在线观看www成人影院-在线观看www日本免费网站-在线观看www视频-在线观看操-欧美18在线-欧美1级

High-voltage watchdog timers e

來源:www.elecfans.co 作者:本站2010年06月26日 09:14
[導讀] Most automotive electronic systems need supervisory circuits to provide the required level of failure tolerance and safety. The MAX16997/MAX16998 watchdog timers are ideal for use in these circuits as supervisory devices, as they watch for
關鍵詞:automo
Most automotive electronic systems need supervisory circuits to provide the required level of failure tolerance and safety. The MAX16997/MAX16998 watchdog timers are ideal for use in these circuits as supervisory devices, as they watch for program-generated pulses produced during normal operation of the microcontroller (µC) and switch to backup/redundant circuitry in case of an electrical or µC failure. This provides the limp-home functionality required for an automobile to be fail-safe and be serviced without experiencing a hard stoppage.

As electronic systems take over more and more of the mechanical functions in a car—everything from engine timing to braking and steering—and electronics can fail, there is a growing concern to ensure that systems are fault tolerant. There should not be a single point of failure that would cause a dangerous situation (for a driver or a passenger) or prevent a car from at least "limping" off the road and making it to the nearest service station. To ensure that a car can safely continue when an electrical failure occurs, supervisory circuits are employed to reroute signals to backup circuits that can take over operation during that event.

Back to the days of pure mechanical systems in a vehicle. Early engines, for instance, relied on mechanically generated signals to ignite the fuel/air mixture. A mechanical distributor selected the appropriate spark plug and sent a signal along a wire. Braking systems transferred the force applied to the pedal through the brake shaft, master brake cylinder, and hydraulic pipes straight to the brake calipers. Both clutch and throttle systems were simply controlled by a steel cable from the pedal. Steering was done through a metal steering wheel, steering shaft and its mount, steering gearbox, and steering rods, thereby transferring the desired steering angle to the wheels. Engine controls were entirely unlike the sophisticated digital electronic control units (ECUs) that we use today. There were no such functions as computer-assisted braking, clutching, throttle, or steering. Of course, there was nothing like a crashed µC or a short circuit on a control unit—there were only 99 mechanical parts that could fail. However, due to society's high confidence in mechanical systems, the concern about backup systems or fault tolerance was low. When something failed, a dangerous situation could occur or, in the best case, a driver would be stuck at the place of occurrence and have to call a tow truck to bring the failed vehicle to the nearest service station.

The increasing demand for more comfort and convenience, efficiency and environmental cleanliness, better performance, and safer vehicles drove car manufacturers to equip vehicles with electronics. However, many of the early ECUs simply stopped operating in the event of a system failure, particularly in which electronic operation was dependant upon a µC. As µCs sometimes crash and no provisions had been made to prevent life-threatening situations during such events, or at least to provide for short-distance travel to a repair location, the concern for fault tolerance grew rapidly. Because of this, many ECUs are now fitted with a "limp-home" mode.

Limp-home mode

Limp-home mode is the redundant functionality within an ECU in which a physically separated, mainly analog, standby circuit enables entering into a fail-safe mode. This mode allows a car experiencing electronic system trouble to be driven off the road with reduced performance, but in a safe manner.

Many modern engine ECUs feature a supervisory device, such as a watchdog timer, to examine the ECU regularly for correct operation. If an abnormality is detected, such as an electrical or µC (software crash) failure, the supervisory device enables the limp-home circuitry. For instance, the check engine light goes on, the fan kicks in immediately, and only half of the cylinders get fuel. With only half of the cylinders firing, the engine generates much less heat, yet is able to move the vehicle at moderate speeds. You would have just enough power to get the car home or to the nearest service station.

Other good examples are the "body control computer" in modern cars, which controls functions like window lifters, head/tail lights, turn indicators, and windshield washer/wipers, and the shift-control computer in cars with a computer-shifted transmission. Supervisory circuits monitor such ECUs for proper operations and, in case of an electrical or a µC failure, it activates the standby circuit, providing reduced performance operation like low beams, tail/ brake lights, or reverse and a second gear only. Of course, this limits your top speed. However, the automobile keeps functioning and allows you to "limp home" safely and get the car to a garage.

Bad? Well, no, not really. The alternative would be to either let you drive at regular speeds with the eventual danger of letting you ruin your car or preventing you from getting anywhere, even to safety.

Redundancy

The future of computer-controlled applications is what is called "by wire", which is where most mechanic control systems inside and outside the power train are replaced with electromechanical ones. For example, a steer-by-wire system replaces all of the mechanics between the steering wheel and the road wheels with ECUs linked by electrical connections (wires). The driver's physical movement of the steering wheel is sensed and converted into a digital electronic signal that is transmitted to a smart electromechanical actuation unit that controls the wheels.

A brake-by-wire system is the replacement of components like the brake shaft, master brake cylinder, and brake booster with two computers, servo motors or electromechanical calipers, and some wires.

By nature, these systems are more safety critical than the ones mentioned previously, as a loss of braking or steering would cause a life-threatening situation right away. Therefore, the required level of safety and failure tolerance is much higher.

Engineers designing backup circuits for these new applications have been building completely redundant electronic control and supervisory units, which are physically well-separated from the main control unit to keep the electronic system always available and safe. Supervisory ECUs are constantly monitoring the primary system and switching to the secondary, redundant one in case of failure. The theory behind the redundant systems is that the probability of multiple control units failing simultaneously is much smaller than the probability that a single defect may occur in a single ECU. Thus, redundant control units provide additional safety and security in safety-critical automotive applications.

High-voltage watchdog advances

Considering the potential safety issues, most automotive electronic systems need supervisory circuits to provide the required level of failure tolerance and safety. The MAX16997/MAX16998 watchdog timers are ideal to use in such circuits as supervisory devices, because they watch for program-generated pulses produced during normal operation of the µC and switch to backup/redundant circuitry in case of an electrical or µC failure.

The MAX16997/MAX16998 feature timeout and windowed watchdog functions, an open-drain µC-reset output (RESET), a watchdog-trigger input (WDI), and an open-drain redundant-system-enable output (ENABLE).

For the MAX16998, the reset threshold voltage is programmable using an external resistor divider between the low-voltage supply (e.g., a µC supply), the external-voltage-monitoring input (RESETIN), and GND (shown in Figure 1). The MAX16997 is capable of reading the KL15 (ignition switch) status at the enable input (EN) and activates the internal supervisor timer if the ignition is on (Figure 2). Here, the initial watchdog timeout period is prolonged by a factor of eight to give a µC sufficient time to start up.

Figure 1. The MAX16998 high-voltage watchdog timer operates independent of the downstream low-voltage supply (LDO) and provides a robust barrier against short circuits to battery voltage, thus enabling the device to safely switch to redundant circuitry during a fault condition.
Figure 1. The MAX16998 high-voltage watchdog timer operates independent of the downstream low-voltage supply (LDO) and provides a robust barrier against short circuits to battery voltage, thus enabling the device to safely switch to redundant circuitry during a fault condition.

Figure 2. Like the MAX16998, the MAX16997 enables safe switching to redundant circuitry during a fault condition. It also has an active-high enable input (EN) that turns the watchdog timer on and off.
Figure 2. Like the MAX16998, the MAX16997 enables safe switching to redundant circuitry during a fault condition. It also has an active-high enable input (EN) that turns the watchdog timer on and off.

The reset delay (MAX16998 only) and watchdog timeouts can be programmed independently using one external capacitor for each function (on the SRT and SWT inputs, respectively). The ratio for the open watchdog window is factory-set to 50% or 75% of the adjusted watchdog time.

Their ultra low, 18µA (typ) operating current makes the MAX16997/MAX16998 very valuable for automotive ECUs, which are always on. Moreover, these devices are available in an 3mm x 3mm, 8-pin µMAX® package and are fully specified over the -40°C to +125°C automotive temperature range.

As these ICs can be directly powered from the 12V car battery rail and are transient-voltage tolerant up to 45V (on the IN and ENABLE pins), unlike typical watchdog timer devices, they operate independently from a downstream low-voltage supply (e.g., 5V). Therefore, if the downstream circuitry is unpowered or short-circuited to GND, the MAX16997/MAX16998 continue to operate and can still switch to redundant circuitry (by asserting the ENABLE pin). Making these watchdog timers even more failure tolerant, the RESET, WDI, EN, and RESETIN pins are 20V tolerant in order to withstand even a short-to-car-battery voltage (Figures 1 and 2). Therefore, they provide a robust barrier against downstream high-voltage electrical failures, separate the backup circuitry physically from the "normal" control circuitry, and provide a safe switchover to backup mode when such a failure occurs.

MAX16997/MAX16998 timing

At startup, after the voltage on the RESETIN pin (VRESETIN) exceeds the power-on reset threshold (VPON), RESET stays low for the power-on reset time (tRESET) and then goes high. At the same time, the watchdog timer starts counting (tWP). If there is no trigger signal on the WDI pin within the open window of the watchdog period (tOW), RESET asserts low again, thus resetting the µC. After three consecutive bad watchdog triggers, if a signal is triggered either in the closed-window phase (tCW) or after the watchdog period (tWP) has elapsed, ENABLE then asserts low, thereby switching the system to redundant circuitry. After three consecutive good watchdog triggers, if the WDI trigger signal is again within the open watchdog window phase (tWDI), ENABLE then deasserts, thus switching the system back to normal circuitry (Figure 3).

Figure 3. Timing diagram of the MAX16998 (windowed watchdog versions).
Figure 3. Timing diagram of the MAX16998 (windowed watchdog versions).

Timeout watchdog vs. windowed watchdog

The MAX16997/MAX16998A provide standard timeout watchdog capabilities, while the MAX16998B/D feature a time-windowed watchdog function (Figure 4). Dependent upon the security level needed, either type of device can be chosen. Timeout watchdog variants ensure that the timer's clear signal occurs within the watchdog period, otherwise they will activate a system reset. Therefore, these watchdogs can detect a software failure, such as code executing too slowly or a slow-running digital clock (e.g., produced by a crystal oscillator). In contrast, the time-windowed watchdogs ensure that the timer's clear signal occurs within the correct time window; therefore, they detect additional errors, such as code executing too quickly or a fast-running oscillator, and provide a higher level of security.

Figure 4. MAX16998 watchdog period timing (windowed watchdog versions).
Figure 4. MAX16998 watchdog period timing (windowed watchdog versions).

Case 3 in Figure 4 shows a good WDI trigger occurring within the correct time window. Case 1 illustrates a bad WDI trigger in which a watchdog triggers a signal too soon, thereby indicating errors, such as code executing too quickly or a fast-running oscillator. Case 2 also shows a bad WDI trigger—the watchdog triggers a signal too slowly, the sign of code executing too slowly or a slow-running oscillator.

Conclusion

Failure tolerance and safety is becoming more and more of a discussion point in auto electronics. Improving efficiency and comfort, while reducing risk, requires effective management of all of the system's components: hardware, software, sensors, effectors, and the operator. Watchdog timers, such as the MAX16997/MAX16998, are clearly a milestone in achieving this target.

相關閱讀

發表評論
技術交流、我要發言! 發表評論可獲取積分! 請遵守相關規定。

推薦閱讀

每月人物

正面迎戰智慧家庭:從稱體重到“稱”健康,芯海智慧測量全包了!

正面迎戰智慧家庭:從稱體重到“稱”健康,芯海智慧測量全包
隨著科技的發展,人們對生活質量的追求越來越高,傳統的家庭生活方式已經無法滿足現代人的家居生活,智慧家庭的新型生活理念成為很多人夢寐以求的...

依托AI平臺,涂鴉智能開啟全屋智能2.0時代!

依托AI平臺,涂鴉智能開啟全屋智能2.0時代!
隨著物聯網技術的突飛猛進,生活中越來越多的家庭設備將會聯上網絡,變得“智慧”起來,智慧家庭的概念成了這幾年媒體、企業、用戶關注的焦點,而...

每周排行

  • 型 號
  • 產品描述
主站蜘蛛池模板: 青青热久久国产久精品秒播 | 恐怖片大全恐怖片免费观看好看的恐怖片 | 色网站免费视频 | 日韩精品一卡二卡三卡四卡2021 | 大学生一级特黄的免费大片视频 | 网站黄色在线观看 | 色系视频在线观看免费观看 | 色播.com | 亚洲国产婷婷综合在线精品 | www.伊人网| 欧美区在线 | 亚洲va久久久噜噜噜久久 | 九色亚洲| 亚洲欧洲国产精品你懂的 | 黄色片xxxx | 97视频免费上传播放 | 婷婷六月综合网 | 加勒比黑人喝羽月希奶水 | 色多多免费视频观看区一区 | 97dyy影院理论片 | 国产成人a一区二区 | 色综合狠狠 | 中文字幕在线观看日剧网 | 天天做天天爱夜夜想毛片 | 亚洲国产精品久久久久婷婷软件 | 午夜dy888理论 | 久久久久999| 国产香蕉在线精彩视频 | 视频一区视频二区在线观看 | 三级网站在线播放 | 日本高清加勒比 | 一级aa 毛片高清免费看 | 免费网站黄 | 天堂视频在线免费观看 | 亚洲婷婷综合中文字幕第一页 | 一区在线观看视频 | 狠狠综合欧美综合欧美色 | 嫩草影院永久入口在线观看 | sesese在线观看| 91av在线免费观看 | 人人爱人人射 |

电子发烧友

中国电子工程师最喜欢的网站

  • 2931785位工程师会员交流学习
  • 获取您个性化的科技前沿技术信息
  • 参加活动获取丰厚的礼品

完善您的日常需求 (更多了解更好服务)

1. 您日常打板的采购频率为:
2. 您最喜欢的其他快捷联络:
直接下单

PCB报价计算器:

板子大小: *

cm
X
cm

层数: *

2
  • 1
  • 2
  • 4
  • 6
  • 8
  • 10
  • 12
  • 14
  • 16

板子数量: *

10

厚度: *

1.6

手机号码 *

你的打板预算约:
59
工程费:
板材费:
菲林费: