Power-on-reset (POR) usually places devices in known, ready-to-operate configurations. POR thus sounds simple and in the vast majority of cases it works well. But when it fails, POR can trigger a series of critical events and, eventually, cause a catastrophe. In this article we explore the world of POR, its variables, “Murphy’s law”1 and the “Gotcha”2 that most of us have had to struggle through sometime in our career. Despite the best POR design for an application, ultimately, the end user also bears some responsibility for ensuring that POR function remains reliable.
Power Lines and Mountain Cliffs
We start our discussion with a metaphor: a valley or plain where we walk up and down mountains, illustrated by the colored lines in Figure 1.
Figure 1. A figurative mountain range and the terrain surrounding them.
What does the terrain look like from the ground? We cannot know as each mountain is different. Is there a typical or average terrain? No, there may be foothills, a granite cliff, a plateau, a small mountain followed by a valley, and then a big mountain. In short, anything conceivable could be in our path. Your first reaction to Figure 1 might be that there are no mountains like the blue line, but see Figure 2.
Figure 2. Sheer vertical cliffs in Zhangjiajie National Forest Park in China serve as a metaphor for power lines that power up and down.
The terrain lines in Figure 1 can represent power-supply profiles as they power up and down. Is there a typical curve? Obviously, no. So how does an IC designer design a POR circuit that must accommodate an often wide range of voltage conditions? The answer is with great difficulty. That is why we see so many variations on that rocky path. Then after the IC is built, how can anyone test the POR with every conceivable power supply?
Making POR Work Safely
Most engineers have strong opinions about the best design for a POR circuit. Generally, the procedure is to allow the voltage to pass one or two thresholds, start a timer and wait for some programmed interval so the voltage stabilizes, and then perform the reset function. The timers tend to be analog resistor-capacitor (RC) time constants with wide tolerances. On power-down those capacitors have to discharge. Because leakage is the only discharge path, it can take some time to get close enough to ground to restart. To shorten this time to restart, one design trick uses a CMOS transistor gate capacitor which is high impedance and does not have much leakage.
Before we talk about other ways to make a POR work correctly, we should mention why it typically fails. It is all about timing. A POR is guaranteed to fail if you do not turn the power supply completely off before restarting or if you turn the supply off for only a very short time. In fact, we have seen customers turn off the supply for a few tens of microseconds and wonder why the POR did not work.
If poor timing and timing errors make a POR circuit fail, then what is good timing, or at least preferred timing? Let’s take a part like a DAC or digital potentiometer with nonvolatile (NV) memory as an example. We set the supply at 5V and set three arbitrary voltages to explain the various failure modes (Figure 3). From this we will consider time and how to make a POR work safely.
Figure 3. Momentary voltage drops and the effects are seen on volatile memory. The voltages chosen here are arbitrary and do not reflect any specific IC design.
In this example, the DAC or digital potentiometer has two memories: a volatile memory or working memory, and a nonvolatile (NV) memory. The value in volatile memory is erased when the power is removed; the NV memory, however, retains its value even without power applied. The NV memory is used for long-term storage of a value that will be used when power is restored to the device. The POR sequence reads the value of the NV memory and applies it to the volatile memory. The volatile memory sets the output voltage or resistance of the part. The volatile (working) memory along with the output value can be changed through the serial interface (commonly SPI or I2C). The NV value will not be used again until the next time POR is triggered.
It is apparent from Figure 3 that the drooping voltage 1 has no effect on the register settings. The voltage has not gone below the 2V level where the memory is lost. Voltage 2 does drop below the 2V line and the memory is lost; as the voltage rises again, the volatile registers will contain random data. Finally, the volatile memory for voltage waveform 3 is lost as it passes through 2V and continues below 1.5V. Then as the voltage rises through 1.5V, the POR starts, the volatile memory is refreshed from the NV memory, and the part will operate normally.
Because an IC designer must try to accommodate any number of differing power-supply starting slopes in conjunction with noise, hysteresis is a good thing. So with the example in Figure 3, as the voltage rises above 1.5V we might set a latch with hysteresis. This hysteresis would keep the latch set as long as the voltage stays above 1.3V. This voltage, however, is not high enough yet to make operation dependable, so we will wait until the voltage rises through 2.5V again with hysteresis. At this point we want to load the value currently in NV memory into the volatile registers. To do this, we must start a local oscillator which acts as a clock for reading the NV and writing to the volatile memory. Using a state machine we load memory while we count the clocks to know when the operation is complete. Subsequently, we complete the POR sequence with other housekeeping chores, such as turning off the local oscillator and enabling the output.
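The sequence described above can be checked against sampled supply traces with a small behavioral model. This is an added example, not code from the original article or from any IC vendor; it uses the article's arbitrary thresholds and assumes the latch releases (re-arming POR) only below 1.3V, that the NV load runs once per latch cycle, and that the part is already running at the first sample. Function and trace names are hypothetical.

```python
# Thresholds from the article's Figure 3 discussion (arbitrary, not a real IC).
V_MEM_LOSS = 2.0   # volatile registers lose their contents below this
V_POR_SET = 1.5    # rising through this sets the POR latch
V_POR_HOLD = 1.3   # hysteresis: latch stays set while the supply is above this
V_LOAD = 2.5       # rising through this copies NV memory into the registers

def simulate_por(trace, nv_value, working_value):
    """Walk a sampled supply trace (volts); return (state, register value).

    state is 'retained', 'random' (contents lost, no reload) or 'reloaded'.
    Assumption: the part is already running at trace[0].
    """
    latch, loaded = True, True
    state, value = "retained", working_value
    prev = trace[0]
    for v in trace[1:]:
        if v < V_MEM_LOSS:
            state, value = "random", None      # working memory is lost
        if v < V_POR_HOLD:
            latch, loaded = False, False       # latch releases; POR re-armed
        elif not latch and prev < V_POR_SET <= v:
            latch = True                       # POR sequence starts
        if latch and not loaded and prev < V_LOAD <= v:
            state, value, loaded = "reloaded", nv_value, True
        prev = v
    return state, value

# Constructed sample traces, one per case.
DROOP_1 = [5.0, 3.5, 2.4, 3.5, 5.0]            # stays above 2 V
DROOP_2 = [5.0, 3.0, 1.8, 3.0, 5.0]            # below 2 V, above 1.5 V
DROOP_3 = [5.0, 3.0, 1.6, 1.0, 1.6, 3.0, 5.0]  # falls below 1.3 V, then recovers
DROOP_HYST = [5.0, 3.0, 1.4, 3.0, 5.0]         # below 1.5 V, latch held by hysteresis

if __name__ == "__main__":
    for name, trace in [("1", DROOP_1), ("2", DROOP_2),
                        ("3", DROOP_3), ("hyst", DROOP_HYST)]:
        print(name, simulate_por(trace, nv_value=0x80, working_value=0x42))
```

The last trace shows the cost of hysteresis in this model: a dip to 1.4V destroys the working registers but never re-arms POR, so the part keeps running on random data.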
Now we will consider time as a protective facet of the POR. Hysteresis protects us from noise in the voltage plane; time delays protect us from uncertainty in power slopes and stability plateaus. One way to be sure that the power is stable is to wait a while. We cannot predict the future slope, but we can wait to see if there is a change in voltage that could disrupt operation. How long should we wait? Obviously, a reasonable wait is necessary (whatever “reasonable” is) and that is a judgment call that the designer must make based on the application.
Testing for Safe, Reliable Operation—Not so Straightforward
By now it is very evident that successful POR is impossible to guarantee under every conceivable operating condition. Consequently, the designer must try to accommodate a reasonable range of conditions. Given the number of possible operating conditions in a given application environment, how can a semiconductor manufacturer test POR? It is bench tested during the new-IC correlation process. Correlation of the physical silicon on the bench verifies the simulation done during the design process. Considering the foregoing issues, it is apparent that not every possible power-up and power-down configuration is explored. Nonetheless, POR does work with typical lab power supplies.
During the automatic testing (ATE) of each IC, POR is tested with fast risetime supplies. Time is of the essence and expensive in the ATE machine; consequently, the power supplies are always active and a switch or relay opens the power path to the IC. ATE machines can cost $2 million or $3 million, so we measure test time in milliseconds. Consequently, we do not want to wait for power supplies to turn on from scratch. The ATE supplies are typically relatively large, well regulated, and properly bypassed with capacitors. When the part is powered, the switch or relay closes, resulting in a fast step function in the voltage. As a result, POR is not tested with slow ramping power as you might find in many applications.
Confusing a POR
Can we confuse the POR circuit and cause it to malfunction? Yes, as we illustrated in Figure 3 above.
Further, and much worse, is it possible to trick the circuit and actually write garbage into the NV memory? Yes, and this is not a frivolous or fanciful experiment because we do not know what the customer’s power circuit might do, or be expected to do. In fact we have heard of managers who turn on and off the power as rapidly as possible in an effort to detect some failure. Actually, this is not a bad thing to do, as it might cause a circuit to fail sometime. Nonetheless, this rapid on/off exercise has limited value because it tests for only one sequence of switching. There may well be other untested sequences that would cause a POR failure. In an ideal world the POR circuit will protect all the circuits until the power is stable and allow operation to resume.
It is possible, however, to cause a spurious write to NV memory. The normal writing process requires a voltage higher than VCC for a charge to be added to a dielectrically isolated capacitor (i.e., the memory element). The typical time required to complete a write is about 10ms because it is necessary to start an internal DC-DC converter to generate the high voltage. When digital logic powers up, it can be in a random state. If that random state includes the flip-flop controlling the NV write sequence, we would have an out-of-control condition that could write to the NV memory.
This is just the sort of complex situation where Murphy’s law, that anything bad can and does happen, at the worst time, seems to strike. But time (yes, this is wordplay here, given the importance of “time” for a POR circuit) is on our side…in most cases. Recall Figure 3 and let’s try to prevent the NV write. Assume that we have a 1ms safe window to stop the NV write if, that is, it accidentally starts at the wrong time. First, as the voltage rises above 1.5V, we will set the write latch to “off,” even though we may not have sufficient voltage to accomplish this reliably under all conditions. Second, as the voltage crosses 2.5V, we will again set the write latch to “off.” Wow! That was easy to solve, or was it? If the voltage passes 1.5V and then drops to 1.4V so the POR hysteresis says that POR has started, the write latch was set to “off.” However, if the voltage drops to 1.4V and the write latch is set to “on,” we could be in trouble. Well, that is actually fine because we will catch it at the 2.5V point. But is this always the case? While this is normally true, suppose that the power supply takes a long time to charge its capacitors and the time between 1.5V and 2.5V is 2ms. We write to the NV memory. What if the power supply normally comes on fast enough to prevent the write, but just as the power is coming up a motor in the plant starts, dropping the AC line voltage momentarily? A memory write could appear randomly.
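The race described above can be worked through numerically for a given supply profile. This is an added example, not code from the original article; it assumes a piecewise-linear ramp, that the write latch is forced off once when POR starts at 1.5V (with the 1.3V hysteresis) and on every rise through 2.5V, and that the moment the write flip-flop comes up "on" is supplied as an input. All names and profiles are hypothetical.

```python
SAFE_WINDOW_MS = 1.0                      # article's assumed window to stop an NV write
V_POR_SET, V_POR_HOLD, V_RECLEAR = 1.5, 1.3, 2.5

def clear_times(ramp):
    """Times (ms) at which POR forces the write latch 'off'.

    ramp is a piecewise-linear supply profile [(t_ms, volts), ...]. The latch is
    cleared when POR starts (rising through 1.5 V, unless hysteresis says POR
    has already started) and on every rise through 2.5 V.
    """
    clears, por_started = [], False
    for (t0, v0), (t1, v1) in zip(ramp, ramp[1:]):
        if min(v0, v1) < V_POR_HOLD:
            por_started = False           # supply fell far enough to re-arm POR
        for level in (V_POR_SET, V_RECLEAR):
            if not (v0 < level <= v1):
                continue                  # no rising crossing in this segment
            if level == V_POR_SET:
                if por_started:
                    continue              # hysteresis: no second clear at 1.5 V
                por_started = True
            clears.append(t0 + (level - v0) * (t1 - t0) / (v1 - v0))
    return clears

def spurious_write(ramp, upset_ms):
    """True if a write latch that flips 'on' at upset_ms outlasts the safe window."""
    later = [t for t in clear_times(ramp) if t >= upset_ms]
    return (min(later) - upset_ms if later else float("inf")) > SAFE_WINDOW_MS

# Constructed supply profiles as (ms, V) points.
FAST = [(0, 0.0), (0.5, 5.0)]                               # quick bench-style ramp
SLOW = [(0, 0.0), (10, 5.0)]                                # 2 ms from 1.5 V to 2.5 V
DIP = [(0, 0.0), (0.2, 1.6), (0.3, 1.4), (0.6, 5.0)]        # dips to 1.4 V, recovers fast
SAG = [(0, 0.0), (0.2, 1.6), (0.3, 1.4), (2.3, 1.4), (2.6, 5.0)]  # line sag holds 1.4 V

if __name__ == "__main__":
    for name, ramp, upset in [("fast", FAST, 0.05), ("slow", SLOW, 3.2),
                              ("dip", DIP, 0.3), ("sag", SAG, 0.3)]:
        print(name, clear_times(ramp), spurious_write(ramp, upset))
```

Running a measured supply profile through such a check shows whether the worst-case gap between the two forced clears stays inside the safe window.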
A Good Design Strategy Will Improve POR
By now it should be quite clear that even our best designed POR circuit can be thwarted by a random external event in a nearby electrical component. For ultimate power-supply safety, even more careful planning is required.
Safety and uptime are critical in a factory. For our discussion let’s think about a simple valve. Depending on the use, it could fail in one of three predetermined ways: open, close, or maintain position. If power is unexpectedly interrupted to a boiler or nuclear reactor, we want the emergency cooling water valve to fail “open,” that is to go on completely. We would probably want a valve for the natural gas supply to a boiler to fail “close” or turn off. A noncritical valve may just maintain its position. Given the number of valves in a factory, these potential power disruptions rise exponentially. Clearly, each powered component in the factory, or in any product where human safety is imperative, must be able to reset itself reliably. It is thus critically important that the designer prepare a strategy for both power-on and power-off conditions.
Consider some options for power on. Not only the main control microprocessor, but all outputs need close management. Calibration-class ICs are analog devices such as digital-to-analog converters (DACs) and digital potentiometers that contain an independent, self-initializing POR so they power on with a known voltage. As with mechanical valves, three options exist for the POR: start at zero code, midrange, or at a customer’s preset value. These analog parts protect outputs until the system’s microprocessor can boot and check the system properly. Boot time can be a few seconds or even minutes, and calibration parts are relatively fast in providing protection. Typically, processors will monitor DC voltages on power buses and at critical system points before allowing operation. System switches may be required to power some circuits only when it is safe to do so, or to power them with a controlled ramp.
Now let’s turn to power off. What will happen if the power is interrupted momentarily? Will the system’s power decoupling capacitors discharge near enough to ground so that the POR will reliably trigger? Ensuring that this happens might be as simple as requiring the power to stay off for a period of time. At first blush, powering the microprocessor from the standby supply seems like a good idea. That supply is present so the remote control can turn on the main circuits, just like many TV sets. Then again, this does not protect against powerline failure. A better way is to provide a few seconds of separate power for the microprocessor. This could be as simple as a Schottky diode in series and some large capacitors; the capacitors would be charged through the diode. When the power goes down, the diode will be back-biased, thereby conserving the power for the processor to make a graceful controlled shutdown. This also can force a minimum off time to ensure that all the PORs operate properly.
To ensure uninterruptible power, battery backup and diesel generators are good fallback devices. Backup power should be tested automatically or operators should be reminded to check the backup operation routinely. Finally, we must also understand what must be done if the backup power is compromised and plan for that contingency also…but that is another topic for another article.
POR is a difficult issue to manage. Many so-called random events are a confluence of marginal incidents. A power interruption will not happen often and it may never happen again in the system’s lifetime, but Murphy’s law says that it could. Much like our mountain climber earlier, an IC power engineer must navigate across difficult terrain and cannot anticipate every aspect of an application. With consistent performance and sometimes safety at stake, we must do our best to ensure reliable power. That is why we must design a POR circuit that accommodates as wide a range of voltage conditions as possible.
1 For a discussion of Murphy’s Law, start here: http://en.wikipedia.org/wiki/Murphy%27s_law.
2 Gotcha has a wide range of meanings in the English language. Here we intend what Wikipedia says usually refers “to an unexpected capture or discovery.” See http://en.wikipedia.org/wiki/Gotcha.
3 There are many references and images of the park available. A good place to start is here: https://www.google.com/search?q=Zhangjiajie+NATIONAL+FOREST+PARK+IN+CHINA&hl=en&client=firefox-a&hs=3yI&tbo=u&rls=org.mozilla:en-US:official&tbm=isch&source=univ&sa=X&ei=8vcGUbmNNY-vygGfsYG4CA&ved=0CEkQsAQ&biw=1033&bih=513 . A general overview of the park can be found here: http://en.wikipedia.org/wiki/Zhangjiajie_National_Forest_Park.
About the Author: Bill Laumeister is an engineer in strategic applications with the Precision Control Group at Maxim Integrated. He works with customers who use DACs, digital potentiometers, and voltage references. He has more than 30 years of experience and holds several patents.