Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

1
2
Page 1 of 2

pvs-deck

PowerUser

Gender:
Age: 53
Homepage: pvs-deck.de
Posts: 1340
Registered: 02 / 2009

Subject:

Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 06.09.2010 - 21:49 · #1

Hallo Leute,

ich bin gerade beim "Feinschliff" meines BETA-Boards, jetzt stellt sich mir noch eine Frage!

Externe-Brown-Out und/oder externe Watchdog-Überwachung, denn ich bin bei verschiedenen ATMEGA-Boards (im Internet) auf externe Watchdog-ICs gestoßen, aber WARUM?!?! Gibt es dafür einen Grund?

Der Atmega2560 hat doch selbst eine BrownOut-Überwachung die ich aktivieren und nutzen kann.
(siehe BOD, BODLEVEL-Fuses)

Auch einen Watchdog-Timer gibt es! (WDT), bei dem ich einen Counter regelmäßg rücksetzen muss. ansonsten gibt es einen Reset!

Im Gegenteil, ich denke mal eine Externe-Beschaltung könnte unter umständen störend sein:
z.B. bei einen FlashVorgang der TC1232 würde dann bereits nach 200ms, 600ms oder 1200ms reagieren und die CPU unter umständen während des Flashvorgangs reseten! Wenn ich dabei nicht regelmäßig den Timer-Pin bediene.

Also warum machen das verschiedene Board-Entwickler? Bei einem 8051/8052 Kann ich das ja verstehen, aber warum bei einem ATMEGA 1280/2560. Oder habe ich da einen Denkfehler?

Bei der Gelegenheit, gibt es im AVRco eigentlich eine fertige Routine für den Watchdog um die Überwachung zu steuern (ein/aus-schalten, rückstellen usw.)?

Vieleicht kann mir einer von euch erfahrenen ATMEGA-Kennern den Grund sagen.
Funktionieren die Internen-Funktionen evtl. nicht richtig?
Oder haben die anderen Leute das evtl. nicht kapiert, das es da was FERTIGES von ATMEL gibt?

Gruß
Thorsten

Merlin

Administrator

Gender:
Age: 24
Posts: 1372
Registered: 03 / 2005

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 09:58 · #2

Hi Thorsten.

Some standards call for it.

The problem with an internal watchdog is that it is conceivable that a rogue operation (e.g. a jump caused by an electrical glitch or simply a misread instruction) could cause the internal watchdog to be turned off.

An external watchdog cannot be turned off.

Similarly you must never trigger a watchdog from a timer (or any other) interrupt because the program could go rogue and still execute the watchdog on a regular interval because the interrupt is still being executed.

Regards

Merlin.

pvs-deck

PowerUser

Gender:
Age: 53
Homepage: pvs-deck.de
Posts: 1340
Registered: 02 / 2009

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 12:25 · #3

Hi Merlin.

Quote by Merlin

Some standards call for it.

The problem with an internal watchdog is that it is conceivable that a rogue operation (e.g. a jump caused by an electrical glitch or simply a misread instruction) could cause the internal watchdog to be turned off.

An external watchdog cannot be turned off.

hmm, but i think, this can handle with a clean-software-function. I can check this every start on the Main-Loop, if the watchdog is off i can turn it on.

A electrical glitch an a misread instruction is not an normal operation! If the MCU make an misread instruction it can go in an illegal-instruction-Mode, this is the moment for an reset from the watchdog1 Or?

OK, with an externel, how it works if the MCU are in BOOT-Mode-ROM, the TC1232 must than switch OFF or the Trigger must keep alive in the BOOT-Mode.

Quote by Merlin

Similarly you must never trigger a watchdog from a timer (or any other) interrupt because the program could go rogue and still execute the watchdog on a regular interval because the interrupt is still being executed.

OK, but i have up to 8s Time to keep alive the internal Watchdog, i thing this is a BIG-Timezone to work with my other functions.

And i think i don't must make a Jump to the interrupt. Or?

If i clear the Counter in the Watchdog on every 500-1000 cycles in my Main-Loop, it works. I think so! Or you mean other?

Regards
Thorsten

mc-electronic

Benutzer

Gender: n/a
Location: Sauerland NRW
Posts: 372
Registered: 03 / 2008

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 12:52 · #4

Hello Thorsten,

some more remarks on the WatchDog(WDT)/Brown Out Detection(BOD): Merlin is right, that glitches may cause unpredictable behaviour of your system. I had that problem using BOD on a system once, that was controlling 400V 3 Phase Power Relais via Opto Couplers. The µP would reset once in a while (1day, 2 days) and I couldn't find the problem. Finally, I found a note on the ATMEL site (Document AVR 040) on hardware-design, suggesting mass shielding and an LC filter for the Vcc / analog Vcc of the µP. That did the trick, never a problem again - the noise emitted from the relais was the problem, without galvanic connection. The ATmega is sensitive there, use in all cases LC filters on the µP.

Concerning the WDT: it is very easy to use with AVRco, read the section in the compiler manual 4.18.14 (don't forget to define/import it). Remember: some Fat16 Routines may take VERY long, you may have to disable the WDT when calling them.

I would also try to use the internal functions first and see, if they are enough.

Best regards, Michael

Merlin

Administrator

Gender:
Age: 24
Posts: 1372
Registered: 03 / 2005

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 13:03 · #5

Hi Thorten.

The standards I am thinking of are safety critical. If your application is not safety critical you do not need an external watchdog. Mostly your statements are correct, but safety critical applictions like to be 'belt and braces'.

Strictly speaking, what this kind of standard calls for is really if the program gets into an unexpected state it is forced to return to a known good state. It need not be an external watchdog, but this is the simplest solution - i.e. if for any reason the processor goes into the weeds it is rebooted, which is a known good state. It can be much harder to demonstrate that this will happen if you use the internal watchdog, because, by definition, the program is not behaving as you expect.

Other alternatives exist. For example in multiprocessor systems this could involve each processor keeping an eye on its neighbours, but the mechanism is essentially the same. You are entitled to assume that two processors will not fail simultaneously.

On Dev boards it is a pain. The chip nearly always ends up getting (temporarily) disabled for a time, so if you do decide to fit an external watchdog, on a dev board I suggest a jumper to allw simple disconnection from the reset line ( and perhaps add an LED to the reset line to indicate a watchdog would have occurred.

Boot mode must allow for the watchdog too, as you say.

Quote

hmm, but i think, this can handle with a clean-software-function. I can check this every start on the Main-Loop, if the watchdog is off i can turn it on.

Sadly no. If your program has locked in a subroutine, the main loop may never get executed, unless you are using multitasking which raises a whole host of problems of its own (which has been discussed in another thread). Also you could be masking a problem.

Quote

And i think i don't must make a Jump to the interrupt. Or?

You must not toggle the watchdog line in an interrupt.

Cheers

Merlin.

pvs-deck

PowerUser

Gender:
Age: 53
Homepage: pvs-deck.de
Posts: 1340
Registered: 02 / 2009

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 13:24 · #6

Hello Michael.
Hello Merlin.

Thank you for your good statement and info, I think i make first an externel Watchdog with the TC1232 too. And test the problems first with my Beta-Board, with a Jumper and a LED.

On the Endproduct i can fix the SMD-Pads on the Bottonside-Layer, if i need the externel Watchdog i can use it in later productions too.

Regards
Thorsten

Administrator

Gender:
Location: Germany
Age: 24
Homepage: e-lab.de
Posts: 5558
Registered: 03 / 2002

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 15:40 · #7

Hello Merlin,

there is always a problem with no absolute resolution. Each kind of Watchdog can be triggered by accident!
I always prefer the AVR mode because it needs a very special sequence to retrigger the Watchdog. Of course the underlying function can also be called by accident. But there is a little bit more security as by simply setting a port bit for the external Watchdog.

rolf

Merlin

Administrator

Gender:
Age: 24
Posts: 1372
Registered: 03 / 2005

Subject:

Re: Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

· Posted: 07.09.2010 - 16:39 · #8

Hello Rolf.

As you say - a problem with no absolute resolution.

Triggering a watchdog by accident is not really the issue, though.

A single accidental triggering of the watchdog is not important. The aim is to not trigger the watchdog when a program is running wild.

This applies to both kinds of watchdog, but with the internal watchdog one also has to contend with the possibility that it is accidentally disabled. An external watchdog cannot be disabled, but an internal one can.

A 'glitch' could keep a watchdog alive a little longer than it should, but that is not really an issue.

There are ways to make the port handling a little more secure, for example separating the set and reset of the port pin and making use of the DDR register too, but that is not really necessary. Toggling the port pin is a method used in many, many approved products, so an external assesser could not really justify rejecting it IMHO. They are mainly looking to see that it is not triggered independantly of the rest of the program.

One could try and argue with an external assessor that the internal watchdog mechanism is more secure but if you put the watchdog handling in a 'routine' I suspect your argument would be doomed to failure. The problem is really one of not putting all ones eggs in one basket.

Regards

Merlin.

1
2
Page 1 of 2

Watchdog und Brown-Out mit dem TC1232 am ATMEGA2560

Registered users in this topic