Digital Replacing Analog


A single circuit is not enough for safety

When doing approvals they can inject a fault in both standard circuits and protection circuits. So normally you need duplicated protection circuits to get a product approved

Cheers

Klaus

Reply to
Klaus Kragelund

Well, by definition. Digital is a subset of analog.

Long, long gone are the days of big boards stuffed with op-amps (or with discrete logic, for that matter). More and more is integrated into MCUs, SoCs and such. They often still need op-amps for AFE, power amps for output, power switches, glue logic -- you're never going to eliminate all of those, in all situations. 2N3904 and CD4011 will never die, among many others. That's not the point, the point is everything in between.

Tim

--
Seven Transistor Labs, LLC 
Electrical Engineering Consultation and Design 
Website: https://www.seventransistorlabs.com/
Reply to
Tim Williams

Ah okay. It wasn't specified, so I was careful to accommodate the possibility that this was updating an old design.

Oh, is it a small quantity thing? (Production was also unstated.) By that I mean, I take it the development costs will not amortize effectively, which might be a good reason to avoid software development.

And also that the client is very confident in their spec, so changes are not expected -- programming "in solder" being a lot more expensive than software.

There are power management chips for that. Check hot-swap and wired-OR controllers. Though if you need a few more features than they offer, it might be best to integrate it by hand.

And again, (ab)using a switching reg (in this case, one that can deliver 100% duty cycle) looks attractive, offering a much longer overload period (e.g., continuous vs. a few ms), might be useful.

Eww, tons of excess loop gain! Try heavily degenerating the NFET, and putting some kind of local feedback around the PFET (source degeneration is best, but mind the voltage drop; a current-sense amp might be used here, though costing phase margin).

A charge pump to create an over-the-top rail isn't a bad idea, but not absolutely necessary. That allows a NFET follower (enh mode) -- much more stable. Depl. mode also an option, but fewer FETs to choose from.

And look at using a higher voltage op-amp, all that extra level shifting is a mess and why bother when you can do it straight away, y'know? Then you can direct drive the PFET /and/ sense its current (from a small shunt) to get a fast and stable loop.

As for compensation, try R+Cs instead of R (completely wastes loop gain) or C (wastes phase margin) across the op-amp (out to -in).

A partial solution to that, is to use source degeneration (again, mind the voltage drop, this isn't always viable) and a fairly tight gate voltage clamp (maybe a 5V zener?). Yanking down on the drain pulls big current, and gate capacitance pulls gate voltage down along with it. Zener yanks the gate back, limiting current. You can go from, say, >100A transients (under a momentary-shorting load condition), to only a modest factor above the design current limit (say 2-10x, the ratio of course depending on how much voltage drop you can afford on the shunt).

I was just browsing FPGAs the other day, actually; notice I didn't specify what range of FPGAs. I meant FPGAs as a whole. Median parts seem to be in the low $10s, with the smallest entry-level parts being $2.

MCUs start at a fraction of that, and median parts are a few bucks.

As for approval, some people consider FPGAs to be "hardware", but I don't know of any standards about that (for or against). Good luck.

Like I said, allowing for the possibility of it being an update thing instead. :) Though conceptually, if one is more accustomed to one or the other, there's some mental or diagrammatic "rewriting" to fit a given application to one system or the other. But that's high level, and fairly slight in the overall design process.

Ah good -- since this is apparently a low-quantity thing, working in what you know is well worth the development savings. And that's good justification for using a less cost-optimized platform.

Heh... I did a personal project over the summer, a little DSP (audio effects) in an ATXMEGA. Going from GCC 8, to hand optimized assembler, I expanded the DSP functions from 2 delay taps and 1 filter stage, to 6 delay taps and 2 filter stages (with CPU cycles to spare). avr-gcc is an abomination at optimizing.

arm-gcc likely does a hell of a lot better.

Yes, exactly. Doesn't sound like much bandwidth -- something that a 8051 could compute probably, but also well suited to FPGA where you have all the logic right there, ready to go. The Venn diagram has much overlap.

Complaining about top posting? In 2020? Hhhahahhahaha!

...Using newsgroups in 2020? Hhhahahhahaha!.. oh...

I'm not sure who should be more embarrassed, to be honest. We're both in a pretty silly circumstance.

Tim

--
Seven Transistor Labs, LLC 
Electrical Engineering Consultation and Design 
Website: https://www.seventransistorlabs.com/
Reply to
Tim Williams

n reaching an overload condition before it can tear up the gears or break the shaft (which the others on the project have done several times). This shut down was measuring the motor current and pulling the plug, then allowing the MCU to restart it when needed.

so we need something to limit the voltage. A regulator often requires significant head room to work, so I used the same pass transistor to add a voltage output limit.

ith a bunch of other stuff, and not cost any more. The design time will be a lot less as well although the analog circuit is already done in simulation.

laced by a few FF and gates inside a chip where they will never be seen, just chug along.

of a new project and the develop environment for it?

e system if the software crashes. No?

But it is controlled and potentially corrupted by the software. In the FPGA the calcs will be done independently of the software and the interface won't provide a means of corrupting the alarms. We are looking at having the user interface controlled by the FPGA (it is very simple) reporting the info to the software and using what is needed in the FPGA. So no settings corruption possible, except by the FPGA.

I've been looking at the I/O count and it's going to be dicey unless I use a honkin' big package because there are so few choices that aren't BGA. I really hate the QFP144, but that might be what we have to use. Without that there might not be I/Os for the over current control.

tage?

and the motor is over current, like when the software crashes and the motor rams into a solid stop.

he timer output/sets them to safe state, all in hardware

That's a great feature. Sounds like someone was paying attention. So this would be triggered by an input from the over current logic? I think we are using the PWM to control the motor controller. There are two pins to set direction and a PWM pin to control the duty cycle. I'll pass on your info. Maybe we will be happy with that. Right now they would be happy with the software detecting and stopping the motor, but the early boards they are using have no working current measurement.

SD ADCs take three I/Os. 2 for the LVDS input and one more for the data output to be filtered and used on the input. With multiple ADCs it adds up fast!

--

  Rick C. 

  ++ Get 1,000 miles of free Supercharging 
  ++ Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C

I guess the typical FPGA load configuration at boot with each block defined in SRAM like registers

For a Class B product, one would need to check all those registers at interval in run mode. 60730 defines all the modes that must be tested at interval and at boot

I do not think a typical FPGA has this feature, so it cannot be approved as a HW block

On top of that, the oscillator frequency needs to be checked along with other parameters

Cheers

Klaus

Reply to
Klaus Kragelund

I can't view that spec, but it claims to only apply to "household" electronics.

I don't know anything that does meet that requirement. I recall NASA gear that would reboot periodically to deal with soft radiation induced errors. Is that the sort of thing you are talking about?

--

  Rick C. 

  --- Get 1,000 miles of free Supercharging 
  --- Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C

I'm sorry Dave, I can't do that.

Normally, 'protection' functions don't use the same hardware (or board tracks/power sources/fusibles) as the control circuit, never mind the same firmware or software.

RL

Reply to
legg

ching an overload condition before it can tear up the gears or break the shaft (which the others on the project have done several times). This shut down was measuring the motor current and pulling the plug, then allowing the MCU to restart it when needed.

need something to limit the voltage. A regulator often requires significant head room to work, so I used the same pass transistor to add a voltage output limit.

bunch of other stuff, and not cost any more. The design time will be a lot less as well although the analog circuit is already done in simulation.

by a few FF and gates inside a chip where they will never be seen, just chug along.

What is the advantage of using a different circuit for the control function from the protection function? The purpose of the protection function is in case the software fails... that is a very different circuit although the same power. If the power goes nothing works. No, we don't have a battery backup on the alarm, but I have seen that on another vent. One company provides the plans for a vent they no longer make. It has a LOT of stuff. The alarm sounder has a battery backup, two sounders and a current sensor to know the sounders are getting current.

Damn! That's another input!!! I wonder if there is a creative way to use the output as an input at the same time??? Yeah, I bet I can.

--

  Rick C. 

  --+ Get 1,000 miles of free Supercharging 
  --+ Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C

Takes some thought and care to make protection circuitry that always does its job, without degrading performance.

It's not fool-proof. A protection function should perform, regardless of the failure mechanism, assuming single fault.

No point in getting more elaborate, unless it's uninsurable, or ~ nuclear.

RL

Reply to
legg

Yes, and that covers pretty much any electronics in your home or office

This is a requirement for any equipment with SW that control an element that can potentially heat up to unsafe levels. So in this case, a motor for a household gadget. In our case, it's a circulation pump

So, nothing to do with NASA, this is for "standard" electronics

About the oscillator check, that can be done quite simply inside the controller. You feed the main clock to a timer, and you then compare the main clock with say the watchdog clock/timer. They must not differ much, if they do, you pull the reset flag

Same for code check. During compile time, you calculate the code checksum. During runtime, the code checksum is calculated every 10 seconds. If it differs, you pull reset

Reply to
Klaus Kragelund
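The two self-checks described in the post above (the clock comparison against an independent watchdog-type clock, and the periodic code checksum against a reference), as an added example in plain C. This is not code from the thread or from any vendor Class B library. Everything hardware-specific is an assumption: the program flash is a constructed byte array, its reference CRC is computed once at startup in place of the build-step value a real firmware would link in, the timer counts are passed in by the caller, and the tolerance percentage is a parameter that the product's own safety analysis would set.

```c
/* Added example: IEC 60730 Class B style clock check and flash CRC check,
 * written hardware-independently so it runs on a PC. Assumptions: flash is a
 * constructed array, the reference CRC is computed at startup (a real build
 * would link in a value computed at compile time), timer counts come from the
 * caller, and on a failed check the caller forces a reset. */
#include <stdint.h>
#include <stddef.h>

/* CRC-32 (reflected, polynomial 0xEDB88320), bit-serial so no table is needed. */
uint32_t crc32_calc(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the program flash region (hypothetical contents). */
#define FLASH_IMAGE_SIZE 256
static uint8_t flash_image[FLASH_IMAGE_SIZE];
static uint32_t flash_crc_reference;

/* Fill the stand-in flash deterministically and record the reference CRC.
 * In real firmware the reference is produced by the build and stored at a
 * fixed address; this function plays that role for the example. */
void flash_init_reference(void)
{
    for (size_t i = 0; i < FLASH_IMAGE_SIZE; i++)
        flash_image[i] = (uint8_t)(i * 7 + 3);
    flash_crc_reference = crc32_calc(flash_image, FLASH_IMAGE_SIZE);
}

/* Periodic code check (e.g. every 10 s): 1 if flash still matches, else 0. */
int flash_check_ok(void)
{
    return crc32_calc(flash_image, FLASH_IMAGE_SIZE) == flash_crc_reference;
}

/* Self-test hook: XOR a mask into one flash byte to model a bit flip. */
void flash_corrupt(size_t index, uint8_t mask)
{
    flash_image[index % FLASH_IMAGE_SIZE] ^= mask;
}

/* Expected main-clock count over `ticks` ticks of the reference clock. */
uint32_t clock_expected_count(uint32_t f_main, uint32_t f_ref, uint32_t ticks)
{
    return (uint32_t)(((uint64_t)f_main * ticks) / f_ref);
}

/* Clock check: measured is the main-clock timer count captured over a known
 * number of ticks of an independent clock (e.g. the watchdog RC oscillator).
 * tol_percent is the product's own limit: the largest deviation at which the
 * product is still safe. Returns 1 if within tolerance, else 0. */
int clock_check_ok(uint32_t measured, uint32_t expected, uint32_t tol_percent)
{
    uint64_t tol  = ((uint64_t)expected * tol_percent) / 100u;
    uint64_t diff = (measured > expected) ? (uint64_t)(measured - expected)
                                          : (uint64_t)(expected - measured);
    return diff <= tol;
}

/* Combined periodic check as a main loop would call it; 0 means "reset now". */
int class_b_periodic_check(uint32_t timer_count, uint32_t expected, uint32_t tol_percent)
{
    if (!clock_check_ok(timer_count, expected, tol_percent))
        return 0;
    if (!flash_check_ok())
        return 0;
    return 1;
}

int main(void)
{
    flash_init_reference();
    /* Example: 16 MHz main clock counted over 1 s of a 32.768 kHz watchdog clock. */
    uint32_t expected = clock_expected_count(16000000u, 32768u, 32768u);
    return class_b_periodic_check(16000000u, expected, 5u) ? 0 : 1;
}
```

On a real controller the timer capture and the reset are the only parts that change: the main loop captures the counter at each window of the independent clock, calls the check, and forces a reset (watchdog or system reset register) when it returns 0. The tolerance value is deliberately an argument rather than a constant, because it follows from the product's worst-case analysis, not from the checking code.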

eaching an overload condition before it can tear up the gears or break the shaft (which the others on the project have done several times). This shut down was measuring the motor current and pulling the plug, then allowing the MCU to restart it when needed.

we need something to limit the voltage. A regulator often requires significant head room to work, so I used the same pass transistor to add a voltage output limit.

a bunch of other stuff, and not cost any more. The design time will be a lot less as well although the analog circuit is already done in simulation.

ed by a few FF and gates inside a chip where they will never be seen, just chug along.

on from the protection function? The purpose of the protection function is in case the software fails... that is a very different circuit although the same power.

You want different function paths. So that a fault in a system in a circuit is more likely to occur if the same circuit is duplicated in another path. They are then not separated and the probability of hazard is higher

Reply to
Klaus Kragelund


efined in SRAM like registers

interval in run mode. 60730 defines all the modes that must be tested at interval and at boot

tronics.

Which has nothing to do with ventilators.

In 60730 what exactly is a class B product?

ved as a HW block

th other parameters

ear that would reboot periodically to deal with soft radiation induced errors. Is that the sort of thing you are talking about?

hat can potentially heat up to unsafe levels. So in this case, a motor for a household gadget. In our case, it's a circulation pump

Fine, but what electronics with digital "stuff" meets this requirement? How do they meet it other than just not using digital "stuff"?

roller. You feed the main clock to a timer, and you then compare the main clock with say the watchdog clock/timer. They must not differ much, if they do, you pull the reset flag

Who defines "not much"???

. During runtime, the code checksum is calculated every 10 seconds. If it differs, you pull reset

Ok then, reloading the config would meet that requirement. So the NASA approach for FPGAs works well.

In this case I know of no such requirement. I think people accept that such errors are sufficiently rare. In our case the software and firmware can keep an eye on one another. If either sees something wonky the entire unit gets rebooted. The MCU can reboot the FPGA after the FPGA has rebooted the MCU.

--

  Rick C. 

  -+- Get 1,000 miles of free Supercharging 
  -+- Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C

That's not the end of the story, though; safety-related functions really should be tested, and software testing is... a poorly characterized process. It costs a LOT of money, brains, and time. WOMBAT is the applicable acronym.

Reply to
whit3rd

Most EEs don't understand that

I can see the 4011 etc being replaced by a multi-function logic IC. As transistors shrink & si area cost falls it makes more sense at some point to throw a handful of logic in 1 IC & shrink the range.

NT

Reply to
Tabby

NT can see that because he's forgotten that the CD4011 can handle rail voltages up to 18V. Getting a programmable logic chip that copes with that kind of voltage isn't easy.

--
Bill Sloman, Sydney
Reply to
Bill Sloman

Although, didn't the earliest EPROMs (and PLDs) need something absurd like 27.5V for programming?

Not that general logic functions might continue working that high. :)

Hm, never did read up on how that was possible; surely they weren't fabbing different voltage domains back then? That, or most EPROMs (or the older ones, at least) could actually withstand ludicrous voltages, just not meet spec (or function at all) up there? Hmm, never did test one for VDD breakdown voltage...

Tim

--
Seven Transistor Labs, LLC 
Electrical Engineering Consultation and Design 
Website: https://www.seventransistorlabs.com/
Reply to
Tim Williams

I believe EPROM always required a high voltage, they just made it on chip after the 1702A. The programmers for those things were atrocious. You had to pull the data and address lines to high voltages.

Hey, that's not a word you get to use every day, "atrocious" indeed!

--

  Rick C. 

  -++ Get 1,000 miles of free Supercharging 
  -++ Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C


defined in SRAM like registers

at interval in run mode. 60730 defines all the modes that must be tested at interval and at boot

ectronics.

Sure it has. A ventilator, a pump, an air condition. Anything with a motor in it, or any product that has a power level that in case of a fault could heat a component up and exceed insulation specs or outright burst into flames is covered.

Say one of your FETs that controls the motor shorts or operates in linear mode that would not trigger a safety function will heat the motor up to above 150 degrees for Class F wire, would then fail the UL/IEC test

In case of a motor controlled with SW, there needs to be safeguards that makes sure the SW behaves correctly, even when you introduce errors into the microcontroller. Bit flip, timer going berserk, oscillator outside ranges etc

We spend a LOT of time on these faults, component breakdown tests, to be sure the product is safe

Any household product. What standard have the approval body told you that you should comply to?

roved as a HW block

with other parameters

gear that would reboot periodically to deal with soft radiation induced errors. Is that the sort of thing you are talking about?

that can potentially heat up to unsafe levels. So in this case, a motor for a household gadget. In our case, it's a circulation pump

How do they meet it other than just not using digital "stuff"?

Using Class B SW techniques. Like those described in this document from ST:


ntroller. You feed the main clock to a timer, and you then compare the main clock with say the watchdog clock/timer. They must not differ much, if they do, you pull the reset flag

You do. You check that at the maximum range that the product is still safe. So if your clock will impact your product to have double heat consumption at half clock frequency and that is a problem, then that is your limit

um. During runtime, the code checksum is calculated every 10 seconds. If it differs, you pull reset

pproach for FPGAs works well.

Yes

uch errors are sufficiently rare. In our case the software and firmware can keep an eye on one another. If either sees something wonky the entire unit gets rebooted. The MCU can reboot the FPGA after the FPGA has rebooted the MCU.

That does not cut it. The approval body needs to approve your SW. If you do not have approved Class B SW, then your micro is considered to be one big fault generator. If you have your checks in place, then you can get it approved. The advantage of using the libraries from ST or Microchip and others is that they are preapproved, so you only need to argue about the application layer when you talk to the approval body

Don't you do component breakdown tests and evaluation of Critical Components (those that need UL/IEC approval, since they are connected to the line, Y caps, X caps, varistors etc)

Cheers

Klaus

Reply to
Klaus Kragelund


Normally I would welcome such a discussion, but you are not getting it. The standard you are referring to does not apply to medical equipment. The medical standard may require something similar, but that will be the medical standard requirement, not the standard you are referring to which may be very different. The software hazards are not relevant if they are prevented from materializing because the hardware prevents them.

I'm not interested in going round and round about this. You need to understand what I'm saying and you don't seem to.

--

  Rick C. 

  +-- Get 1,000 miles of free Supercharging 
  +-- Tesla referral code - https://ts.la/richard11209
Reply to
Ricketty C

whoosh as usual

Reply to
Tabby
