Safeguard MCU outputs against faults and errors

David Lin, iC-Haus

September 15, 2005


Microcomputer systems often drive output stages in applications where safety is paramount, such as automobile or industrial setups. The reliable management of errors and faults is a priority for designers of automotive electronics and industrial systems.

Besides the often necessary conversion of levels between the microcontroller and the output stage, it is absolutely crucial that, in the event of errors "of the first order", the critical signals are placed in a state which is both defined and safe. As a rule it is usually sufficient to examine individual fault cases here, such as:

  • Defective supply voltage or ground levels
  • Short circuits between two outputs (caused by solder bridges, for example)
  • Short-to-ground at inputs or outputs
  • Open lines/soldering joints at the input or output
  • Burst transients at the input or output

Today the need for some form of supply voltage monitor can be easily satisfied by using a suitable monitoring IC (i.e. a reset or watchdog device). Among other things this provides a reset signal (for the microcontroller, for example) when the supply voltage is turned on and off.

An incorrect ground level caused by a cold soldering joint or a broken bonding wire in the driver, for example, is usually recognized by measuring current. But the time and effort involved in setting up a suitable discrete monitoring circuit for this purpose is considerable.

If there is a short circuit in the output lines, the driver stages must be designed in such a way that the outputs are guaranteed to shut down. If, for instance, two outputs short (where one of the output drivers is high and the other low), the active low-side output transistor of the one output must be able to overrule the active high-side transistor of the other, and switch it to low. This must be taken into consideration when dimensioning the driver circuitry.

Outputs must be protected by Zener or clamp diodes against burst transients induced in the connected lines. One device which is suitable for the suppression of switching errors caused by bursts at the driver input is the Schmitt trigger circuit.

Open connections can be caused by disconnected cables, cold solder joints, or broken wires. If an input line is open, the drivers must be shut down. This is done by pull-down resistors or current sources at the input. In addition to the above requirements, levels between the 3.3V microcontroller and the output drivers also have to be adjusted.

Integrated solutions

Satisfying all of these requirements using only discrete components is expensive and takes up a great deal of space. Integrated solutions can help to cut costs and make systems failsafe. The diagram below gives the basic circuitry of a failsafe driver stage coupled with a 5V logic level n-FET and a microcontroller.

[Figure: Driving 5V FETs with a microcontroller]

The eight-channel failsafe n-FET driver (iC-MFN) has all the necessary functions integrated into the device. The inputs have Schmitt trigger circuits and can process 1.5 to 5V for the adaptation of transistor-transistor logic (TTL) and CMOS logic levels. The outputs have a current-limited soft start and a voltage limiter which, from an output voltage of 6.5V upwards, drives the current to ground via an internal resistor of typically 150Ω.

Another of the n-FET driver's functions is the integrated supply voltage and ground (GND) monitor. Should the supply voltage drop below 3.5V, all of the output stages are switched to low. If the supply voltage fails completely, the outputs are passively tied to GNDR potential by integrated pull-down resistors.

For a ground error to be correctly recognized, a second ground connection (GNDR) is needed. If the ground monitor detects a GND interrupt, all output stages are shut down and the output level is tied to the GNDR potential by the integrated pull-down resistors. If GNDR is interrupted, the high-side transistors are shut down and the low-side transistors are switched to GND potential.

The system is "enabled" by the input EN which can be activated by a reset or watchdog component, for example, or the microcontroller itself, as shown in the figure.
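The failsafe behaviour described above can be captured as a small behavioural model and swept with single-fault injection, for instance in firmware unit tests. This is an added example written from the article's description, not iC-Haus code or datasheet logic; all type and function names, the 5000 mV nominal supply, the 3400 mV test value and the assumption that a low EN forces every output low are constructed for illustration.

```c
#include <stdbool.h>

/* Behavioural model (added example): names and the EN-low behaviour are assumptions. */
#define CHANNELS     8
#define VDD_UVLO_MV  3500   /* article: below 3.5 V all output stages go low */

typedef enum { IN_LOW, IN_HIGH, IN_OPEN } in_t;
typedef enum { OUT_LOW, OUT_HIGH, OUT_PULLDOWN_GNDR } out_t;

typedef struct {
    unsigned vdd_mv;        /* 0 models a complete supply failure */
    bool gnd_ok, gndr_ok;   /* false = connection interrupted */
    bool en;                /* enable from watchdog/reset IC or MCU */
    in_t in[CHANNELS];
} cond_t;

/* State of one output under the given conditions (first-order faults only). */
out_t mfn_output(const cond_t *c, int ch)
{
    if (c->vdd_mv == 0 || !c->gnd_ok) return OUT_PULLDOWN_GNDR; /* passive pull-down */
    if (!c->gndr_ok)                  return OUT_LOW;  /* high side off, low side to GND */
    if (c->vdd_mv < VDD_UVLO_MV)      return OUT_LOW;  /* undervoltage */
    if (!c->en)                       return OUT_LOW;  /* assumption: disabled = low */
    /* An open input is pulled down at the driver input, so it reads as low. */
    return c->in[ch] == IN_HIGH ? OUT_HIGH : OUT_LOW;
}

typedef enum { F_NONE, F_VDD_LOW, F_VDD_LOST, F_GND_OPEN, F_GNDR_OPEN,
               F_EN_LOW, F_INPUTS_OPEN, F_COUNT } fault_t;

/* Inject one fault into a healthy, fully-on system; return how many FETs stay on. */
int fets_on_after(fault_t f)
{
    cond_t c = { .vdd_mv = 5000, .gnd_ok = true, .gndr_ok = true, .en = true };
    for (int i = 0; i < CHANNELS; i++) c.in[i] = IN_HIGH;

    switch (f) {
    case F_VDD_LOW:     c.vdd_mv = 3400;   break;  /* constructed test value */
    case F_VDD_LOST:    c.vdd_mv = 0;      break;
    case F_GND_OPEN:    c.gnd_ok = false;  break;
    case F_GNDR_OPEN:   c.gndr_ok = false; break;
    case F_EN_LOW:      c.en = false;      break;
    case F_INPUTS_OPEN: for (int i = 0; i < CHANNELS; i++) c.in[i] = IN_OPEN; break;
    default: break;
    }
    int on = 0;
    for (int i = 0; i < CHANNELS; i++) on += (mfn_output(&c, i) == OUT_HIGH);
    return on;
}
```

A design passes the sweep when every injected fault leaves zero FETs conducting while the fault-free case keeps all eight on.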

David Lin is an application engineer for iC-Haus, Bodenheim, Germany.
