1 Introduction
With the continuous development of industrial technology, the requirements for single-chip microcomputer control are getting higher and higher. Single-chip microcomputers are required to have higher response speed and stronger data processing capabilities. Various high-performance new single-chip microcomputers have been rapidly developed and applied. Single-chip microcomputers mainly carry high-speed digital signals. Weak signals are easily affected by external electromagnetic interference. At the same time, single-chip microcomputer systems may also suffer from power failures, dead loops and other problems. In industrial control situations, once a control error occurs, it will cause inestimable losses. Therefore, how to improve the reliability of control has long been an important issue. This article introduces a practical development plan using the 32-bit high-performance single-chip microcomputer MC68HC376, and focuses on the design and implementation methods to improve system reliability.
MC68HC376 is a new 32-bit high-performance single-chip microcomputer launched by Motorola. It has extremely strong data processing, logical operation and information storage capabilities, and supports BDM (Background Debug Mode). Through a simple dedicated cable interface, the microcontroller system can be emulated and developed directly and the program burned into the chip. In addition, because the MC68HC376 is highly integrated internally and needs little external expansion, it has strong anti-interference ability. Combined with anti-interference design of the external hardware circuits and the software, the control system can achieve high reliability.
2 Basic structural design of the control system
MC68HC376 has a high integration level. Its main functional modules include 32-bit CPU; system integration module (SIM); 4K backup RAM; 8K on-chip ROM; 10-bit queue analog-to-digital converter (QADC); queue serial communication module (QSM); configurable clock module (CTM4); time processing unit (TPU); 3.5K static TPURAM; CAN control module (TOUCAN). Its basic performance is as follows:
(1) 24-bit address bus and 16-bit data bus, with support for 32-bit data operations.
(2) Two 8-bit dual-function I/O ports, one 7-bit dual-function I/O port, and 16 to 44 analog input channels.
(3) System protection logic that can perform clock monitoring and bus monitoring at the same time.
(4) High speed: the system clock can reach 20.97 MHz with a 4.194 MHz crystal oscillator.
(5) Low power consumption, with a low-power sleep function.
(6) Support for high-level languages and background debugging.
Basic structure of system expansion
The MC68HC376 is highly integrated internally, so it requires little peripheral expansion work. The basic structure includes external Flash ROM, RAM, analog input channels, digital input channels, a keyboard, an LCD display, the RS-232 level converter MAX232 and the CAN controller CAN250, etc. Its structural block diagram is shown in Figure 1. This article focuses on the reliability design of the system.
3 System reliability design
3.1 Microprocessor hardware monitoring circuit
This paper uses the MAX705 monitor chip to form an external monitoring circuit. The external wiring of the circuit is shown in Figure 2. The circuit provides a watchdog timer, automatic and manual reset, and voltage threshold monitoring.
Because the states of the CPU and bus logic are undefined while the system is powering on, powering off, or running on insufficient supply voltage, the microcontroller should be held in reset during these periods to avoid control errors. The MAX705 has a reset threshold voltage of 4.65V, so the system remains in reset whenever Vcc is lower than 4.65V. Vcc is also connected to the PFI pin: when Vcc is lower than 1.25V, the PFO pin outputs an alarm signal. If the power alarm state persists for a long time, a power failure may have occurred and should be handled.
When the system is running normally, the CTD4 channel of the CTM4 module of the MC68HC376 provides pulses to the WDI pin of the MAX705 at intervals of less than 1.6s. Once the system fails to run normally and the WDI pin of the MAX705 stops receiving pulses, the watchdog timer overflows and drives /WDO low. Because /WDO is connected to the manual reset pin /MR, the /RESET pin sends an active-low reset signal to the MC68HC376 and returns the system to the reset state.
3.2 External filter circuit
Since the system uses an external reference frequency source, in order to improve the stability and reliability of the system frequency, it is necessary to connect a filter circuit to the XFC pin of the MC68HC376. This circuit should reduce the leakage current of the XFC pin as much as possible to improve the stability of the clock and the performance of the internal phase-locked loop. Figure 3 shows a high-stability filter circuit.
3.3 Reliability Design of Output Drive Circuit
After monitoring and analyzing the system status, the control device sends control signals to the control and regulation action units. If an output signal is disturbed by interference, or an erroneous control signal is issued because of a device failure, the resulting erroneous regulation action will harm the system. The output drive circuit therefore needs locking control and anti-interference design to improve the reliability of control.
(1) Locking control circuit
Here, the retriggerable dual monostable multivibrator 74LS123 is used to form the output locking circuit. The circuit wiring is shown in Figure 4. The A pin of the 74LS123 is connected to the CTD4 channel of the CTM4 module of the MC68HC376. Under normal circumstances, CTD4 provides pulses regularly, so the monostable circuit cannot flip and /Q remains 1. If the device fails and CTD4 stops pulsing, the circuit flips /Q to 0, so the locking signal becomes 0 and locks the output control signal. The other input of the AND gate 4081 is connected to the TCH15 pin of the TPU module of the MC68HC376, which is directly controlled by the MC68HC376. In normal operation, TCH15 is set to 1 when a control signal needs to be output and to 0 when no control signal needs to be output. Setting it to 0 makes the blocking signal 0 and blocks the output part, which prevents malfunctions caused by interference or other reasons.
(2) Anti-interference design of the control signal output part
When the blocking signal is turned on, the output control signal may still deviate because of disturbances, so the output circuit should be designed to reduce their influence. The form of the output circuit is shown in Figure 5 (only one output signal is drawn here).
When single-line control is used, a disturbance changes the level of the control signal and causes a malfunction. Here, the "0,1" control method is adopted instead. It uses two adjacent control lines, one connected directly to the AND gate 4081 and the other connected to the 4081 through the NOT gate 4069, so a valid level signal 1 is output only when the two control lines are "0,1". When a high or low disturbance drives both control lines to 1 or to 0 at the same time, an invalid level signal 0 is output. In this system, the CPWM7 pin of the CTM4 module and the lock signal together control the start signal, and the start signal and the control signal of the MC68HC376 together control the action output signal. In this way, the reliability of the output control is fully improved. Note that the I/O control signals of the single-chip microcomputer should use pull-up resistors.
3.4 Power-off alarm circuit
When one of the system's working power supplies is off, the control device will not operate normally, or the control signal will not be executed correctly. An alarm signal should be issued in this case. The power-off alarm circuit is shown in Figure 6. The working power supplies of each level are connected in series through MOC8050 optocouplers. Once a power failure occurs, the level of the power failure alarm changes from high to low and the alarm device is activated.
Software Reliability Design
3.5 Software Watchdog
The SIM module of the MC68HC376 contains a software watchdog, which the monitoring program can turn on to improve the reliability of the system. The software watchdog is controlled by the SWE bit in the system protection control register (SYPCR) of the MC68HC376. When the SWE bit is 1, the watchdog is activated and timing begins. When the device is working normally, the program should write 55H and AAH to the software service register (SWSR) before the software watchdog overflows. When the writes are completed, the software watchdog clears the current timing value and restarts timing. If the timing value overflows, the /RESET pin of the MC68HC376 is asserted and the system is reset. In this way, the system automatically returns to the reset state when the program is stuck in an infinite loop or has jumped to the wrong place for some other reason. The overflow time of the watchdog is determined by the system frequency and by the watchdog prescale bit (SWP) and watchdog timing field (SWT[1:0]) of the SYPCR register, as shown in Table 1. The overflow time must be chosen with care. If the value is too large, the program may stay in a dead loop or runaway state for a long time, resulting in control errors or failures; if the value is too small, it increases the burden on the program and reduces the operating efficiency of the device.
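The service sequence and the overflow trade-off above can be exercised on a host with the following C model. It is an added example, not code from the original design: the overflow time is given directly in ticks because Table 1 is not reproduced here, the task flags and function names are hypothetical, and the handling of a wrong value written to SWSR is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the software watchdog (not MC68HC376 register code). */
typedef struct {
    bool     swe;      /* SWE bit: 1 = watchdog running                      */
    uint32_t timeout;  /* overflow time in ticks; stands in for SWP/SWT[1:0] */
    uint32_t count;    /* ticks since the last complete service sequence     */
    bool     armed;    /* 55H seen, waiting for AAH                          */
} swdog_t;

void swdog_init(swdog_t *w, bool swe, uint32_t timeout_ticks)
{
    w->swe = swe;
    w->timeout = timeout_ticks;
    w->count = 0;
    w->armed = false;
}

/* Model of a write to SWSR: only 55H followed by AAH restarts the timer.
 * Assumption of this model: any other value cancels a pending 55H. */
void swsr_write(swdog_t *w, uint8_t value)
{
    if (value == 0x55) {
        w->armed = true;
    } else if (value == 0xAA && w->armed) {
        w->count = 0;
        w->armed = false;
    } else {
        w->armed = false;
    }
}

/* Advance one tick; returns true when the watchdog overflows (/RESET). */
bool swdog_tick(swdog_t *w)
{
    if (!w->swe)
        return false;
    if (++w->count >= w->timeout) {
        w->count = 0;
        w->armed = false;
        return true;
    }
    return false;
}

/* Hypothetical task check-in flags. */
#define TASK_SAMPLE  0x01u
#define TASK_CONTROL 0x02u
#define TASK_COMMS   0x04u
#define TASK_ALL     (TASK_SAMPLE | TASK_CONTROL | TASK_COMMS)

/* Service the watchdog only when every task reported since the last service,
 * so a timer interrupt cannot keep feeding it while one task is stuck. */
bool service_if_healthy(swdog_t *w, uint8_t *alive)
{
    if ((*alive & TASK_ALL) != TASK_ALL)
        return false;
    *alive = 0;
    swsr_write(w, 0x55);
    swsr_write(w, 0xAA);
    return true;
}

/* One main-loop pass per tick. The control task stops checking in from tick
 * hang_at onward (hang_at < 0: never hangs). Returns the tick of the reset,
 * or -1 if no reset occurs within `ticks`. */
int simulate(uint32_t timeout, int ticks, int hang_at)
{
    swdog_t w;
    uint8_t alive = 0;

    swdog_init(&w, true, timeout);
    for (int t = 0; t < ticks; t++) {
        alive |= TASK_SAMPLE | TASK_COMMS;
        if (hang_at < 0 || t < hang_at)
            alive |= TASK_CONTROL;
        service_if_healthy(&w, &alive);
        if (swdog_tick(&w))
            return t;
    }
    return -1;
}

int main(void)
{
    printf("healthy run: reset at tick %d\n", simulate(10, 100, -1));
    printf("control task hangs at 20: reset at tick %d\n", simulate(10, 100, 20));
    return 0;
}
```

The interval between the hang and the reset is the time the outputs stay under the control of a failed program, which is why the overflow value should be no larger than the application can tolerate.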
3.6 Program Area Division and Operation Level Control
The CPU32 can operate at two privilege levels: the monitoring level (the supervisor level in Motorola's terminology) and the user level. At the monitoring level, the CPU can use all internal integrated resources and all instructions, while at the user level its access to some registers and instructions is restricted. Using these levels effectively in the program gives controlled access to internal resources and some system instructions, thereby improving the reliability of system operation. The S bit in the status register SR of the CPU32 determines the working level of the CPU. When S=1, the CPU is at the monitoring level; when S=0, the CPU is at the user level.
Generally, the program area and data area of a microcontroller are in the same physical address space. For the MC68HC376, the function code FC[2:0] can be used to expand and divide the external physical space: by decoding FC[2:0] externally, the monitoring level program, monitoring level data, user level program, and user level data can each use their own independent address space. For each module inside the MC68HC376, the address space of that module's general registers is determined by the SUPV bit in its configuration register. When SUPV=1, the relevant registers are placed in the monitoring level data address space, and the CPU can access and operate them only at the monitoring level; when SUPV=0, the relevant registers are placed in the user level data address space, and the CPU can access and operate them at will. In this way, the entire program is strongly structured and access is controlled by level, which enhances the reliability of operation.
3.7 Bus Monitor
When the MC68HC376 performs internal bus operations, the data strobe response pin (/DSACK) and the automatic vector pin (/AVEC) should return the corresponding response signals. The bus monitor in the SIM module monitors the /DSACK and /AVEC signals, and when the response time exceeds the timing value, the bus error (/BERR) signal is asserted. The program should monitor the status of /BERR so that the bus error can be handled in time.
The timing value of the bus monitor is determined by the bus monitor timing field (BMT[1:0]) in the system protection control register (SYPCR). When BMT[1:0]=00, the timing value is 64 system clocks; when BMT[1:0]=01, the timing value is 32 system clocks; when BMT[1:0]=10, the timing value is 16 system clocks; when BMT[1:0]=11, the timing value is 8 system clocks. Programmers should choose the value based on the actual operating conditions.
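A host-side C model of the two mechanisms in 3.6 and 3.7, added here as an illustration and not taken from the original design: an external decoder that splits memory by FC[2:0], and the bus monitor that raises /BERR when no acknowledge arrives within the BMT[1:0] limit. The memory map, region names and acknowledge delays are constructed, the FC values are the standard M68000-family encoding, and the model assumes the bus monitor is enabled for these cycles.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* FC[2:0] values driven by the CPU32 (standard M68000-family encoding). */
enum {
    FC_USER_DATA = 1, FC_USER_PROG = 2,
    FC_SUPV_DATA = 5, FC_SUPV_PROG = 6
};

/* Bus monitor timeout in system clocks, indexed by BMT[1:0] (from the text). */
static const unsigned BMT_CLOCKS[4] = { 64, 32, 16, 8 };

/* One externally decoded region: it answers only when FC[2:0] matches. */
typedef struct {
    const char *name;
    uint8_t     fc;
    uint32_t    base, size;
    unsigned    ack_clocks;   /* clocks until the device returns /DSACK */
} region_t;

/* Constructed memory map for the example (hypothetical addresses). */
static const region_t MAP[] = {
    { "supv-prog", FC_SUPV_PROG, 0x000000, 0x10000,  2 },
    { "user-prog", FC_USER_PROG, 0x000000, 0x10000,  2 },
    { "supv-data", FC_SUPV_DATA, 0x100000, 0x08000,  2 },
    { "user-data", FC_USER_DATA, 0x180000, 0x08000,  2 },
    { "slow-lcd",  FC_USER_DATA, 0x200000, 0x00100, 20 },
};

typedef enum { BUS_OK, BUS_ERROR } bus_result_t;

/* The S bit of SR selects the level; the access type selects program/data. */
uint8_t fc_for(bool s_bit, bool is_program)
{
    return (uint8_t)((s_bit ? 4 : 0) | (is_program ? 2 : 1));
}

/* Run one external bus cycle through the FC decoder and the bus monitor.
 * *hit is the region that was selected, or NULL if none was. */
bus_result_t bus_cycle(bool s_bit, bool is_program, uint32_t addr,
                       unsigned bmt, const region_t **hit)
{
    uint8_t fc = fc_for(s_bit, is_program);

    *hit = NULL;
    for (size_t i = 0; i < sizeof MAP / sizeof MAP[0]; i++) {
        const region_t *r = &MAP[i];
        if (r->fc == fc && addr >= r->base && addr - r->base < r->size) {
            *hit = r;
            /* The device answers, but possibly too late for this BMT value. */
            return r->ack_clocks > BMT_CLOCKS[bmt & 3u] ? BUS_ERROR : BUS_OK;
        }
    }
    return BUS_ERROR;  /* nothing selected: no /DSACK, monitor raises /BERR */
}

/* On-chip module registers: SUPV=1 restricts them to the monitoring level. */
bool module_reg_access(bool s_bit, bool supv)
{
    return s_bit || !supv;
}

int main(void)
{
    const region_t *hit;
    bus_result_t r;

    r = bus_cycle(true, false, 0x100000, 0, &hit);
    printf("monitoring-level read 0x100000: %s (%s)\n",
           r == BUS_OK ? "ok" : "BERR", hit ? hit->name : "no region");
    r = bus_cycle(false, false, 0x100000, 0, &hit);
    printf("user-level read 0x100000:       %s (%s)\n",
           r == BUS_OK ? "ok" : "BERR", hit ? hit->name : "no region");
    for (unsigned bmt = 0; bmt < 4; bmt++) {
        r = bus_cycle(false, false, 0x200000, bmt, &hit);
        printf("slow-lcd with BMT=%u (%u clocks): %s\n",
               bmt, BMT_CLOCKS[bmt], r == BUS_OK ? "ok" : "BERR");
    }
    return 0;
}
```

The slow device in the constructed map shows why BMT[1:0] has to match the slowest legitimate peripheral: a limit tighter than its acknowledge time turns every valid access into a bus error.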
Other measures to improve reliability include configuring decoupling capacitors and powering the system clock circuit from an independent supply, VDDSYN, which reduces interference with the MCU and lets the system clock keep running when the MCU is powered off. When wiring, the clock circuit is placed in the center of the circuit board. The Standby RAM is powered by two supplies, VDD and VSTBY: during normal operation VDD is used, and when power is off the RAM automatically switches to VSTBY. In the software, storing the stack and some important data in the Standby RAM helps preserve important operating parameters.
4 Conclusion
This solution is built around the high-performance, highly integrated and reliable 32-bit microcontroller MC68HC376, and adopts a variety of design measures in hardware, software and board wiring to improve system reliability. The digital low-frequency low-voltage control device RSA800 using this solution has passed the product type test of the Power Equipment and Instrument Quality Inspection and Testing Center of the Ministry of Electric Power Industry.