H-Bridge during processor fail

[jjwsei]

I am looking for any advice on how to best address the following issue:

A generic 8-bit microcontroller using an external crystal for clocking has two I/O pins being used to drive a discrete MOSFET h-bridge. If the controller should be at a point in the code that is commanding the h-bridge to be in an active state (one I/O line high and the other low) and the crystal of the microcontroller fails, the I/O lines will remain in the last set state. This means that the h-bridge will continue to run unimpeded which could be bad. Obviously the microcontroller WDT will be of no use since the crystal has died.

Thoughts or experiences on addressing this scenario would be welcome.

 

[crutschow]

Crystal failure is highly unlikely. Why are you worrying about that?

If you are really concerned about any failure that could hang the bridge, you could use an external Missing Pulse Detector circuit to shut the bridge off if the signal to the bridge quits.

 

[jjwsei]

Crystal failure is highly unlikely. Why are you worrying about that?

If you are really concerned about any failure that could hang the bridge, you could use an external Missing Pulse Detector circuit to shut the bridge off if the signal to the bridge quits.

I understand that crystals are relatively reliable but I have seen the case that I mentioned happen to a product that was using a BJT to drive a DC motor. Luckily the motor running uncontrolled, while bad, was not dangerous. Seeing this just brought to mind my question of what, if anything, people typically do to protect such a runaway situation.

My assumption would be that the reliability of an internal oscillator, built into more and more microcontrollers these days, is even more reliable than a crystal but I have no data to back up my assumption.

The missing pulse detector approach was my first thought also. However could it be even more simple than that? For example what if the motor drive transistor where PWM controlled and you coupled the PWM signal to the base of the drive transistor through a capacitor, then as long as the PWM signal were active the motor would be driven. If the PWM signal failed, do to a microntroller failure or the microcontroller halting the PWM signal, then the motor would stop. Seems simply and easy enough to do as a safety backup so why is it not implemented by default in most drive circuits i have seen? What am I missing?

 

[Tahmid]

You can enable IESO in the (PIC) configuration settings (if it exists in the microcontroller you're using). There's a fail-safe clock monitor that monitors the external clock source (LP, XT, HS, RC, EC) and switches to the internal oscillator when it detects the failure of the external clock source.

Hope this helps.
Tahmid.

 

[FvM]

I don't understand why you don't utilize the watchdog to handle the claimed problem. A watchodg reset will tristate the outputs, with respective external circuitry the system will fall into a safe state. This would be also the case for a number of more likely failure scenarios.

 

[crutschow]

...................................
The missing pulse detector approach was my first thought also. However could it be even more simple than that? For example what if the motor drive transistor where PWM controlled and you coupled the PWM signal to the base of the drive transistor through a capacitor, then as long as the PWM signal were active the motor would be driven. If the PWM signal failed, do to a microntroller failure or the microcontroller halting the PWM signal, then the motor would stop. Seems simply and easy enough to do as a safety backup so why is it not implemented by default in most drive circuits i have seen? What am I missing?

Certainly a capacitor would suffice if you biased the transistor to be off with no input. You may also need a diode to ground at the transistor input to act as a clamp and avoid excursions below ground.

It's likely not included in most designs because of the extra cost and complexity, and that the probability of such a failure occurring is considered very small. When is the last time you heard of a processor failing in a PC?