-critical applications like those found in automotive safety. For applications that involve slower events (like patient monitoring), the versions with wider watchdog windows are more suitable. Because automotive applications require the windowed-watchdog function, these two ICs are specified from -40°C to 125°C. Their RESET function offers some immunity to short-duration Vcc transients. For greater immunity, connect a small RC low-pass filter on the Vcc pin.
Watchdog Timeout* | ||||
Suffix | Fast | Slow | ||
Max | Units | Min | Units | |
A | 1.5 | ms | 10 | ms |
B | 15 | ms | 100 | |
C | 15 | ms | 300 | |
D | 15 | ms | 10 | s |
E | 15 | ms | 60 | |
F | 23 | ms | 47 | ms |
G | 39 | ms | 82 | |
H | 719 | ms | 1.3 | s |
Applications
As mentioned above, a windowed watchdog can be attractive in various applications that require higher levels of µP supervision at low cost. Automotive circuits, for instance, often implement extra security with redundant µPs that supervise each other. The MAX6323 and MAX6324 offer low-cost, space-saving alternatives to those approaches. In vehicle-stability control, for example, the inputs from yaw-rate and acceleration sensors are processed to determine how the system should intervene to apply brakes in a critical situation for which the driver has no control.
One can imagine other applications for detecting events that are expected within a time interval that has both a minimum and a maximum. A discrete-component version of this circuit is shown in Figure 5. Though the timer and one-shot components have been omitted for simplicity, it is obvious that by doing the job with no external components, a MAX6323/MAX6324 IC offers advantages in cost, size, and design simplicity.
When Enough is Just Not Enough
By narrowing a watchdog window you can achieve tighter control of a system. If the window must be very narrow, a combination of two MAX6324s can be used (Figure 6). (This configuration also offers the flexibility to monitor two voltages.) The F version has a fast timeout of 39ms maximum, and the G version has a slow timeout of 47ms minimum. The watchdog window within which Active-Low WDPO is guaranteed not to be asserted is 8ms. Failure of the timing circuit to cycle the WDTs during this narrow time will trigger a fault.
Another way to ensure that the system is operating properly is to have µP monitoring the supervisor as well as the supervisor monitoring the µP (Figure 7). A µP port (P2 in this case) is made to go high, thereby disabling the OR gate in the high state. The µP causes the MAX6323 to issue a pulse on Active-Low WDPO, either by toggling the WDI pin faster than the fast timeout interval, or by not toggling at all. The Active-Low WDPO pulse is then received as an acknowledge signal at another port (P1 in this case), thereby indicating proper operation of the WDT.
Analog has also introduced the MAX6369-MAX6374 family of pin-selectable WDT ICs (Figure 8). They provide flexibility in the start-up delay and watchdog timeout, and offer a choice of watchdog-output pulse widths and output stage configurations. They can also be reprogrammed during operation.
Conclusion
The concept of a windowed-watchdog timer arose from the need to offer higher operational security in applications that run critical functions. By upgrading existing supervisory circuits using a standard WDT function, MAX6323/MAX6324 ICs address this need with simplicity and low cost.
A similar version of this article appeared in the October 2001 issue of Elecktronik Informationen magazine.