If an electronic device has strict safety requirements, we should consider how to prevent such
crystal failures; at the very least, the system design should be able to minimize the damage
caused by a crystal failure. This is a challenging task in electronics design.
Microcontrollers are often used in harsh environments where power supply transients,
electromagnetic interference (EMI), and electrostatic discharge (ESD) are abundant. Program
corruption caused by bus corruption and electromagnetic discharges can cause a
microprocessor to execute erroneous instructions. In these environments, a watchdog timer is a
useful peripheral that can help catch and reset a microcontroller that has gone "out of control."
But what if the crystal stops? Can the watchdog help? No, and the reason is quite simple: the
watchdog takes its own beat from the failed crystal.
NXP P87LPC7xx offers many options such as , local crystal oscillator, and internal RC oscillator.
Many customers prefer to use the internal RC oscillator in order to reduce the BOM cost. However, I
do not recommend it in a safety-critical application. The best practice is to keep both oscillators in
operation, even with an external watchdog or backup microcontroller. The designer can use the local
oscillator with a crystal for normal operation of the microcontroller, while enabling the internal RC
oscillator for the watchdog. If the crystal fails, the watchdog keeps running anyway. After a predefined
timeout, the whole system can be reset. The P89LPC9xx improves on this design: it offers a 400 kHz
independent RC oscillator for the watchdog timer, so its system clock can be selected from
external input, crystal oscillator, or internal RC, while the watchdog has its own RC oscillator.
Somebody may wonder what would happen if the system has reset and the crystal still fails. In fact, if
the crystal failure is permanent, what we can do is try to reduce the harm done by the
system or to the whole system itself. The watchdog-triggered reset can help us cut the power
to peripherals, for example a high-speed spinning cutting knife or the write head in a credit card
read/write device.
I checked the NXP manual. It is not a perfect one, because the source cannot be
reconfigured on the fly or during the reset period. It can only be reconfigured while programming
the flash. Silicon Labs has the C8051Fxxx family. These parts support more oscillators than NXP's.
During reset, the internal oscillator is enabled, and they can switch the clock source to the crystal on
the fly. These parts also support Missing Clock Detector Reset and PCA Watchdog Timer
Reset. Those reset register bits are very useful for detecting crystal failure. It is a better part for
safety-critical applications. However, it still has a limitation: the source comes from one
selected source, which means the watchdog timer may fail as well. As a complement, the clock detector
will reset the part (but which clock is the source for this detector?). However, I still prefer a
watchdog that can have its own clock source, like NXP does.
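As an added example (not code from the original post, NXP or Silicon Labs), the C code below models how boot code could use reset-cause flags such as the missing clock detector and watchdog bits to choose between a normal start, a crystal retry, and a latched safe state with peripherals unpowered. The bit positions, the retry budget and all function names are assumptions for illustration.

```c
/* Added example: host-runnable model of a boot-time reset-cause policy.
 * Bit positions are ASSUMED (modelled on a reset-source register such as
 * RSTSRC on C8051Fxxx parts); confirm them in the datasheet of the real part. */
#include <stdint.h>
#include <stdio.h>

#define RST_POWER_ON     0x02u  /* assumed: power-on reset flag */
#define RST_MISSING_CLK  0x04u  /* assumed: missing clock detector reset flag */
#define RST_WATCHDOG     0x08u  /* assumed: watchdog timer reset flag */
#define MAX_CLOCK_FAULTS 3u     /* hypothetical retry budget */

typedef enum { BOOT_NORMAL, BOOT_RETRY_CRYSTAL, BOOT_SAFE_STATE } boot_action_t;

/* fault_count models a counter that survives reset (hypothetical storage,
 * e.g. RAM excluded from start-up initialisation). */
boot_action_t decide_boot(uint8_t reset_flags, uint8_t *fault_count)
{
    uint8_t clock_suspect = reset_flags & (RST_MISSING_CLK | RST_WATCHDOG);

    if (reset_flags & RST_POWER_ON) {   /* cold start: begin with a clean history */
        *fault_count = 0;
        return BOOT_NORMAL;
    }
    if (clock_suspect && *fault_count < MAX_CLOCK_FAULTS)
        (*fault_count)++;
    /* Budget spent: treat the crystal as permanently failed. Stay on the
     * internal oscillator and keep actuators unpowered until a power cycle. */
    if (*fault_count >= MAX_CLOCK_FAULTS)
        return BOOT_SAFE_STATE;
    /* Retry: run from the internal oscillator and re-enable actuators only
     * after the crystal has started again. */
    return clock_suspect ? BOOT_RETRY_CRYSTAL : BOOT_NORMAL;
}

/* Call after a sustained healthy run on the crystal to forgive old faults. */
void clock_proved_healthy(uint8_t *fault_count) { *fault_count = 0; }

int main(void)
{
    /* Constructed sequence of reset causes, not captured from hardware;
     * 0x01 stands for any cause unrelated to the clock (assumed pin reset). */
    const uint8_t seq[] = { RST_POWER_ON, RST_MISSING_CLK, RST_WATCHDOG,
                            RST_MISSING_CLK, 0x01u };
    static const char *names[] = { "normal", "retry crystal", "safe state" };
    uint8_t faults = 0;
    for (unsigned i = 0; i < sizeof seq; i++) {
        boot_action_t a = decide_boot(seq[i], &faults);
        printf("flags=0x%02x faults=%u -> %s\n", seq[i], (unsigned)faults, names[a]);
    }
    return 0;
}
```

The safe state is latched: once the retry budget is spent, a reset from any other cause still returns `BOOT_SAFE_STATE` until a power-on reset or an explicit `clock_proved_healthy()` call.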
Finally, the watchdog timer clock should be separated from the main clock source in a safety-critical
application.