e005068.pdf

APPLICATION NOTE

The content of this note is based on information received from manufacturers in the electrical and electronics industries or

their representatives and does not imply practical experience by Elektor Electronics or its consultants.

MAX807 watchdog for

provides operational safeguards

Design by Prof B vom Berg and P Groppe

Microcontrollers are used in ever-increasing numbers, not only in

technical and engineering applications, but also in domestic products and

motor vehicles. This proliferation makes increased demands on the

operational safety of microcontroller systems. After all, their failure may

damage or even destroy the equipment they are used in. Even worse,

such failure may create a danger to the health or the life of the operator.

Figure 1. Block diagram, typical operating circuit and pin conﬁguration of the MAX807.

Elektor Electronics

5/2000

microcontroller systems

APPLICATION NOTE

pin is pulled high, whereupon the microcontroller

restarts its program execution.

Manual reset

A reset may be generated manually by a push-b ut-

ton operated switch connected between the MR

input and ground (GND). When this switch is

closed, the reset output is pulled low, whereupon

the microcontroller is reset.

Figure 2. Switching arrangement of the RAM supply.

Watchdog

The internal watchdog may be used for intelligent

monitoring of the correct program execution. It is

started by applying a high or low logic level to the

wdi (watchdog in) pin. When the level at this pin

remain s con stant (high or low) for longer than 1.6 s,

output WDO (watchdog out) changes from high to

low and remains so until the level at wdi changes

state.

When th e WD I pin is linked to a microcontroller

output and WDO , say, to the mr pin of the MAX807,

the microcontroller program must change the level

at the wdi input at intervals not exceeding 1.6 s to

prevent the wdo pin being pulled to low which

results in the microcontroller being reset.

The i nse rtion of regular level-change instruc-

tions for WDI into the program ensures that there is

no forced reset when the program runs correctly.

When the program crashes, for instance, because

of an error in an e ndle ss loop program and the con-

trol instruction for WDI is absent, the microcontroller

is forcibly reset and restarts the program execution

error-free from the beginning.

The watchdog can be disabled only by leaving

WDI open when the supply voltage is being

switched on.

Two examples serve to illustrate the risks

ensuing in an equipment against which

the microcontroller must be protected.

Semiconductor producers guarantee

error-free operation of their microcon-

trollers when the supply voltage is

5 V ±10%. Overvoltages are readily

negated by the use of appropriate regula-

tion of the supply lines. When, however,

for whatever reason the supply voltage

drops below 4.5 V, the reaction of the

microcontroller cannot be foreseen.

Relays may open and close at random;

data memories may be adversely

affected, and so on. It is obvious that in

the case of undervoltages the microcon-

troller must be disabled by a reset for as

long as the supply voltage is below par.

It happens frequently that important

data are held in RAM that must be saved

when the supply voltage fails. To ensure

that this happens, it must be impossible

for the microcontroller to access the RAM

module in the write mode when the sup-

ply voltage falls out, and at the same

time, the RAM must be powered by a

standby buffer battery.

The MAX807 Supervisory Circuit from

Maxim provides power-supply monitor-

ing, back-up battery switch-over, and pro-

gram execution watchdog functions in

microprocessor systems—see block dia-

gram in Figure 1. Use of BICMOS tech-

nology results in 1.5% reset-threshold pre-

cision while keeping the supply current

typically below 70 µA.

The 70 µA supply current makes the

device ideal for use in battery-powered

applications that require high reset-thresh-

old precision, allowing a wide power-sup-

ply operating range, while preventing the

system from operating below its speciﬁed

voltage range. Moreover, a 2 ns chip-

enable propagation delay and 250 mA out-

put current capability (20 mA in battery-

backup mode) make it suitable for use in

larger, higher-performance equipment.

The MAX807, which comes in 16-pin

DIP and SO packages, provides the fol-

lowing functions:

• automatic power-on-reset;

• manual reset input;

• watchdog;

• chip-enable protection when the overall

system voltage fails;

• monitoring the system voltage;

• monitoring the supply voltage;

• backup-battery switch-over for RAM,

real-time clocks, or other low-power logic.

Automati c po wer-on-reset

The MAX807 RESET output ensures that

the microprocessor powers up in a known

state, and prevents code execution errors

during power-down and brownout condi-

tions. It accomplishes this by resetting

the microprocessor, terminating program

execution when Vcc dips below the reset

threshold or m r is pu lled low.

Each time RESET is asserted, it stays

low for the 200 ms reset time-out period,

which is set by an internal timer to

ensure the microprocessor has adequate

time to return to an initial state.

Any time Vcc goes below the reset

threshold before the reset time-out period

is completed, the internal timer restarts.

The wa tchd og timer can a lso initiate a

reset if WDO is connected to MR .

When V CC drops below the reset

threshold of 4.675 V (in the case of the

MAX807L), the reset output is pulled to

earth, so that the microcontroller con-

nected to it is pulled to the reset state.

The controller can then no longer perform

random actions at the critical instant

when the supply voltage drops below the

absolute limit of 4.5 V.

It is only 200 ms after the system volt-

age is restored to ≥ 4.675 V that the reset

Chip enable protection

A critical situation arises in a microcontroller sys-

tem when the system voltage fails, whether by

intentional switching off or by interference. At the

instant this happens, the microcontroller may ran-

domly access the RAM and mutilate or even

destroy important data. Obviously, this situation

must be avoided at all costs.

Similarly, when a system contains a real-time

clock (RTC), this should not be affected in any way

when the supply voltage fails.

It is clear that the RAM and RTC must be

switched instantaneously to a buffer battery when

the system voltage fails.

Switching the RAM from the normal supply

lines to a buffer battery is not straightforward and

will be described with reference to Figure 2.

The RAM is enabled for access by the micro-

controller by the level at CE IN . When this level is

high, the RAM is disabled, irrespective of any other

signals from the microcontroller. When the level

goes low, the RAM is enabled. The enable signal is

provided by the M AX80 7.

The signal at CE IN that normally enables the

5/2000

Elektor Electronics

APPLICATION NOTE

RAM is generated by the CE decoder. With the use

of the supervisory circuit, h oweve r, the RAM is

actuated by the signal at the CE OUT pin.

Internal monitoring and switching logic in the

MAX807 ensure the correct setting of switch S.

When the system voltage, V CC , is correct (+5 V),

and there is no reset, the sw itch is in position a.

The RAM is then enabled via CE OUT and driven as

normal by the microcontroller.

When the system voltage fails, or a reset is ini-

tiated, the MAX807 senses this immediately – well

before the microcontroller can re act – and sets

switch S to position b. The CE OUT pin is then iso-

lated from the RAM; its level is either that of the

positive supply voltage, V CC , or of the buffer battery

voltage, BATT, whichever is the higher. This

arrangement precludes uncontrolled driving of the

RAM by the microcontroller, and ensures that the

RAM is powered by the battery (although it cannot

be accessed).

Only when the system voltage has returned to

normal and there is no manual reset initiated, is

switch S returned to position a, whereupon the

microcontroller can once again access the RAM.

Figure 4. Arrangement of the two-stage monitoring of the supply and system

voltages, including the integrated buffer battery.

4.727 V is reached, so that it can initiate a

non-maskable interrupt (NMI) at an early

stage. As a further safeguard, PFI is inter-

nally provided with a 20 mV hysteresis.

When the supply voltage fails, a three-

stage warning procedure is initiated.

1. Initial warning (high priority interrupt)

when the supply voltage drops to

below, say, 8 V.

2 Second warning (non-maskable inter-

rupt – NMI), when the system voltage

drops below 4.727 V.

3. A microcontroller reset that disables

the whole system when the system

voltage drops below 4.675 V.

the RAM and RTC are powered by the

normal system voltage.

V CC <reset threshold, and

V CC <BATT.

In these situations, switch S bat is in posi-

tion b, so that the battery voltage is

linked to OUT, that is, the RAM and RTC

are powered by the battery.

The maximum current drawn from the

battery should not exceed 20 mA, which is

more than adequate for all current RAMs

and RTCs.

Du ring battery operation, the level at

CE OUT is high (provided the battery volt-

age >2 V) so that the RAM cannot be

accessed by any external signal or com-

bination of signals.

If battery operation is not needed, the

BATT pin must be strapped to GND and

the V CC pin to OUT.

Monitoring the system voltage

It is a frequent requirement in a system that the

microcontroller carries out some important tasks

before the system voltage breaks down. This pre-

supposes that the controller is made aware of an

imminent breakdown. This is effected by a low-line

comparator in the MAX807, which monitors the

system voltage. When this voltage drops to a level

52 mV above the reset leve l, that is, below 4.727 V,

the comparator pulls the LOW LINE output of the

MAX807 from high to low, which, for instance, ini-

tiates a non-maskable interrupt (NMI) of the micro-

controller.

The microcontroller then instantly abandons its

usual program routine and initiates the interrupt

service routine to stabilize the system before the

system voltage breaks down entirely. An internal

switchin g hysteresis of 13 mV prevents the

LOW LINE output from ﬂuttering.

If this procedure is not needed, the

PFI pin mus t be linked to earth (GND) to

ensure that PFO is not switched.

Buffer battery

management

To ensure that important data in the RAM

and, where applicable, the correct action

of an RTC are retained, the RAM and

RTC must be powered by a buffer battery

when the normal supply fails. The instan-

taneous switch-over from the normal sup-

ply to the battery is carried out by the

MAX807—see Figure 3.

The battery, preferably a 2.5–5 V

lithium type, is connected between BATT

and GND. The supply to the RAM and,

where applicable, the RTC, is taken from

the OUT pin.

The logic circuits in the MAX807 con-

stantly compare the two external volt-

ages, V CC and BATT, and recognize the

following situations.

V CC >reset threshold, or

V CC >BATT.

In these situations, switch S bat is in posi-

tion a and V CC is linked to OUT, so that

Finally

The level at the BATT ON pin indicates

which voltage source supplies the OUT

pin: when it is high, the buffer battery,

and when it is low, V CC . It is therefore pos-

sible to connect some kind of indicator to

this pin to display which source is being

used.

The level at the BATT OK output indi-

cates whether the battery voltage is nor-

mal, in which case it is high. When the

level is low, that is, when the battery volt-

age <2.265 V, it is high time to replace

the battery by a fresh one.

Monitoring the supply voltage

In certain cases, it may be necessary for the micro-

controller to be warned of an imminent break-down

of the system or supply voltage. This is made pos-

sible by the power fail comparator (PFI) in the

MAX807. This comparator monitors the overall sup-

ply voltage to the microcontroller system, for

instance, the 12 V mains adaptor output preceding

the +5 V regulator.

When the potential at th e PFI input drops below

2.265 V, the level at the PFO output is switched from

high to low, whereupon the microcontroller initiates

an interrupt. This interrupt actuates the program

of the early warning stage in the supply failure

monitor. In this way, the microcontroller is given

more time before the final warning threshold of

[990089]

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: