In automotive design, electronic systems are steadily replacing mechanical functions, from engine timing control to braking and steering. Electronic systems are comparatively prone to failure, so system safety and a high degree of fault tolerance need careful consideration. A single point of failure must not put the driver or passengers in danger; at minimum, the car should still be able to "limp" off the main road or to the nearest service station. When an electronic device fails, a monitoring circuit has to activate the backup circuit so that it can safely take over system operation.


In the era of purely mechanical automobiles, the engine ignited the air-fuel mixture in response to mechanically generated signals: a mechanical distributor selected the appropriate spark plug and sent the signal along the wire. The brake system transmitted pedal pressure to the brake calipers through the brake linkage, the master cylinder and hydraulic lines. The clutch and throttle were simply controlled by a steel cable attached to the pedal. The steering wheel turned the wheels through a metal steering column, steering shaft, steering gearbox and steering gear. Engine control had nothing in common with the highly reliable electronic control units (ECUs) used today, and there was no computer-assisted braking, clutch, throttle or steering system. There was accordingly no need to consider conditions such as μC failure or a short circuit in a control unit; the main cause of failure was the mechanical devices themselves. Because people trusted the reliability of mechanical equipment, however, system backup and fault tolerance were rarely considered. Once a device in the system failed it was of course very dangerous, and even when there was no danger, the car could only be left stranded where it stopped and a tow truck called to drag it to the repair shop.


To improve driving comfort and convenience, car manufacturers have equipped cars with electronic equipment, which has brought higher efficiency, cleaner operation and greater driving safety. Early ECUs could only stop in the event of a fault, and since the operation of the electronics depends on the μC, a μC failure left no alternative that would avoid a life-threatening accident. That is unacceptable to users and manufacturers alike; at the very least the design needs a backup system that can drive the car to a service station. Attention to fault tolerance has therefore increased rapidly, and in response many MCU-based designs are being equipped with a "limp home" management mode.


Limp home management mode


The "limp home" mode refers to a redundancy function inside the ECU. In the physical architecture it is a completely independent part of the circuit, which can switch from standby into a fail-safe state. This mode allows the car to leave the road in the event of an electronic system failure; it does not maintain the original driving performance, but it does ensure safety.


The new generation of engine ECUs is equipped with monitoring devices, such as a watchdog timer, that test whether the ECU is operating normally. Once an abnormality is detected and the electronics or the μC are found to be inoperative (for example, a software failure), the monitoring device switches on the "limp home" control mode. For example, when the engine fault light comes on, the injectors may deliver only half the fuel to the engine; the engine then produces very little power, but it can still move the car at moderate speed, with just enough energy to drive it home or to the repair shop.


Another good example is the "body control computer" in new cars, which controls the window lifts, headlights and tail lights, turn signals, windshield wipers and the car's automatic shift control. A monitoring circuit watches the working state of the ECU. When a circuit unit or the μC malfunctions, the standby circuit is activated and operation is degraded, for example by reducing the brightness of the high beams or the tail/brake lights, or by holding the transmission in second gear. This of course limits the car's maximum speed, but the car keeps working, can be driven safely in "limp home" mode, and can reach the repair shop.

Redundancy


Computer-controlled operation of this kind is called "electrically controlled" (by-wire) operation, and most of the mechanical control systems inside and outside the powertrain have been replaced by electromechanical controls. For example, interconnected ECUs have replaced all the mechanical units between the steering wheel and the wheels: the position of the steering wheel as moved by the driver is sensed, converted into a digital electronic signal and transmitted to an intelligent electromechanical actuator that ultimately controls wheel motion.


Electronically controlled brakes likewise replace the earlier brake linkages, master cylinders and other units with automotive computers, servo motors or electromechanical brake calipers. In general, these systems have higher safety requirements and therefore higher fault-tolerance requirements.


In these applications, engineers have designed backup circuits to build a completely redundant electronic control and monitoring unit. The redundant system should be physically independent of the main control unit, so that the system still provides an effective and safe electronic control unit. The ECU monitoring circuit keeps the main system under continuous supervision and reliably switches to the backup system when necessary.


Advantages of high-voltage watchdogs


Given these safety concerns, automotive electronic systems require a monitoring circuit to enforce fault tolerance and safety. The MAX16997/MAX16998 watchdog timers are well suited to this need. By checking for the periodic pulses that the microcontroller (μC) generates under normal operating conditions, they detect a failure of the circuit or of the μC, and once a fault occurs they can immediately switch to the backup/redundant system.

The MAX16997/MAX16998 offer timeout and windowed watchdog monitoring, with a watchdog trigger input (WDI), an open-drain μC reset output (RESET), and an open-drain redundant-system enable output (ENABLE).


For the MAX16998, the reset threshold is set by an external resistor divider (Figure 1) connected between the low-voltage supply (for example, the μC supply), the external voltage monitor input (RESETIN), and GND. The MAX16997 reads the KL15 (ignition switch) state at its enable input (EN) and enables the internal supervisor timer after the car is started (Figure 2). At that point the watchdog timeout period is extended to 8 times the nominal period, leaving the μC an extended open window after start-up.


Figure 1: The MAX16998 high-voltage watchdog timer is powered independently of the downstream low-voltage supply (LDO) it supervises, which provides a safety barrier against battery short-circuit faults and allows the device to switch reliably to the redundant circuit under fault conditions.


Figure 2: Like the MAX16998, the MAX16997 can safely switch to a redundant circuit under a fault condition. It also has an active-high enable input (EN) that turns the watchdog timer on or off.

External resistors on the SRT and SWT inputs independently set the reset delay (MAX16998 only) and the watchdog timeout. The watchdog window is factory preset to 50% or 75% of the adjustable watchdog period.


Their 18μA (typ) ultra-low operating current makes the MAX16997/MAX16998 attractive in automotive ECU applications, because these circuits are always on. The devices come in a 3mm x 3mm, 8-pin µMAX package and operate over the -40°C to +125°C automotive temperature range.


These ICs are powered directly from the 12V car battery and withstand voltage transients up to 45V on the IN and ENABLE pins, whereas a typical watchdog timer is powered from a downstream low-voltage supply (for example, 5V). The MAX16997/MAX16998 therefore remain active and can safely switch to the redundant circuit (by asserting the ENABLE pin) even when the downstream circuitry loses power or is shorted to ground. To support an even higher degree of fault tolerance, the RESET, WDI, EN and RESETIN pins are fault-protected to 20V (Figures 1 and 2). These circuits thus also provide a reliable protection barrier against failures in the downstream circuitry. The backup circuit should be physically independent of the "regular" control circuit so that the system can safely switch to backup mode in the event of a fault.


MAX16997/MAX16998 Timing


After power-up, once the RESETIN pin voltage (VRESETIN) rises above the power-on reset threshold (VPON), RESET stays low for the reset time (tRESET) and then goes high. At the same time the watchdog timer starts its period (tWP). If no WDI trigger arrives within the specified open window (tOW), RESET is asserted low again, resetting the μC. If three consecutive triggers fall in the closed window (tCW) or arrive after the end of the watchdog period (tWP), the ENABLE signal is deasserted. If three consecutive WDI triggers then return to the open watchdog window (tWDI), ENABLE goes high again and the system switches back to normal operation (Figure 3).


Figure 3: MAX16998 timing diagram (windowed watchdog).

Watchdog timeout versus windowed watchdog


The MAX16997/MAX16998A provide a standard watchdog timeout, while the MAX16998B/D provide a windowed watchdog (Figure 4); the device type is chosen according to the safety level the application requires. With a timeout watchdog, the timer must be cleared within the watchdog period or the device generates a reset. This lets the watchdog detect program failures such as the program running too slowly or the digital clock (for example, a crystal-oscillator clock) slowing down. A windowed watchdog additionally requires the timer to be cleared inside a specified time window, so it can also detect faults such as the program running too fast or the clock running too fast, which supports a higher safety level.


Figure 4: MAX16998 watchdog timing period (windowed watchdog).


The third case in Figure 4 shows WDI triggered within the specified window. In the first case WDI is triggered prematurely, which generates a fault indication: the program is running too fast or the oscillator clock frequency is too high. The second case is also a faulty WDI trigger: the trigger arrives too late, indicating that the program is running too slowly or the oscillator clock frequency is too low.
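The timing rules described above (the open and closed windows, RESET on a missed or early trigger, ENABLE dropping after three consecutive faults and returning after three consecutive good triggers) can be captured in a small supervisor model. The following C program is an added example written for this page; it is not Maxim's code and does not reproduce the MAX16998's internal logic or its datasheet timing. The period, the 50% window preset, the reset pulse width and the assumption that ENABLE starts high are all illustrative parameters chosen here. It feeds constructed WDI edge sequences for a well-behaved μC, a μC whose clock runs too fast, and a μC that hangs, and reports how the supervisor responds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed timing in microseconds. Illustrative values, not MAX16998 datasheet figures:
 * on the real part tWP is set by the SWT resistor and tRESET by the SRT resistor. */
#define T_WP     10000u               /* watchdog period tWP */
#define T_CW     (T_WP * 50u / 100u)  /* closed window tCW: the 50% factory preset */
#define T_RESET  200u                 /* reset pulse width tRESET */
#define N_FAULTS 3u                   /* consecutive faults before ENABLE is deasserted */
#define N_GOOD   3u                   /* consecutive good triggers before ENABLE is reasserted */

typedef enum { WDI_OK, WDI_EARLY, WDI_IGNORED } wdi_verdict_t;

typedef struct {
    uint32_t window_start;      /* time the current watchdog period began (RESET released) */
    unsigned consecutive_faults;
    unsigned consecutive_good;
    bool     enable;            /* ENABLE output: true = main ECU path, false = backup engaged */
    unsigned resets;            /* RESET assertions so far */
    unsigned early_faults;      /* triggers that landed in the closed window (uC too fast) */
    unsigned late_faults;       /* periods that expired with no trigger (uC too slow or hung) */
} wwdt_t;

void wwdt_init(wwdt_t *w)
{
    w->window_start = T_RESET;  /* power-on: RESET held low for tRESET, then the timer starts */
    w->consecutive_faults = 0;
    w->consecutive_good = 0;
    w->enable = true;           /* assumption: main path is active after power-up */
    w->resets = 0;
    w->early_faults = 0;
    w->late_faults = 0;
}

/* Any fault: assert RESET, count it, and drop ENABLE on the N-th consecutive fault. */
static void wwdt_fault(wwdt_t *w, uint32_t fault_time)
{
    w->resets++;
    w->consecutive_good = 0;
    if (++w->consecutive_faults >= N_FAULTS)
        w->enable = false;      /* hand the system over to the redundant circuit */
    w->window_start = fault_time + T_RESET;   /* next period starts when RESET is released */
}

/* Let time run to `now` with no trigger: every period that expired is a late fault. */
void wwdt_advance(wwdt_t *w, uint32_t now)
{
    while (now >= w->window_start + T_WP) {
        w->late_faults++;
        wwdt_fault(w, w->window_start + T_WP);
    }
}

/* Feed one rising edge on WDI at time `now`. */
wdi_verdict_t wwdt_wdi_edge(wwdt_t *w, uint32_t now)
{
    wwdt_advance(w, now);               /* first settle any periods that already expired */
    if (now < w->window_start)
        return WDI_IGNORED;             /* edge arrived while RESET was still asserted */
    if (now - w->window_start < T_CW) { /* closed window: program or clock running too fast */
        w->early_faults++;
        wwdt_fault(w, now);
        return WDI_EARLY;
    }
    /* Open window: good trigger, restart the period. */
    w->consecutive_faults = 0;
    if (w->consecutive_good < N_GOOD && ++w->consecutive_good >= N_GOOD)
        w->enable = true;               /* three good triggers in a row restore the main path */
    w->window_start = now;
    return WDI_OK;
}

/* Constructed scenarios; each returns the supervisor's final state. */
wwdt_t scenario_normal(void)            /* uC triggers every 7.5 ms, 75% of tWP */
{
    wwdt_t w; wwdt_init(&w);
    for (uint32_t t = T_RESET + 7500u; t <= 100000u; t += 7500u) wwdt_wdi_edge(&w, t);
    return w;
}

wwdt_t scenario_fast_clock(void)        /* uC triggers every 3 ms: always in the closed window */
{
    wwdt_t w; wwdt_init(&w);
    for (uint32_t t = T_RESET + 3000u; t <= 12000u; t += 3000u) wwdt_wdi_edge(&w, t);
    return w;
}

wwdt_t scenario_hung(void)              /* one good trigger, then the uC locks up for 60 ms */
{
    wwdt_t w; wwdt_init(&w);
    wwdt_wdi_edge(&w, T_RESET + 7500u);
    wwdt_advance(&w, 60000u);
    return w;
}

wwdt_t scenario_recovery(void)          /* after the hang, the uC comes back and triggers properly */
{
    wwdt_t w = scenario_hung();
    uint32_t t = w.window_start;        /* RESET was just released */
    for (unsigned i = 0; i < N_GOOD; i++) { t += 7500u; wwdt_wdi_edge(&w, t); }
    return w;
}

int main(void)
{
    wwdt_t s[4] = { scenario_normal(), scenario_fast_clock(), scenario_hung(), scenario_recovery() };
    const char *name[4] = { "normal", "fast clock", "hung", "recovery" };
    for (int i = 0; i < 4; i++)
        printf("%-10s resets=%u early=%u late=%u ENABLE=%s\n", name[i], s[i].resets,
               s[i].early_faults, s[i].late_faults, s[i].enable ? "high" : "low (backup engaged)");
    return 0;
}
```

In the fast-clock scenario every trigger lands in the closed window, so each one produces a reset and the third consecutive fault drops ENABLE; a plain timeout watchdog would have accepted all of them. In the hung scenario the supervisor keeps resetting the μC once per period and hands over to the backup path after the third missed trigger, and ENABLE only returns once three consecutive triggers land in the open window. On the μC side, what makes this detection meaningful is how WDI is driven: the trigger should come from the main control loop only after the safety-relevant tasks have run, never from a free-running timer interrupt, because an interrupt-driven kick keeps arriving in the open window even when the main loop has hung, and the supervisor would never see the fault.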

Summary

Fault tolerance and vehicle safety have become key factors in automotive electronics design. To improve vehicle efficiency, increase comfort and reduce risk, the various units of the system must be managed efficiently: hardware, software, sensors, actuators and operating units. High-voltage watchdog timers such as the MAX16997/MAX16998 play a key role in achieving this.
