AN1015
APPLICATION NOTE
SOFTWARE TECHNIQUES FOR IMPROVING
MICROCONTROLLER EMC PERFORMANCE
by Microcontroller Division Applications
1 INTRODUCTION
A major contributor to improved EMC performance in microcontroller-based electronics sys-
tems is the design of hardened software.
To achieve this goal, you have to include EMC considerations as early as possible in the de-
sign phase of your project.
EMC-oriented software increases the security and the reliability of your application. EMC-
hardened software is inexpensive to implement, it improves the MCU’s immunity performance
and saves hardware costs. You should consider EMC disturbances to analog or digital data as
parameters that must be managed by the MCU software just like any other application param-
eter.
Examples of software disturbances:
– Microcontroller not responding
– Program Counter runaway
– Execution of unexpected instructions
– Bad address pointing
– Bad execution of subroutines
– Parasitic reset
– Parasitic interrupts
– I/O deprogramming
AN1015/0701 1/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
Examples of the consequences of failing software:
– Unexpected commands
– Loss of context
– Unexpected branch in process
– Loss of interrupts
– Loss of data integrity
– Wrong input measurement values
This application note describes software techniques divided into two categories:
– Preventive techniques
– Auto-recovery techniques
You can implement preventive techniques in existing programs. Their purpose is to avoid vis-
ible disturbances at user level.
The software must include auto-recovery routines. When a runaway condition is detected, a
recovery subroutine is used to take the decision to stop program execution, optionally give a
warning and then return automatically to normal operations. This operation may be absolutely
transparent to the user of the application.
2 PREVENTIVE TECHNIQUES
You can easily implement these techniques in an existing program as they do not require any
change to the structure of the software.
2.1 USING THE WATCHDOG CORRECTLY
The watchdog is the most efficient tool you have available for ensuring that the MCU can re-
cover from software runaway failures. Its principle is very simple: it is a timer which generates
an MCU reset at the end of count. The only way of preventing the Watchdog resetting the mi-
crocontroller is to refresh the counter periodically in the program.
But to make the watchdog work at its full potential, you have to insert the enable and refresh
instructions in your software in the right way.
Figure 1 shows the classic examples of bad watchdog implementation:
To do it the right way, the golden rules are:
– Enable the watchdog as soon as possible after reset, or use the Hardware Watchdog option
if its available.
– Never refresh the watchdog in an interrupt routine.
2/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
It is very important to optimize the period between the two refresh instructions according to the
duration of the various routines, including the interrupt rountines.
The minimum use of the watchdog resets the MCU, this means that the program execution
context is lost as well as the application data’s integrity.
After reset, in addition to enabling the watchdog, on some MCUs you can use the reset flags
to distinguish between a Power On or Low Voltage reset and a Watchdog reset (refer to Sec-
tion 3.3. for more details)
Figure 1. Classic Examples of Bad Watchdog Usage
INIT WDG ENABLE
2
Spurious
Addr: ??? INIT
PC-Jump
INFINITE
WDG ENABLE LOOP
(WDG NOT
ENABLED)
1
MAIN
Spurious
Reset WDG
REFRESH INTERRUPT
ROUTINE
Watchdog enabled too late after Startup
MAIN INTERRUPT Addr: ???
ROUTINE RETURN
WDG INFINITE
REFRESH LOOP
(WDG
REFRESHED
IN INVALID
Enable Watchdog immediately at Startup
Spurious
PC-Jump
RETURN
LOOP) No Watchdog refresh in Interrupt Routine
Watchdog refreshed in Interrupt Routine
3/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
2.2 SECURING THE UNUSED PROGRAM MEMORY AREA
In most applications, program memory space is not used completely. For extra security, fill the
unused memory locations with code that forces a watchdog reset or jumps to a known pro-
gram location if you do not want to generate a reset.
This will ensure that even if the program counter is corrupted and jumps to an unused memory
location, the MCU will recover and return to normal operations.
In the example below (using the ST6), at address 0F3F if you put LDI WDT,01h, this instruc-
tion causes the MCU to be reset by the internal watchdog and thus avoids a microcontroller
lock condition.
In this unused area you can also jump to a Parasite Detection subroutine, which allows you to
return to normal operations.
For ST7 users, the ST7 "TRAP" instruction is also very convenient (only one instruction
byte:83) for generating a software interrupt in order to recover from a jump to an unexpected
location in memory.
Figure 2. Example of a Microcontroller lock condition
Opcode Main
read=BD Program ROM Address Opcode Assembly Instructions
0F20 BD LD V, A
PC
0F32 Parasite
Subroutine 0F34 CD RET
0F35 00 JRNZ 0F36
Parasite 0F36 00 JRNZ 0F37
0F37 00 INFINITE
Empty 0F3F 00 LOOP
Area
00 JRNZ 0F40
0F40 A0 JRNZ 0F35
0F41 ED WAIT?
Look-Up 0F42 9B 99 SET1, SN
Table 0F44 ..... .....
VR02129F
4/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
2.3 INPUT FILTERING
The routine given below (for ST6) checks several times that PB4=1 before continuing the pro-
gram execution.
This is a simple means of filtering a critical input at no extra cost!
MAIN1 LDI LOOP,08h repeat measurement 8 times
MAIN2 JRR 4,PB,MAIN1 Check bit 4 of port B
DEC LOOP Decrement loop
JNRZ MAIN2 until Loop=0
2.4 MANAGEMENT OF UNUSED INTERRUPT VECTORS
To avoid problems caused by unexpected interrupt occurrences (whatever the source) it is
recommended to manage all the possible interrupt sources by putting a valid interrupt routine
address in the corresponding vector.
In the example below the unused interrupt vectors point to a "dummy" label filled with a simple
"return from interrupt" instruction.
Example of unused interrupt management (ST7):
.dummy
iret
segment ’vectit’
.pwm_it DC.W dummy ;location FFE0-FFE1h
DC.W dummy ;location FFE2-FFE3h
.i2c_it DC.W i2c_rt ;location FFE4-FFE5h
.sci_it DC.W dummy ;location FFE6-FFE7h
.tb_it DC.W dummy ;location FFE8-FFE9h
.ta_it DC.W dummy ;location FFEA-FFEBh
.spi_it DC.W dummy ;location FFEC-FFEDh
.can_it DC.W can_rt ;location FFEE-FFEFh
.ext3_it DC.W dummy ;location FFF0-FFF1h
.ext2_it DC.W dummy ;location FFF2-FFF3h
.ext1_it DC.W dummy ;location FFF4-FFF5h
.ext0_it DC.W dummy ;location FFF6-FFF7h
.mcc_it DC.W dummy ;location FFF8-FFF9h
.nmi_it DC.W dummy ;location FFFA-FFFBh
.softit DC.W pc_jp ;location FFFC-FFFDh
.reset DC.W init ;location FFFE-FFFFh
5/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
2.5 REMOVING ILLEGAL AND CRITICAL BYTES FROM YOUR CODE
2.5.1 Critical Bytes
A critical byte is an instruction like WAIT or STOP which is decoded by the microcontroller and
forces it to stop executing any further instructions.
When the PC is corrupted it often becomes desynchronized (as most of the instructions have
several bytes), and as a result it may read and decode critical bytes.
To check and minimize the occurrence of these critical bytes you can edit the program ".list"
file.
Very often critical bytes are generated by the compiler as label address bytes. In this case, if
you simply insert one or several NOP instructions, all the label addresses will shift and this will
change the critical byte value to another value.
Example:
In the ST7 instruction sequence shown below, the "main" label address bytes contain the
HALT op-code (8E) and the "loop1" label address bytes contain the WFI op-code (8F).
If you add two "NOP" instructions before "loop1", the addresses are shifted from C18E to
C190 for "main" and from C08F to C091 for "loop1" and the critical bytes disappear!
.loop1
C08F .....
C09A 81 ret
.main ;Led PB3 freezed on
C18E 1415 bset PBDR,#2
C190 1715 bres PBDR,#3
C192 CDC08F call loop1
C195 CDC08F call loop1
C198 1515 bres PBDR,#2
C19A CDC08F call loop1
C19D CDC08F call loop1
C1A0 CCC18E jp main
2.5.2 IIlegal Bytes
Illegal bytes are defined as any byte value which is not part of the instruction set. They will ei-
ther be executed as a NOP instruction or (on some MCUs) a reset is generated if an illegal
byte is encountered. In some ST6 devices however "E5h" is executed as a WAIT and "65h" as
a STOP. In this case, use the techniques described above (for criticall bytes) to remove illegal
bytes from your code.
6/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
2.6 AVERAGING THE A/D CONVERTER RESULTS
If you are performing A/D conversion, you can repeat conversions several times, store the re-
sults in the RAM and then average them (or select the most frequently-occuring value) to ob-
tain accurate results in spite of any potential noise errors.
2.7 REGISTER REPROGRAMMING
It rarely happens that EMC disturbances alter the content of the registers. Generally the reg-
isters concerned are clock control registers or I/O configuration and data registers because
they are close to the chip output pads.
In such cases a good security measure is to refresh these registers frequently.
Table 1. Summary of Preventive Techniques
Software Quality
Advantage Disadvantage Implementing
Preventive Methods
Easy but the activation
Control is CPU-inde- and refresh instructions
Watchdog Not compatible with Halt
pendent must be carefully placed
(Hardware or Software) mode
Avoids MCU lock in the code for maximum
efficiency
Force a watchdog reset More direct and quicker
Clear the WDG reset bit
in unused program than waiting for a watch- Loss of previous context
(see device spec.)
memory dog timeout
Fill unused area with
Single byte instruction.
Fill unused program "TRAP"(83h) op-code
More direct and quicker Instruction available only
memory with software in- and manage the failure
than wait for a WDG on ST7 devices.
terrupt instructions in the corresponding in-
timeout.
terrupt routine.
Ensure the ADC per- Perform an iterative loop
A/D Converter averaging formance in a noisy sur- Processing time for ADC acquisitions and
rounding. averaging.
Avoid MCU locks due to
Removal of illegal or crit- none except restriction String search in the
unexpected readings of
ical opcode on using these opcodes ".LIST" file (See §2.5).
WAIT or STOP opcodes
Repeat measurement
several times and per-
Input filtering Data acquisition stability Processing time
form a statistical choice
between "0" or "1".
Unused interrupt man- Avoid runaways due to Very easy (see section
None
agement unexpected interrupts 2.4
Refresh critical registers
Refreshing of critical reg-
Safe running Uses MCU resources in frequently-executed
isters
loops
7/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
3 AUTO-RECOVERY TECHNIQUES
This section gives some techniques for quickly recovering your application context after an
EMC failure.
Unexpected resets, Program Counter jumps and parasitic interrupts are the most common
EMC failures observed in the MCU whatever the source of the disturbance.
In both any of cases the RAM (or EEPROM data memory when available) remains unchanged
and can be used as very efficient way to save the application context and parameters.
Note that the RAM will lose its contents if the device is powered-off. The EEPROM data keeps
its content at power-off but the writing time is much longer.
3.1 SAVING YOUR CONTEXT IN RAM
Figure 3 shows an example of a software auto-recovery implementation:
In Figure 3 we can see that the critical software sequences (door OPEN or CLOSE com-
mands, high speed motor controls) are memorized in a RAM byte ("RAM(SEQ)").
This allows us on the one hand to recover the context if an EMC event leads to an MCU reset,
and on the other hand we can check the source before a executing critical subroutine. In this
case the high speed motor activation is allowed only if RAM(SEQ)=03).
The application parameters (T1&T2 timing values) are also stored in RAM when they are
changed.
This means if a software runaway event occurred or the MCU is reset (by the LVD or the
watchdog), the recovery routine (CRR) will restore the last door command, reload the timing
parameters and resume the program execution without any external intervention.
8/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
Figure 3. Example of Auto-Recovery Software
INIT
MOTOR STOP
N CRR
RAM(SEQ)=00 Call CRR CONTEXT RECOVERY
? ROUTINE
Y
T1=RAM(T1)
T2=RAM(T2)
T1=7s
T2=2s
Y
RAM(SEQ) Call OPEN DOOR
=01 or 03?
WAIT FOR
DOOR CMD
N
Y Y
RAM(SEQ)=01 RAM (SEQ) Call CLOSE DOOR
DOOR CMD
Call OPEN DOOR =02?
UP?
N N
RAM(SEQ)=00
RESET
Y (Go to INIT)
DOOR CMD RAM(SEQ)=02
Call CLOSE DOOR
DOWN?
RETURN
N
OPEN DOOR
RAM(SEQ)=00
LOAD TIMER WITH T1
RAM(SEQ)=03
CALL HI SPEED OPEN
HI SPEED OPEN
LOAD TIMER WITH T2
N
RAM(SEQ)=3 STOP MOTOR
CALL LO SPEED OPEN
? CALL CRR
RETURN
Y
Y
T1=0
?
HI SPEED MOTOR ON
(OPEN)
STORE T1 IN RAM(T1)
RETURN
9/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
3.2 USING THE WATCHDOG FOR LOCAL CONTROL
Very often programmers consider the Watchdog Timer more or less just as a time bomb and
only refresh it to its maximum value to have the widest possible margin without any direct re-
lation to the expected program execution time.
This is a poor approach, a far better method is to use the watchdog timer register to check the
execution times of individual software routines and in case of an abnormality to react promptly
before the Watchdog end of count and either perform an immediate reset or go into a software
recovery routine.
Figure 4. Local Control by the Watchdog
Main
program
Read Watchdog Register
Call Subroutine
Subroutine
running SP1
no yes Time processing
Parasite Period = 300 300 cycles
300 US
CONTINUE
Yes Wdt period & SP1
PROCESSING
RESET
continue VR02129C
10/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
3.3 USING THE RESET FLAGS TO IDENTIFY THE RESET SOURCE
There are several possible internal reset sources: LVD (Low Voltage detector) or Watchdog
reset, POR (Power On Reset), hot reset (parasitic or external reset following a low state of the
Reset pin).
On most of the ST MCUs the reset source is flagged in a "reset register" and this information
is kept as long as the MCU’s power supply is on.
Figure 5 shows how you can test the reset register at the beginning of your program and then
branch to a context recovery routine (depending to the detected reset source) instead of re-
starting the "Power On Reset" initialization routine which is often complex and time con-
suming.
It is very important to detect and manage parasitic resets as they are the most usual cause of
microcontroller EMC failures.
Figure 5. Identify Reset Sources
INIT
CRR2 READ WDG/LVD CRR1
Hot
CONTEXT RECOVERY RESET STATUS Reset CONTEXT RECOVERY
Reset
ROUTINE Occurred FLAGS Occurred ROUTINE
Power-On
Reset
Occurred
INIT1
INIT2
WAIT FOR
DOOR CMD
MAIN
11/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
Table 2. Summary of Auto-Recovery Techniques
Software Quality
Advantage Disadvantage Implementing
Auto-recovery Methods
Check the sequence ex-
Local Control by the Process control of critical Need a calculation of a
ecution time using the
Watchdog sequential blocks accurate time window
WDG timer register
Use the MCU "reset reg-
Fast recovery from unex- ister" or the RAM to de-
ldentify Reset Sources None
pected reset failures tect various reset
sources.
Store software critical
phases and parameters
Save application param-
in RAM or FLASH.
Application context save eters, ensure critical task
Uses MCU resources Use data in RAM or
in RAM or FLASH execution resume in
FLASH to recover the
case of MCU failures.
last context before fail-
ure.
12/14
1
� SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
4 WHAT RESULTS CAN BE ACHIEVED?
ST microcontrollers are designed tested and optimized to remain fully functional with +/-1kV
ESD voltages (according EN1000-4-2 standard) directly applied on any pin. Although this per-
formance is acceptable in most cases, it does not guarantee that the MCU will be fully robust
at application level which is sometimes above 4kV.
Such voltages cannot be withstood by any microcontroller using standard programming tech-
niques. This means that the EMC hardening techniques described in this document are abso-
lutely necessary to improve application robustness in many cases.
Figure 6 quantifies the typical EMC robustness limits you can expect from hardware or soft-
ware EMC-hardening measures (This data is sourced from qualification reports provided by
ST customers).
You can see that good EMC-hardened software can bring the application immunity to a very
high level, limited only by the physical silicon resistance.
Figure 6. Impact of Hardware and Software EMC Hardening
IMMUNITY
LEVEL
(kV)
20
SOFTWARE EMC MEASURES
(PREVENTIVE & AUTO-RECOVERY TECHNIQUES)
HARDWARE EMC MEASURES
(FILTERS, GROUND PLANES, METAL SHIELDS)
STANDARD PROGRAMMING
13/14
1
�SOFTWARE TECHNIQUES FOR IMPROVING EMC PERFORMANCE
"THE PRESENT NOTE WHICH IS FOR GUIDANCE ONLY AIMS AT PROVIDING CUSTOMERS WITH INFORMATION
REGARDING THEIR PRODUCTS IN ORDER FOR THEM TO SAVE TIME. AS A RESULT, STMICROELECTRONICS
SHALL NOT BE HELD LIABLE FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL DAMAGES WITH RESPECT TO
ANY CLAIMS ARISING FROM THE CONTENT OF SUCH A NOTE AND/OR THE USE MADE BY CUSTOMERS OF
THE INFORMATION CONTAINED HEREIN IN CONNEXION WITH THEIR PRODUCTS."
Information furnished is believed to be accurate and reliable. However, STMicroelectronics assumes no responsibility for the consequences
of use of such information nor for any infringement of patents or other rights of third parties which may result from its use. No license is granted
by implication or otherwise under any patent or patent rights of STMicroelectronics. Specifications mentioned in this publication are subject
to change without notice. This publication supersedes and replaces all information previously supplied. STMicroelectronics products are not
authorized for use as critical components in life support devices or systems without the express written approval of STMicroelectronics.
The ST logo is a registered trademark of STMicroelectronics
2001 STMicroelectronics - All Rights Reserved.
Purchase of I2C Components by STMicroelectronics conveys a license under the Philips I2C Patent. Rights to use these components in an
I2C system is granted provided that the system conforms to the I2C Standard Specification as defined by Philips.
STMicroelectronics Group of Companies
Australia - Brazil - China - Finland - France - Germany - Hong Kong - India - Italy - Japan - Malaysia - Malta - Morocco - Singapore - Spain
Sweden - Switzerland - United Kingdom - U.S.A.
http://www.st.com
14/14
