Features • • • • • Digital Self-supervising Watchdog with Hysteresis One 250-mA Output Driver for Relay Enable Output Open Collector 8 mA Over/Undervoltage Detection ENABLE and RELAY Outputs Protected Against Standard Transients and 40 V Load Dump • ESD Protection According to MIL-STD-883 D Test Method 3015.7 – Human Body Model: ±2 kV (100 pF, 1.5 kW) – Machine Model: ±200 V (200 pF, 0 W) Special Fail-safe IC Description The U6808B is designed to support the fail-safe function of a safety critical system (e.g., ABS). It includes a relay driver, a watchdog controlled by an external R/C-network and a reset circuit initiated by an over and undervoltage condition of the 5-V supply providing a low-level reset signal. U6808B Figure 1. Block Diagram VS VS + - Bandgap reference 2.44 V Power-on reset RESET Reset debounce Reset delay + RELAY Under/ overvoltage detection ENABLE RIN WDI + + - Internal oscillator Watchdog RC oscillator GND WDC Current limitation Rev. 4707A–AUTO–05/03 1 Pin Configuration Figure 2. Pinning SO8 RELAY 1 8 VS GND 2 7 RIN ENABLE 3 6 WDI WDC 4 5 RESET Pin Description Pin Symbol Type Function Logic 1 RELAY Open collector driver output Fail-safe relay driver No signal: driver off Low: driver on 2 GND Supply Standard ground No signal 3 ENABLE Digital output Negative reset signal Low: reset 4 WDC Analog input External RC for watchdog timer No signal 5 RESET Digital output Negative reset signal Low: reset 6 WDI Digital input Watchdog trigger signal Pulse sequence 7 RIN Digital input Activation of relay driver High: driver on Low: driver off 8 VS Supply 5-V supply – Fail-safe Functions A fail-safe IC has to maintain its monitoring function even if there is a fault condition at one of the pins (e.g., short circuit). This ensures that a microcontroller system is not brought into a critical status. A critical status is reached if the system is not able to switch off the relay and to give a signal to the microcontroller via the ENABLE and RESET outputs. The following table shows the fault conditions for the pins. Table 1. Table of Fault Conditions 2 Pin Function Short to Vs Short to VBat Short to GND Open Circuit RIN Digital input to activate the fail-safe relay Relay on Relay on Relay off Relay off WDI Watchdog trigger input Watchdog reset Watchdog reset Watchdog reset Watchdog reset OSC Capacitor and resistor of watchdog Watchdog reset Watchdog reset Watchdog reset Watchdog reset RELAY Driver of the fail-safe relay Relay on Relay off U6808B 4707A–AUTO–05/03 U6808B Truth Tables Table 2. Truth Table for Over and Undervoltage Conditions Supply Voltage (VS) Normal Too low Too high Relay Input (RIN) Relay Output Driver (RELAY) RESET Output (RESET) Enable Output Driver (ENABLE) Low Off High Off High On High Off Low Off Low On High Off Low On Low Off Low On High Off Low On Table 3. Truth Table for Watchdog Failures (Reset Output Do Not Care) Watchdog Input (WDI) Normal Too slow Too fast Relay Input (RIN) Relay Output Driver (RELAY) Enable Output Driver (ENABLE) Low Off Off High On Off Low Off On High Off On Low Off On High Off On Description of the Watchdog Figure 3. Watchdog Block Diagram Binary counter RCOSC Dual MUX WDI Slope detector Up/down counter RS-FF WD-OK RESET OSCERR Abstract The microcontroller is monitored by a digital window watchdog which accepts an incomming trigger signal of a constant frequency for correct operation. The frequency of the trigger signal can be varied in a broad range as the watchdog's time window is determined by external R/C components. The following description refers to the block diagram, see Figure 3. 3 4707A–AUTO–05/03 WDI Input The microcontroller has to provide a trigger signal with the frequency fWDI which is fed to the WDI input. A positive edge of fWDI detected by a slope detector resets the binary counter and clocks the up/down counter additionally. The latter one counts only from 0 to 3 or reverse. Each correct trigger increments the up/down counter by 1, each wrong trigger decrements it by 1. As soon as the counter reaches status 3 the RS flip-flop is set (see Figure 4). A missing incoming trigger signal is detected after 250 clocks of the internal watchdog frequency fRC (see section “WD-OK Output”) and resets the up/down counter directly. RCOSC Input With an external R/C circuitry the IC generates a time base (frequency fWDC) independent from the microcontroller. The watchdog's time window refers to a frequency of fWDC = 100 ´ fWDI OSCERR Input A smart watchdog has to ensure that internal problems with its own time base are detected and do not lead to an undesired status of the complete system. If the RC oscillator stops oscillating a signal is fed to the OSCERR input after a timeout delay. It resets the up/down counter and disables the WD-OK output. Without this reset function the watchdog would freeze in its current status when fRC stops. RESET Input During power-on and under/overvoltage detection a reset signal is fed to this pin. It resets the watchdog timer and sets the initial state. WD-OK Output After the up/down counter is incremented to status 3 (see Figure 4) the RS flip-flop is set and the WD-OK output becomes logic 1. This information is available for the microcontroller at the open-collector output ENABLE. If on the other hand the up/down counter is decremented to 0 the RS flip-flop is reset, the WD-OK output and the ENABLE output are disabled. The WD-OK output also controls a dual MUX stage which shifts the time window by one clock after a successful trigger, thus forming a hysteresis to provide stable conditions for the evaluation of the trigger signal good or false. The WD-OK signal is also reset in case the watchdog counter is not reset after 250 clocks (missing trigger signal). Watchdog State Diagram Figure 4. Watchdog State Diagram good Initial status 2/NF 1/NF bad bad bad good good bad O/F 3/NF bad good bad 1/F 2/F good good 4 U6808B 4707A–AUTO–05/03 U6808B Explanation In each block, the first character represents the state of the counter. The second notation indicates the fault status of the counter. A fault status is indicated by an F and a no fault status is indicated by an NF. When the watchdog is powered up initially, the counter starts out at the 0/F block (initial state). Good indicates that a pulse has been received whose width resides within the timing window. Bad indicates that a pulse has been received whose width is either too short or too long. Watchdog Window Calculation Example with Recommended Values Cosc = 3.3 nF (should be preferably 10%, NPO) Rosc = 39 kW (may be 5%, Rosc < 100 kW due to leakage current and humidity) tWDC(s) = 10-3 ´ [Cosc (nF) ´ [(0.00078 ´ Rosc (kW)) + 0.0005]] RC Oscillator fWDC(Hz) = 1/(tWDC) Watchdog WDI fWDI(Hz) =0.01 ´ fWDC tWDC = 100 µs ® fWDC = 10 kHz fWDI = 100 Hz ® tWDI = 10 ms WDI Pulse Width for Fault Detection after 3 Pulses Upper watchdog window Minimum: 169/fWDC = 16.9 ms ® fWDC/169 = 59.1 Hz Maximum: 170/fWDC = 17.0 ms ® fWDC/170 = 58.8 Hz Lower watchdog window Minimum: 79/fWDC = 7.9 ms ® fWDC/79 = 126.6 Hz Maximum: 80/fWDC = 8.0 ms ® fWDC/80 = 125.0 Hz WDI Dropouts for Immediate Fault Detection Minimum: Maximum: 250/fWDC = 25 ms 251/fWDC = 25.1 ms Figure 5. Watchdog Timing Diagram with Tolerances Time/s 79/fWDC 80/fWDC 169/fWDC 170/fWDC 250/fWDC 251/fWDC Watchdog window update rate is good Update rate is too Update rate is fast either too fast or good Reset Delay Update rate is Update rate is too Update rate is Pulse has either too slow or slow either too slow or dropped out good pulse has dropped out The duration of the over or undervoltage pulses determines the enable and reset output. A pulse duration shorter than the debounce time has no effect on the outputs. A pulse longer than the debounce time results in the first reset delay. If a pulse appears during this delay, a second delay time is triggered. Therefore, the total reset delay time can be longer than specified in the data sheet. 5 4707A–AUTO–05/03 Absolute Maximum Ratings Parameters Symbol Value Unit Supply-voltage range VS -0.2 to +16 V Power dissipation VS = 5 V, Tamb = -40°C VS = 5 V, Tamb = +125°C Ptot Ptot 250 150 mW mW Thermal resistance Rthja 160 K/W Tj 150 °C Ambient temperature range Tamb -40 to +125 °C Storage temperature range Tstg -55 to +155 °C Junction temperature Electrical Characteristics VS = 5 V, Tamb = -40 to +125°C, reference pin is GND, fintern = 100 kHz + 50% - 45%, fWDC = 10 kHz ±10%, fWDI = 100 Hz Parameters Test Conditions Symbol Min. Operation range general VS Operation range reset VS Typ. Max. Unit 4.5 5.5 V 1.2 16.0 V Supply Voltage Supply Current Relay off Tamb = - 40°C Tamb = +125°C 6 mA mA Relay on Tamb = - 40°C Tamb = +125°C 15 mA mA Digital Input WDI Detection low -0.2 0.2 ´ VS V Detection high 0.7 ´ VS VS + 0.5 V V 10 40 kW Resistance to VS Input current low Input voltage = 0 V 100 550 µA Input current high Input voltage = VS -5 +5 µA 20 24 V Detection low -0.2 0.2 ´ VS V Detection high 0.7 ´ VS VS + 0.5 V V 10 40 kW Zener clamping voltage VZWDI Digital Input RIN Resistance to GND Input current low Input current high Input voltage = 0 V -5 +5 µA Input voltage = VS 100 550 µA 20 24 V 0.7 ´ VS + 0.1 VS V 0 0.3 V VZRESET 26 30 V tdeb 120 500 µs Zener clamping voltage VZRIN Digital Output RESET with Internal Pull-up Voltage high Pull-up = 6 kW Voltage low I £ 1 mA 1.2 V < VS < 16 V Zener clamping voltage Reset debounce time 6 Switch to low 320 U6808B 4707A–AUTO–05/03 U6808B Electrical Characteristics (Continued) VS = 5 V, Tamb = -40 to +125°C, reference pin is GND, fintern = 100 kHz + 50% - 45%, fWDC = 10 kHz ±10%, fWDI = 100 Hz Parameters Test Conditions Reset delay time Switch back to high Symbol Min. tdel Typ. Max. 50 Unit ms Digital Output ENABLE with Open Collector Saturation voltage low I £ 8 mA Zener clamping voltage Current limitation 0.01 0.5 V VZEN 26 30 V Ilim 8 Leakage current VEN = 5 V VEN = 16 V VEN = 26 V IEN5 IEN16 IEN26 Reset debounce time Switch to low tdeb Reset delay time Switch back to high tdel 120 mA 320 20 100 200 µA µA µA 500 µs 85 ms Relay Driver Output RELAY Saturation voltage I £ 250 mA I £ 130 mA Maximum load current Tamb = -40 to +90°C Tamb > 90°C Zener clamping voltage IR IR 250 200 VZR 26 Turn-off enegy Leakage current 0.5 0.3 VRsat VRsat mA mA 30 30 VR = 16 V VR = 26 V V V V mJ IR16 IR26 20 200 µA µA 4.7 V Reset and VS Control Lower reset level VS 4.5 Upper reset level VS 5.35 5.6 V Hysteresis 25 100 mV Reset debounce time 120 320 500 µs Reset delay 20 50 80 ms fWDC 9 10 11 kHz tPOR 34 .3 103.1 ms tRCerror 81.9 246 ms Time interval for over-/undervoltage detection tD,OUV 0.16 0.64 ms Reaction time of RESET output over/undervoltage tR,OUV 0.187 0.72 ms RC Oscillator WDC Oscillator frequency ROSC = 39 kW, COSC = 3.3 nF Watchdog Timing Power-on-reset prolongation time Detection time for RC oscillator fault VRC = const. Nominal frequency for WDI fRC = 100 ´ fWDI fWDI 10 130 Hz Nominal frequency for WDC fWDI = 1/100 ´ fWDC fWDC 1 13 kHz Minimum pulse duration for a securely WDI input pulse detection tP,WDI 182 Frequency range for a correct WDI signal fWDI 64.7 µs 112.5 Hz 7 4707A–AUTO–05/03 Electrical Characteristics (Continued) VS = 5 V, Tamb = -40 to +125°C, reference pin is GND, fintern = 100 kHz + 50% - 45%, fWDC = 10 kHz ±10%, fWDI = 100 Hz Parameters Test Conditions Symbol Number of incorrect WDI trigger counts for locking the outputs Number of correct WDI trigger counts for releasing the outputs Detection time for a stucked WDI signal VWDI = const. Min. Typ. nlock 3 nrelease 3 tWDIerror 24.5 Max. Unit 25.5 ms Watchdog Timing Relative to fWDC Minimum pulse duration for a securely WDI input pulse detection 2 Frequency range for a correct WDI signal 80 Hysteresis range at the WDI ok margins Detection time for a dropped out WDI signal Cycles 169 Cycles 1 VWDI = const. 250 Cycle 251 Cycles Protection against Transient Voltages According to ISO TR 7637-3 Level 4 (Except Pulse 5) Voltage Source Resistance(1) Rise Time 1 -110 V 10 2 +110 V 10 3a -160 V 3b 5 Pulse Note: 8 Duration Amount 100 V/s 2 ms 15.000 100 V/s 0.05 ms 15.000 50 30 V/ns 0.1 s 1h +150 V 50 20 V/ns 0.1 s 1h 40 V 2 10 V/ms 250 ms 20 1. Relay driver: relay coil with Rmin = 70 W to be added U6808B 4707A–AUTO–05/03 U6808B Timing Diagrams Figure 6. Watchdog in Too-fast Condition Normal operation WDI too fast Normal operation 5V WDI 0V V Batt RELAY 0V 5V ENABLE 0V Don't care Figure 7. Watchdog in Too-slow Condition Normal operation WDI too slow Normal operation 5V WDI 0V V Batt RELAY 0V 5V ENABLE 0V Don't care 9 4707A–AUTO–05/03 Figure 8. Overvoltage Condition Overvoltage condition > 120 ms < 120 ms > 5.6 V > 5.6 V 5V VS 0V V Batt RELAY 0V 5V ENABLE 0V 5V RESET 0V 3 good WDI pulses Reset debounce time Don't care st 1 Reset delay 2nd Reset delay Figure 9. Undervoltage Condition Undervoltage condition > 120 ms < 120 ms 5V < 4.5 V VS < 4.5 V 0V V Batt RELAY 0V 5V ENABLE 0V 5V RESET 0V 3 good WDI pulses Reset debounce time 1st Don't care Reset delay 2nd Reset delay 10 U6808B 4707A–AUTO–05/03 U6808B Figure 10. Application Circuit mC 100 Hz mC mC 7 6 5 VS = 5 V 8 0.01 mF Rosc 39 kW U6808B 1 2 3 4 Relay Cosc 3.3 nF mC V Batt Ordering Information Extended Type Number Package U6808B Remarks SO8 – Package Information Package SO8 Dimensions in mm 5.2 4.8 5.00 4.85 3.7 1.4 0.25 0.10 0.4 1.27 6.15 5.85 3.81 8 0.2 3.8 5 technical drawings according to DIN specifications 1 4 11 4707A–AUTO–05/03 Atmel Headquarters Atmel Operations Corporate Headquarters Memory 2325 Orchard Parkway San Jose, CA 95131 TEL 1(408) 441-0311 FAX 1(408) 487-2600 Europe Atmel Sarl Route des Arsenaux 41 Case Postale 80 CH-1705 Fribourg Switzerland TEL (41) 26-426-5555 FAX (41) 26-426-5500 Asia Room 1219 Chinachem Golden Plaza 77 Mody Road Tsimhatsui East Kowloon Hong Kong TEL (852) 2721-9778 FAX (852) 2722-1369 Japan 9F, Tonetsu Shinkawa Bldg. 1-24-8 Shinkawa Chuo-ku, Tokyo 104-0033 Japan TEL (81) 3-3523-3551 FAX (81) 3-3523-7581 2325 Orchard Parkway San Jose, CA 95131 TEL 1(408) 441-0311 FAX 1(408) 436-4314 Microcontrollers 2325 Orchard Parkway San Jose, CA 95131 TEL 1(408) 441-0311 FAX 1(408) 436-4314 La Chantrerie BP 70602 44306 Nantes Cedex 3, France TEL (33) 2-40-18-18-18 FAX (33) 2-40-18-19-60 ASIC/ASSP/Smart Cards Zone Industrielle 13106 Rousset Cedex, France TEL (33) 4-42-53-60-00 FAX (33) 4-42-53-60-01 RF/Automotive Theresienstrasse 2 Postfach 3535 74025 Heilbronn, Germany TEL (49) 71-31-67-0 FAX (49) 71-31-67-2340 1150 East Cheyenne Mtn. Blvd. Colorado Springs, CO 80906 TEL 1(719) 576-3300 FAX 1(719) 540-1759 Biometrics/Imaging/Hi-Rel MPU/ High Speed Converters/RF Datacom Avenue de Rochepleine BP 123 38521 Saint-Egreve Cedex, France TEL (33) 4-76-58-30-00 FAX (33) 4-76-58-34-80 1150 East Cheyenne Mtn. Blvd. Colorado Springs, CO 80906 TEL 1(719) 576-3300 FAX 1(719) 540-1759 Scottish Enterprise Technology Park Maxwell Building East Kilbride G75 0QR, Scotland TEL (44) 1355-803-000 FAX (44) 1355-242-743 e-mail [email protected] Web Site http://www.atmel.com © Atmel Corporation 2003. Atmel Corporation makes no warranty for the use of its products, other than those expressly contained in the Company’s standard warranty which is detailed in Atmel’s Terms and Conditions located on the Company’s web site. The Company assumes no responsibility for any errors which may appear in this document, reserves the right to change devices or specifications detailed herein at any time without notice, and does not make any commitment to update the information contained herein. No licenses to patents or other intellectual property of Atmel are granted by the Company in connection with the sale of Atmel products, expressly or by implication. Atmel’s products are not authorized for use as critical components in life support devices or systems. Atmel ® is the registered trademark of Atmel. Other terms and product names may be the trademarks of others. Printed on recycled paper. 4707A–AUTO–05/03 xM