Design Feature: September 28, 1995
Whether your system uses a high-performance processor supported by fast memory or a basic microcontroller in an embedded application, there are some common requirements. You need to make sure that your system's ICs get a well-defined reset pulse on any power-up, that the systems monitor the supply rails and sense any drop below valid operating levels soon enough to protect volatile memory and even to switch to a backup supply, and that your program software is executing properly and on functional hardware (Fig 1).
Supervisory ICs provide solutions to these requirements in single-function or multifunction ICs. Despite the apparent simplicity of these ICs, you should consider the accuracy of reference trip points, the transient immunity, operating headroom in 3V systems, reset implementation, memory protection and gate delay, and switching between primary and backup sources. Your selection can become confusing as you look at the many combinations of features, functions, and performance specifications that manufacturers offer.
Ready, reset, go...
The most basic requirement for nearly all systems is a reset pulse for most system ICs, including the CPU. This pulse should appear after the power-supply output has stabilized, clearing any inappropriate conditions or registers in individual ICs as well as presenting a uniform start signal. Depending on your system, you'll need an active-low or active-high signal typically more than 140 msec long after power reaches specified operating voltage. Carefully check this spec: Some ICs need a longer reset-pulse width. Most supervisory ICs fix the timing using internal components; others, such as the Cherry Semiconductor CS-8151, let you set the width with an external capacitor.
The supply rail's falling below a threshold also initiates the reset pulse. Most vendors offer a selection of thresholds; carefully analyze the best value for your system. It's not a trivial choice (see box, "Where to draw the line?"). For applications that also need a manual reset switch, select a reset IC with a debounced external switch input to simplify your task. You can get a basic reset IC in packages as small as a three-pin SOT-23 or TO-92.
If your system has multiple supply rails, such as 3 and 5V, decide if resetting based on the value of one of these is sufficient. If the 3V rail derives from the 5V supply, it is usually sufficient for you to monitor the upstream point. You may want to monitor both supply rails if you need to have separate reset actions for the parts of the system, such as CPU vs peripheral functions.
Finally, consider sensitivity to glitches. You don't want a short glitch--one that crosses the threshold by a small margin--on the dc supply to cause a reset, if your loads have sufficient local bypassing and filtering. These unnecessary resets can wreak havoc on continuous system operation. Another approach is to simply hold the processor, but not force a reset, during glitches. The Maxim MAX809 and MAX810 characterize glitch immunity with a duration-vs-transient chart. For example, a VCC transient that goes less than 100 mV below the reset threshold and that is 20 µsec or less does not cause a reset output.
Some supervisory ICs provide signal lines and functions so that your system can retain memory even though your main power source has failed. This requirement is significant: Your system must sense that power is failing while you still have time to take appropriate action. Further, you must protect the memory from "illegal," or random, write operations during power failures or brownouts, and you must switch to a backup supply source to retain data and perhaps even limited system operation.
Where to draw the line? |
|---|
|
In a perfect world, your reset function would trip at precisely 4.75V (5V -5% IC operating voltage tolerance). This precision requires a reset threshold that is both initially accurate and also stable over various operating conditions, including VCC and temperature variations. Unfortunately, if you design for worst-case operation, you have some difficult choices to make, because specified threshold accuracies range from 1 to 3%. Vendors offer thresholds of various closely spaced nominal values, so the burden is on you to make the choice.
If the reset threshold is actually below 4.75V and if you are making the assumption that ICs that are guaranteed to operate down to 4.75V in fact will work below that level--down to around 4.5V, for example--then you're probably safe in this unspecified operating range. Alternatively, you could use a higher nominal threshold, such as 4.85V, to ensure a high enough supply rail. You will likely then see unnecessary resets, however, because the supply drops to a value below 4.85V but still above 4.5V. Another alternative is to add a trim function to your reset circuit or use a reset IC that has built-in user-trim capability (costing components and manufacturing time). You also have to look at the trade-off between nominal reset accuracy and, thus, cost vs guaranteed system operation and then compare this solution to one using a trim. The output tolerance and noisiness of your supply under all operating conditions and whether improvements in these can reduce potential reset threshold problems are also factors to consider.
|
A low-line-detection function is the place to start. This supervisory IC output becomes valid when the power rail drops from its nominal value and crosses a threshold typically 50 to 60 mV higher than the reset threshold. Normally, this signal drives a processor-interrupt line, initiating a software routine whereby the CPU saves critical data in memory. Ensure that the worst-case power-rail falloff rate (dV/dt) for your system supply is slow enough and that the interrupt-service routine is fast enough that the CPU can complete this memory-save operation in the time that the supply rail drops between the low-line threshold and the reset threshold.
Be sure things ain't misbehavin' |
|---|
|
Like the curious incident of the dog that did not bark in the Sherlock Holmes story "Silver Blaze," a watchdog timer produces no output during normal system operation if everything appears OK. To effectively use a watchdog IC, however, both your hardware and software should make it difficult for the system to accidentally retrigger or even to disable the watchdog, which would incorrectly indicate that all is well. No watchdog scheme provides you with 100% confidence. You can, however, take a few extra steps--some free and some not--to help ensure your detection of hard faults and latent software bugs that disturb program execution.
First, fully decode the watchdog-timer address, so that the software has to write to that unique valid address within a larger block of addresses, rather than just anywhere, to retrigger. For added security, consider a two-write scheme, in which the only way to retrigger is to have the software perform successive writes to two addresses within a few instruction cycles. Minimize the chance that software can accidentally disable the watchdog timer. To achieve this goal, use the full address decode, two successive writes, or simply eliminate any software-linked disable. If you use a microcontroller with a built-in watchdog function that can't be locked out from software disable, frequently re-enable the watchdog timer.
Provide a way to disable the watchdog during design and debugging. This function is important because emulators and other test equipment normally stop or affect software execution when they hit breakpoints, affecting watchdog retriggering and initiating whatever time-out action you have built into your system. Consider providing a hardware jumper on your prototype to circumvent the watchdog function, but design it out of the final product or provide some absolutely secure procedure to ensure that you remove the jumper before shipment.
Because many software-execution faults still leave some of the program executing, how you set up your software to retrigger the watchdog is also critical. Normally, a real-time program has both a background task and various interrupt-driven or foreground tasks. If you place the watchdog retrigger instruction in the background, everything will appear fine, even when a software bug leaves interrupts or the foreground task disabled. Conversely, if you retrigger the watchdog from an interrupt or foreground task, the background task may be corrupted, but the other routine still executes properly.
One way to resolve this problem is to have the background task and the other task check on each other by setting and clearing flags before the background task actually writes to the watchdog. Determine the longest time interval that can occur between opportunities to retrigger the watchdog, with all interrupts or foreground tasks running and the processor fully loaded. Otherwise, your watchdog output and its consequences may be due to system loading rather than to an actual hardware failure or software problem. Note that you may want to know that the system software load exceeds your design's capacity, in which case the watchdog triggering is significant. |
Make sure that the accuracy and tracking between the low-line threshold and the reset threshold are close enough for your application (±2% or better is a good value with which to start). Otherwise, the voltage span between the two thresholds may shrink so that your system has insufficient time to save data, even at the worst-case power-rail falloff rate.
An alternative to the low-line output is a power-fail comparator, an uncommitted circuit within the supervisory IC. You can connect the comparator to any supply line, such as the unregulated supply or a higher voltage supply, such as 12V. The higher supply value gives you more advance warning, and the opportunity to set the comparator trip point via external resistors provides more tolerance headroom between the measured signal and the reset VCC threshold. There's potential added benefit, as well: You get independent monitoring of the non-VCC supply.
To protect memory from false writes, the supervisory IC gates the memory-chip enable. This procedure allows the signal to pass from the processor to memory when power conditions are normal. When power is failing or has failed, the supervisory IC holds chip enable inactive, despite what the processor indicates. The supervisory IC's interposition means that you must factor its gate delay into your memory-timing calculations, which cuts into your timing margins. Supervisory ICs have typical gate delays of 10 nsec or less. Make sure that the vendor specifies the gate delay using a load that is appropriate for your system design, such as 50Ω and 50 pF, and also provides worst-case figures for your analysis.
Watch that drop
For designs with both a primary power source and a backup battery (usually not for the entire system, but for selective SRAM and real-time clocks), the supervisory IC switches the power rail from primary to secondary dc source when the IC determines that the primary has failed. Lower on-resistance is a big advantage in the path between the primary dc source and the supervisory IC output and in the path between the backup source and the same output. The lower on-resistance lowers the unavoidable IR drop through the supervisory IC, which you must factor into your dc-rail calculations in both primary and backup operational modes.
IR drop is a reason to minimize current consumption in your system, because this drop decreases operating and standby supply voltage margins. Typical on-resistance between the primary source and the supervisory power output ranges from about 0.5 to 10Ω, depending on the device. The corresponding figure for the path between backup battery and output is far higher--typically, several hundred ohms. A few 25Ω devices are available, but, fortunately, system current consumption should be much lower in standby. If it's not, rethink your backup scenario in terms of backup-supply nominal value, minimum allowed operating voltages for ICs, how much circuitry you operate from the backup supply, and active vs standby modes for the ICs.
If the dog barks...
The principle of watchdog timers is simple: Your system's software pulses (retriggers) and thus periodically resets the watchdog circuitry (typically, about once per second) to indicate that all is apparently well with both the software and hardware. If the watchdog retriggers within the time period, you take no action at all. If the watchdog does not retrigger, however, the timer generates an output, which you can use for several purposes. Most watchdog functions have their time-out period fixed, although a few, such as TelCom Semiconductor's TC1232, allow you to select one of several values by pin-strapping.
First, use the watchdog to initiate a system recovery function via a nonmaskable interrupt. This approach is effective if the system can still operate but has lost its way due to an intermittent software or hardware problem. A more extreme action is to force a complete reset, as if from power-up, but this may not be the right choice for your application. In addition, you may want to signal an operator via a hard-wired indicator and latch that a watchdog time-out has occurred. Although watchdogs can be useful, they are not absolute guarantees of system integrity (see box, "Be sure things ain't misbehavin'").
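The retrigger rules from the box, as an added example that is not part of the original article: a C model of a watchdog that accepts only a two-write key sequence, with the background task retriggering only after the interrupt task has set its liveness flag. The key values, register numbers, tick periods, and function names are assumptions made for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WDT_TIMEOUT 100u  /* ticks without a valid retrigger before time-out (assumed) */
#define WDT_WINDOW  4u    /* second write must land within this many ticks (assumed) */
#define KEY_A 0x55u       /* hypothetical key values; registers 0 and 1 are hypothetical */
#define KEY_B 0xAAu

typedef struct { uint32_t now, last_kick, a_time; bool armed, expired; } wdt_t;

/* Model of a fully decoded watchdog: only KEY_A to reg 0 followed promptly
   by KEY_B to reg 1 retriggers; any other write cancels the sequence. */
static void wdt_write(wdt_t *w, unsigned reg, uint8_t val) {
    if (reg == 0 && val == KEY_A) { w->armed = true; w->a_time = w->now; return; }
    if (reg == 1 && val == KEY_B && w->armed && w->now - w->a_time <= WDT_WINDOW)
        w->last_kick = w->now;
    w->armed = false;
}

static void wdt_tick(wdt_t *w) {
    w->now++;
    if (w->now - w->last_kick > WDT_TIMEOUT) w->expired = true;
}

static volatile bool isr_alive;  /* set by the interrupt task, cleared by background */
static void timer_isr(void) { isr_alive = true; }

/* Background task retriggers only if the interrupt task has run since the
   previous retrigger, so a dead ISR starves the watchdog. */
static void background_kick(wdt_t *w) {
    if (!isr_alive) return;
    isr_alive = false;
    wdt_write(w, 0, KEY_A);
    wdt_write(w, 1, KEY_B);
}

/* ISR fires every 10 ticks until isr_dies_at (0 = never); background loop runs
   every 25 ticks. Returns the tick of the watchdog time-out, or 0 if none. */
uint32_t simulate(uint32_t ticks, uint32_t isr_dies_at, bool runaway_writes) {
    wdt_t w = {0};
    isr_alive = false;
    for (uint32_t t = 1; t <= ticks; t++) {
        wdt_tick(&w);
        if (w.expired) return t;
        if (t % 10 == 0 && (isr_dies_at == 0 || t < isr_dies_at)) timer_isr();
        if (runaway_writes) wdt_write(&w, 1, KEY_B);  /* runaway code, single writes */
        else if (t % 25 == 0) background_kick(&w);
    }
    return 0;
}

int main(void) {
    printf("healthy=%u isr_dead=%u runaway=%u\n", (unsigned)simulate(1000, 0, false),
           (unsigned)simulate(1000, 300, false), (unsigned)simulate(1000, 0, true));
    return 0;
}
```

With a single-write retrigger and no liveness flag, both fault cases would keep the watchdog quiet indefinitely.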
Despite their simple functionality, the many ICs from which you must choose encompass many combinations of both function and performance grades (Table 1).
Table 1--Representative supervisory ICs

| Vendor | Model | Reset | Watchdog | Power fail | Comments | Price |
|---|---|---|---|---|---|---|
| Analog Devices Inc | ADM705 series | X | X | -- | Low-power versions of industry 705, ADM708 is reset only | $0.97 (1000) |
| Benchmarq Microelectronics | bq4845 | X | X | X | Includes real-time clock, backup battery, and nonvolatile SRAM | $3.72 (10,000) |
| Cherry Semiconductor Corp | CS-5111 | X | X | | Also has 100-mA linear regulator, 1.5A switching regulator | $2.50 (10,000) |
| Dallas Semiconductor Corp | DS1236A | X | X | X | Includes early-warning and pushbutton reset inputs | $2.80 (10,000) |
| Linear Technology Corp | LTC693 | X | X | X | VCC to 1V | $3.55 (10,000) |
| Maxim Integrated Products Corp | MAX814 series | X | X | X | 1% accuracy, MAX816 has adjustable threshold | $3.73 (5000) |
| | MAX811 | X | -- | | Three-pin SOT23 package | $0.99 (1000) |
| SGS-Thomson Microelectronics Inc | M48T59 | X | X | -- | 8kx8 SRAM, real-time clock, battery backup | $11.50 (1000) |
| TelCom Semiconductor Inc | TC1232 | X | X | -- | Selectable watchdog timer | $2.09 (1000) |
| Temic Semiconductor | U5020M | -- | X | -- | Dual windows for active, sleep modes | $0.69 (100,000) |
| Texas Instruments Inc | TPS73xx series | X | -- | -- | Includes regulator with 35-mV dropout at 100-mA load | $1.70 (1000) |
| Xicor Inc | X25043 | X | X | X | Also has 512x8-bit EEPROM | $1.50 (10,000) |
The basic reset device begins with the 705 family from many vendors. It provides reset, power-fail, and watchdog functions and manual reset input.
To further complicate your choice, some vendors combine supervisory functions with other functions or provide advanced variations on the basic functions. For example, Temic's U5020M provides separate watchdog windows--one short and one long--to match a processor's normal and sleep operating modes. Benchmarq Microelectronics' bq4845 and SGS-Thomson's M48T59 provide real-time clocks, integral battery and nonvolatile RAM, and supervisory functions.
In many cases, it's logical to combine a voltage regulator or memory with supervisory functions. The TPS73xx series from Texas Instruments provides a low-dropout regulator with a reset function. If you need more power options, Cherry Semiconductor's CS-5111 combines a linear regulator, a switching regulator, a watchdog, and a reset function in a single IC. Xicor's X25043 provides watchdog and reset functions with 512x8 bits of EEPROM.
Even µCs may need help
Most microcontrollers incorporate one or more supervisory functions into their design, eliminating another IC in your system design. You may want to supplement these functions with some external help, however. For example, many microcontrollers reset the watchdog timer simply by writing any value to an internal memory-mapped register. Others let a single write disable the timer, or cannot disable the timer once it starts, even though disabling it is useful for debugging purposes. In these situations, an external watchdog timer may add the functionality and assurance you need.
Looking ahead |
|---|
|
Supervisory circuits are following the trends of many of the ICs they support: lower voltage operation, lower quiescent and operating current, more flexible battery options, and smaller packages. Like test equipment, which must have specs superior to those of the device it tests, supervisory ICs must operate at supply voltages below the lowest valid supply rails in the system. Some of the newest supervisory ICs operate at as low as 1V.
For systems with nominal 3V system operation, the battery-switch-over mode of supervisory ICs must also change. Vendors build a simple assumption into the switch-over strategy: that the nominal battery voltage is always less than the primary nominal value. This assumption may not be true, however, if the backup is a 3.6V lithium source at full charge. Therefore, vendors are developing ICs, such as the Maxim 690, that don't switch to the backup until the primary source drops below 2.4V. Increasingly, supervisory ICs are going into smaller packages. This trend is especially worthwhile when the IC provides just a basic reset function or a little more, so an SOT-23 package is sufficient. |

Thanks to Eric Munro at Maxim Integrated Products for his valuable insight.
For more information...

| Vendor | Location | Phone |
|---|---|---|
| Analog Devices Inc | Norwood, MA | (617) 937-1428 |
| Benchmarq Microelectronics Inc | Dallas, TX | (800) 966-0011 |
| Cherry Semiconductor Corp | East Greenwich, RI | (800) 272-3601 |
| Dallas Semiconductor Corp | Dallas, TX | (214) 450-0448 |
| Linear Technology Corp | Milpitas, CA | (800) 454-6327 |
| Maxim Integrated Products Inc | Sunnyvale, CA | (408) 737-7600 |
| SGS-Thomson Microelectronics Inc | Lincoln, MA | (617) 259-0300 |
| TelCom Semiconductor Inc | Mountain View, CA | (415) 968-9241 |
| Temic Semiconductors | Santa Clara, CA | (800) 554-5565 |
| Texas Instruments Inc | Dallas, TX | (800) 477-8924, ext 4500 |
| Xicor Inc | Milpitas, CA | (408) 432-8888 |