01 Nov 2010
By Jeff Eckel, Mark Baynham and John Day, Microchip Technology Inc.
The advancement of electronics within the vehicle is being driven by automotive OEMs’ quest to make their vehicles safer, smarter and more energy efficient. Electronics continues to be the fastest growing sector of automotive content, ahead of mechanical, pneumatic and hydraulic content.
Most of the growth in automotive electronics can be attributed to the growing demand for safer vehicles. That growth area is being stimulated by both consumer preferences and governmental actions in an environment where the OEMs are cost conscious due to the competitive global market.
Electronic control systems are becoming common in more critical applications. When the application is not critical, failure results only in some inconvenience. With safety-critical applications, a failure could cause a mishap and sometimes even a fatality. Safety-critical automotive applications can be found in airbag control, anti-skid brakes and electric power steering.
With the proliferation of electronic control units (ECUs) throughout the automobile, there is a need for a distributed intelligence system with robust integrity requirements that can be implemented under a constrained power budget. Sub-system suppliers are continuously working with their own component suppliers to develop innovative solutions that are reliable and cost effective. One example that addresses the challenge of system robustness is the implementation of a monitoring mechanism based on low-cost microcontrollers (MCUs), which can be deployed as system-watchdog devices.
Primary MCUs in many safety-critical applications, such as engine management, electronic power steering, ABS and airbags, share a number of important characteristics (Figure 1). They feature 16-/32-bit microcontroller computing capability, large on-chip memory sizes (typically in the range of 256kB or greater), and are expected to be fail-proof with a zero probability of failure. So how do designers ensure the safety of critical systems in an automotive application?
FUNDAMENTALS OF BASIC WATCHDOG OPERATION
The purpose of a watchdog MCU is to ensure that the primary MCU and/or system are operating properly. The watchdog MCU guards against random upsets that may occur due to transient events, power-supply fluctuations, environmental influences, hardware failure and unknown modes of software or hardware operation.
When a fault condition is detected or suspected, the watchdog MCU may initiate a hardware system reset on the primary MCU—or on the entire system—through power cycling or by resetting itself (Figure 2). In some cases, the watchdog MCU may instead send a command to the primary MCU via serial communication and expect an acknowledgement. Even if the primary MCU is malfunctioning, it probably still retains the interrupt capability to respond properly to such a command, which can be handled in an interrupt service routine. The watchdog MCU is also capable of logging the nature and frequency of system upset events.
Designers of safety-critical applications use fault-tolerant designs to reduce the probability and severity of a mishap, using one or a combination of the following techniques: Failure Mode Effects Analysis (FMEA), redundant software and redundant hardware. FMEA involves the evaluation of all possible failures. It can be used to analyze the effect of the failure on the system and determine a plan to deal with each failure.
Redundant software uses several different methods in an application to calculate a result. If the results are different, there may be a problem. Redundant software requires the designer to plan for each possible failure mode, in order to respond quickly to the situation.
There are some advantages to using redundant hardware. It prevents the complete failure of a single key component from stopping the whole system. In other cases, the failure of a key component may lead to a serious compromise in performance rather than a stop. Redundant hardware also gives designers the ability to detect impending failure, and it enables the designer to provide a safety net in which all failure modes can be addressed.
There are drawbacks to using redundant hardware. First, considerable complexity is introduced into the automotive design to support redundant hardware. Second, for the same reason, there is a steep increase in the cost of providing the redundant hardware. These reasons have compelled designers to explore alternate means of implementing redundant functionality for safety-critical applications, without incurring a severe cost penalty. Guided by this reasoning, designers have opted for fault-detection techniques instead of fault-correction functionality. A way forward is to deploy acceptable fault detection, which can be achieved by having redundant hardware only in key parts of the system.
FUNCTIONS OF WATCHDOG MCUS
Let us explore how the watchdog MCU works in concert with the main MCU in key subsystems. The watchdog MCU is always engaged in a simple communication task with the main controller. It sends a signal to the main controller to ensure that the MCU is operating in a non-fault condition. The key attributes of a watchdog MCU are described below.
PWM Peripheral
Since frequencies and duty cycles vary according to the nature of the application, it is useful to have a flexible, on-chip PWM peripheral on the watchdog MCU. In automotive applications, frequencies typically lie in the Hz to kHz range. Duty cycles of less than fifty percent are preferred and deployed, because an ‘accidental’ fifty-percent duty cycle is likely to be generated while in a fault mode. There is, however, a reason why an on-chip hardware PWM peripheral is not always preferable: since hardware peripherals run without software intervention once they are configured and enabled, they cannot detect code corruption in real time. In these cases, the use of the onboard watchdog timer is advised, and software PWM control is preferred over a hardware PWM module.
The same frequency and duty-cycle characteristics apply to a software PWM as to the hardware PWM peripheral. A software PWM can be implemented in source code within a real-time loop. Considered by some designers to be a “best practice” in fault-tolerant design, it allows any corruption in the software to be detected quickly, compared with the response time of a hardware PWM peripheral. In applications that are not safety critical, a periodic single pulse is quite sufficient to monitor an activity. In this case, there is typically a window of time during which the pulse must be received by the main controller.
</gre_replace>
<gr_insert after="18" cat="add_content" lang="c" orig="The same frequency">
The heartbeat checks described above (period and duty-cycle tolerance, rejection of a fifty-percent duty cycle, and a window within which each pulse must arrive), written as an added C example for the MCU that receives the pulse; this is not code from the article or from Microchip. The 100 Hz / 25 % nominal values, the tolerances, the fault limit and the hb_* names are all assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed heartbeat parameters (assumed, not from the article): 100 Hz, 25 % duty,
 * +/-1 ms tolerance on period, +/-5 percentage points tolerance on duty cycle. */
#define HB_PERIOD_US     10000u
#define HB_PERIOD_TOL_US  1000u
#define HB_DUTY_PCT         25u
#define HB_DUTY_TOL_PCT      5u
#define HB_FAULT_LIMIT       3u   /* consecutive faulty cycles before escalation */
typedef enum { HB_OK, HB_MISSING, HB_BAD_PERIOD, HB_BAD_DUTY } hb_status_t;
typedef struct {
    bool     primed;         /* at least one rising edge has been captured */
    uint32_t last_rise_us;   /* timestamp of the previous rising edge */
    uint32_t high_us;        /* high time measured in the current cycle */
    bool     window_missed;  /* missing-pulse fault already counted for this window */
    uint8_t  faults;         /* consecutive faulty cycles */
    bool     reset_request;  /* fault limit reached: escalate, e.g. reset the peer MCU */
} hb_monitor_t;

/* Judge one completed cycle.  A 50 % duty cycle, the "accidental" fault signature the
 * article warns about, lands outside the accepted 20-30 % band and is rejected. */
hb_status_t hb_classify(uint32_t period_us, uint32_t high_us) {
    if (period_us < HB_PERIOD_US - HB_PERIOD_TOL_US || period_us > HB_PERIOD_US + HB_PERIOD_TOL_US)
        return HB_BAD_PERIOD;
    uint32_t duty = (high_us * 100u) / period_us;
    if (duty + HB_DUTY_TOL_PCT < HB_DUTY_PCT || duty > HB_DUTY_PCT + HB_DUTY_TOL_PCT)
        return HB_BAD_DUTY;
    return HB_OK;
}

static void hb_record(hb_monitor_t *m, hb_status_t s) {
    if (s == HB_OK) { m->faults = 0; return; }      /* a good cycle clears the count */
    if (m->faults < HB_FAULT_LIMIT && ++m->faults == HB_FAULT_LIMIT) m->reset_request = true;
}
/* Edge-capture ISR entry: new pin level plus a free-running microsecond timestamp. */
hb_status_t hb_on_edge(hb_monitor_t *m, bool level, uint32_t now_us) {
    if (!level) { m->high_us = now_us - m->last_rise_us; return HB_OK; }   /* falling edge */
    hb_status_t s = m->primed ? hb_classify(now_us - m->last_rise_us, m->high_us) : HB_OK;
    m->last_rise_us = now_us; m->primed = true; m->window_missed = false;
    hb_record(m, s);
    return s;
}
/* Main-loop poll: no rising edge inside the expected window counts as a missing pulse. */
hb_status_t hb_poll(hb_monitor_t *m, uint32_t now_us) {
    if (!m->primed || m->window_missed || now_us - m->last_rise_us <= HB_PERIOD_US + HB_PERIOD_TOL_US)
        return HB_OK;
    m->window_missed = true;
    hb_record(m, HB_MISSING);
    return HB_MISSING;
}
```

A cycle that falls back inside tolerance clears the consecutive-fault count, so a single transient glitch does not by itself trigger escalation.
<test>
assert(hb_classify(10000, 2500) == HB_OK);
assert(hb_classify(10000, 5000) == HB_BAD_DUTY);
assert(hb_classify(13000, 3250) == HB_BAD_PERIOD);
hb_monitor_t m = {0};
assert(hb_on_edge(&m, true, 1000) == HB_OK);
assert(hb_on_edge(&m, false, 3500) == HB_OK);
assert(hb_on_edge(&m, true, 11000) == HB_OK);
assert(m.faults == 0);
assert(hb_poll(&m, 15000) == HB_OK);
assert(hb_poll(&m, 23000) == HB_MISSING);
assert(hb_poll(&m, 24000) == HB_OK);
assert(m.faults == 1 && !m.reset_request);
assert(hb_on_edge(&m, true, 30000) == HB_BAD_PERIOD);
assert(hb_on_edge(&m, false, 35000) == HB_OK);
assert(hb_on_edge(&m, true, 40000) == HB_BAD_DUTY);
assert(m.faults == 3 && m.reset_request);
</test>
</gr_insert>
<gr_replace lines="19" cat="reformat" orig="Serial Communication">
Serial Communication
The watchdog MCU uses proprietary protocols, or industry-standard protocols such as I2C, UART or SPI, to communicate with the system controller. Even then, there are several variations on the mode of data transfer. Data may be sent only at startup for mode configuration, or data may be requested as needed by either the main or watchdog MCU. In some cases, data may be offered periodically at a predetermined time interval. Packets of data, which may be commands, responses or status information, can be packed, compressed and sent to the receiver—with or without the need to evaluate a CRC or checksum.
Serial Communication The watchdog MCU uses proprietary protocols, or industry-standard protocols, such as I2C, UART or SPI, to communicate with the system controller. Even then, there are several variations on the mode of data transfer. Data may be sent only at startup for mode configuration, or data may be requested as needed by either the main or watchdog MCU. In some cases, data may be offered periodically at a predetermined time interval. Packets of data, which may be commands, responses or status information, can be packed, compressed and sent to the receiver—with or without the need to evaluate a CRC or Checksum.
EXPANDED WATCHDOG MCU FUNCTIONS
In a supervised system, the deployment of redundant hardware still increases cost—even when only applied to a portion of a circuit. How can this condition be avoided? The solution to this problem is to leverage “redundant” hardware to add functionality to the system. In addition to the primary function of the secondary MCU, the watchdog MCU may also possess enough resources to handle some of the fundamental system functionality (Figure 3). When viewed this way, the watchdog MCU has the potential to assist in offloading the primary processor tasks and providing other forms of redundancy. This design feature can reduce discrete part counts and lower system costs where redundancy is required. For example, onboard analog-to-digital converters (ADCs) on watchdog MCUs can be used to provide redundancy for the primary device responsible for analog voltage conversion.
This leads to a question of what makes a good watchdog processor or supervisor processor, or how to select the right watchdog MCU for your automotive application.
Onboard hardware PWM peripherals in some applications can be used to run small, simple motors, such as stepper motors or brushed or brushless DC motors. Where possible, PWMs can be filtered and used to provide a DAC function. Onboard NVM or Flash memory can be used to store fault codes. The same memory can also be used to store calibration and operational parameters, either at final assembly or in real-time operation. Therefore, it is important to have reliable Flash memory on a watchdog MCU. Changes in the main MCU control program may require changes in the watchdog MCU. Some vendors, such as Microchip Technology, offer MCUs that feature proprietary Flash memory technology that has “best in class” endurance of 1 million erase/write cycles and data retention of 40-plus years.
Watchdog processors can assist in keeping the serial-communication tasks error free. Bootloader programs may be used so that the watchdog MCU can be Flash upgraded by the primary MCU. The watchdog MCU can be used as a system supervisor, to lower module power consumption by putting the more powerful primary MCU into a sleep mode. Then, the primary MCU can be woken up periodically to perform system status checks, followed by re-entry into sleep mode if no “housekeeping” is found to be required. Some functions require the watchdog MCU to be active when the car engine is switched off. In such a case, the nanoWatt technology features found on Microchip Technology’s low-power microcontrollers address the challenge of power consumption faced by embedded system designers. The nanoWatt Technology features of Microchip Technology’s PIC microcontrollers provide flexible power-managed modes over their operating-frequency range. nanoWatt technology was developed to give designers technically feasible and cost-effective options to address the complex challenges associated with reliable low-power operation.
Microchip Technology provides the designer with a broad family of microcontrollers that create a platform upon which to innovate creative power-saving routines. The PIC MCU architecture includes a comprehensive array of on-chip peripherals with selectable oscillator options and multiple crystal modes, external clock modes, external RC oscillator modes, plus an internal oscillator block that generates multiple clock frequencies under software control. The versatility of the microcontrollers from Microchip Technology makes them suitable to serve as a system monitor, or as a supervisory microcontroller or as a co-processor device.
CONCLUSION
As more critical automotive applications are transitioning to MCU-controlled systems, watchdog or supervisor MCUs are required by automotive embedded designers of mission-critical systems utilizing a 16- or 32-bit microcontroller as the main system controller. With these safety- or mission-critical applications, it is highly probable that they will incorporate a watchdog MCU in the system. Watchdog or supervisory MCUs are a practical and popular method of managing this risk. With ECUs implementing safety-critical functions, the role of the watchdog MCU is crucial because it directly impacts overall system integrity and the driver’s experience with the vehicle.