A quasi-B class microcontroller platform

Since October 2007, in order to prevent personal injury in the event of malfunction, all newly listed home appliances must comply with the IEC60335 standard. For the first time, the new standard introduces the concepts of software testing and software classification. Depending on the software class (A/B/C), the new standard requires microcontroller components (such as CPU registers or memory) to be tested at power-up and monitored during operation, similar to the industrial or medical device markets, where safety-critical parts are evaluated according to SIL2/SIL3, IEC61508 or UL1998.


The new standard divides the software into three classes based on how dangerous the equipment is in the event of a failure. If the safety of the appliance does not depend on the software, it is a Class A device; an indoor thermostat or a lighting control switch, for example, is Class A. Conversely, if the software is used to prevent special hazards, such as the explosion-proof function of an electronically ignited gas stove, it is rated as Class C software. This article does not discuss the latter case, first because this type of system may require multiple microcontrollers, which is beyond the scope of this article, and second because most electronically controlled home appliances must have protection against unsafe operation, which places them in Class B. This is the case, for example, for the electronically controlled door lock of a washing machine or a dishwasher pump drive with motor overheat detection.

For Class B devices to be tested, the IEC60335 standard allows us to refer to another standard, IEC60730, as it covers all electronically controlled switching products. Table H.11.12.7 of Annex H of this standard lists the microcontroller components to be tested for Class B and Class C software, faults to be tested, and compliance values.

These test procedures can be performed directly by dedicated hardware in the microcontroller or by software. STMicroelectronics' STM32, a 32-bit microcontroller based on the Cortex-M3 core, is a quasi-Class B product with built-in hardware that monitors CPU program counter abort, abnormal clock frequency and flash content integrity.

The standard proposes an "independent time slot monitoring" concept to prevent the CPU from getting out of control in the event of a PC failure. Most microcontrollers have a built-in watchdog timer. However, the watchdog that assumes this responsibility must be an independent circuit. For this reason, the STM32 has two watchdogs: the first is a normal windowed watchdog whose clock comes from the main clock source; the second is driven by a separate internal oscillator and is started from an option byte in flash. This design ensures that at least one watchdog continues to operate in the event of a crystal failure, regardless of the clock circuit configuration.

Figure 1 is a simplified diagram of the clock circuit of the STM32, depicting various clock sources and methods of connection to other parts of the chip.


The real-time clock can be sourced from an internal low-speed (LSI) RC oscillator. This feature provides a way to monitor the external clock by comparing the expected external frequency with the internal frequency required by the clock component. At the system level, this method can save the cost of a 50Hz/60Hz AC mains zero-crossing detection circuit, except when the application drives a triac that requires this circuit.

Finally, the STM32 also includes a 32-bit hardware CRC calculation unit that speeds up flash data integrity checks and reduces the CPU load (the amount of CPU processing at runtime) to a negligible level.

If the tests are implemented in hardware, most of them require a fairly large chip area. For example, detecting a single-bit error in RAM requires a parity bit to be added to every data word. The STM32 microcontroller does not take this approach because it would hurt the cost-effectiveness of the chip, and the test function can easily be implemented in software alone. STMicroelectronics therefore provides users with a self-diagnostic firmware library free of charge. The firmware library contains the following C test modules: CPU register test; clock monitoring; RAM functional check; ROM checksum integrity check; watchdog self-test; and stack overflow monitoring (this feature improves the overall coverage of error detection even though the standard does not explicitly require it).

Looking at one of the test modules, the RAM test, helps to understand the restrictive requirements of Class B software. The standard requires periodic detection of DC faults in the RAM (such as stuck-at or coupling faults). The March C algorithm can detect all of these errors and the number of channels occupied is very limited. However, in order to improve energy efficiency, it requires consideration of the physical implementation of the memory. The STM32 scrambles logical to physical addresses. The Cortex-M3 core's large register set allows the scrambling to be built into the algorithm without using any RAM cells (the test is destructive and the entire memory array must be verified). As an additional requirement, this test must be carried out on a regular basis. If the appliance is powered up and then used only for a short period, the post-boot test can be considered a periodic test. Conversely, if the appliance remains powered up, the RAM must be re-tested during operation, and the situation becomes more complicated: the RAM test must be transparent, because it touches memory cells that the application is using. The test operation principle is shown in Figure 2.


The firmware library provides a different set of C functions for runtime testing. These functions must be executed in the highest-priority interrupt routine. To avoid excessive CPU load and an impact on real-time response, the firmware library also provides several options. Users can choose the March C or March X algorithm, trading a limited loss of coverage for slightly higher speed. The number of memory cells tested in one pass can be modified in the header file so that the duration of the interrupt routine can be fine-tuned to a level of a few nanoseconds.
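The transparent run-time RAM test described in the two paragraphs above, as an added example that is not ST's library code: it runs March C- (the common reduced form of March C) over one small block per call, after saving the application data and restoring it afterwards. The simulated `ram` array, the fault-injection variables and all function names are assumptions made for this sketch, and the address scrambling mentioned above is ignored.

```c
#include <stdint.h>
#include <stddef.h>

#define RAM_WORDS   16u  /* simulated RAM size (constructed) */
#define BLOCK_WORDS 4u   /* words tested per interrupt slice */

static uint32_t ram[RAM_WORDS];  /* stands in for application RAM */
static int      fault_idx = -1;  /* cell with an injected stuck-at-0 bit, -1 = none */
static uint32_t fault_bit = 0;   /* mask of the stuck bit */

/* All test accesses go through these so that a fault can be injected. */
static void wr(size_t i, uint32_t v) {
    ram[i] = ((int)i == fault_idx) ? (v & ~fault_bit) : v;
}
static uint32_t rd(size_t i) { return ram[i]; }

/* One march element: read `expect`, then write `next`. Returns 0 on mismatch. */
static int march(size_t base, size_t n, int up, uint32_t expect, uint32_t next) {
    for (size_t k = 0; k < n; k++) {
        size_t i = base + (up ? k : n - 1 - k);
        if (rd(i) != expect) return 0;
        wr(i, next);
    }
    return 1;
}

/* Transparent March C- over one block: 0 = pass, -1 = fault. */
int ram_test_block(size_t base, size_t n) {
    uint32_t save[BLOCK_WORDS];
    const uint32_t Z = 0x00000000u, O = 0xFFFFFFFFu;
    if (n > BLOCK_WORDS) return -1;
    for (size_t k = 0; k < n; k++) { save[k] = rd(base + k); wr(base + k, Z); } /* backup, M0 (w0) */
    int ok = march(base, n, 1, Z, O)   /* M1 ascending  (r0,w1) */
          && march(base, n, 1, O, Z)   /* M2 ascending  (r1,w0) */
          && march(base, n, 0, Z, O)   /* M3 descending (r0,w1) */
          && march(base, n, 0, O, Z)   /* M4 descending (r1,w0) */
          && march(base, n, 1, Z, Z);  /* M5 (r0), rewriting 0 is harmless */
    for (size_t k = 0; k < n; k++) wr(base + k, save[k]);  /* restore application data */
    return ok ? 0 : -1;
}

/* Called from the periodic high-priority ISR: tests the next slice, wraps at the end. */
int ram_test_step(void) {
    static size_t next = 0;
    int r = ram_test_block(next, BLOCK_WORDS);
    next = (next + BLOCK_WORDS) % RAM_WORDS;
    return r;
}

int main(void) { for (int s = 0; s < 4; s++) if (ram_test_step()) return 1; return 0; }
```

`BLOCK_WORDS` plays the role of the header-file setting that bounds how long each interrupt slice runs.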

This example shows that a firmware library like this can bring customers great benefits in development time. Likewise, some tests are written in assembly language (typically the CPU test, since C hardly allows direct handling of core registers and flags); the assembly-optimized routines provided with the firmware library mean the customer does not need to learn the Cortex-M3 instruction set.

In addition to these separate tests, the self-diagnostic firmware provides a Class B software reference framework, including a development tool studio, modified vector tables, and custom linker script files for handling Class A and Class B variables when creating a new project. After the reset vector is fetched, the boot sequence begins execution immediately and all necessary tests (CPU, watchdog, clock monitoring, RAM, and flash tests) are completed before the application starts; the boot sequence can be reused as it is. After the tests are complete, the secure boot sequence immediately returns to the compiler's C startup entry point, so that from the development tool's point of view all initial tests are completely transparent (the RAM is verified before the data is automatically initialized). The program sequence itself is monitored with a counter method, so that you can verify that all tests have been executed.
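One way to implement the counter method mentioned above, as an added example rather than the library's own code: every test adds a unique signature to one counter on entry and subtracts it from an inverse counter on exit, and the boot sequence checks both before handing over to the application. The signature values and all names are assumptions made for this sketch.

```c
#include <stdint.h>

/* Unique signature per start-up test (values constructed for this example). */
enum { SIG_CPU = 3, SIG_WDG = 5, SIG_CLK = 7, SIG_RAM = 11, SIG_FLASH = 13 };
#define SIG_ALL (SIG_CPU + SIG_WDG + SIG_CLK + SIG_RAM + SIG_FLASH)

static uint32_t flow_cnt;      /* increased on entry to each test */
static uint32_t flow_cnt_inv;  /* decreased on exit from each test */

static void flow_reset(void)         { flow_cnt = 0; flow_cnt_inv = 0xFFFFFFFFu; }
static void flow_enter(uint32_t sig) { flow_cnt += sig; }
static void flow_exit(uint32_t sig)  { flow_cnt_inv -= sig; }

/* Stand-in for one self-test; a real test returns nonzero on failure. */
static int run_test(uint32_t sig) {
    flow_enter(sig);
    /* the hardware check itself would execute here */
    flow_exit(sig);
    return 0;
}

/* 0 = every test was entered and left exactly once, -1 = sequence error. */
int flow_check(void) {
    if ((flow_cnt ^ flow_cnt_inv) != 0xFFFFFFFFu) return -1; /* entry without exit, or corrupted counter */
    if (flow_cnt != SIG_ALL) return -1;                      /* a test was skipped or repeated */
    return 0;
}

/* Boot sequence; skip_sig omits one test to simulate a jump over it (0 = none). */
int boot_sequence(uint32_t skip_sig) {
    static const uint32_t order[] = { SIG_CPU, SIG_WDG, SIG_CLK, SIG_RAM, SIG_FLASH };
    flow_reset();
    for (unsigned i = 0; i < sizeof order / sizeof order[0]; i++) {
        if (order[i] == skip_sig) continue;
        if (run_test(order[i])) return -1;
    }
    return flow_check();  /* only on 0 would control pass to the C startup code */
}

int main(void) { return boot_sequence(0) != 0; }
```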

The firmware library does not include every test item in the H.11.12.7 table. Some are only relevant for systems with external memory (part 5 on data channels) or ASIC/gate arrays (part 9 on custom chips). Some checks are related to the application: Part 6 on the External Communication Interface, Part 2 on Interrupt Control, and Part 7 on Input and Output Peripherals. Let's take a quick look at how to test interrupts and input and output circuits.

If you need to monitor the interrupt rate and detect "no interrupt" or "interrupts too frequent" conditions, cross-checking several independent time bases is a good solution. The method is fairly simple to implement, but each case must be customized individually, depending on the number of ISRs being serviced and their frequency. For this reason, this method is not included in the firmware library.
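A sketch of such a cross-check, added here as an example and not taken from the firmware library: each monitored ISR counts its own hits, and a routine driven by an independent time base compares the counts against plausible limits at the end of every window. The two ISRs, the 100 ms window and the limits are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    volatile uint32_t hits;  /* incremented inside the monitored ISR */
    uint32_t min, max;       /* plausible hits per reference window */
} isr_slot_t;

/* Constructed case: a 1 kHz control tick and a 100 Hz mains zero-cross ISR,
   checked every 100 ms window of an independent time base, +/-10 %. */
enum { ISR_CTRL, ISR_ZCROSS, ISR_COUNT };
static isr_slot_t slots[ISR_COUNT] = {
    [ISR_CTRL]   = { 0, 90, 110 },
    [ISR_ZCROSS] = { 0,  9,  11 },
};

#define FAULT_MISSING(i)  (1u << (2 * (i)))      /* too few or no interrupts */
#define FAULT_TOO_FAST(i) (1u << (2 * (i) + 1))  /* interrupts too frequent */

/* Call as the first statement of each monitored ISR. */
void isr_hit(size_t id) { slots[id].hits++; }

/* Call from the independent time base at the end of every window.
   Returns 0 if all ISR rates are plausible, else a bitmask of faults. */
uint32_t isr_window_check(void) {
    uint32_t faults = 0;
    for (size_t i = 0; i < ISR_COUNT; i++) {
        uint32_t n = slots[i].hits;
        slots[i].hits = 0;  /* start the next window */
        if (n < slots[i].min) faults |= FAULT_MISSING(i);
        if (n > slots[i].max) faults |= FAULT_TOO_FAST(i);
    }
    return faults;
}

/* Host-side simulation of one window with the given hit counts. */
uint32_t simulate_window(uint32_t ctrl_hits, uint32_t zc_hits) {
    for (uint32_t k = 0; k < ctrl_hits; k++) isr_hit(ISR_CTRL);
    for (uint32_t k = 0; k < zc_hits; k++)   isr_hit(ISR_ZCROSS);
    return isr_window_check();
}

int main(void) { return simulate_window(100, 10) != 0; }
```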

For input and output peripherals, Class B software must detect any fault on the digital inputs and outputs and on the analog channels. This is a plausibility test. Take a heating element as an example: the power supply is switched by a triac and the temperature is measured by a negative temperature coefficient (NTC) resistor connected to the analog-to-digital converter. If the triac is turned on and the temperature does not rise, this indicates that the digital output or the triac is damaged, or that the analog-to-digital converter is not working properly. In any case, Class B software must detect these error conditions and take appropriate action.

The firmware library is also equipped with technical documentation and a useful RS-232 based Verbose mode. This firmware was field tested by the European testing organization VDE under real conditions and was tested and certified by the agency. The STM32's self-diagnostic routine is certified to IEC60335-1. If these modules are not modified before use and are used in accordance with ST's integration guidelines, these modules do not need to be re-evaluated, simplifying the final application certification process, reducing time-to-market and reducing development costs.

The STM8 series of 8-bit microcontrollers are also positioned in the home appliance market. They also integrate dual watchdog timers and fail-safe circuits. Their self-diagnostic routines were certified by VDE in February 2008.
