Abstract: Watchdog timers are used to monitor and minimize code execution errors. Internal watchdog timers are subject to code execution problems, making external watchdog circuits invaluable in preventing system lockup.
This document provides assistance in selecting the right type of watchdog/supervisory product for different types of applications and how to apply the circuit without the software code.
Many circuit functions previously realized with dedicated hardware are now implemented in software, due in part to today's broad choice of low-cost microprocessors (μPs). While software is often the lowest cost and most flexible way to solve a problem, it forces the designer to take extra measures to ensure system reliability. While there is no such thing as a program without code errors, careful testing can reduce the number of errors to one to ten per 1000 lines of code. Therefore, designers must expect a minimum of 10 code errors in a typical control software program with 10,000 lines of code.
Desktop application software errors that cause a system crash are not critical since the user can reboot the system with only a minor loss of data. However, for industrial control software, the system must be able to recover from code errors without human intervention. This feature is critical for two main categories: systems that have high availability, such as servers, telephone systems, and production lines; and systems that must be highly reliable because a crash could lead to injuries, as with automobiles, medical instruments, industrial control, robots, and automatic doors. Even if neither of these criteria applies, system crash/recovery without user intervention (pressing reset or power cycling) is preferred. If a device recovers from an error without human intervention, the perceived quality of the device is good, as the user is unaware that something went wrong inside it. A simple and effective method of achieving such improved system reliability is to use a watchdog.
The Watchdog
The watchdog is a counter that must be cleared within the watchdog timeout period. If clearing does not occur, the watchdog generates a reset to cause system reboot or creates a non-maskable interrupt (NMI), causing a program branch to a fault-recovery subroutine. Most watchdogs are edge triggered. Therefore, either a rising or a falling edge on the watchdog input (WDI) will clear the counter. The WDI pin is connected to a processor I/O pin, which is toggled by the software (Figure 1).
Figure 1. The microprocessor clears the watchdog timer with a pulse on the WDI pin to prevent a reset.
The command to clear the watchdog counter must occur within the main program loop (Figure 2). If the watchdog is not cleared, a reset occurs and the software branches to address 0000 (startup routine). Calculating the time it takes to execute the main loop is often difficult, as numerous subroutines might be called, depending on the inputs to the system. Therefore, the designer normally chooses a watchdog timeout that is much longer than the longest measured or calculated loop time.
Figure 2. This figure shows a typical program flow with the WDI signal generated within the main loop.
Figure 3 shows the watchdog and reset signal for normal operation (watchdog is cleared within timeout period). In Figure 4, a reset is generated after the watchdog counter reaches the timeout. Industry-standard watchdog circuits have timeouts in the 100ms to 2s range, although there are adjustable and customized watchdogs covering a much wider range (30ms to minutes). If the execution time of the main loop is too long for the watchdog, the designer can implement multiple watchdog-toggle commands within different sections of the main loop or use a device with longer timeout.
Figure 3. If the WDI pin is always toggled within the watchdog timeout, no reset is generated.
Figure 4. As soon as the watchdog counter reaches the timeout value, a reset is generated.
A technique that prevents the system from being stuck in a parasitic loop is to set the relevant I/O pin high at the beginning of the main loop, and to set it low in another section of the main loop. If the software gets stuck in a parasitic loop at the start of the main loop, the watchdog times out and the system recovers, as WDI remains high (Figure 5). If a low-high-low pulse is used (as in Figure 2), the watchdog will be cleared, but the system will remain stuck. A more sophisticated scheme might be necessary for programs with multiple tasks that require monitoring. Each task sets a flag, and the watchdog is only toggled if all flags are set. The duration of all tasks must be shorter than the watchdog timeout period. Figures 2 and 5 might seem simplistic compared to actual programs, but they illustrate the relevant concepts. Other potential problems in more complex systems, such as memory leakage and stack overflow, should also be monitored. This is beyond the scope of this article, but is typically done by using suitable design procedures, performing a careful code review, and employing specialized software tools.
Figure 5. An improved program flow has two separate watchdog-toggle commands, which generate a rising-and a falling-edge signal on the WDI pin. This prevents the program from being stuck in a parasitic loop.
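As an added illustration (not code from the application note), the following constructed C model of an edge-triggered external watchdog driven from a processor I/O pin contrasts the single-pulse clearing of Figure 2 with the two-edge scheme of Figure 5 when the program gets stuck, and includes the all-tasks-flagged kick described above. The watchdog model, the tick-based timeout, and the task count are assumptions made for the example.

```c
#include <stdint.h>

/* Constructed model of an edge-triggered external watchdog (not a real
   part): the counter advances once per tick and any WDI edge clears it. */
#define WDT_TIMEOUT_TICKS 100
#define N_TASKS 3

static int wdi_level, wdt_counter, reset_count;

static void wdi_write(int level)            /* processor I/O pin -> WDI */
{
    if (level != wdi_level) wdt_counter = 0; /* any edge clears the counter */
    wdi_level = level;
}

static void wdt_tick(void)                  /* one watchdog clock period */
{
    if (++wdt_counter >= WDT_TIMEOUT_TICKS) { wdt_counter = 0; reset_count++; }
}

/* Figure 2 scheme: one low-high-low pulse. A parasitic loop that still
   contains the pulse keeps clearing the watchdog, so the fault is missed. */
int pulse_scheme_stuck(int ticks)
{
    reset_count = 0; wdt_counter = 0;
    for (int t = 0; t < ticks; t++) { wdi_write(1); wdi_write(0); wdt_tick(); }
    return reset_count;                     /* stays 0: no reset ever issued */
}

/* Figure 5 scheme: rising edge at loop start, falling edge at loop end.
   Stuck between them, WDI stays high and the watchdog times out. */
int two_edge_scheme_stuck(int ticks)
{
    reset_count = 0; wdt_counter = 0;
    wdi_write(1);                           /* start of main loop */
    for (int t = 0; t < ticks; t++) wdt_tick(); /* never reaches wdi_write(0) */
    return reset_count;                     /* ticks / WDT_TIMEOUT_TICKS resets */
}

/* Multi-task scheme: each task sets its flag; WDI is toggled only when
   every flag is set, then the flags are cleared for the next cycle. */
static uint8_t task_flags;
void task_done(int id) { task_flags |= (uint8_t)(1u << id); }
int kick_if_all_tasks_ran(void)
{
    if (task_flags != (1u << N_TASKS) - 1) return 0; /* a task did not run */
    task_flags = 0;
    wdi_write(!wdi_level);                  /* one edge clears the watchdog */
    return 1;
}
```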
Internal vs. External Watchdog
Many μPs have an integrated programmable watchdog that can be disabled under software control. The internal watchdog is prone to code errors, and so does not provide the same protection as an independent external watchdog. For safety-critical applications (e.g., automatic doors, medical devices, robots), the internal watchdog is unacceptable. Regulatory bodies demand use of a separate, external watchdog. Thus, it is good practice to use an external watchdog to reduce the risk of critical system failures.
Simple Watchdog Plus Reset
Since a watchdog timeout normally resets the system, most watchdogs are integrated with a μP reset that also monitors the processor supply voltage. The reset is activated either by the watchdog or by an undervoltage condition. The MAX823-MAX825 family shown in Figure 6 combines these two functions and is available with standard reset voltages, one nominal watchdog timeout, one reset timeout, and only 6μA current consumption. These devices are available in the ultra-small SC70 package.
Figure 6. The MAX823-MAX825 family integrates two popular functions: watchdog and reset.
Factory-Preset Watchdog Families
The MAX6316-MAX6322 family offers a choice of 26 factory-preset reset voltages, four nominal-watchdog and four nominal-reset timeouts, and four output configurations (see Table 1).
Table 1. Features of Selected Supervisory Products
Parts listed in Table 1 include: MAX824, MAX6322, MAX6753, MAX6304, MAX6374, MAX6360, MAX6767, and MAX6324 (dual mode).
Capacitor-Adjustable Watchdogs
If the application requires a flexible watchdog timeout, the designer can use an adjustable circuit. The MAX6746-MAX6753 family offers either factory-preset or voltage-divider-programmable reset voltages, as well as external capacitor adjustment of watchdog and reset timeouts. Figure 7 shows a typical operating circuit where:
- the reset voltage is determined by the voltage divider R1/R2,
- the reset timeout is determined by the capacitor that sets the reset timeout (CSRT), and
- the watchdog timeout is set by the capacitor that sets the watchdog timeout (CSWT).
Figure 7. This figure shows a typical application circuit for the capacitor-adjustable watchdog family MAX6346-MAX6353.
Figure 8 shows the watchdog-timeout range for CSWT values from 100pF to 100nF. With this wide range of available watchdog timeouts, the designer has a solution for any application. The MAX6301-MAX6304 family has basically the same features as the MAX6746-MAX6753 family, but is available in SO and DIP packages.
Figure 8. This figure shows the wide range of available watchdog timeouts.