High Performance Voltage Supervisors Explained—Part 2: Addressing Various System Faults

×

Figure 1

   

要約

High performance voltage supervisors are used to put downstream microcontroller systems into reset mode during the detection of fault conditions, such as in a power supply, to avoid system errors and malfunctions. Aside from this function, certain Analog Devices supervisory circuit products are incorporated with complementary capabilities, making them integrated solutions for detecting system faults and random hardware failures. These functions provide output signals that trigger necessary actions to protect downstream circuits.

This article shows how high performance voltage supervisors address the common system limitations and faults affecting system performance in various applications.

Introduction

Part 1 of this article series discussed the basics of a voltage supervisor as well as its value in increasing the reliability of electronic systems that are based on digital computing devices such as microcontrollers as they have power supply requirements and limitations. However, this doesn’t end with putting these systems in reset mode during an undervoltage condition and expecting everything to run smoothly over time.

Aside from power requirements, system design flaws and component imperfections and limitations, if neglected, can affect the overall system performance, making it unstable and less dependable. For instance, consider the typical architecture of systems that are based on digital computing devices, shown in Figure 1. These kinds of applications often encounter problems brought by device limitations such as frozen microcontrollers and software code hang-ups, complications triggered by the environment such as sudden power failures, and faults from design flaws such as operation outside specifications and others. Supervisory circuits have evolved, incorporating improved functionalities significant in addressing these limitations that are critical in the system, which are discussed in the succeeding sections of this article.

Protecting Systems from Imminent Power Failure

Most power sources of downstream circuits come from a stepped-down main supply. Failures in this upstream supply cause such circuits, and the whole system, to fail eventually. If not anticipated in advance, this power failure can cause significantly undesirable effects on the system, including damage to hardware, which can be critical in data processing or storage operations. It can lead to system malfunction, data loss, and damage that can incur additional repair costs or, worse, a temporary shutdown of operations.

Failures in the downstream circuits due to the main supply are hard to detect in advance, especially if the step-down DC-to-DC regulator, such as in Figure 2a, has a wide acceptable input range. The DC-to-DC regulator can continue operating within its range without issuing any warnings to the whole system.

The power-fail warning circuit detects an imminent failure in the system’s upstream supply. It generates a power-fail output (PFO) for early warning of a failure. Component values can be chosen such that the voltage at PFI falls below the reference several milliseconds before the DC-to-DC regulator output falls. This setting gives the microcontroller some time before its power totally goes out, as shown in Figure 2b. The PFO signal is usually used to interrupt the microcontroller to execute necessary processes and shutdown procedures.

Some good examples of supervisory circuits with this feature are the MAX16020, MAX16033, ADM69x, LTC6911-x, and products in LTC69x family such as the LTC692 and LTC693. Other power system diagnostics can be done using this power-fail warning feature such as monitoring battery voltage level in battery-operated devices.

Ensuring Operation Within Power Supply Specification

In systems wherein a tight voltage regulation is required, and overvoltage faults may cause catastrophic effects, a window voltage supervisor is necessary. As an example, complex electronics systems nowadays are often based on FPGAs, which have a tight power supply regulation requirement. Operating outside this power supply window specification may lead to an unoptimized design that can cause excessive power dissipation and shorten the lifetime of these devices.

Window voltage supervisors also have a significant role in achieving a certain level of system safety. They are often used as power supply diagnostics to detect undervoltage (UV) and overvoltage (OV) faults and trigger a mechanism to bring the system into a safe state.

Figure 3 shows an example of a window voltage supervisor simplified block diagram of the MAX16009 with dedicated UV and OV output and resistor-configured trip points. While this is just one known architecture of window voltage supervisor, other implementations are available to fit different preferences in applications. A comprehensive discussion of a window voltage supervisor can be found in the article “Optimize Your System Design with the Right Window Voltage Supervisor.”

Detecting Microprocessor Inactivity and System Hang-Ups

Watchdog timers offer the ability for voltage supervisors to monitor microprocessor inactivity along with monitoring the supply voltage, thus further avoiding system hang-ups.

There are several factors that can cause a microcontroller to freeze, stick, and stop its operation. It can be due to power-supply problems, electrical interference, and software or coding issues. Optimizing power supply design and implementing voltage monitoring helps improve noise and stability performance, which are usually the causes of rising device temperature and slowed down device performance, leading to system hang-ups. Electrical interference problems can be addressed by implementing design techniques that increase the system’s immunity to such an intrusion, which reduces the risk of freezing microcontrollers. Meanwhile, system inactivity due to software issues, such as being locked up in an infinite loop, processes that are too long, or logic errors in the code, can be detected by implementing watchdog timers. Clock signals coming from the microcontroller or processor are monitored within a specified time frame. Failure to provide clock signals within the time frame indicates the system inactivity or software freeze. The watchdog timer provides an output signal, which can be a watchdog output (WDO) or the reset output signal.

Figure 4 shows an application use case in remote wireless sensor nodes where watchdog timers monitor the system inactivity and its output triggers a redundant reset mechanism—a soft reset and a hard reset through power cycling. Note that the second watchdog, WD2, has a longer watchdog timeout period and is used to drive a high-side MOSFET switch for power cycling if inactivity persists.¹

Watchdog timers continue to improve in terms of architecture, thus becoming more stringent in monitoring a processor’s activity. The window watchdog operates in a very similar fashion but features a service cycle that is split into durations called windows. Since a service is only valid at certain times in the windowed cycle, this requires more precise timing for valid services. The challenge/response watchdog, which is a more recent watchdog architecture from ADI, requires a processor or microcontroller to perform a task or computation to ensure that it is fully operational. In this type of watchdog timer, such as the MAX42500, there is a key-value register within the watchdog timer IC. The microcontroller must read this value and use it to compute the appropriate response. This type of watchdog eliminates the possibility of being stuck in a routine that is just giving a mere periodic signal.^2,3

Enabling User Control

The ability to put the system into reset mode, in addition to automatic triggers such as voltage faults and watchdog timers, is often desirable for any system. Manual reset (MR) allows users to perform activities such as testing and debugging without needing to do a hard reset or power off the system. An example is enabling users to restart the system when addressing software issues.

The manual reset feature also allows the user to force a restart during system lockup without recycling power. Doing this will save time and energy, as reinitialization of the whole system is not needed. In applications, this is used along with an emergency stop and ensures a controlled shutdown when necessary.

In applications such as in the circuit in Figure 5a, when the MR pin is used with a mechanical interface (a switch, for instance), or even with external logic that can be influenced by noise and glitches, a reset output can be falsely triggered. To prevent this scenario, internal circuit techniques are being implemented in manual reset features such as the debounce circuit and long manual reset setup period requirement.⁴ Figure 5b shows an example of how a manual reset setup period in the MAX6444 works and assures certainty of an input signal. A good discussion of addressing false triggers in manual reset can be read in the article “How Voltage Supervisors Address Power Supply Noise and Glitches.”

Continuing Operation and Avoiding Data Corruption During Power Loss

Some applications require nonvolatile memory to preserve data across power cycles. This requires the contents of a complementary metal-oxide semiconductor, random-access memory (CMOS RAM), and other critical functions of the system to be continuous even when the power supply is lost. Supervisory circuits that have a battery backup feature can address this problem.⁵

An example of such can be found in Figure 6. When the input supply V_CC is present, this voltage is routed to the output V_OUT. If V_CC fails, the battery voltage (V_BATT), in this case, is routed to V_OUT. The switchover circuit compares the input supply voltage to the V_BATT input and connects the output to whichever is higher. Usually, hysteresis is present, which prevents repeated and rapid switching if the V_CC falls very slowly or remains nearly equal to the battery voltage.

V_OUT can supply a limited current from V_CC through an internal switch. If more current is required, such as in larger loads, an external PNP transistor can be added. When V_CC goes back to proper regulation and becomes higher than V_BATT, the BATT ON output goes low.

Complementing the battery backup feature is the active-low chip-enable (CE) gating, which protects data and prevents it from being corrupted. The active-low CE line from a microprocessor or address-decode logic is routed through the supervisory chip instead of going directly to the SRAM. This signal passes through the supervisory chip unaffected. During reset, the CE line is forced high to disable access to the memory, protecting the SRAM contents from unwanted data corruption and erroneous writing.⁵ With the introduction of flash memory, this feature of battery backup started to decline. However, there are still many systems that find this feature beneficial for their application.

While some supervisory circuits come with each of the features discussed previously, some parts come with all the features together in one component, thus offering a more comprehensive and complete solution.

Conclusion

While detecting undervoltage faults in voltage supervisors increases system reliability, other diagnostic functions and mitigating features are added to address various system faults and further enhance system robustness and dependability. Additional features such as power-fail warning, window voltage monitoring, watchdog timer, manual reset, and battery backup help address possible scenarios that could arise and cause errors due to limitations of microcontroller- and microprocessor-based systems. Having these scenarios monitored, and executing actions to avoid the catastrophic effects, offers a high level of confidence to system designers as well as to end-users.

References

¹ Niño Angelo Pesigan, Ron Rogelio Peralta, and Noel Tenorio. “Driving a High-Side MOSFET Input Switch Using Active Low Output for System Power Cycling.” Analog Dialogue, Vol. 58, No. 1, February 2024.

² “The Basics of Windowed Watchdogs.” Analog Devices, Inc., December 2021.

³ Bryan Borres and Christopher Macatangay. “Improving Industrial Functional Safety Compliance with High Performance Supervisory Circuits: Safety Critical Features—Part 3.” Analog Dialogue, Vol. 59, June 2025.

⁴ Noel Tenorio. “How Voltage Supervisors Address Power Supply Noise and Glitches.” Analog Dialogue, Vol. 57, November 2023.

⁵ “Supervisory Circuits Keep Your Microprocessor Under Control.” Analog Devices, Inc., April 2002.

著者について