51 MCU software triple monitoring anti-interference technology

The single-chip microcomputers used in industrial process control and intelligent instrumentation are inevitably subject to various electromagnetic interferences due to the often harsh field conditions. When the interference injected into the system acts on the CPU components inside the single-chip microcomputer, the consequences are more serious and will cause the system to lose control. The most typical out-of-control failure is to destroy the state of the program counter PC, causing the program to "fly around" in the address space or fall into a "dead loop". Therefore, it is an important part of the anti-interference design of the single-chip microcomputer application system to detect the program out of control as early as possible and take corresponding remedial measures.

The method of getting the program back on track from the "random" state is called program interception technology, including instruction redundancy technology, software trap technology, etc. To get the program out of the "dead loop", usually a monitoring technology implemented by hardware circuits is used, also known as "watchdog" technology (Watchdog). Common hardware "watchdog" circuits include monostable "watchdog" circuits, counter-type "watchdog" circuits, microprocessor monitoring dedicated chips, etc. The above anti-interference methods can be referred to in relevant literature. This article will discuss the "watchdog" technology implemented by software.

The "watchdog" technology implemented by hardware circuits can effectively overcome the adverse consequences caused by the main program or interrupt service program falling into a "dead loop". However, in industrial applications, serious interference sometimes destroys the interrupt mode control word, causing the interrupt to be closed. At this time, the general hardware "watchdog" will not be able to restore the interrupt to normal. Relying on software for multiple monitoring can make up for the above shortcomings.

The basic idea of ​​software "watchdog" technology is: monitor the operation of interrupt service program in the main program; monitor the operation of main program in the interrupt service program; use two interrupts to implement mutual monitoring, which is called software triple monitoring anti-interference technology. From a probabilistic point of view, this interdependent and mutually restrained anti-interference measure will greatly improve the reliability of the system.

This article takes MCS-51 microcontroller as an example to illustrate the basic principle of software triple monitoring. The system software includes three parts: main program, T0 timer interrupt subroutine and T1 timer interrupt subroutine. T0 is designed as a high-level interrupt and T1 is designed as a low-level interrupt, thus forming interrupt nesting.

1 Main program monitoring process design

While the main program completes the system measurement and control function, it also monitors the interrupt closure failure caused by interference in the T0 interrupt service program. A0 is the observation unit of the running status of the T0 interrupt service program. Every time T0 is interrupted, the A0 counting unit is interrupted less (the T0 timing overflow time is less than the running time of the measurement and control function module), causing A0 to change. At the exit of the measurement and control function module, the A0 value is compared with the E0 value to determine whether A0 has changed. If A0 changes, it means that the T0 interrupt is running normally; if A0 does not change, it means that the T0 interrupt is closed, then go to the program entry 0000H, and after error handling, the program resumes normal operation.

Assume that the A0, E0, and M counting units are 30H, 40H, and 50H units in the internal RAM respectively, and the monitoring program is as follows:

loop1: MOV 50H, #00H; clear M unit

MOV 40H, 30H; Temporarily store A0 unit

…; Measurement and control function module

CLR C

MOV A, 30H

SUBB A, 40H; Determine the change of A0

JZ loop

MOV 30H, #00H

LJMP loop1

loop: LJMP 0000H

2 T1 interrupt service program monitoring process design

While completing specific measurement and control functions, the T1 interrupt service program also monitors the running status of the main program. A main program running timer M1 is set in the interrupt service program. Every time T1 is interrupted, M automatically increases by 1. The product of the value in M ​​and the T1 timing overflow time represents the time value. If the time value represented by M is greater than the running time of the main program, it means that the main program has fallen into an "infinite loop" due to interference. The T1 interrupt service program will modify the breakpoint address, return to 0000H, and handle the error. If M is not greater than the running time of the main program, it means that the main program is running normally and the interrupt service program also returns normally. The M unit is cyclically cleared to "0" during the operation of the system main program.

Assume that the crystal frequency of the microcontroller is 6MHz, and T1 generates a 2ms timer interrupt in working mode 1, then the initial count value of T1 is:

(216-N)×2×10-6=2×10-3

N=64536D=FC18H

The maximum cycle time of the main program is 200ms, and the value of T should not be less than 64H, and can be 68H. A1 is the T1 interrupt program running status monitoring unit, taking the internal RAM 31H unit, M still takes the 50H unit, 60H and 61H are temporary storage units, then the T1 interrupt monitoring program is as follows:

PUSH PSW ; protect the scene

PUSH ACC

MOV TH1, #0FCH; Initialize T1

MOV TL1, #18H

INC 31H ;A1 unit plus 1

INC 50H; M unit plus 1

CLR C

MOV A, #68H

SUBB A, 50H; T≥M?

JC loop

... ;Interrupt the measurement and control program

POP ACC ;Recovery site

POP PSW

RETI ; return

loop: POP ACC; restore the scene

POP PSW

POP 60H ; Original breakpoint pops up

POP 61H[page]

MOV 60H, #00H; change the breakpoint to 0000H

MOV 61H, #00H

PUSH 60H

PUSH 61H

RETI ; return

3 T0 interrupt service program monitoring process design

The function of T0 interrupt is to monitor the running status of T1 interrupt service program. Since T0 interrupt service program is short, the probability of "dead loop" caused by interference is very small, and the interrupt shutdown failure is considered. A1 and B1 are T1 interrupt running status observation units. The initial value of A1 is 00H. Every time T1 is interrupted, A1 is increased by 1. If A1>0 is detected in T0 interrupt service program, it means that T1 interrupt is normal; if A1=0, B1 unit is increased by 1 (the initial value of B1 is 00H). If the accumulated value of B1 is greater than Q, it means that T1 interrupt is invalid, and the invalid time is the product of T0 timing overflow time and Q value. For example: T0 timing overflow time is 4ms, T1 timing overflow time is 2 ms, when Q=5, it means that T1 invalid time is allowed to be 20 ms. In such a long time, T1 has not been interrupted, indicating that T1 interrupt has a fault. Since T0 interrupt level is higher than T1 interrupt level, any fault of T1 (such as dead loop, interrupt shutdown) will be detected by T0. The T0 interrupt service program is generally very short, and the probability of an "infinite loop" occurring is very small.

Assume that the crystal oscillator frequency of the microcontroller is 6MHz, and T0 generates a 4 ms timing interrupt in working mode 1, then the initial count value of T0 is:

(216-N)×2×10-6=4×10-3

N=63536D=F830H

Design the data units A0, A1, B1 as internal RAM 30H, 31H, 32H respectively, Q=5, 60H, 61H as temporary storage units, then the T0 interrupt monitoring program is as follows:

PUSH PSW ; protect the scene

PUSH ACC

MOV TH0, #0F8H; set T0 initial value

MOV TL0, #30H

INC 30H ;A0 plus 1

MOV A, 31H; A1 unit is judged as 0

JZ loop1

CLR A ; Clear A1, B1 units

MOV 31H, A

MOV 32H, A

loop0: POP ACC; restore the scene

POP PSW

RETI ; return

loop1: INC 32H; B1 plus 1

CLR C

MOV A, 32H; B1 ≥ Q?

SUBB A, #05H

JC loop0

POP ACC ;Recovery site

POP PSW

POP 60H ; Original breakpoint pops up

POP 61H

MOV 60H, #00H; modify breakpoint 0000H

MOV 61H, #00H

PUSH 60H

PUSH 61H

RETI

When the system is disturbed, the main program may have an "infinite loop", the interrupt service program may also fall into an "infinite loop", or the interrupt may be disabled due to the destruction of the interrupt mode word. The "infinite loop" of the main program can be monitored by the T1 interrupt service program; the "infinite loop" and interrupt disable failure of the T1 interrupt service program are monitored by the T0 interrupt service program; the interrupt failure of T0 can be monitored by the main program. The triple software monitoring method has greatly improved the reliability of system operation.