A similar version of this article appeared in the May 2013 issue of Electronic Science Korea magazine.
Power-on reset (POR) usually places devices in known, ready-to-operate configurations. POR thus sounds simple, and in the vast majority of cases, it works well. But when it fails, POR can trigger a series of critical events and eventually cause a catastrophe. In this application note, we explore the world of POR, its variables, “Murphy’s Law”,1 and the “gotchas”2 that most of us have had to struggle through sometime in our career. Despite the best POR design for an application, ultimately, the end user also bears some responsibility for ensuring that the POR function remains reliable.
Power Lines and Mountain Cliffs
We start our discussion with a metaphor: a valley or plain where we walk up and down mountains, illustrated by the colored lines in Figure 1.
Figure 1. A figurative mountain range and the terrain surrounding it.
What does the terrain look like from the ground? We cannot know as each mountain is different. Is there a typical or average terrain? No, there might be foothills, a granite cliff, a plateau, a small mountain followed by a valley, and then a big mountain. In short, anything conceivable could be in our path. Your first reaction to Figure 1 might be that there are no mountains like the blue line, but see Figure 2.
Figure 2. Sheer vertical cliffs in Zhangjiajie National Forest Park in China serve as a metaphor for power lines that power up and down.3
The terrain lines in Figure 1 can represent power-supply profiles as they power up and down. Is there a typical curve? Obviously, no. So how does an IC designer design a POR circuit that must accommodate an often wide range of voltage conditions? The answer is, with great difficulty. That is why we see so many variations on that rocky path. Then after the IC is built, how can anyone test the POR with every conceivable power supply?
Making POR Work Safely
Most engineers have strong opinions about the best design for a POR circuit. Generally, the procedure is to allow the voltage to pass one or two thresholds, start a timer and wait for some programmed interval so the voltage stabilizes, and then perform the reset function. The timers tend to be analog resistor-capacitor (RC) time constants with wide tolerances. On power-down, these capacitors have to discharge. Because leakage is the only discharge path, it can take some time to get close enough to ground to restart. To shorten this time to restart, one design trick uses a CMOS transistor gate capacitor, which is high impedance and does not have much leakage.
Before we talk about other ways to make a POR work correctly, we should mention why it typically fails. It is all about timing. A POR is guaranteed to fail if you do not turn the power supply completely off before restarting, or if you turn the supply off for only a very short time. In fact, we have seen customers turn off the supply for a few tens of microseconds and wonder why the POR did not work.
If poor timing and timing errors make a POR circuit fail, then what is good timing, or at least preferred timing? Let’s take as an example a part like a digital-to-analog converter (DAC) or a digital potentiometer with nonvolatile (NV) memory. We set the supply at 5V and three arbitrary voltages to explain the various failure modes (Figure 3). From this, we consider time and how to make a POR work safely.
Figure 3. Momentary voltage drops and the effects seen on volatile memory. The voltages chosen here are arbitrary and do not reflect any specific IC design.
In this example, the DAC or digital potentiometer has two memories: a volatile memory or working memory, and a nonvolatile (NV) memory. The value in volatile memory is erased when power is removed. However, the NV memory retains its value even without power applied. The NV memory is used for long-time storage of a value that is needed when power is restored to the device. The POR sequence reads the value of the NV memory and applies it to the volatile memory. The volatile memory sets the output voltage or resistance of the part. The volatile (working) memory, along with the output value, can be changed through the serial interface (commonly SPI or I²C). The NV value is not used again until the next time POR is triggered.
It is apparent from Figure 3 that drooping voltage 1 has no effect on the register settings. The voltage has not gone below the 2V level where the memory is lost. Voltage 2 does drop below the 2V line and the memory is lost; as the voltage rises again, the volatile registers contain random data. Finally, the volatile memory for voltage waveform 3 is lost as it passes through 2V and continues below 1.5V. Then as the voltage rises through 1.5V, the POR starts, the volatile memory is refreshed from the NV memory, and the part operates normally.
Because an IC designer must try to accommodate any number of differing power-supply starting slopes in conjunction with noise, hysteresis is a good thing. So with the example in Figure 3, as the voltage rises above 1.5V we might set a latch with hysteresis. This hysteresis would keep the latch set as long as the voltage stays above 1.3V. This voltage, however, is not high enough yet to make operation dependable, so we wait until the voltage rises through 2.5V again with hysteresis. At this point, we want to load the value currently in the NV memory into the volatile registers. To do this, we must start a local oscillator, which acts as a clock for reading the NV memory and for writing to the volatile memory. Using a state machine, we load the memory while we count the clocks to know when the operation is complete. Subsequently, we complete the POR sequence with other housekeeping chores, such as turning off the local oscillator or enabling the output.
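The sequence above can be checked with a small behavioral model. This is an added example, not code from the original article or from any IC vendor; it reuses the article's arbitrary Figure 3 thresholds, and the waveform minima, register values, and function names are constructed for illustration.

```python
# Added behavioral model of the POR sequence in Figure 3 (not vendor code).
# Thresholds are the article's arbitrary example values, not a real IC's.
V_LOST = 2.0      # below this, volatile (working) memory contents are lost
V_ARM = 1.5       # rising through this sets the POR latch
V_ARM_HYST = 1.3  # latch stays set while the supply remains above this
V_LOAD = 2.5      # rising through this with the latch set reloads from NV

def simulate(samples, working, nv):
    """Run supply samples (volts) through the model.

    Returns the final volatile register: a value, or None for random data.
    """
    volatile, armed, prev = working, False, samples[0]
    for v in samples[1:]:
        if v < V_LOST:
            volatile = None              # registers now hold random data
        if v < V_ARM_HYST:
            armed = False                # hysteresis latch released
        if prev < V_ARM <= v:
            armed = True                 # POR starts on the rising edge
        if armed and prev < V_LOAD <= v:
            volatile, armed = nv, False  # state machine copies NV to volatile
        prev = v
    return volatile

def dip(vmin, steps=20):
    """Constructed waveform: 5 V rail droops linearly to vmin and recovers."""
    down = [5.0 - (5.0 - vmin) * i / steps for i in range(steps + 1)]
    return down + down[-2::-1]

def figure3_outcomes(working=0x40, nv=0x80):
    """Outcome for droops 1, 2 and 3 (constructed minima 2.2 V, 1.7 V, 1.0 V)."""
    return [simulate(dip(vmin), working, nv) for vmin in (2.2, 1.7, 1.0)]

if __name__ == "__main__":
    for n, out in enumerate(figure3_outcomes(), start=1):
        print(f"voltage {n}:", "random data" if out is None else hex(out))
```

The working value differs from the NV value so that a retained register (voltage 1) can be told apart from one reloaded by POR (voltage 3); voltage 2 is the dangerous middle case, where the registers are lost but no reset occurs.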
Next, we consider time as a protective facet of the POR. Hysteresis protects us from noise in the voltage plane; time delays protect us from uncertainty in power slopes and stability plateaus. One way to be sure that the power is stable is to wait a while. We cannot predict the future slope, but we can wait to see if there is a change in voltage that could disrupt operation. How long should we wait? Obviously, a reasonable wait is necessary (whatever “reasonable” is) and that is a judgment call the designer must make based on the application.
Testing for Safe, Reliable Operation—Not So Straightforward
By now, it is very evident that successful POR is impossible to guarantee under every conceivable operating condition. Consequently, the designer must try to accommodate a reasonable range of conditions. Given the number of possible operating conditions in a given application environment, how can a semiconductor manufacturer test POR? It is bench tested during the new IC correlation process. Correlation of the physical silicon on the bench verifies the simulation done during the design process. Considering the foregoing issues, it is apparent that not every possible power-up and power-down configuration has been explored. Nonetheless, POR does work with typical lab power supplies.
During the automatic testing of each IC, POR is tested with fast risetime supplies. Time is of the essence and expensive in automatic test equipment (ATE). As a result, the power supplies are always active and a switch or relay opens the power path to the IC. ATE can cost $2 million or $3 million, so we measure test time in milliseconds. Consequently, we do not want to wait for power supplies to turn on from scratch. The ATE supplies are typically relatively large, well regulated, and properly bypassed with capacitors. When the part is powered, the switch or relay closes, resulting in a fast step function in the voltage. Thus, POR is not tested with slow ramping power as you might find in many applications.
Confusing a POR
Can we confuse the POR circuit and cause it to malfunction? Yes, as we illustrated in Figure 3 above. Further, and much worse, is it possible to trick the circuit and actually write garbage into the NV memory? Yes, and this is not a frivolous or fanciful experiment because we do not know what the customer’s power circuit might do, or be expected to do. In fact, we have heard of managers who turn on and off the power as rapidly as possible in an effort to detect some failure. Actually, this is not a bad thing to do, as it might cause a circuit to fail sometimes. Nonetheless, this rapid on/off exercise has limited value because it tests for only one sequence of switching. There might well be other untested sequences that would cause a POR failure. In an ideal world, the POR circuit protects all the circuits until the power is stable and allows operation to resume.
It is possible, however, to cause a spurious write to the NV memory. The normal writing process requires a voltage higher than VCC for a charge to be added to a dielectrically isolated capacitor (i.e., the memory element). The typical time required to complete a write is about 10ms because it is necessary to start an internal DC-DC converter to generate the high voltage. When digital logic powers up, it can be in a random state. If that random state includes flip-flop control of the NV write sequence, we would have an out-of-control condition that could write to the NV memory.
This is just the sort of complex situation where Murphy’s Law, that anything bad can and does happen, at the worst time, seems to strike. But time (yes, this is wordplay here, given the importance of “time” for a POR circuit) is on our side…in most cases. Recall Figure 3. Let’s try to prevent the NV write. Assume that we have a 1ms safe window to stop the NV write if, that is, it accidentally starts at the wrong time. First, as the voltage rises above 1.5V, we set the write latch to “off,” even though we might not have sufficient voltage to accomplish this reliably under all conditions. Second, as the voltage crosses 2.5V, we again set the write latch to “off.” Wow! That was easy to solve, or was it? If the voltage passes 1.5V and then drops to 1.4V so the POR hysteresis indicates that POR has started, the write latch is set to “off.” However, if the voltage drops to 1.4V and the write latch is set to “on,” we could be in trouble. Well, that is actually fine because we catch it at the 2.5V point. But is this always the case? While this is normally true, suppose that the power supply takes a long time to charge its capacitors and the time between 1.5V and 2.5V is 2ms. We write to the NV memory. What if the power supply normally comes on fast enough to prevent the write, but just as the power is coming up a motor in the plant momentarily drops the AC line voltage? A memory write could appear randomly.
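A board designer can screen captured or simulated supply ramps for this exposure. The following is an added example, not code from the original article; it assumes the write latch is forced off only when the 1.5V hysteresis latch first sets and again at the 2.5V crossing, uses the article's assumed 1ms safe window, and all waveforms and names are constructed.

```python
# Added example: how long a power-up ramp leaves the NV write latch unguarded.
V_ARM, V_ARM_HYST, V_LOAD = 1.5, 1.3, 2.5   # article's arbitrary thresholds
SAFE_WINDOW_MS = 1.0                        # article's assumed safe window

def crossing(t0, v0, t1, v1, level):
    """Interpolated time at which a rising segment crosses `level`, else None."""
    if v0 < level <= v1:
        return t0 + (t1 - t0) * (level - v0) / (v1 - v0)
    return None

def write_exposure_ms(points):
    """points: [(t_ms, volts), ...], a piecewise-linear supply ramp.

    Returns the time between the forced-off at 1.5 V and the one at 2.5 V,
    or None if the supply never completes the sequence.
    """
    t_arm = None
    for (t0, v0), (t1, v1) in zip(points, points[1:]):
        if v1 < V_ARM_HYST:
            t_arm = None                  # latch released; POR must re-arm
        if t_arm is None:
            t_arm = crossing(t0, v0, t1, v1, V_ARM)
        t_load = crossing(t0, v0, t1, v1, V_LOAD)
        if t_arm is not None and t_load is not None:
            return t_load - t_arm
    return None

def at_risk(points):
    """True if a spurious write could outlast the safe window on this ramp."""
    exposure = write_exposure_ms(points)
    return exposure is not None and exposure > SAFE_WINDOW_MS

# Constructed ramps (time in ms, volts).
FAST = [(0, 0.0), (0.5, 5.0)]             # bench or ATE style step
SLOW = [(0, 0.0), (10, 5.0)]              # 2 ms between 1.5 V and 2.5 V
MOTOR_SAG = [(0, 0.0), (0.2, 2.0), (0.4, 1.4), (3.0, 1.4), (3.5, 5.0)]
DEEP_SAG = [(0, 0.0), (0.2, 2.0), (0.4, 1.0), (3.0, 1.0), (3.5, 5.0)]

if __name__ == "__main__":
    for name in ("FAST", "SLOW", "MOTOR_SAG", "DEEP_SAG"):
        ramp = globals()[name]
        print(name, round(write_exposure_ms(ramp), 3), "ms, at risk:", at_risk(ramp))
```

Under this model the shallow sag to 1.4V is flagged while the deeper sag to 1.0V is not, because the deeper one releases the hysteresis latch and the POR sequence starts over.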
A Good Design Strategy Will Improve POR
By now it should be quite clear that even our best designed POR circuit can be thwarted by a random external event in a nearby electrical component. For ultimate power-supply safety, even more careful planning is required.
Safety and uptime are critical in a factory. For our discussion, let’s think about a simple valve. Depending on its use, it could fail in one of three predetermined ways: open, closed, or in a maintained position. If power to a boiler or nuclear reactor is unexpectedly interrupted, we want the emergency cooling water valve to fail when it is “open,” that is, to turn on completely. We would probably want a valve for the natural gas supply to a boiler to fail when it is “closed”, or turned off. A noncritical valve might just maintain its position. Given the number of valves in a factory, these potential power disruptions rise exponentially. Clearly, each powered component in the factory, or in any product where human safety is imperative, must be able to reliably reset itself. It is thus critically important that the designer prepare a strategy for both power-on and power-off conditions.
Consider some options for power on. Not only the main control microprocessor, but all outputs need close management. Calibration-class ICs are analog devices such as DACs and digital potentiometers that contain an independent, self-initializing POR so they power on with a known voltage. As with mechanical valves, three options exist for the POR: start at zero code, at midrange, or at a customer’s preset value. These analog parts protect outputs until the system’s microprocessor can boot and check the system properly. Boot time can be a few seconds or even minutes, and calibration parts are relatively fast in providing protection. Typically, processors monitor DC voltages on power buses and at critical system points before allowing operation. System switches might be required to power some circuits only when it is safe to do so, or to power them with a controlled ramp.
Now, let’s turn to power off. What happens if the power is momentarily interrupted? Do the system’s power decoupling capacitors discharge near enough to ground so that the POR reliably triggers? Ensuring that this happens might be as simple as requiring the power to stay off for a period of time. At first blush, powering the microprocessor from the standby supply seems like a good idea. That supply is present so the remote control can turn on the main circuits, just like with many TV sets. Then again, this does not protect against powerline failure. A better way is to provide a few seconds of separate power for the microprocessor. This could be as simple as a Schottky diode in series and some large capacitors; the capacitors are charged through the diode. When the power goes down, the diode is back-biased, thereby conserving the power for the processor to make a graceful controlled shutdown. This also can force a minimum off time to ensure that all the PORs operate properly.
To ensure uninterruptible power, battery backups and diesel generators are good fallback devices. Backup power should be automatically tested or operators should be reminded to routinely check the backup operation. Finally, we must also understand what must be done if the backup power is compromised and plan for that contingency…but that is a topic for another article.
POR is a difficult issue to manage. Many so-called random events are a confluence of marginal incidents. A power interruption does not happen often and it might not happen again in the system’s lifetime, but Murphy’s Law says that it could. Much like with the mountains mentioned earlier, an IC power engineer must navigate across difficult terrain and cannot anticipate every aspect of an application. With consistent performance and sometimes safety at stake, we must do our best to ensure reliable power. That is why we must design a POR circuit that accommodates as wide a range of voltage conditions as possible.