• State Resolved
  • Locked Locked
  • Replies 21 replies
  • Answers 1 answer
  • Subscribers 32 subscribers
  • Views 1925 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TM4C129ENCPDT: Detect bad RTC crystal or other

Brian Willoughby18
Intellectual 935 points
Part Number: TM4C129ENCPDT


Is there any way to detect that the RTC (Real Time Clock) crystal is bad? Is there any way to detect that some other aspect of the RTC clock source is not working for the purposes of the Watchdog?

I see example code that tests the HIBRIS.WC bit for the crystal to stabilize. Is this method guaranteed to detect a bad crystal or other clock failure? How long would be considered long enough to wait for this bit to be set before deciding that there is an unrecoverable error (other than using a fallback clock source)?

In this particular application, the RTC is not used for anything other than the Watchdog. In other words, no Wall Clock or Time of Day function is being used. Thus, if the RTC fails, there's no great loss to work around the missing feature. However, the Watchdog itself is critical, and must work if at all possible, and be detected if it's not going to work. Thus, if there is a way to detect a failed RTC, then the Watchdog could fall back to the less-accurate HIB LFIOSC at the same speed. The latter has been tested as sufficient, although the accuracy is not preferred. At least if the RTC is broken, the LFIOSC can perform within -70% to +127% of nominal.

Extra credit for detecting RTC failure on the fly, but I suppose that might require periodic testing - I dont see how it could be automatic since the Watchdog would stop working if the RTC failed after launch.

p.s. I noticed that the example code that I have found in TivaWare sets the Hibernate Oscillator into Low Drive mode after waiting for the crystal to stabilize. Is that the correct order? That's not supposed to be done first? The data sheet says that the drive should not be changed after the Hibernation Oscillator is running, so this looks suspicious. However, the example code does not Enable the RTC or select it as the Counter Mode until afterwards, so perhaps all is well. i.e. is it correct to wait for the crystal to stablize before setting the drive, but to make all other settings after the drive level?

  • 0
    TI__Guru**** 191906 points

    Hi Brian,

      Did you have a chance to detect RTC failure as a form of tamper event. Please see below excerpt. You might be able to detect the RTC failure before the watchdog expires

      In another TI MCU that I'm familiar with, there is a on-chip frequency counter that will take two clock sources (e.g. RTC clock and MOSC) and constantly compare between them. If the clock source under test is deviating from the reference clock, it is detected as a failure. This is done periodically. However, this feature is not available in the Tiva device.

      However, I can image that you setup a timer (Systick or GPTM) that will periodically interrupt. In the interrupt, you will read the watchdog value register (WDTVALUE) and see the amount of elapsed counts against the expected. This can also give an early warning. If you fail the early warning test, you can fallback to the LFIOSC before the WD expires. 

      

  • 0
    Guru 117855 points

    Extra credit Greetings,   (for detecting RTC failure on the fly)   Young staff's FLYING Hands (they are out of school) have awakened company mutt!   (et moi)

    In several of our firm's designs - external crystal (or oscillator) failure (or deviation) is detected by, "Strapping the xtal output to (both) its intended MCU source AND an appropriate buffer.   (the buffered output then "feeds" one of the MCU's unused Timer inputs.)

    In our case we most always have at least one free buffer stage - such may not (always) be strictly needed.

    As the crystal/oscillator frequency is known - we simply test for "deviation beyond the norm" - signalling "Crystal Issue!"   This method HAS SUCCEEDED in well detecting "Crystal Temperature AND Shock/Vibration weaknesses!"    (several of our designs are defense-based - where such IS a requirement!)

    Vendor Charles' idea of "Watchdog Comparison" exceeds (i.e. betters) ours - we may have to "borrow & incorporate" (i.e. steal) that...   Fear not Charles ... your (almost) virus-free check is (not yet) "Lost in the mail..."    (Damn post office!)

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    Thank you, Charles.

    Sounds like the tamper detection system can detect *subsequent* failures in the RTC, is that system also able to detect initial failures? In other words, I believe that I need to check on every cold boot whether the RTC is working, and if not, then fall back right away.

    It looks like if the RTC is good at cold start, then the tamper detection should be able to cause the Watchdog to fall back to the LFIOSC if the RTC fails later.

  • 0 in reply to Brian Willoughby18
    TI__Guru**** 191906 points

    Hi Brian,

      I think when you boot up you can enable the tamper module but not the tamper I/O pins. In another word, don't let any tamp I/O pins create tamper event but rather based on the RTC fail to cause an tamper event. Per the datasheet, the switching to the LFIOSC is done automatically. 

    Tamper Clocking
    The Hibernate clock is the clock source for the Tamper module. When an external oscillator is used
    and tamper is enabled, the external oscillator is monitored by the Tamper module. If the external
    oscillator stops for any reason, the XOSCFAIL bit is set in the HIBTPSTAT register and the Hibernate
    clock source is switched to the HIB LFIOSC immediately. When the XOSCST bit in the HIBTPSTAT
    register is 0, indicating the external oscillator is active, a 1 can be written to the XOSCFAIL bit to
    clear it and re-enable the external 32.768-kHz oscillator.

  • 0 in reply to Charles Tsai
    Guru 117855 points

    Hello Charles,

    May it be asked, "If the external oscillator stops for any reason" ... is it known if (only) oscillator stoppage is checked?

    Poster has not clearly specified what he defines as, "Bad RTC Crystal."   We suspect that "Bad RTC Crystal Circuit" (to include bypass caps) strengthens)

    Our group has noted:

    • unacceptable frequency drift (even shift) w/temperature
    • same as above - due to altitude
    • brief - yet impacting frequency excursions due to shock/vibration

    Depending upon the amplitude & duration of these conditions the RTC's accuracy may be jeopardized.   If "Stoppage" alone is checked - then the method my group has earlier proposed appears a stronger (more encompassing) alternative...

  • 0 in reply to cb1_mobile
    TI__Guru**** 191906 points

    Hi cb1,

      Your concern is valid. The datasheet does not elaborate beyond the external oscillator stoppage as a fail condition. Therefore, I do not know if the external oscillator is running too fast (up to what upper freq) or too slow (down to what lower freq) will be detectable. Brian's main use for the 32.768kHz oscillator is to feed the watchdog. If he adds some margin to the Watchdog timeout period then I think it should take care of the too fast scenario. Therefore, if the intention is to be able to generate a WD NMI or reset then some deviation on the oscillator frequency is probably acceptable. When XOSC fails, the internal LFIOSC is switched in, its accuracy is much worst. Brian must have to take this into account in his watchdog timeout already. 

      With all that said, your solution is a good recommendation. My earlier proposal to periodically check the XOSC frequency using the SysTick/GPTM running on a reference clock can also be considered. 

  • 0 in reply to Charles Tsai
    Guru 117855 points

    Hi Charles,

    Thank you - as always your insight & guidance is much appreciated.

    Young staff recalls my "reminding" (their word - "harping") upon the importance of, "Early Detection" of:

    • improper (i.e. out of spec) MCU functionality
    • and/or especially "failed performance"
      • by the MCU
      • its peripheral
      • or even another (non-MCU) critical system component or sub-system.

    Staff notes that "Poster's promised Extra Credit for, "Detecting RTC Failure 'On the Fly' - has been accomplished (only) via their proposal - which has received "No Credit" - yet alone its deserved Extra Credit!   Clever/Resourceful youth (really) should be (properly) served!   (rewarded)

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    Thanks, Charles. I just read the note on page 540 that says, "Hibernation clock input failure detect with a switch to the internal oscillator on detection."

    I'm not sure whether I even need to enable the tamper interrupt and provide a interrupt handler. However, I will enable this at least to read the XOSCST bit in HIB_TPSTAT so that the failure can be logged. Actually, it seems like it might be necessary to explicitly change the Watchdog clock source from RTCOSC to LFIOSC in this interrupt, because even though the Hibernate Tamper module will automatically switch over, I'm not convinced that the Watchdog module will also automatically switch over.

    These features will have to be tested once implemented, so I'm trying to figure out how to temporarily cause the crystal to "fail" without permanently cutting leads or otherwise making irreversible changes. Any suggestions for testing would be appreciated. I assume that temporarily grounding the XOSC0 input might be a non-destructive way to trigger the tamper detection.

    I don't think I will design the firmware to write a 1 to XOSCFAIL, but it's good to know that option exists.

  • 0 in reply to Brian Willoughby18
    TI__Guru**** 191906 points

    Hi Brian,

      Do you have the function generator to provide XOSC input? You can vary the frequency as well as stop the input. 

  • 0 in reply to Charles Tsai
    Guru 117855 points

    Hello Charles,

    Sufficient change in, "Bypass Cap Value" often will, "Stall the Xtal!"   (An MCU gpio can switch in (i.e. ground) a paralleled bypass cap.)   Our local U.L. Lab regularly employs such "MCU disabling techniques" ... we're uncertain as to its efficacy at/around 32KHz...

    You may note too that this proves a means to (somewhat) "Pull" the Main (i.e. HF) Xtal frequency - as well as determine "Crystal Circuit: Range, Sensitivity & Robustness!"

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    Our boards have already been manufactured, and this is a firmware improvement. Since the boards are already manufactured, it seems easier to short XOSC0 than insert a function generator. I also have the LaunchPad boards, but I'd rather not damage the 32,768 Hz crystal there, so again it's easier to short out than attach a function generator. I assume that none of the jumpers on the LaunchPad do not disconnect the 32,768 Hz crystal, because the crystal would probably perform poorly if the traces covered such a large loop.

  • 0
    Intellectual 935 points

    My apologies for adding a slightly off-topic question, but:

    Does the Tamper module generate an interrupt on XOSCFAIL?

    There is an interrupt vector for the tamper module, but what kind of interrupt is it (NMI or maskable) and what events are handled here?

    Does the main NMI interrupt vector handle Tamper events as well as the NMI signal? I see the NMIC register has a TAMPER bit to show that the Tamper module was the source of the NMI, but I'm not clear on whether I should add code to my NMI vector handler for Tamper, or if I should add code to the Tamper vector handler for this.

    I suppose it's also possible that the Tamper module provides no interrupt at all for XOSCFAIL, in which case I would need to poll for that. Since the firmware feeds the Watchdog timer periodically, I might just use that function to poll the XOSCFAIL bit and switch the Watchdog over to the fallback clock source when feeding the watchdog.

  • 0 in reply to Brian Willoughby18
    TI__Guru**** 191906 points

    Brian Willoughby18 said:
    so again it's easier to short out than attach a function generator.

    Hi Brian,

      You probably can use a tweezer or use the suggestion by cb1 to test the XOSC fail. 

  • 0 in reply to Brian Willoughby18
    TI__Guru**** 191906 points

    Brian Willoughby18 said:

    Does the Tamper module generate an interrupt on XOSCFAIL?

    There is an interrupt vector for the tamper module, but what kind of interrupt is it (NMI or maskable) and what events are handled here?

    Yes, you will need to handle the XOSC NMI in your system NMI handler. 

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    Thank you.

    For my edification, what is the purpose of the Tamper interrupt at Vector Number 91, Interrupt Number 75, Vector Address/Offset 0x0000016C ? It doesn't seem that I need it, but I am still curious what sorts of interrupts are handled by that vector.

  • 0 in reply to cb1_mobile
    Intellectual 935 points

    I thought there was a suggestion to change one or both of the XOSC pins to GPIO to simulate a bad 32,768 Hz crystal, but the problem with the simplest possibility there is that both XOSC0 and XOSC1 are a fixed pin assignment. Neither pin appears on a GPIO, so it is not possible to directly ground one or both of the crystal leads. In other words, these pins are dedicated to crystal functions and nothing else.

    I realize that it might be possible to connect a crystal pin to a normally-floating GPIO and then conditionally ground it for testing, but I do not want to change the circuit board design to allow for that nonstandard configuration. In other words, there's no sense wasting a third or fourth pin just to test and prove the tamper function. I'll just manually ground XOSC0 and see how that works for testing.

    I also plan to check whether Watchdog Timer 1 will automatically switch over from RTCOSC to LFIOSC at the same time that the Tamper module of the Hibernation peripheral switches over. I doubt that this will happen, since the RTCOSC is not even available as a source for Watchdog Timer 1 unless a dedicated gate is enabled, so I'm assuming there's not any automatic tracking here. A quick test should prove that hunch.

  • 0 in reply to Brian Willoughby18
    Guru 117855 points

    Greetings,

    Brian Willoughby18 said:
    I thought there was a suggestion to change one or both of the XOSC pins to GPIO to simulate a bad 32,768 Hz crystal

    No - that was not our suggestion.   Instead - as is "SOP" at Chicago's U.L. Lab - a 2nd bypass capacitor is (effectively) parallel connected w/one of the existing crystal bypass capacitors - this fully under MCU GPIO command/control via switching the "floating end" of the newly "tacked in" bypass cap. to ground.   (again - the "added/failure causing" crystal circuit bypass cap" has one end "tack soldered to one of the existing bypass caps" (XOSC connected) pins - the remaining (added capacitor) pin is then "switched to ground."   

    We now do this as a "Matter of Course" - as it "Speeds, Eases & Enhances" our U.L. Regulatory Screening.   (by our anticipation & execution - the UL test is simplified - even our "test costs" benefit - that's the best of both worlds - is it not?)

    Brian Willoughby18 said:
    I realize that it might be possible to connect a crystal pin to a normally-floating GPIO and then conditionally ground it for testing, but I do not want to change the circuit board design to allow for that nonstandard configuration.

    Again - that is (Not) what we've suggested - we propose the addition of an "Added (i.e. paralleled) bypass cap" - sufficient in value to cause the crystal to cease oscillation.   While the desire to, "Not change the pcb design" is reasonable - such was nowhere stated earlier (w/in this thread) & all alternative methods proposed - to our group's mind - cannot meet the advantages offered by our (far more reaching & exhaustive) technique...

    Brian Willoughby18 said:
    I'll just manually ground XOSC0 and see how that works for testing.

    It IS your project - however that's an especially brutal test - and may cause 'unanticipated' damage - which does not reveal until long downstream.   Working w/Venture Capital firms (as we do) - such (potentially damaging) "test" is (Not) recommended.

    Brian Willoughby18 said:
    there's no sense wasting a third or fourth pin just to test and prove the tamper function.

    We do not see how the "Single (or dual), sacrificial GPIO pin(s)" has (somehow) now risen to three - or (even) four!    Nowhere was that our suggestion!   In addition - our method (to include a buffer which feeds an MCU Timer pin - avoids any/all limitations which the tamper function likely imposes (i.e. Only checks for oscillator stoppage!)   Component aging, temperature induced deviation, shock/vibration & even MCU process variants are ALL detected by the method my group(far earlier) described...

    In summary - it is good that you've recognized a (likely) design weakness ... not so good that there (appears) unwillingness to deal w/it effectively...

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    Charles is correct. The Watchdog is currently running with the LFIOSC clock as an input, and it's accuracy is horrible. Even if the RTCOSC is running drastically fast or slow, it cannot be as bad as the LFIOSC. Only complete failure of the RTC is grounds for switching to an alternate clock source for the watchdog.

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    I devised a method to detect a failed or missing RTC clock source. By skipping the ROM based Hibernate functions, it's possible to time out while waiting for Write Complete. If more than 1.5 seconds (1500 ms) transpires, then the Hibernate peripheral can be Reset and OSCSEL can be set in HIBCTL on the second attempt. At the same time, OSCBYP and the usual CLK32EN are set. This will use the LFIOSC to run the Hibernate module, which will then report the XOSCFAIL bit.

    When the RTC crystal is present and functioning, the Tamper module will detect XOSCFAIL and switch over. Based on my testing so far, it seems that there is no need to manually switch Watchdog Timer 2 from RTCOSC to LFIOSC. Apparently, when the Hibernate module fails over from RTCOSC to LFIOSC, the Watchdog Timer 2 follows the change. At least I am able to trigger the firmware to hang in an infinite loop, and the WDT still catches it, even with the RTC crystal grounded and reporting XOSCFAIL via the Tamper module.

  • 0 in reply to Brian Willoughby18
    TI__Guru**** 191906 points

    Hi Brian,

      Thank you for coming up with this method of detecting the XOSC fail. If the WRC bit is not set in 1.5sec you assume the XOSC is bad and switch to the LFIOSC. I will reference your post when other people come up with the same question.

  • 0 in reply to Charles Tsai
    Intellectual 935 points

    I tested this on the LaunchPad. I found a small clip that stays attached to the exposed lead on the 32,768 Hz crystal that has no DC offset. I assume this connects to XOSC0. I tested the firmware by connecting and disconnecting the other end of the jumper to one of the ground pins on the LaunchPad, both before power-up and during firmware operations. It's basically a modification of the Watchdog test, but with some additions for the Tamper module.