Discusses the value of a µP supervisor reset circuit in a microprocessor-based system. Explains the terms associated with a supervisory circuit and how they should be implemented. Subjects discussed include power-on reset (POR), brownout conditions, and low-power failure. Features discussed include undervoltage/overvoltage detection, manual reset input, power fail comparator, and watchdog timer.
Battery backup circuits with chip enable gating feature also explored. In addition, the document discusses future requirements such as multivoltage systems.
A similar article appeared in the November 2000 issue of Sensors.
The world throws a wide range of problems at microprocessor-system designers. Power supplies come up in the wrong sequence, ramp up too slowly, and stabilize too slowly. Supply voltages glitch up and down due to external-component loads, or they drift in and out of tolerance as the bus voltages fluctuate or system batteries begin to fail. Peripheral components and boards fail to power up and communicate in synchronization with the needs of the processor. In spite of lengthy preintroduction software analysis, bugs sneak into the system code and are shipped to the field.
System designers do everything they can to minimize these events within a fixed-cost budget, but careful engineers want their system to operate safely even when a problem occurs. They want to ensure that the microprocessor-based system starts properly every time; that it detects when a system error has occurred or is about to occur; that it minimizes the effect of these errors; and that it returns safely from an error with little or no user intervention.
The modern microprocessor-supervisor circuit is a low-cost and effective method for monitoring and maintaining such system activity. Applying techniques developed over the past several years, today's supervisors provide the insurance needed by microprocessor systems. They feature low power consumption, low cost, and a wide range of integrated functions in very small packages.
The first and most commonly used safeguard for microprocessor systems is the power-on reset (POR) function. Almost every computer and embedded processor includes a means for cold-starting the system in the proper configuration when power is first applied. Most processor data sheets provide a minimum reset period, during which the device should remain out of operation until the local power supply has stabilized for a specified interval (200ms is typical). The processor is not guaranteed to operate correctly if brought out of reset too quickly. During this reset interval, the processor's clock is allowed to stabilize and the internal registers have time to load properly. Most processor data sheets specify a minimum reset time, but they provide few guidelines for achieving this delay.
A common approach that is inexpensive but risky is to delay the reset signal using a resistor-capacitor (RC) lowpass filter at the microprocessor's reset-input pin (Figure 1). You can select the component values to provide a wide range of reset delays based on a slow, exponential RC rise time. As the capacitor charges from ground to VCC, the voltage crosses a threshold recognized by the microprocessor as a valid (high) input voltage (VIH). This action releases the processor from reset, and it should (ideally) begin normal operation. Unfortunately, this approach has several drawbacks.
The first power-on problem is seen when the supply voltage rises slowly relative to the processor's reset time period. The capacitor voltage closely follows VCC for low slew rates. As a result, the reset input voltage at the processor can reach a valid VIH level before VCC arrives within the tolerance range specified for the device. For a 3.3V supply with ±10% tolerance, for example, the reset should not deassert until VCC > 2.97V. The system, however, can achieve a minimum VIH level of 2.31V (0.7Vcc for most processors) long before the supply is ready for processor operation. That is, the processor can be released from reset when the supply is still 20% or more below its nominal operating level.
A second shortfall of RC circuits is the lengthy reset-delay interval required for most processors (200ms typical), which compels a low rate of voltage slew at the processor's reset input. Reset logic inputs are usually designed to recognize digital signals that make quick transitions from VIL to VIH. The delayed reset voltage, filtered to a slow µV/µs slew rate, can provide insufficient overdrive to the processor's digital input, a condition that results in reset metastability. A Schmitt trigger between the RC filter and processor input can increase the apparent slew rate, but it can contribute power-up concerns of its own (besides additional cost and component area).
Brownout and Glitch Detection
Brownout detection, the second-most-common reset requirement, is closely related to POR and highlights a third problem with the low-cost RC delay circuit. Assuming the RC delay provides a reasonable interval for the processor to properly initialize before releasing the reset, the system is at risk if the supply voltage glitches or droops below its operating tolerance for any significant time interval.
Because the RC circuit was selected to create a long rise-time delay on the reset signal, it filters out the relatively fast undervoltage glitches before the filtered reset signal can fall to VIL. A fast negative glitch (relative to the reset delay time) can wreak havoc on the processor's internal registers, forcing it to execute wrong instructions, process incorrect data, or issue dangerous system signals. A supply droop, which can be sustained for a long period, can bring VCC below the processor's operating tolerance while maintaining the reset voltage above its reset-switching threshold.
An improved but still risky solution adds a diode to the RC circuit, thereby creating a fast filter response for large negative-going VCC signals (Figure 2). As VCC drops below the charged capacitor voltage, the diode turns on and pulls the reset signal downward. This approach can be satisfactory for a hard drop of VCC, but a smaller drop (brownout) may not turn the diode on. For a 2.5V processor, for instance, the supply must drop more than 20% before the diode begins to discharge the capacitor voltage. If the glitch or droop is more than the processor tolerance but less than the diode's forward turn-on voltage, the processor's internal registers can be corrupted even though the supply recovers to its full VCC specification without triggering a processor reset.
Integrated Reset Generators
Problems associated with RC delay circuits are easily solved by IC reset generators like the SOT23 MAX6332̵MAX6334 and the SC70 MAX809/MAX810/MAX803. By integrating an accurate voltage monitor with precise timing circuitry, these modern reset generators detect when the supply voltage is within the processor's tolerance and provide a guaranteed reset delay.
A typical reset device (Figure 3) incorporates a voltage reference, a voltage comparator, a supply voltage resistor-divider network, a fixed-delay-time circuit, and an output driver stage. The resistor network can be adjusted at the factory for a wide range of supply-voltage tolerances, allowing the user to select a specific reset threshold for each processor application. The reset generator's accurate voltage detector, independent of its logic output stage, does not rely on the processor's HIGH and LOW logic-input levels to determine when the supply is within its allowable operating tolerance.
For POR, the internal voltage comparator turns on the delay circuit only when the supply voltage exceeds the selected threshold for a sufficient period of time. Delay generators, offering processor-compatible reset times ranging from 1ms to 1s, hold the output stage in reset until the minimum-specified period has expired. The generator output, available with several logic options, is then deasserted to quickly drive the processor out of reset and into normal operation.
The voltage comparator in most reset generators also detects when the supply voltage drops back below the processor tolerance. If it drops below the selected threshold for sufficient time, the reset output quickly asserts its active-drive logic to suspend and reinitialize all processor activities. The reset can be activated at any time: a jagged startup of the power supply, large VCC glitches, brownout, or shutdown of the system.
A wide range of VCC reset thresholds are available in the industry today. Many suppliers offer standard reset options for nominal supply voltages of 5, 3.3, 2.5, 1.8, and 1.2V. The customer can select a standard, fixed reset threshold to match a given nominal processor supply voltage and its minimum tolerance. Or select an adjustable reset threshold to monitor wider voltage ranges down to 0.5V (MAX16052/MAX16053). Reset tolerances are commonly available in processor-compatible options of -5% and -10%. For nonstandard fixed reset voltages, some suppliers offer 100mV breaks over a wide VCC range of 1.2V to 5V. This flexible range allows users to optimize the threshold for specific combinations of component tolerance and supply voltage.
Tighter accuracy for reset thresholds generally helps support looser and lower-cost power-supply specifications. For example, a system that guarantees operation for its 5V ±10% processor needs to initialize a reset before the supply drops to 4.5V. If the supervisor device has an accuracy of ±2.5%, guaranteed over temperature relative to the nominal VCC, the typical reset threshold is 4.625V and the maximum reset threshold is 4.75V. Due to the supervisor's ±2.5% accuracy specification, the processor can reset for any VCC below 4.75V and is guaranteed to reset before VCC drops below 4.5V.
To support the supervisor accuracy overhead and avoid areas of unknown reset conditions, the resulting power supply should be specified for a tighter minimum limit (4.75V). The resulting 5V, -5%/+10% VCC specification could increase the power-supply cost substantially. Thus, a more accurate ±1% or ±1.5% supervisor, though more expensive than ±2.5% devices, can actually lower the system cost.
An important function of the modern reset generator is to minimize nuisance resets: the undesired system restarts that occur when a short-duration small-magnitude spike depresses the supply voltage below its minimum-allowed level. To determine if a system reset is required, the voltage detector integrates glitch duration and intensity. A plot of the maximum supply-transient duration versus overdrive can illustrate how a reset generator responds to noise in the system supply (Figure 4).
Undervoltage/Overvoltage Detection Circuits
Some power supplies must be monitored for undervoltage and overvoltage conditions. Overvoltage monitoring has become necessary in many systems to prevent damage to expensive processors and ASICs. A window detector, which monitors both overvoltage and undervoltage conditions, can be constructed with two voltage detectors and a reference. Alternatively, you can use a dedicated window-detector IC, such as the MAX6754 family (Figure 5).
An input for manual (pushbutton) reset is a useful addition to the simple reset generator. Manual reset allows the user or an external system component to trigger a microprocessor reset while the supply voltage remains within tolerance. If the processor locks up for some unknown reason, the manual reset lets you start again without turning off the system power. This function is especially important for products that never power down the controlling processor, even in the "off" mode. It is also useful for debugging and for final system testing. In all cases, a manual reset can guarantee that the processor receives the necessary timeout period during reset.
Manual resets are often initiated with a low-cost pushbutton switch, and reset devices like the MAX6335–MAX6337 series usually include input-debouncing circuitry to mask the effect of ringing initiated by contact closure in the grounded switch. Because the switch can be remote to the processor (often on a back panel or hidden in a battery or power-supply compartment), the best manual-reset circuits accommodate long board runs by rejecting short (100ns typical) noise-induced pulses. To guarantee valid reset inputs (1µs typical), they also require a minimum input pulse width. The manual reset can be implemented as an independent input to the supervisor or as a dual-function pin that serves both as reset output and manual-reset input.
Some microprocessors now integrate the power-on reset circuitry with their power-management functions. Although these embedded reset circuits are usually better than the RC-delay approach, the µP IC process is optimized for high-speed or low-power digital performance rather than accurate and reliable analog measurement and timing. Thus, internal resets can provide reasonable power-on timing under normal operating conditions, but they are poorly qualified to handle the supply transients and brownouts that can cause processor errors. For robust operation, most processors provide an additional reset input that can be driven by an external, dedicated reset supervisor.
Power-Fail and Low-Battery Indicators
Many systems cannot afford to lose data even when the power supply drops out completely and the microprocessor fails. A hard reset resulting from loss of supply voltage causes the processor to dump any information held in its internal registers. A system can minimize this potential data loss by saving data continuously in a nonvolatile memory, but that approach reduces the processor efficiency and stresses the write endurance of flash or EEPROM memories.
An improved method, implemented by the SOT23-packaged MAX6342–MAX6345 supervisors, employs a power-fail or low-battery indicator that enables the processor to anticipate a loss of supply voltage. With advance warning, the processor can store information in nonvolatile memory before the system initiates a reset (Figure 6).
Typical systems power the processor by regulating voltage from a primary supply or battery. This processor supply voltage is monitored by a standard power-on/brownout reset, but an independent low-voltage indicator also monitors the primary supply. The threshold for this indicator is set above the regulator dropout voltage, and its output drives a nonmaskable interrupt (NMI). This NMI instructs the processor to begin saving data into nonvolatile memory. If implemented properly, the low-voltage indicator provides sufficient time for storing all data before the regulated supply voltage drops below the processor's minimum operating specification.
Battery-Backup and Chip-Enable Gating
When a system lacks time to transfer large amounts of data to nonvolatile memory, battery backup is an attractive alternative. To accommodate dual supplies, devices such as the SOT23 MAX6361/MAX6363/MAX6364 provide one input for the primary VCC and one for an onboard battery (Figure 7).
When the supply level is sufficient to maintain volatile RAM activity, an internal switch connects the supervisor's voltage output to VCC. When VCC drops below a specified threshold, the supervisor disables further memory writes by issuing a reset to the microprocessor. If VCC drops too low to maintain the RAM contents, the supervisor switches the RAM supply from VCC to the backup battery. Memory devices with low suspend current can hold data for very long periods, until the system VCC can be brought back to its proper operating level. If desired, the same battery-backup process can also sustain real-time clocks and certain processor activities.
Even the best-designed systems are subject to errors other than power-supply fluctuation. Bad program code, incorrect clocking signals, or poorly responding peripherals can all force the processor out of its normal operating code or into a dead-end loop. When a processor leaves the expected instruction path, it may have no way of knowing that it is operating incorrectly and needs to restart.
To solve this problem, many supervisor ICs (like the industry-standard MAX823 and newer MAX6316–MAX6318 devices) include a watchdog timer as a low-cost means for ensuring that the processor is executing within the proper code boundaries. This scheme requires that the processor update a watchdog logic input continually, within a specified minimum time period. Otherwise, the supervisor issues a system alert (Figure 8).
A common industry-standard timeout period for watchdogs is 1.6s, but suppliers offer options from 1ms to 1 minute. Because the watchdog update consumes processor-cycle overhead, you should select the watchdog period by asking "how long can the system be allowed to operate incorrectly before a reset is initiated?" Some devices allow a longer startup timeout (1 minute, for example) before dropping back to the normal 1.6s short-timeout operating mode. This dual-timeout capability allows the system to execute a lengthy boot process during startup and then become responsible for the faster, routine watchdog updates.
The watchdog output can at times be tied to a nonmaskable processor input, which lets the supervisor attempt to bring the processor back to normal operation without losing volatile memory data. To fully reinitialize the system on detection of any error, the watchdog can be tied in common with the POR/brownout-detect output.
Many microprocessors now provide an internal watchdog timer to monitor their own internal state. Because the watchdog is only a support feature for the processor, it usually offers a range of programmable timeout periods and disable options. The processor can also have the ability to modify its watchdog monitor function through software control. Because the programmable watchdog operates from the same supply voltage and clock inputs as the processor, however, it is often subject to the same transient errors as the processor itself. Thus, the most robust systems include an independent watchdog, which guarantees proper inputs to the processor each and every time.
The newer processors and many other systems require multiple-supply voltages. The trend toward multiple-supply devices is especially evident in high-speed small-geometry digital signal processors, which can communicate with a standard system I/O voltage of 3.3V but operate with core logic of 2.5V or lower. These devices often require that both supplies be within the processor's tolerance before the POR is released. Similarly, a complex receiver system can maintain four or five supply voltages (12V, 5V, -5V, 3.3V, and 2.5V, for example), which support a variety of analog and digital components. An undervoltage condition on any of these voltages can cause a system failure.
In spite of its low cost, a simple RC network cannot monitor multiple supplies simultaneously while providing a single valid logic level for the system reset. Historically, manufacturers have created multiple-supply monitor circuits with multiple power-fail/reset detectors or by wiring the outputs of several single-supply reset devices in common. Then, any supply voltage that sits below its specified tolerance holds off release of the processor reset.
Some of the newer supervisors support multivoltage monitoring in single-package designs (Figure 9). The MAX6351–MAX6360 family, designed for dual- and triple-supply applications, offers several options for factory-trimmed standard reset thresholds (that is, those associated with supply voltages of 3.3V and 2.5V, for example). An adjustable detector allows users to monitor a third supply voltage (as for a 5V analog peripheral) and hold off the processor start until all voltages are within tolerance. Modern packages and processes allow Maxim to squeeze extra functionality into the multivoltage SOT23 reset supervisor, along with a watchdog timer of an extended start period and a manual-reset input.
As processors demand greater performance from steadily shrinking integration processes, we should see lower operating voltages. If the current processor-supply tolerances of ±5% and ±10% remain unchanged, designers will demand even more accurate analog voltage detectors to replace their discrete-component alternatives. An older 5V-reset architecture that successfully monitors maximum supply deviations of -250mV may be incapable of supporting a new 1.2V monitor with a -60mV undervoltage limit. Because many of these low-voltage systems will need to support a range of dual-supply devices and slower-changing legacy supply devices, the need for multivoltage monitoring to ensure proper operation should become more critical.
We should also witness the introduction of new integrations that combine supervisors with other components now surrounding the microprocessor. If an external chip provides power or communications for the processor, its integration offers an opportunity to shrink board area, cut power consumption, and reduce cost. A few of the functions being combined with supervisors today include low-dropout regulators, DC-DC converters, nonvolatile memory, and real-time clocks.
The best microprocessor supervisors are so designed and applied that the customer never knows they are in the system. Such systems always power up properly, at no time lose or destroy data, and never lock up unexpectedly.
System designers appreciate the modern supervisor as a low-cost insurance policy that keeps the product working all the time. Supervisors also improve the manufacturer's time to market, while minimizing field problems, customer service, and failure returns. Because of the wide range of products now available in very small SOT23, SC70, and TDFN packages, you can optimize an application requiring low power, low voltages, multiple-supply voltages, and low cost without sacrificing its functionality.