Secure Design Using a Microcontroller III

Your Electronics Open Source
Home > Blog > allankliu's blog > Content

Secure Design Using a Microcontroller III
By allankliu Created 10/07/2008 - 04:51

BLOG Microcontrollers Crystal and Watchdog Timer Crystals are key component of practical electronics devices. The product will malfunction if the crystal stops. They are heartbeat of the product. Because crystals are mechanical devices, it is sensitive to the mechanical damage. Crystals can present challenges to design engineers. However, new packaging methods and careful circuit layout can help to minimize many issues. Improved package designs, such as surface mount, incorporate lower mass and higher pin count to support the crystal body. This are excellent solutions for mechanical vibration related failures. SMT spreads mass over larger base and uses additional leads and improved lead strength. Regardless of the package style used, the body of the crystal should be mounted flush with the board. This will greatly reduce rocking movement (pendulum effect) of the package and thereby lessen the stress on the leads. There are many other issues not discussed here that can lead to frequency drift and crystal failures, including thermal instability from electrolytic capacitor drift, board layout, and package density. If the electronics devices have strict requirements for safety, we should consider preventing such crystal failure issues, at least the system design should be capable to minimize the damages caused by the crystal failure. It is a challenging task in electronics design. Microcontrollers are often used in harsh environments where power supply transients, electromagnetic interference (EMI), and electrostatic discharge (ESD) are abundant. Program corruption caused by bus corruption and electromagnetic discharges can cause a microprocessor to execute erroneous instructions. In these environments, a watchdog timer is a useful peripheral that can help catch and reset a microcontroller that has gone "out of control." But what if the crystal stops? Can watchdog help out? No, the reason is quite simple - the watchdog gets its own beat from the failed crystal. NXP P87LPC7xx offers many options such as , local crystal oscillator, and internal RC oscillator. Many customers prefer to use internal RC oscillator in order to reduce the BOM cost. However I do not recommend it in a safety critical application. The best practice is using both oscillators in

1 din 3

11.07.2008 09:31

Secure Design Using a Microcontroller III

operation, even with external watchdog or backup microcontroller. The designer can use local oscillator with a crystal for the normal operation of microcontroller, while enable internal RC oscillator for watchdog. If the crystal fails, the watchdog is running anyway. After predefined timeout, the whole system can be reset. P89LPC9xx improved the design, it offers 400 KHz independent RC oscillator for watchdog timer, so its system clock could be selected from external input, crystal oscillator, internal RC, and watchdog has own RC oscillator. Somebody may wonder, what would happen if system has reset and yet crystal fails ? In fact, in case the crystal failure is permanent, what we can do is trying to reduce the harm done by the system or to the whole system itself. The watchdog triggered reset can help us to stop the power of peripherals, for example, high speed spinning cutting knife, write head in credit card read/write device. I checked the manual of NXP. It is not a perfect one, because the source can not be reconfigured on the fly or during reset period. It can only be re-configured during programming flash. Silicon Labs has C8051Fxxx family. These parts support more oscillators than NXP's. During reset, the internal oscillator is enabled, and they can switch the clock source to crystal on the fly. And these parts also support Missing Clock Detector Reset and PCA Watchdog Timer Reset. Those reset register bits are very useful to detect crystal failure. It is a better part for safety critical application. However, it still has a limitationl, the source is coming from one selected source, which means watchdog timer may fail as well. As a complement, clock detector will reset the part (But which clock is the source for this detector ?). However, I still prefer a watchdog that can have its own clock source, like NXP does. Finally, the watchdog timer clock should be separated from main clock source in a safety critical application. References HALT and Crystal Failures, by David Rahe


Using the Secure Microcontroller Watchdog Timer from maxim. The PDF version is located in [3].


2 din 3

11.07.2008 09:31

Secure Design Using a Microcontroller III

Product selection table from Silicon Labs Inc.,


Secure Design Using a Microcontroller (I) [5] Secure Design Using a Microcontroller (II) [6]


Source URL: Links: [1] [2] [3] [4] [5] [6]

3 din 3

11.07.2008 09:31

Sign up to vote on this title
UsefulNot useful