Secure Design Using a Microcontroller III
http://dev.emcelettronica.com/print/51833
Your Electronics Open Source (http://dev.emcelettronica.com)

Secure Design Using a Microcontroller III


By allankliu
Created 10/07/2008 - 04:51

BLOG Microcontrollers

Crystal and Watchdog Timer

Crystals are key components of practical electronic devices. The product will malfunction if the crystal stops: crystals are the heartbeat of the product. Because a crystal is a mechanical device, it is sensitive to mechanical damage.

Crystals can present challenges to design engineers. However, new packaging methods and careful circuit layout can help to minimize many issues. Improved package designs, such as surface mount, have lower mass and a higher pin count to support the crystal body. These are excellent solutions for failures related to mechanical vibration: SMT spreads the mass over a larger base and uses additional leads with improved lead strength. Regardless of the package style used, the body of the crystal should be mounted flush with the board. This greatly reduces the rocking movement (pendulum effect) of the package and thereby lessens the stress on the leads. There are many other issues not discussed here that can lead to frequency drift and crystal failure, including thermal instability from electrolytic capacitor drift, board layout, and package density.

If an electronic device has strict safety requirements, we should consider preventing such crystal failures; at the very least, the system design should be able to minimize the damage caused by a crystal failure. This is a challenging task in electronics design.

Microcontrollers are often used in harsh environments where power supply transients, electromagnetic interference (EMI), and electrostatic discharge (ESD) are abundant. Program corruption caused by bus corruption and electromagnetic discharges can make a microprocessor execute erroneous instructions. In these environments, a watchdog timer is a useful peripheral that can help catch and reset a microcontroller that has gone "out of control." But what if the crystal stops? Can the watchdog help out? No, and the reason is quite simple: the watchdog gets its own beat from the failed crystal.

The NXP P87LPC7xx offers several clock options, such as a local crystal oscillator and an internal RC oscillator. Many customers prefer to use the internal RC oscillator in order to reduce the BOM cost. However, I do not recommend it in a safety-critical application. The best practice is to keep both oscillators in operation, even with an external watchdog or a backup microcontroller. The designer can use the local oscillator with a crystal for normal operation of the microcontroller, while enabling the internal RC oscillator for the watchdog. If the crystal fails, the watchdog is running anyway, and after the predefined timeout the whole system can be reset. The P89LPC9xx improves on this design: it offers an independent 400 kHz RC oscillator for the watchdog timer, so the system clock can be selected from an external input, a crystal oscillator, or the internal RC oscillator, while the watchdog has its own RC oscillator.

Somebody may wonder what happens if the system has been reset and the crystal is still failed. In fact, if the crystal failure is permanent, all we can do is try to reduce the harm done by the system, or to the system itself. The watchdog-triggered reset can help us cut the power to peripherals, for example a high-speed spinning cutting knife, or the write head in a credit card read/write device.
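The two watchdog clocking schemes discussed above, as an added example that is not code from the original post or from NXP: a tick-by-tick model of a microcontroller whose watchdog is fed either from the main crystal or from its own RC oscillator. It shows that only the independently clocked watchdog still resets the part (and drops the peripherals into a safe state) when the crystal stops, while both schemes catch runaway firmware. All names, timeouts and tick counts are constructed for illustration.

```c
#include <stdbool.h>

/* Constructed model, not a real part's register map.
 * One tick = one watchdog clock period. */
#define WDT_TIMEOUT   8   /* watchdog expires after 8 un-kicked ticks */
#define KICK_PERIOD   3   /* healthy firmware kicks every 3 ticks */
#define NEVER        -1   /* event never happens */

typedef struct {
    bool reset_occurred;   /* the watchdog reset fired */
    bool peripherals_on;   /* e.g. cutter motor or write-head power */
} outcome_t;

/* Simulate `ticks` ticks. The crystal stops at tick `crystal_fail_at`;
 * the firmware stops kicking (runaway code) at tick `firmware_hang_at`. */
outcome_t simulate(bool wdt_independent, int crystal_fail_at,
                   int firmware_hang_at, int ticks)
{
    bool crystal_ok = true, firmware_ok = true;
    int wdt_counter = WDT_TIMEOUT;
    outcome_t out = { false, true };

    for (int t = 0; t < ticks; t++) {
        if (t == crystal_fail_at)  crystal_ok = false;
        if (t == firmware_hang_at) firmware_ok = false;

        /* The CPU only executes code (and kicks the dog) while the
         * crystal is running. */
        if (crystal_ok && firmware_ok && t % KICK_PERIOD == 0)
            wdt_counter = WDT_TIMEOUT;

        /* The watchdog counts only while its own clock source is alive:
         * an independent RC oscillator keeps ticking after the crystal
         * fails; a crystal-derived watchdog clock stops with the crystal. */
        if (wdt_independent || crystal_ok) {
            if (wdt_counter == 0) {
                /* Reset asserted: the reset line drives the peripheral
                 * power switches to their safe (off) state. */
                out.reset_occurred = true;
                out.peripherals_on = false;
                break;
            }
            wdt_counter--;
        }
    }
    return out;
}
```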

I checked the NXP manual. It is not a perfect solution, because the clock source cannot be reconfigured on the fly or during the reset period; it can only be reconfigured while programming the flash. Silicon Labs has the C8051Fxxx family. These parts support more oscillators than NXP's. During reset, the internal oscillator is enabled, and the firmware can switch the clock source to the crystal on the fly. These parts also support a Missing Clock Detector Reset and a PCA Watchdog Timer Reset. Those reset-source register bits are very useful for detecting crystal failure, which makes it a better part for safety-critical applications. However, it still has a limitation: the clock comes from one selected source, which means the watchdog timer may fail as well. As a complement, the missing clock detector will reset the part (but which clock is the source for this detector?). I still prefer a watchdog that has its own clock source, as NXP does.

Finally, the watchdog timer clock should be separated from the main clock source in a safety-critical application.

References

HALT and Crystal Failures, by David Rahe [1]

Using the Secure Microcontroller Watchdog Timer, from Maxim [2]. The PDF version is located at http://www.maxim-ic.com.cn/pdfserv/en/an/AN101.pdf [3].

Product selection table from Silicon Labs Inc. [4]

Secure Design Using a Microcontroller (I) [5]

Secure Design Using a Microcontroller (II) [6]


Source URL: http://dev.emcelettronica.com/secure-design-using-microcontroller-iii

Links:
[1] http://www.chinarel.com/zhishiku/halt/2006-12-18/354.htm
[2] http://www.maxim-ic.com.cn/appnotes.cfm/an_pk/101
[3] http://www.maxim-ic.com.cn/pdfserv/en/an/AN101.pdf
[4] http://www.silabs.com/tgwWebApp/appmanager/tgw/tgwHome?_nfpb=true&_pageLabel=interactiveGuide
[5] http://dev.emcelettronica.com/secure-design-using-microcontroller-i
[6] http://dev.emcelettronica.com/secure-design-using-microcontroller-ii
