Problem:
This issue was raised by a customer and was identified on the STM32F103VDT6 microcontroller. According to their engineering team, the product used the STM32’s HSE with an external 8MHz crystal to generate a stable clock signal. This signal was multiplied to 72MHz by the internal PLL and used as the system clock. In addition, a dedicated external watchdog chip was connected to the STM32 to monitor the MCU’s operation. Software generated a pulse on one of the STM32's pins to reset the watchdog. If the STM32 failed to send this pulse in time, the watchdog would assume the MCU wasn’t functioning correctly and reset the STM32. During the product's reliability testing, a test was conducted to evaluate the watchdog’s ability to detect clock failures. The test involved grounding the two terminals of the HSE crystal to stop oscillation and checking whether the watchdog would reset the STM32. Surprisingly, the watchdog did not reset the STM32: the MCU continued sending reset pulses to the watchdog despite the clock failure.
Investigation:
To confirm this behavior, we repeated the test and reproduced the phenomenon. We reviewed the software code to confirm that the CSS (Clock Security System) feature of the STM32 had not been accidentally enabled. To analyze the situation further, we modified the code to output the PLL frequency divided by two on the MCO (Main Clock Output) pin, where it could be observed easily with an oscilloscope. By grounding or ungrounding the HSE crystal pins, we could control its oscillation. When the HSE oscillated normally, the MCO output frequency was 36MHz. When the HSE stopped oscillating, the MCO output frequency dropped to approximately 1.7MHz, as shown in Figure (1).
We also observed the SWS control bits in the RCC_CFGR register using a debugger, which confirmed that the system clock was sourced from the PLL output, as indicated by the value [10]. From the STM32F103VD datasheet, we extracted the PLL-related parameters, as shown in Table (1).
According to the datasheet, the PLL’s output frequency range is 16MHz to 72MHz when locked. If the input signal frequency is too low, causing the output frequency to drop below 16MHz, the PLL enters a loss-of-lock condition. In this state, the output frequency no longer follows the expected multiplication and division relationships. Specifically, the output frequency becomes unpredictable and doesn't align with the theoretical formula:
In other words, an input signal frequency of zero does not mean that the PLL’s output frequency is zero. Our measurements aligned with this observation.
Conclusion:
Even without an input signal, the STM32’s PLL continues to oscillate at its lowest possible frequency, providing an output signal. Consequently, the CPU and other peripherals remain functional, being driven by the clock provided by the PLL. Thus, it is unreliable to judge the validity of the HSE solely based on whether there is a clock driving the CPU to execute instructions.
Solution:
To address this issue, we made the following software modifications:
- In the initialization section of the software, we enabled the CSS (Clock Security System) feature of the STM32.
- We modified the NMI (Non-Maskable Interrupt) service routine and added a while(1) trap statement.
With the CSS feature enabled, when the HSE fails, the STM32 automatically switches to the HSI (Internal High-Speed Oscillator) as the system clock and triggers an NMI interrupt. This ensures that the program flow remains in the NMI routine, preventing the generation of watchdog reset pulses. When the watchdog times out, it resets the STM32, returning the system to its normal state.
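The two modifications above, as an added example that is not the customer's or ST's code. Register offsets and bit positions are those of the STM32F10x RCC block; `rcc_regs_t`, `css_failure_ack` and `watchdog_kick_allowed` are hypothetical names, and `watchdog_kick_allowed` is an assumed extra guard that goes beyond the text by refusing the watchdog pulse once the system clock is no longer the PLL.

```c
#include <stdint.h>

/* First three RCC registers of the STM32F10x, in register-map order.
   Passing a pointer lets the same logic run against a plain variable. */
typedef struct {
    volatile uint32_t CR;    /* offset 0x00: clock control       */
    volatile uint32_t CFGR;  /* offset 0x04: clock configuration */
    volatile uint32_t CIR;   /* offset 0x08: clock interrupts    */
} rcc_regs_t;

#define RCC_HW        ((rcc_regs_t *)0x40021000u) /* RCC base address      */
#define CR_CSSON      (1u << 19)  /* Clock Security System enable          */
#define CFGR_SWS_MASK (3u << 2)   /* system clock switch status            */
#define CFGR_SWS_PLL  (2u << 2)   /* [10] = PLL, the value seen in debug   */
#define CIR_CSSF      (1u << 7)   /* CSS failure flag (read-only)          */
#define CIR_CSSC      (1u << 23)  /* write 1 to clear CSSF                 */

/* Modification 1: call once in initialization, after HSE and PLL are up. */
void css_enable(rcc_regs_t *rcc) { rcc->CR |= CR_CSSON; }

/* Returns 1 if CSS flagged an HSE failure, and acknowledges the flag.
   Without the acknowledge the NMI is re-entered as soon as it returns. */
int css_failure_ack(rcc_regs_t *rcc)
{
    if ((rcc->CIR & CIR_CSSF) == 0)
        return 0;
    rcc->CIR |= CIR_CSSC;
    return 1;
}

/* Assumed extra guard (not in the original text): only pulse the external
   watchdog while the PLL is still the system clock and no failure is pending. */
int watchdog_kick_allowed(const rcc_regs_t *rcc)
{
    return (rcc->CFGR & CFGR_SWS_MASK) == CFGR_SWS_PLL
        && (rcc->CIR & CIR_CSSF) == 0;
}

/* Modification 2: NMI service routine with the while(1) trap. */
void NMI_Handler(void)
{
    if (css_failure_ack(RCC_HW)) {
        while (1) { /* no watchdog pulses: the external watchdog resets us */ }
    }
}
```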
Suggestion:
The CSS functionality in STM32 is specifically designed to detect and handle HSE failures. However, this feature is disabled by default after each reset and must be explicitly enabled in the software. When the CSS unit detects an HSE failure, it switches the system clock to the HSI, disables the HSE, and, if the PLL’s input comes from the HSE, also disables the PLL. During this process, the CSS unit generates an NMI interrupt request and a break signal to the advanced timer. The NMI interrupt allows the user program to handle emergencies in the interrupt service routine, while the break signal halts the advanced timer to prevent any unintended actions, such as motor control malfunctions. In the NMI service routine, the program can attempt to restore the HSE and PLL functions or use traps to keep the program flow within the service routine until the watchdog resets the system.
By implementing these changes, we ensure that the system remains robust against HSE failures and maintains reliable operation under all conditions.