Special Fail-safe IC U6808B

Rev. 4707B–AUTO–10/05

Features
• Digital Self-supervising Watchdog with Hysteresis
• One 250-mA Output Driver for Relay
• Enable Output Open Collector 8 mA
• Over/Undervoltage Detection
• ENABLE and RELAY Outputs Protected Against Standard Transients and 40V Load Dump
• ESD Protection According to MIL-STD-883 D Test Method 3015.7
  – Human Body Model: ±2 kV (100 pF, 1.5 kΩ)
  – Machine Model: ±200 V (200 pF, 0Ω)

1. Description

The U6808B is designed to support the fail-safe function of a safety critical system (e.g., ABS). It includes a relay driver, a watchdog controlled by an external R/C-network and a reset circuit initiated by an over and undervoltage condition of the 5-V supply providing a low-level reset signal.

Figure 1-1. Block Diagram (blocks: bandgap reference 2.44 V, power-on reset, reset debounce, reset delay, under/overvoltage detection, internal oscillator, watchdog, RC oscillator, current limitation; pins: VS, RESET, RELAY, ENABLE, RIN, WDI, WDC, GND)

2. Pin Configuration

Figure 2-1. Pinning SO8
RELAY  1 | 8  VS
GND    2 | 7  RIN
ENABLE 3 | 6  WDI
WDC    4 | 5  RESET

Table 2-1. Pin Description
Pin | Symbol | Type | Function | Logic
1 | RELAY | Open collector driver output | Fail-safe relay driver | No signal: driver off; Low: driver on
2 | GND | Supply | Standard ground | No signal
3 | ENABLE | Digital output | Negative reset signal | Low: reset
4 | WDC | Analog input | External RC for watchdog timer | No signal
5 | RESET | Digital output | Negative reset signal | Low: reset
6 | WDI | Digital input | Watchdog trigger signal | Pulse sequence
7 | RIN | Digital input | Activation of relay driver | High: driver on; Low: driver off
8 | VS | Supply | 5-V supply | –

3. Fail-safe Functions

A fail-safe IC has to maintain its monitoring function even if there is a fault condition at one of the pins (e.g., short circuit). This ensures that a microcontroller system is not brought into a critical status.
A critical status is reached if the system is not able to switch off the relay and to give a signal to the microcontroller via the ENABLE and RESET outputs. The following table shows the fault conditions for the pins.

Table 3-1. Table of Fault Conditions
Pin | Function | Short to VS | Short to VBat | Short to GND | Open Circuit
RIN | Digital input to activate the fail-safe relay | Relay on | Relay on | Relay off | Relay off
WDI | Watchdog trigger input | Watchdog reset | Watchdog reset | Watchdog reset | Watchdog reset
OSC Capacitor and resistor of watchdog Watchdog reset Watchdog reset Watchdog reset Relay on Relay off RELAY Watchdog reset Driver of the failsafe relay

4. Truth Tables

Table 4-1. Truth Table for Over and Undervoltage Conditions
Supply Voltage (VS) | Relay Input (RIN) | Relay Output Driver (RELAY) | RESET Output (RESET) | Enable Output Driver (ENABLE)
Normal | Low | Off | High | Off
Normal | High | On | High | Off
Too low | Low | Off | Low | On
Too low | High | Off | Low | On
Too high | Low | Off | Low | On
Too high | High | Off | Low | On

Table 4-2. Truth Table for Watchdog Failures (Reset Output Do Not Care)
Watchdog Input (WDI) | Relay Input (RIN) | Relay Output Driver (RELAY) | Enable Output Driver (ENABLE)
Normal | Low | Off | Off
Normal | High | On | Off
Too slow | Low | Off | On
Too slow | High | Off | On
Too fast | Low | Off | On
Too fast | High | Off | On

5. Description of the Watchdog

Figure 5-1. Watchdog Block Diagram (blocks: binary counter, dual MUX, slope detector, up/down counter, RS-FF; signals: RCOSC, WDI, RESET, OSCERR, WD-OK)

5.1 Abstract

The microcontroller is monitored by a digital window watchdog which accepts an incoming trigger signal of a constant frequency for correct operation. The frequency of the trigger signal can be varied in a broad range as the watchdog's time window is determined by external R/C components. The following description refers to the block diagram, see Figure 5-1.

5.2 WDI Input

The microcontroller has to provide a trigger signal with the frequency fWDI which is fed to the WDI input.
A positive edge of fWDI detected by a slope detector resets the binary counter and clocks the up/down counter additionally. The latter one counts only from 0 to 3 or reverse. Each correct trigger increments the up/down counter by 1, each wrong trigger decrements it by 1. As soon as the counter reaches status 3 the RS flip-flop is set (see Figure 5-2). A missing incoming trigger signal is detected after 250 clocks of the internal watchdog frequency fRC (see section “WD-OK Output”) and resets the up/down counter directly.

5.3 RCOSC Input

With an external R/C circuitry the IC generates a time base (frequency fWDC) independent from the microcontroller. The watchdog's time window refers to a frequency of

fWDC = 100 × fWDI

5.4 OSCERR Input

A smart watchdog has to ensure that internal problems with its own time base are detected and do not lead to an undesired status of the complete system. If the RC oscillator stops oscillating a signal is fed to the OSCERR input after a time-out delay. It resets the up/down counter and disables the WD-OK output. Without this reset function the watchdog would freeze in its current status when fRC stops.

5.5 RESET Input

During power-on and under/overvoltage detection a reset signal is fed to this pin. It resets the watchdog timer and sets the initial state.

5.6 WD-OK Output

After the up/down counter is incremented to status 3 (see Figure 5-2) the RS flip-flop is set and the WD-OK output becomes logic 1. This information is available for the microcontroller at the open-collector output ENABLE. If on the other hand the up/down counter is decremented to 0 the RS flip-flop is reset, the WD-OK output and the ENABLE output are disabled. The WD-OK output also controls a dual MUX stage which shifts the time window by one clock after a successful trigger, thus forming a hysteresis to provide stable conditions for the evaluation of the trigger signal good or false.
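The counter behaviour of sections 5.2 and 5.6 and the window arithmetic of section 5.9, as an added example that is not part of the data sheet. All function and type names are hypothetical; it assumes a pulse in a margin zone is scored as bad, a dropout is taken from 250 cycles on, and the 9 to 11 kHz fWDC band from the electrical characteristics is the tolerance to design against.

```c
#include <stdio.h>

/* Section 5.9.2: RC oscillator period (s) from Cosc in nF and Rosc in kOhm. */
double twdc_seconds(double cosc_nf, double rosc_kohm) {
    return 1e-3 * (cosc_nf * (0.00078 * rosc_kohm + 0.0005));
}

typedef enum { WDI_TOO_FAST, WDI_MARGIN, WDI_GOOD, WDI_TOO_SLOW, WDI_DROPOUT } wdi_class;

/* Classify one WDI period, expressed in fWDC cycles, using the window
 * edges of section 5.9.3 (79/80, 169/170, 250). */
wdi_class classify_cycles(double n) {
    if (n >= 250.0) return WDI_DROPOUT;  /* assumption: earliest detection */
    if (n > 170.0)  return WDI_TOO_SLOW;
    if (n > 169.0)  return WDI_MARGIN;   /* good or too slow */
    if (n >= 80.0)  return WDI_GOOD;
    if (n >= 79.0)  return WDI_MARGIN;   /* too fast or good */
    return WDI_TOO_FAST;
}

/* Up/down counter plus RS flip-flop of sections 5.2 and 5.6; starts at 0/F. */
typedef struct { int count; int wd_ok; } wd_state;

void wd_step(wd_state *s, wdi_class c) {
    if (c == WDI_DROPOUT) { s->count = 0; s->wd_ok = 0; return; }
    /* Assumption: a margin pulse is scored as bad (worst case for firmware). */
    if (c == WDI_GOOD) { if (s->count < 3) s->count++; }
    else if (s->count > 0) s->count--;
    if (s->count == 3) s->wd_ok = 1;     /* counter at 3 sets the flip-flop   */
    if (s->count == 0) s->wd_ok = 0;     /* counter at 0 resets the flip-flop */
}

/* Design check: does a firmware trigger period stay inside 80..169 cycles
 * over the whole fWDC tolerance band [f_min_hz, f_max_hz]? */
int wdi_period_safe(double period_s, double f_min_hz, double f_max_hz) {
    return period_s * f_min_hz >= 80.0 && period_s * f_max_hz <= 169.0;
}

int main(void) {
    double t = twdc_seconds(3.3, 39.0);            /* recommended values */
    wd_state s = {0, 0};
    double periods_ms[] = {10, 10, 10, 6, 6, 6};   /* constructed sample */
    printf("tWDC = %.1f us, fWDC = %.0f Hz\n", t * 1e6, 1.0 / t);
    for (int i = 0; i < 6; i++) {
        wd_step(&s, classify_cycles(periods_ms[i] * 1e-3 / t));
        printf("period %2.0f ms -> count %d, WD-OK %d\n", periods_ms[i], s.count, s.wd_ok);
    }
    printf("10 ms safe at 9..11 kHz: %d\n", wdi_period_safe(0.010, 9e3, 11e3));
    printf("8.5 ms safe at 9..11 kHz: %d\n", wdi_period_safe(0.0085, 9e3, 11e3));
    return 0;
}
```

A trigger period that is good at the nominal 10 kHz can still fall below 80 cycles at the low end of the oscillator tolerance, which is what the last check exposes for 8.5 ms.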
The WD-OK signal is also reset in case the watchdog counter is not reset after 250 clocks (missing trigger signal).

5.7 Watchdog State Diagram

Figure 5-2. Watchdog State Diagram (states: 0/F (initial status), 1/F, 2/F, 3/NF, 2/NF, 1/NF; transitions labelled good and bad)

5.8 Explanation

In each block, the first character represents the state of the counter. The second notation indicates the fault status of the counter. A fault status is indicated by an F and a no fault status is indicated by an NF. When the watchdog is powered up initially, the counter starts out at the 0/F block (initial state). Good indicates that a pulse has been received whose width resides within the timing window. Bad indicates that a pulse has been received whose width is either too short or too long.

5.9 Watchdog Window Calculation

5.9.1 Example with Recommended Values

Cosc = 3.3 nF (should be preferably 10%, NPO)
Rosc = 39 kΩ (may be 5%, Rosc < 100 kΩ due to leakage current and humidity)

5.9.2 RC Oscillator

tWDC (s) = 10^-3 × [Cosc (nF) × [(0.00078 × Rosc (kΩ)) + 0.0005]]
fWDC (Hz) = 1/(tWDC)

5.9.3 Watchdog WDI

fWDI (Hz) = 0.01 × fWDC
tWDC = 100 µs → fWDC = 10 kHz
fWDI = 100 Hz → tWDI = 10 ms

5.9.3.1 WDI Pulse Width for Fault Detection after 3 Pulses

Upper watchdog window
Minimum: 169/fWDC = 16.9 ms → fWDC/169 = 59.1 Hz
Maximum: 170/fWDC = 17.0 ms → fWDC/170 = 58.8 Hz

Lower watchdog window
Minimum: 79/fWDC = 7.9 ms → fWDC/79 = 126.6 Hz
Maximum: 80/fWDC = 8.0 ms → fWDC/80 = 125.0 Hz

5.9.3.2 WDI Dropouts for Immediate Fault Detection

Minimum: 250/fWDC = 25 ms
Maximum: 251/fWDC = 25.1 ms

Figure 5-3.
Watchdog Timing Diagram with Tolerances (time axis in s)
Before 79/fWDC: update rate is too fast
79/fWDC to 80/fWDC: update rate is either too fast or good
80/fWDC to 169/fWDC: watchdog window, update rate is good
169/fWDC to 170/fWDC: update rate is either too slow or good
170/fWDC to 250/fWDC: update rate is too slow
250/fWDC to 251/fWDC: update rate is either too slow or pulse has dropped out
After 251/fWDC: pulse has dropped out

5.9.3.3 Reset Delay

The duration of the over or undervoltage pulses determines the enable and reset output. A pulse duration shorter than the debounce time has no effect on the outputs. A pulse longer than the debounce time results in the first reset delay. If a pulse appears during this delay, a second delay time is triggered. Therefore, the total reset delay time can be longer than specified in the data sheet.

6. Absolute Maximum Ratings

Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress rating only and functional operation of the device at these or any other conditions beyond those indicated in the operational sections of this specification is not implied. Exposure to absolute maximum rating conditions for extended periods may affect device reliability.

Parameters | Symbol | Value | Unit
Supply-voltage range | VS | –0.2 to +16 | V
Power dissipation, VS = 5V, Tamb = –40°C | Ptot | 250 | mW
Power dissipation, VS = 5V, Tamb = +125°C | Ptot | 150 | mW
Thermal resistance | Rthja | 160 | K/W
Junction temperature | Tj | 150 | °C
Ambient temperature range | Tamb | –40 to +125 | °C
Storage temperature range | Tstg | –55 to +155 | °C

7. Electrical Characteristics

VS = 5V, Tamb = –40 to +125°C, reference pin is GND, fintern = 100 kHz + 50% – 45%, fWDC = 10 kHz ±10%, fWDI = 100 Hz

Parameters | Test Conditions | Symbol | Min. Typ. Max. | Unit

Supply Voltage
Operation range general | | VS | 4.5 / 5.5 | V
Operation range reset | | VS | 1.2 / 16.0 | V

Supply Current
Relay off | Tamb = –40°C, Tamb = +125°C | | 6 | mA
Relay on | Tamb = –40°C, Tamb = +125°C | | 15 | mA

Digital Input WDI
Detection low | | | –0.2 / 0.2 × VS | V
Detection high | | | 0.7 × VS / VS + 0.5V | V
Resistance to VS | | | 10 / 40 | kΩ
Input current low | Input voltage = 0V | | 100 / 550 | µA
Input current high | Input voltage = VS | | –5 / +5 | µA
Zener clamping voltage | | VZWDI | 20 / 24 | V

Digital Input RIN
Detection low | | | –0.2 / 0.2 × VS | V
Detection high | | | 0.7 × VS / VS + 0.5 V | V
Resistance to GND | | | 10 / 40 | kΩ
Input current low | Input voltage = 0V | | –5 / +5 | µA
Input current high | Input voltage = VS | | 100 / 550 | µA
Zener clamping voltage | | VZRIN | 20 / 24 | V

Digital Output RESET with Internal Pull-up
Voltage high | Pull-up = 6 kΩ | | 0.7 × VS + 0.1 VS | V
Voltage low | I ≤ 1 mA, 1.2V < VS < 16V | | 0 / 0.3 | V
Zener clamping voltage | | VZRESET | 26 / 30 | V
Reset debounce time | Switch to low | tdeb | 120 / 320 / 500 | µs
Reset delay time | Switch back to high | tdel | 50 | ms

Digital Output ENABLE with Open Collector
Saturation voltage low | I ≤ 8 mA | | 0.01 / 0.5 | V
Zener clamping voltage | | VZEN | 26 / 30 | V
Current limitation | | Ilim | 8 | mA
Leakage current | VEN = 5V | IEN5 | 20 | µA
Leakage current | VEN = 16V | IEN16 | 100 | µA
Leakage current | VEN = 26V | IEN26 | 200 | µA
Reset debounce time | Switch to low | tdeb | 120 / 320 / 500 | µs
Reset delay time | Switch back to high | tdel | 85 | ms

Relay Driver Output RELAY
Saturation voltage | I ≤ 250 mA | VRsat | 0.5 | V
Saturation voltage | I ≤ 130 mA | VRsat | 0.3 | V
Maximum load current | Tamb = –40 to +90°C | IR | 250 | mA
Maximum load current | Tamb > 90°C | IR | 200 | mA
Zener clamping voltage | | VZR | 26 / 30 | V
Turn-off energy | | | 30 | mJ
Leakage current | VR = 16V | IR16 | 20 | µA
Leakage current | VR = 26V | IR26 | 200 | µA

Reset and VS Control
Lower reset level | | VS | 4.5 / 4.7 | V
Upper reset level | | VS | 5.35 / 5.6 | V
Hysteresis | | | 25 / 100 | mV
Reset debounce time | | | 120 / 320 / 500 | µs
Reset delay | | | 20 / 50 / 80 | ms
Time interval for over-/undervoltage detection | | tD,OUV | 0.16 / 0.64 | ms
Reaction time of RESET output over/undervoltage | | tR,OUV | 0.187 / 0.72 | ms

RC Oscillator WDC
Oscillator frequency | ROSC = 39 kΩ, COSC = 3.3 nF | fWDC | 9 / 10 / 11 | kHz

Watchdog Timing
Power-on-reset prolongation time | | tPOR | 34.3 / 103.1 | ms
Detection time for RC oscillator fault | VRC = constant | tRCerror | 81.9 / 246 | ms
Nominal frequency for WDI | fRC = 100 × fWDI | fWDI | 10 / 130 | Hz
Nominal frequency for WDC | fWDI = 1/100 × fWDC | fWDC | 1 / 13 | kHz
Minimum pulse duration for a secure WDI input pulse detection | | tP,WDI | 182 | µs
Frequency range for a correct WDI signal | | fWDI | 64.7 / 112.5 | Hz
Number of incorrect WDI trigger counts for locking the outputs | | nlock | 3 |
Number of correct WDI trigger counts for releasing the outputs | | nrelease | 3 |
Detection time for a stuck WDI signal | VWDI = constant | tWDIerror | 24.5 / 25.5 | ms

Watchdog Timing Relative to fWDC
Minimum pulse duration for a secure WDI input pulse detection | | | 2 | Cycles
Frequency range for a correct WDI signal | | | 80 / 169 | Cycles
Hysteresis range at the WDI ok margins | | | 1 | Cycle
Detection time for a dropped out WDI signal | VWDI = constant | | 250 / 251 | Cycles

8. Protection against Transient Voltages According to ISO TR 7637-3 Level 4 (Except Pulse 5)

Pulse | Voltage | Source Resistance(1) | Rise Time | Duration | Amount
1 | –110V | 10 | 100V/s | 2 ms | 15.000
2 | +110V | 10 | 100V/s | 0.05 ms | 15.000
3a | –160V | 50 | 30V/ns | 0.1s | 1h
3b | +150V | 50 | 20V/ns | 0.1s | 1h
5 | 40V | 2 | 10V/ms | 250 ms | 20

Note: 1. Relay driver: relay coil with Rmin = 70Ω to be added

9. Timing Diagrams

Figure 9-1. Watchdog in Too-fast Condition (timing diagram; phases: normal operation, WDI too fast, normal operation; signals: WDI 0V to 5V, RELAY 0V to V Batt, ENABLE 0V to 5V; don't care)

Figure 9-2.
Watchdog in Too-slow Condition (timing diagram; phases: normal operation, WDI too slow, normal operation; signals: WDI 0V to 5V, RELAY 0V to V Batt, ENABLE 0V to 5V; don't care)

Figure 9-3. Overvoltage Condition (timing diagram; overvoltage pulses > 120 µs and < 120 µs with VS > 5.6 V; signals: VS, RELAY 0V to V Batt, ENABLE 0V to 5V, RESET 0V to 5V; markers: reset debounce time, 1st reset delay, 2nd reset delay, 3 good WDI pulses, don't care)

Figure 9-4. Undervoltage Condition (timing diagram; undervoltage pulses > 120 µs and < 120 µs with VS < 4.5 V; signals: VS, RELAY 0V to V Batt, ENABLE 0V to 5V, RESET 0V to 5V; markers: reset debounce time, 1st reset delay, 2nd reset delay, 3 good WDI pulses, don't care)

Figure 9-5. Application Circuit (U6808B pins 1 to 8 connected to the µC, 100 Hz trigger from the µC, VS = 5 V, 0.01 µF, Rosc 39 kΩ, Cosc 3.3 nF, relay, V Batt)

10. Ordering Information

Extended Type Number | Package | Remarks
U6808B-MFPY | SO8 | Tube, Pb-free
U6808B-MFPG3Y | SO8 | Taped and reeled, Pb-free

11. Package Information

Package SO8, dimensions in mm; technical drawings according to DIN specifications.

12. Revision History

Please note that the following page numbers referred to in this section refer to the specific revision mentioned, not to this document.

Revision No. 4707B-AUTO-10/05
History:
• Put datasheet in a new template
• Pb-free logo on page 1 added
• New heading rows on Table “Absolute Maximum Ratings” on page 7 added
• Table “Ordering Information” on page 13 changed

Atmel Corporation, 2325 Orchard Parkway, San Jose, CA 95131, USA, Tel: 1(408) 441-0311, Fax: 1(408) 487-2600

Literature Requests: www.atmel.com/literature

Disclaimer: The information in this document is provided in connection with Atmel products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Atmel products. EXCEPT AS SET FORTH IN ATMEL’S TERMS AND CONDITIONS OF SALE LOCATED ON ATMEL’S WEB SITE, ATMEL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
IN NO EVENT SHALL ATMEL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ATMEL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Atmel makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Atmel does not make any commitment to update the information contained herein. Unless specifically provided otherwise, Atmel products are not suitable for, and shall not be used in, automotive applications. Atmel’s products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life.

© Atmel Corporation 2005. All rights reserved. Atmel®, logo and combinations thereof, Everywhere You Are® and others, are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. Other terms and product names may be trademarks of others.