How a high-voltage watchdog timer improves the safety of in-vehicle systems

In automotive design, electronic systems are gradually replacing more and more mechanical functions, from engine timing control to brake and steering control, and electronic systems are relatively prone to failure. System safety therefore needs careful consideration to ensure high fault tolerance. A single point of failure should not place the driver or passengers in danger; at the very least, the car should be able to "limp" off the road or to the nearest repair station. To keep the car safe to drive when the electronics fail, a monitoring circuit is needed to switch in a backup circuit that safely takes over operation of the system.

In the era of purely mechanical cars, the engine ignited the air-fuel mixture according to signals generated by mechanical means. The mechanical distributor selected the appropriate spark plug and passed the signal along the line. The brake system transmitted the pressure on the pedal to the brake caliper through the brake shaft, brake master cylinder and hydraulic lines. The clutch and throttle were simply controlled by steel cables connected to the pedals. The steering wheel controlled the turning angle of the wheels through a metal steering wheel, steering shaft, steering gear box and steering gear. Engine control was also unlike the highly reliable electronic control unit (ECU) used today: there was no computer-assisted brake system, clutch, throttle or control system. There was, of course, no need to consider microcontroller (µC) failure, a short circuit in the control unit, and so on; the main cause of failure was the mechanical devices themselves. Because people trusted the reliability of mechanical equipment, they rarely considered system backup or fault tolerance. Once a component failed, the car could easily be in danger, and even when it was not, it was stranded at the scene and had to be towed to a repair center.

To improve driving comfort and convenience, car manufacturers fitted cars with electronic equipment, which brought higher efficiency, a cleaner environment and greater driving safety. Early ECUs could only stop running when a fault occurred, particularly because the electronics depended on the µC. If the µC failed, there was no backup plan to avoid life-threatening accidents, which is unacceptable to users and manufacturers; at a minimum, the design needs a backup system that lets the car be driven to a nearby repair station. Attention to this problem has increased rapidly. In response, many MCUs are equipped with a "limp home" management mode.

Limp home management mode

The "limp home" mode refers to a redundant function within the ECU. In the physical architecture, this is a completely independent part of the circuit, which can be turned on from the standby mode to enter the fail-safe state. This mode allows the car to drive off the road when the electronic system fails. Although it cannot maintain the original driving performance, it can ensure safety.

New-generation engine ECUs are equipped with monitoring devices, such as watchdog timers, that check whether the ECU is operating normally. Once abnormal operation is detected and a failure of an electronic device or of the µC (a software operation failure) is found, the monitoring device switches on the "limp home" control mode. For example, when the engine fault light comes on and only half of the fuel is injected into the engine, the engine generates very low heat, but the car can still be started and driven at a moderate speed, with just enough energy to get home or to a repair center.

Another good example is the "body control computer" in new cars, which controls the window lifts, front/rear lights, turn signals and windshield wipers, as well as the car's automatic shift control. The monitoring circuit monitors the working condition of the ECU. When a circuit unit or the µC malfunctions, the standby circuit is activated and the car runs in a degraded mode, for example with reduced brightness of the high-beam headlights and tail/brake lights, or with only second gear available. The maximum speed of the car is limited in this situation, but the car keeps working and can be driven safely to the repair shop in "limp home" mode.

Redundancy

Computer control applications are called "electrically controlled operations", and most mechanical control systems inside and outside the power system have been replaced by electromechanical controls. For example, interconnected ECU electronic control devices have replaced all mechanical units from the steering wheel to the wheels. The position of the steering wheel moved by the driver will be detected and converted into a digital electronic signal, which will be transmitted to the intelligent electromechanical transmission device to finally control the movement of the wheels.

The electronically controlled brake device also uses car computers, servo motors or electromechanical brake calipers to replace the early brake shafts, brake master cylinders and other units. Generally speaking, these systems have higher safety requirements and therefore higher fault tolerance requirements.

Engineers have designed backup circuits in these applications to build a complete redundant electronic control and monitoring unit. The physical structure of the redundant system should be completely independent of the main control unit, always ensuring that the system provides an effective and safe electronic control unit. The ECU monitoring circuit maintains continuous monitoring of the main system and reliably switches to the backup system when necessary.

Advantages of high voltage watchdog

For safety reasons, automotive electronic systems need monitoring circuits that supervise fault tolerance or safety. The MAX16997 / MAX16998 watchdog timers are well suited to these needs. By detecting the periodic pulses that the microcontroller (µC) generates under normal operating conditions, they can detect a failure of the circuit or of the µC. Once a failure occurs, the system can immediately be switched to the backup / redundant system.

The MAX16997 / MAX16998 provide timeout and window watchdog monitoring. Each device has a watchdog trigger input (WDI), an open-drain µC reset output (RESET) and an open-drain redundant-system enable output (ENABLE).

For the MAX16998, the reset threshold can be set by an external resistor divider (shown in Figure 1) between a low-voltage power supply (for example, the µC power supply), the external voltage monitoring input (RESETIN), and GND. The MAX16997 can read the status of KL15 (ignition switch) at the enable input (EN) and enable the internal watchdog timer after the car starts (Figure 2). At this time, the watchdog timeout period is extended to 8 times the nominal period, leaving enough open time for the µC.


Figure 1: The MAX16998 high-voltage watchdog timer is powered by an independent downstream low-voltage power supply (LDO) to provide a safety barrier for battery short-circuit protection, allowing the device to reliably switch to redundant circuits under fault conditions.


Figure 2: Similar to the MAX16998, the MAX16997 can safely switch to redundant circuits in a fault condition. It also has an active high enable input (EN) for turning on or off the watchdog timer.

The reset delay (MAX16998) and the watchdog timeout can be set independently with external capacitors (placed on the SRT and SWT inputs, respectively). The watchdog window is factory preset to 50% or 75% of the adjustable watchdog period.

The ultra-low operating current of 18 µA (typical) matters in automotive ECU applications, because these circuits are always on. In addition, the devices are available in a 3 mm x 3 mm, 8-pin µMAX package, ensuring operation over the automotive temperature range of -40 °C to +125 °C.

These ICs are powered directly from the 12V automotive battery and can withstand voltage transients of up to 45V (IN and ENABLE pins), whereas typical watchdog timers are powered by a downstream low-voltage supply (for example, 5V). Therefore, even when the downstream circuit is powered off or short-circuited to ground, the MAX16997 / MAX16998 keep working and can safely switch to the redundant circuit (by triggering the ENABLE pin). To support higher fault tolerance, the devices provide fault protection at the RESET, WDI, EN, and RESETIN pins, which can withstand 20V (Figures 1 and 2). These circuits therefore also form a reliable protection barrier against failures in the downstream circuit. The backup circuit should be physically independent of the "conventional" control circuit, so that the system can safely switch to backup mode when a failure occurs.

MAX16997 / MAX16998 timing

After power-on, when the voltage at the RESETIN pin (VRESETIN) rises above the power-on reset threshold (VPON), RESET stays low for the reset time (tRESET) and then goes high. At the same time, the watchdog timer starts counting (tWP). If no WDI trigger signal arrives within the specified open window (tOW), RESET is pulled low again, resetting the µC. If, for three consecutive triggers, the trigger signal falls in the closed window (tCW) or arrives after the end of the watchdog period (tWP), the ENABLE signal is set low. If, for three consecutive watchdog triggers, the WDI trigger signal returns to the open watchdog window (tWDI), ENABLE returns to high and the system switches back to the normal operating mode (Figure 3).


Figure 3: MAX16998 timing diagram (window watchdog).

Watchdog timeout and window watchdog

The MAX16997 / MAX16998A provide a standard watchdog timeout period, while the MAX16998B / D provide a window watchdog function (Figure 4). Choose the device type according to the security level the application requires. With a timeout watchdog, adjust the watchdog timeout so that the timer is cleared within the watchdog timing period; otherwise the device generates a reset signal. These watchdogs can therefore detect failures in program operation, for example the program running too slowly or a slowed digital clock (for example, the clock generated by the crystal oscillator). A window watchdog requires the timer to be cleared within a time window, so it can detect some additional faults, for example the program running too fast or the clock running too fast, which supports a higher security level.


Figure 4: MAX16998 watchdog timing period (window watchdog).

The third case in Figure 4 shows WDI being triggered within the specified time window. In the first case, WDI is triggered incorrectly: the signal arrives prematurely and generates a fault indication, and the cause of the fault is that the program runs too fast or the oscillator clock frequency has increased. The second case is also a trigger at the wrong time: the watchdog trigger signal is delayed too long, indicating that the program runs too slowly or the oscillator clock frequency has dropped.
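The timing rules in the "MAX16997 / MAX16998 timing" section and the three trigger cases above can be modelled in a few lines of C. This is an added example, not code from the article or from the device manufacturer; the 100 ms period, the 50% open window placed at the end of the period, the ignored reset pulse width and the sample traces are assumptions of the model.

```c
#include <stdio.h>
/* Simplified model of the window watchdog described above. Assumptions:
   times in ms, reset pulse width ignored, every WDI edge or timeout
   restarts the period, open window = last OPEN_PCT percent of T_WP. */
enum { T_WP = 100, OPEN_PCT = 50, T_CW = T_WP * (100 - OPEN_PCT) / 100 };

typedef struct {
    int start;             /* start of the current watchdog period */
    int bad_run, good_run; /* consecutive faulty / valid triggers  */
    int resets;            /* RESET pulses issued to the uC        */
    int enable_low;        /* 1 = ENABLE low, backup circuit on    */
} wdt_t;

static void wdt_fault(wdt_t *w) {
    w->resets++;
    w->good_run = 0;
    if (++w->bad_run >= 3) w->enable_low = 1;   /* three faults in a row */
}

/* Feed one WDI trigger at absolute time t. */
static void wdt_trigger(wdt_t *w, int t) {
    int late = 0;
    while (t - w->start > T_WP) {    /* period expired with no trigger */
        w->start += T_WP;
        wdt_fault(w);
        late = 1;
    }
    int early = !late && (t - w->start) < T_CW;  /* hit the closed window */
    w->start = t;
    if (early) wdt_fault(w);
    if (late || early) return;
    w->bad_run = 0;
    if (++w->good_run >= 3) w->enable_low = 0;   /* back to normal mode */
}

/* Constructed WDI traces (ms), not measured data. */
const int HEALTHY[]  = {80, 160, 240, 320};
const int TOO_FAST[] = {20, 40, 60};
const int TOO_SLOW[] = {130, 260, 390};
const int RECOVER[]  = {20, 40, 60, 140, 220, 300};

static wdt_t simulate(const int *t, int n) {
    wdt_t w = {0};
    for (int i = 0; i < n; i++) wdt_trigger(&w, t[i]);
    return w;
}

int main(void) {
    wdt_t f = simulate(TOO_FAST, 3), r = simulate(RECOVER, 6);
    printf("too fast: ENABLE low=%d resets=%d\n", f.enable_low, f.resets);
    printf("recover:  ENABLE low=%d resets=%d\n", r.enable_low, r.resets);
}
```

A plain timeout watchdog would accept the TOO_FAST trace, since every trigger arrives before the period ends; only the closed-window check flags it.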

Summary of this article

Fault tolerance and automotive safety have become key factors in automotive electronics design. In order to improve the efficiency of automobiles, improve comfort and reduce risks, it is necessary to efficiently manage the various units of the system: hardware, software, sensors, driven devices and operating units. High-voltage watchdog timers (such as MAX16997 / MAX16998) have played a key role in achieving this goal.
