As electronic systems take over more and more of the mechanical functions in a car—everything from engine timing to braking and steering—and electronics can fail, there is a growing concern to ensure that systems are fault tolerant. There should not be a single point of failure that would cause a dangerous situation (for a driver or a passenger) or prevent a car from at least "limping" off the road and making it to the nearest service station. To ensure that a car can safely continue when an electrical failure occurs, supervisory circuits are employed to reroute signals to backup circuits that can take over operation during that event.
Consider the days of purely mechanical systems in a vehicle. Early engines, for instance, relied on mechanically generated signals to ignite the fuel/air mixture. A mechanical distributor selected the appropriate spark plug and sent a signal along a wire. Braking systems transferred the force applied to the pedal through the brake shaft, master brake cylinder, and hydraulic pipes straight to the brake calipers. Both clutch and throttle systems were simply controlled by a steel cable from the pedal. Steering was done through a metal steering wheel, steering shaft and its mount, steering gearbox, and steering rods, thereby transferring the desired steering angle to the wheels. Engine controls were entirely unlike the sophisticated digital electronic control units (ECUs) that we use today. There were no such functions as computer-assisted braking, clutching, throttle, or steering. Of course, there was nothing like a crashed µC or a short circuit on a control unit; there were only 99 mechanical parts that could fail. However, due to society's high confidence in mechanical systems, the concern about backup systems or fault tolerance was low. When something failed, a dangerous situation could occur or, in the best case, a driver would be stuck at the place of occurrence and have to call a tow truck to bring the failed vehicle to the nearest service station.
The increasing demand for more comfort and convenience, efficiency and environmental cleanliness, better performance, and safer vehicles drove car manufacturers to equip vehicles with electronics. However, many of the early ECUs simply stopped operating in the event of a system failure, particularly those in which electronic operation was dependent upon a µC. As µCs sometimes crash, and no provisions had been made to prevent life-threatening situations during such events, or at least to allow short-distance travel to a repair location, the concern for fault tolerance grew rapidly. Because of this, many ECUs are now fitted with a "limp-home" mode.
Limp-home mode
Limp-home mode is the redundant functionality within an ECU in which a physically separated, mainly analog, standby circuit allows the ECU to enter a fail-safe mode. This mode allows a car experiencing electronic system trouble to be driven off the road with reduced performance, but in a safe manner. Many modern engine ECUs feature a supervisory device, such as a watchdog timer, to examine the ECU regularly for correct operation. If an abnormality is detected, such as an electrical failure or a µC failure (software crash), the supervisory device enables the limp-home circuitry. For instance, the check engine light goes on, the fan kicks in immediately, and only half of the cylinders get fuel. With only half of the cylinders firing, the engine generates much less heat, yet is able to move the vehicle at moderate speeds. You would have just enough power to get the car home or to the nearest service station.
Other good examples are the "body control computer" in modern cars, which controls functions like window lifters, head/tail lights, turn indicators, and windshield washer/wipers, and the shift-control computer in cars with a computer-shifted transmission. Supervisory circuits monitor such ECUs for proper operation and, in case of an electrical or a µC failure, they activate the standby circuit, providing reduced-performance operation such as low beams, tail/brake lights, or reverse and second gear only. Of course, this limits your top speed. However, the automobile keeps functioning and allows you to "limp home" safely and get the car to a garage.
Bad? Well, no, not really. The alternative would be either to let you drive at regular speeds, with the possible danger of ruining your car, or to prevent you from getting anywhere, even to safety.
Redundancy
The future of computer-controlled applications is what is called "by wire", in which most mechanical control systems inside and outside the power train are replaced with electromechanical ones. For example, a steer-by-wire system replaces all of the mechanics between the steering wheel and the road wheels with ECUs linked by electrical connections (wires). The driver's physical movement of the steering wheel is sensed and converted into a digital electronic signal that is transmitted to a smart electromechanical actuation unit that controls the wheels. A brake-by-wire system replaces components like the brake shaft, master brake cylinder, and brake booster with two computers, servo motors or electromechanical calipers, and some wires.
By nature, these systems are more safety critical than the ones mentioned previously, as a loss of braking or steering would cause a life-threatening situation right away. Therefore, the required level of safety and failure tolerance is much higher.
Engineers designing backup circuits for these new applications have been building completely redundant electronic control and supervisory units, which are physically well-separated from the main control unit to keep the electronic system always available and safe. Supervisory ECUs are constantly monitoring the primary system and switching to the secondary, redundant one in case of failure. The theory behind the redundant systems is that the probability of multiple control units failing simultaneously is much smaller than the probability that a single defect may occur in a single ECU. Thus, redundant control units provide additional safety and security in safety-critical automotive applications.
High-voltage watchdog advances
Considering the potential safety issues, most automotive electronic systems need supervisory circuits to provide the required level of failure tolerance and safety. The MAX16997/MAX16998 watchdog timers are ideal to use in such circuits as supervisory devices, because they watch for program-generated pulses produced during normal operation of the µC and switch to backup/redundant circuitry in case of an electrical or µC failure. The MAX16997/MAX16998 feature timeout and windowed watchdog functions, an open-drain µC-reset output (RESET), a watchdog-trigger input (WDI), and an open-drain redundant-system-enable output (ENABLE).
For the MAX16998, the reset threshold voltage is programmable using an external resistor divider between the low-voltage supply (e.g., a µC supply), the external-voltage-monitoring input (RESETIN), and GND (shown in Figure 1). The MAX16997 is capable of reading the KL15 (ignition switch) status at the enable input (EN) and activates the internal supervisor timer if the ignition is on (Figure 2). Here, the initial watchdog timeout period is prolonged by a factor of eight to give a µC sufficient time to start up.
Figure 1. The MAX16998 high-voltage watchdog timer operates independent of the downstream low-voltage supply (LDO) and provides a robust barrier against short circuits to battery voltage, thus enabling the device to safely switch to redundant circuitry during a fault condition.
Figure 2. Like the MAX16998, the MAX16997 enables safe switching to redundant circuitry during a fault condition. It also has an active-high enable input (EN) that turns the watchdog timer on and off.
The reset delay (MAX16998 only) and watchdog timeouts can be programmed independently using one external capacitor for each function (on the SRT and SWT inputs, respectively). The ratio for the open watchdog window is factory-set to 50% or 75% of the adjusted watchdog time.
Their ultra-low, 18µA (typ) operating current makes the MAX16997/MAX16998 very valuable for automotive ECUs, which are always on. Moreover, these devices are available in a 3mm x 3mm, 8-pin µMAX® package and are fully specified over the -40°C to +125°C automotive temperature range.
As these ICs can be directly powered from the 12V car battery rail and are transient-voltage tolerant up to 45V (on the IN and ENABLE pins), unlike typical watchdog timer devices, they operate independently from a downstream low-voltage supply (e.g., 5V). Therefore, if the downstream circuitry is unpowered or short-circuited to GND, the MAX16997/MAX16998 continue to operate and can still switch to redundant circuitry (by asserting the ENABLE pin). Making these watchdog timers even more failure tolerant, the RESET, WDI, EN, and RESETIN pins are 20V tolerant in order to withstand even a short-to-car-battery voltage (Figures 1 and 2). Therefore, they provide a robust barrier against downstream high-voltage electrical failures, separate the backup circuitry physically from the "normal" control circuitry, and provide a safe switchover to backup mode when such a failure occurs.
MAX16997/MAX16998 timing
At startup, once the voltage on the RESETIN pin (VRESETIN) exceeds the power-on reset threshold (VPON), RESET stays low for the power-on reset time (tRESET) and then goes high. At the same time, the watchdog timer starts counting the watchdog period (tWP). If no trigger signal arrives on the WDI pin within the open window of the watchdog period (tOW), RESET asserts low again, resetting the µC. A trigger that arrives either in the closed-window phase (tCW) or after the watchdog period (tWP) has elapsed counts as a bad watchdog trigger; after three consecutive bad triggers, ENABLE asserts low, switching the system to the redundant circuitry. A WDI trigger that again falls within the open watchdog window phase (tWDI) counts as a good trigger; after three consecutive good triggers, ENABLE deasserts, switching the system back to the normal circuitry (Figure 3).
Figure 3. Timing diagram of the MAX16998 (windowed watchdog versions).
Timeout watchdog vs. windowed watchdog
The MAX16997/MAX16998A provide standard timeout watchdog capabilities, while the MAX16998B/D feature a time-windowed watchdog function (Figure 4). Depending on the security level needed, either type of device can be chosen. Timeout watchdog variants ensure that the timer's clear signal occurs within the watchdog period; otherwise they activate a system reset. Therefore, these watchdogs can detect a software failure, such as code executing too slowly or a slow-running digital clock (e.g., produced by a crystal oscillator). In contrast, the time-windowed watchdogs ensure that the timer's clear signal occurs within the correct time window; therefore, they detect additional errors, such as code executing too quickly or a fast-running oscillator, and provide a higher level of security.
Figure 4. MAX16998 watchdog period timing (windowed watchdog versions).
Case 3 in Figure 4 shows a good WDI trigger occurring within the correct time window. Case 1 illustrates a bad WDI trigger in which the trigger arrives too soon, indicating errors such as code executing too quickly or a fast-running oscillator. Case 2 also shows a bad WDI trigger: the trigger arrives too late, the sign of code executing too slowly or a slow-running oscillator.