Arduino 555 watchdog timer

  • #235477
    Steve Addy
    Participant
      @steveaddy35670

      Hi folks

      I am building a WW1 Baldwin Gas Mechanical in 7 1/4" gauge as mentioned elsewhere on the forum. I want to make it fly by wire using an Arduino and servos to control the Eaton Hydrostat and the engine revs. The code wasn't much of a problem and worked within a week of starting from having never seen an Arduino.

      However, a friend said, "What if it crashes?" Well you turn the ignition off, I had been more concerned about making it go! What you need is a 555 watchdog timer. A what?

      The idea is that a capacitor charges through a resistor, but never reaches the 2/3 rail voltage required to trigger the 555, as a discharge "heartbeat" comes from the living Arduino to drop it back down every 500 milliseconds or so. If the pulse stops, the 555 grounds the reset pin of the Arduino and discharges the timing capacitor to 1/3 rail through another resistor. Thus the grounding pull down time is adjustable and predictable.

      Well I found a circuit which didn't work immediately, so I bought a DSO and found the capacitor was unable to charge sufficiently through the resistor specified. I reduced this and watched what happened – going down from 1M to 47k Ohms gave the desired result. I now have the working circuit which trips if the pulse is removed. It will not reset the Arduino though.

      I wondered if the grounding period was insufficiently long and performed experiments with a push to make micro switch and the 'scope. The 555 was giving 50 odd milliseconds and not resetting the Arduino, but the switch would do it in less than 4 milliseconds. That wasn't the problem.

      I have tried a PNP transistor in the circuit to control the grounding and also a miniature relay due to the success of the switch. Nothing has worked. I have also had a play about with an op amp, but didn't have a proper power supply to drive it. That has been a failure so far, although I have had it following an input in a separate rig.

      My mother has dementia and is always harassing me, so I haven't been in the right frame of mind to be pushing back the boundaries of my electronic ignorance recently.

      I now have a nice bench power supply and a signal generator to go with the 'scope, but peaceful contemplation is a rarity these days.

      I am probably doing something really stupid, but I'm a complete novice in this area.

      It is also worth noting that I got the internal watchdog to work on a test setup, but as I have spent so much on gear for this it would be nice to have both levels of reset.

      Any ideas would be gratefully received.

      Steve

      #31836
      Steve Addy
      Participant
        @steveaddy35670

        stuff to reset a rogue Arduino

        #235478
        John Haine
        Participant
          @johnhaine32865

          Much easier to help if you could provide a schematic, Steve.

          #235482
          Steve Addy
          Participant
            @steveaddy35670

            Fair enough – I'll do that at some point John. It did strike me, but I'd lost the will to live after typing all that. laugh

            #235483
            Steve Addy
            Participant
              @steveaddy35670

              This is the original circuit; the values were changed to get it to charge and trigger. Pin D6 and the red LED serve no purpose other than pretty flashing. Pin D2 supplies the heartbeat grounding pulse. It all works, but when 555 pin 3 goes low to reset the Arduino, it upsets the device but doesn't reset it. It has to be disconnected after tripping to get a reset to occur. That rather defeats the object! crying

              clipboard01.jpg

              #235485
              Andy Holdaway
              Participant
                @andyholdaway

                Steve, what is the purpose of the 1N4001 diode on pin 3 of the 555? Could the 0.7 V drop across this mean that the reset pin on the Arduino isn't seeing a 'true' ground, but is floating above it?

                I would remove the diode first and see what that does.

                Andy

                #235488
                Steve Addy
                Participant
                  @steveaddy35670

                  I have learned about the voltage drop across a diode, Andrew. I don't know why it is there, but it doesn't work without it either.

                  This is what the article said :-

                  Once the discharge of C2 is complete, the connection between pin 3 on the 555 and RESET on the Arduino is pulled low, thus resetting the Arduino through the diode D1.

                  This is a similar circuit on the net **LINK**

                  Thanks for responding - I hate not knowing about things like this, but it is a whole new world of fascination to me!

                  #235489
                  Neil Wyatt
                  Moderator
                    @neilwyatt

                    Ahem…

                    All arduino boards use Atmel AVR chips… with built in watchdog timers.

                    All you need to do is programme the watchdog timer and put a 'kick dog' instruction somewhere where it is clear your code is working. If things go wrong the watchdog won't get reset and will time out, causing a watchdog interrupt. Just tell it what to do if you get a watchdog interrupt (throttle down/go into a safe mode etc.) and Bob's your uncle.

                    Adding a 555 external watchdog to an AVR is like fitting an anchor to a Ferrari as a handbrake!

                    Neil

                    #235499
                    Steve Addy
                    Participant
                      @steveaddy35670

                      Thanks Neil. As I said I have had that working. At first I read the internal one wasn't reliable hence the 555 steer from a friend. I'd still like to get it to work though.

                      Steve

                      #235500
                      Andy Holdaway
                      Participant
                        @andyholdaway

                        Good catch Neil, I'd forgotten the Arduino has a built in watchdog. It also shows that I didn't fully read the original post! I've never used an Arduino for a 'safety critical' function, so have never had a need for a watchdog.

                        Steve, the page you linked to explains that the diode is to prevent the reset pin being held high, which would prevent the board from being reprogrammed unless you physically reset it every time.

                        I (like you) don't understand how this circuit cannot work. If it works with a pushbutton (which will actually bounce and therefore switch the reset pin on and off many times in 4 ms), a hard ground reset off the 555 should also work, unless the processor is missing the pulse. If you have also tried a relay from the 555 to the reset pin, the contacts will also ring or bounce, so you have theoretically reproduced that.

                        I'll give it some more thought when I've had some sleep!

                        Andy

                        Edited By Andrew Holdaway on 21/04/2016 00:23:38

                        #235503
                        jason udall
                        Participant
                          @jasonudall57142

                          Have a care with the internal WDT… if set too short, the bootstrap “bootloader” code doesn't finish before the WDT resets, i.e. you can't bootload your Arduino. This doesn't kill it, but it will require using an ISP to get a fresh bootloader in…

                          #235510
                          Speedy Builder5
                          Participant
                            @speedybuilder5

                            Being a mechanical sort of bloke, shouldn't the safety device be "outside" of that circuitry, i.e. have a separate line of communication / power supply to stop/kill the engine?
                            BobH

                            #235514
                            Neil Wyatt
                            Moderator
                              @neilwyatt
                              Posted by jason udall on 21/04/2016 01:15:01:
                              Have a care with the internal WDT… if set too short, the bootstrap "bootloader" code doesn't finish before the WDT resets, i.e. you can't bootload your Arduino. This doesn't kill it, but it will require using an ISP to get a fresh bootloader in…

                              Or load a very short bit of code that switches the WDT off
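
Putting Neil's recipe (programme the WDT, kick it from working code, act on the interrupt) and jason's bootloader caveat together, here is an added example sketch that is not from the thread or from any poster. It assumes an ATmega328P board such as an Uno or Nano; the servo pins, servo angles and the 2 s timeout are placeholders, not Steve's actual wiring.

```arduino
// Added example, not from the thread: AVR internal watchdog on an
// ATmega328P board (Uno/Nano). Pin numbers, servo angles and the 2 s
// timeout are assumptions; "kicking the dog" is wdt_reset() in loop().
#include <avr/wdt.h>
#include <avr/interrupt.h>
#include <Servo.h>

const uint8_t REGULATOR_PIN = 9;     // assumed servo pin for the hydrostat
const uint8_t THROTTLE_PIN  = 10;    // assumed servo pin for engine revs
const int REGULATOR_NEUTRAL = 90;    // assumed neutral position, degrees
const int THROTTLE_IDLE     = 10;    // assumed idle position, degrees
const uint16_t WDT_MAGIC    = 0xBEEF;

Servo regulator, throttle;

// Survives a watchdog reset: AVR SRAM is not cleared by a reset, and the
// .noinit section stops the C runtime zeroing it. This lets setup() tell
// a watchdog restart from a power-on and start in a safe state.
volatile uint16_t wdtFlag __attribute__((section(".noinit")));

// Runs from .init3, before main(): after a watchdog reset the WDRF flag
// keeps WDE set with the prescaler at ~16 ms, so without this the chip can
// reset again before a slow bootloader or setup() finishes (jason's
// caveat). Optiboot does this itself; the older Arduino bootloaders did not.
void wdt_init(void) __attribute__((naked, used, section(".init3")));
void wdt_init(void) {
  MCUSR = 0;
  wdt_disable();
}

// Interrupt + system-reset mode, 2 s timeout (WDP2|WDP1|WDP0).
// WDTCSR is a timed register: set WDCE and WDE together, then write the
// new value within four clock cycles.
void enableWatchdog() {
  cli();
  wdt_reset();
  WDTCSR |= (1 << WDCE) | (1 << WDE);
  WDTCSR = (1 << WDIE) | (1 << WDE) | (1 << WDP2) | (1 << WDP1) | (1 << WDP0);
  sei();
}

// First timeout after the loop stops kicking: park the controls. Because
// WDE is also set, the hardware resets the chip on the following timeout.
// This only runs if the hung code left global interrupts enabled; if not,
// WDIE is cleared by hardware and the reset still follows.
ISR(WDT_vect) {
  wdtFlag = WDT_MAGIC;
  regulator.write(REGULATOR_NEUTRAL);
  throttle.write(THROTTLE_IDLE);
}

void setup() {
  regulator.attach(REGULATOR_PIN);
  throttle.attach(THROTTLE_PIN);
  regulator.write(REGULATOR_NEUTRAL);   // start safe whatever the cause
  throttle.write(THROTTLE_IDLE);
  Serial.begin(9600);
  if (wdtFlag == WDT_MAGIC) {
    Serial.println(F("restarted by watchdog; holding safe state"));
    // a real sketch would wait here until the driver re-arms the controls
  }
  wdtFlag = 0;
  enableWatchdog();
}

void loop() {
  // ... read the handset, drive regulator and throttle ...
  wdt_reset();    // the "kick": must happen at least once every 2 s
}
```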

                              #235516
                              John Haine
                              Participant
                                @johnhaine32865

                                What happens to D2 output when reset is asserted?

                                #235520
                                Michael Gilligan
                                Participant
                                  @michaelgilligan61133
                                  Posted by Speedy Builder5 on 21/04/2016 07:22:19:

                                  Being a mechanical sort of bloke, shouldn't the safety device be "outside" of that circuitry, i.e. have a separate line of communication / power supply to stop/kill the engine?
                                  BobH

                                  .

                                  An excellent point, Bob

                                  Something like a Dead Man's Handle … or a Motor Racing Cut-Out Switch

                                  MichaelG.

                                  Edited By Michael Gilligan on 21/04/2016 09:32:31

                                  #235547
                                  Neil Wyatt
                                  Moderator
                                    @neilwyatt
                                    Posted by Michael Gilligan on 21/04/2016 09:28:43:

                                    Posted by Speedy Builder5 on 21/04/2016 07:22:19:

                                    Being a mechanical sort of bloke, shouldn't the safety device be "outside" of that circuitry, i.e. have a separate line of communication / power supply to stop/kill the engine?
                                    BobH

                                    .

                                    An excellent point, Bob

                                    Something like a Dead Man's Handle … or a Motor Racing Cut-Out Switch

                                    MichaelG.

                                    Edited By Michael Gilligan on 21/04/2016 09:32:31

                                    But the 'external circuit' still relies on the arduino resetting correctly, so it isn't doing anything the WDT wouldn't do.

                                    My loco controller uses a remote handset and communicates over a serial link. If the loco doesn't receive valid data for a while, it stops the train. It works because I tested it by tangling the cable in the wheels.

                                    It was actually a watchdog reset that nearly fouled up the first moon landing IIRC – the calculations were getting too complex because it was trying to point a radio antenna (left on by mistake) as well as land the machine, so it was timing out. Buzz Aldrin had to switch to manual. They also had to fire one set of rockets by poking a biro cap into a broken switch…

                                    Neil

                                    #235556
                                    Michael Gilligan
                                    Participant
                                      @michaelgilligan61133
                                      Posted by Neil Wyatt on 21/04/2016 12:00:05:

                                      Posted by Michael Gilligan on 21/04/2016 09:28:43:

                                      Something like a Dead Man's Handle … or a Motor Racing Cut-Out Switch

                                      MichaelG.

                                      Edited By Michael Gilligan on 21/04/2016 09:32:31


                                      But the 'external circuit' still relies on the arduino resetting correctly, so it isn't doing anything the WDT wouldn't do.

                                      .

                                      I think we are at cross-purposes, Neil

                                      'Mine' would disconnect the Arduino along with everything else !!

                                      MichaelG.

                                      .

                                      Edit: Without wishing to prompt another Civil War about 'Elfin Safety'

                                      This is worth reading.

                                      Edited By Michael Gilligan on 21/04/2016 13:00:37

                                      #235560
                                      Neil Wyatt
                                      Moderator
                                        @neilwyatt

                                        The thing about safety systems for powered systems is that for a safe solution you need more than just switching off.

                                        Even for a simple RC plane the drill should be to cut the motor while still allowing control of the aircraft, forcing a landing but ensuring it is under control.

                                        For a loco, simply cutting the uP could leave all the controls set unless they are individually made to be fail-safe in the case of a lost control signal. What if the arduino is cut off with the regulator open?

                                        Second issue - an external reset won't distinguish between power-on and error conditions. It may also result in loss of data that could help you regain control of things.

                                        Cutting and re-attaching power will probably result in any data in SRAM being lost - such as control positions etc.

                                        Using an internal watchdog reset, the processor knows that things have gone pear-shaped, and that the device is likely to be running. It can do things like throttle back, apply brakes etc. in an 'intelligent' way if things like control positions are known. These can be different depending on things like speed – and may well be different from what you would want at normal startup.

                                        Neil

                                        #235561
                                        Muzzer
                                        Participant
                                          @muzzer
                                          Posted by Steve Addy on 20/04/2016 23:51:46:

                                          At first I read the internal one wasn't reliable hence the 555 steer from a friend. I'd still like to get it to work though.

                                          2 watchdogs on a model loco must be a first. But surely, if the internal watchdog isn't reliable then you aren't going to be going very far. The problem with watchdogs and other monitors is that they can only go wrong and stop your system actually doing something. As MichaelG says, a red e-stop button would do the trick without any faffing about.

                                          The normal principle is that you don't expect 2 errors to happen at once, e.g. both the engine controls and the watchdog go tits up at the same time, requiring a 3rd line of defence.

                                          Functional safety of electronic / electrical systems used in automotive applications is defined in ISO-26262, which is derived from IEC-61508. It would be considered unusual to have 2 watchdogs, even on a powerful vehicle that could run out of control with the risk of death. Might all seem a bit OTT but this is what is used to ensure that road vehicles are safe to drive on the road (apart from the nut behind the wheel, which isn't electronic). By and large it seems to work pretty well.

                                          Murray

                                          #235562
                                          Michael Gilligan
                                          Participant
                                            @michaelgilligan61133

                                            Neil,

                                            I think Murray has made the point more expertly than I could.

                                            My 'Cut-Out' would be in addition to all the clever 'Get-Out' devices.

                                            … Remember HAL in 2001

                                            MichaelG.

                                            #235568
                                            John Fielding
                                            Participant
                                              @johnfielding34086

                                              I don't know if Atmel have changed the original AVR processor but it was renowned for being sensitive to glitches. We almost went into full production with the AVR until a colleague discovered a real nasty effect!

                                              Wrap a few turns of wire around the pcb and then charge up a large electrolytic capacitor and discharge it into the ring coil. Instant gaga state with the AVR going into sulk mode. It completely lost its brains and locked some ports high and some low. Only way to recover is to do a hard reset.

                                              We changed to the Motorola GP32 processor, which is an automotive qualified device, and tried the same test. Absolutely no ill effects with the GP32 and we used it successfully ever after.

                                              Glitch failures in automotive or other safety critical applications can be induced by erratic supply contacts and many other wonky wiring, connectors or fuse holders. Imagine you have a racing engine running at, say, 10,000rpm and a glitch occurs which throws the ignition timing way off target, could be many degrees of extra advance for example, and figure out what damage this will do.

                                              A common fault of a competitor's ECU (which used the AVR) was to do this when cold cranking; it snaps the starter motor pinion right off the shaft when it kicks back! On our ECU we added an additional external under-voltage lockout, just in case the battery took a dip under cranking, to do a hard reset on the GP32 processor. Never saw a reset in the whole time we did the prototype testing, but it was there just as an added safety feature.

                                              Poor battery terminals can induce sudden low voltage transients under cranking, enough to cause a problem. Even when using a LDO regulator you can go below the critical voltage to the processor and then it can be slow to initiate an internal hard reset. Whilst it is thinking "Should I do a reset?" a lot of damage can occur. For really super critical applications you really need a last gasp method to kill everything to ensure 100% safety.

                                              As I mentioned Atmel may have solved this problem, but I would test it before I had any confidence in using it again for critical applications.

                                              #235583
                                              Neil Wyatt
                                              Moderator
                                                @neilwyatt
                                                Posted by Michael Gilligan on 21/04/2016 13:30:26:

                                                Neil,

                                                I think Murray has made the point more expertly than I could.

                                                My 'Cut-Out' would be in addition to all the clever 'Get-Out' devices.

                                                … Remember HAL in 2001

                                                MichaelG.

                                                "Turn off the blower, Hal."

                                                "I'm afraid I can't do that right now, Dave."

                                                #235584
                                                Neil Wyatt
                                                Moderator
                                                  @neilwyatt
                                                  Posted by John Fielding on 21/04/2016 13:44:46:

                                                  I don't know if Atmel have changed the original AVR processor but it was renowned for being sensitive to glitches. We almost went into full production with the AVR until a colleague discovered a real nasty effect!

                                                  We changed to the Motorola GP32 processor, which is an automotive qualified device, and tried the same test. Absolutely no ill effects with the GP32 and we used it successfully ever after.

                                                  You would probably be wanting these then:

                                                  http://www.atmel.com/products/microcontrollers/avr/automotive_avr.aspx

                                                  They may not have been available way back, if you were trying AVR back in the days of 1200 and 8515.

                                                  Neil

                                                  Edit: for those unfamiliar with these, they are versions of normal AVRs adapted for an automotive environment.

                                                  Edited By Neil Wyatt on 21/04/2016 15:05:46

                                                  #235597
                                                  Steve Addy
                                                  Participant
                                                    @steveaddy35670

                                                    I wish I'd kept my gob shut!

                                                    Steve

                                                    #235603
                                                    Muzzer
                                                    Participant
                                                      @muzzer

                                                      You wouldn't be allowed anywhere near a production vehicle without having passed a vast set of validation tests for both the hardware and the software. In particular, the "voltage reset" tests in ISO-7637 simulate the effects of voltage dips on the supply (battery) lines. The sort of misbehaviour described would certainly result in a fail and sounds as if it would most likely require a redesign. Clearly it's true that some microcontrollers are more sensitive than others in some areas but I've yet to hear of one that is somehow so flawed it can't be used consistently.

                                                      However, any microcontroller that sees any of its pins taken a few hundred mV below the substrate is liable to misbehave in an unpredictable way, so this is something that absolutely must be taken care of by good layout and following the application note very carefully. The device itself is tiny and is only susceptible to transients on account of the PCB layout itself – herein lies the skill of good design.

                                                      The normal approach to avoiding microcontrollers misbehaving due to supply voltage wobbles is to use an LDO incorporating a monitor (e.g. LP3871 from TI). You do the sums so that it flags an error before the micro has fallen out of its legal supply voltage range, so that it goes safely into reset – it absolutely is possible. And of course you test it to demonstrate it works, not to find out. From a software POV, the micro is required to be able to wake up and find itself looking at a spinning engine and take control without doing anything silly. Again, this is simply a basic requirement for the software and anything less would not be acceptable.
