Microchip Technology DM183037 Data Sheet
2012 Microchip Technology Inc.
DS30575A-page 571
PIC18F97J94 FAMILY
28.4
Fail-Safe Clock Monitor
The Fail-Safe Clock Monitor (FSCM) allows the
microcontroller to continue operation in the event of
an external oscillator failure by automatically switch-
ing the device clock to the internal oscillator block.
The FSCM function is enabled by clearing the FSCMx
Configuration bits.
When FSCM is enabled, the LF-INTOSC Oscillator
runs at all times to monitor clocks to peripherals and
provides a backup clock in the event of a clock failure.
Clock monitoring (shown in
microcontroller to continue operation in the event of
an external oscillator failure by automatically switch-
ing the device clock to the internal oscillator block.
The FSCM function is enabled by clearing the FSCMx
Configuration bits.
When FSCM is enabled, the LF-INTOSC Oscillator
runs at all times to monitor clocks to peripherals and
provides a backup clock in the event of a clock failure.
Clock monitoring (shown in
) is accom-
plished by creating a sample clock signal, which is the
output from the LF-INTOSC, divided by 64. This allows
ample time between FSCM sample clocks for a periph-
eral clock edge to occur. The peripheral device clock
and the sample clock are presented as inputs to the
Clock Monitor (CM) latch. The CM is set on the falling
edge of the device clock source, but cleared on the
rising edge of the sample clock.
output from the LF-INTOSC, divided by 64. This allows
ample time between FSCM sample clocks for a periph-
eral clock edge to occur. The peripheral device clock
and the sample clock are presented as inputs to the
Clock Monitor (CM) latch. The CM is set on the falling
edge of the device clock source, but cleared on the
rising edge of the sample clock.
FIGURE 28-3:
FSCM BLOCK DIAGRAM
Clock failure is tested for on the falling edge of the
sample clock. If a sample clock falling edge occurs
while CM is still set, a clock failure has been detected
(
sample clock. If a sample clock falling edge occurs
while CM is still set, a clock failure has been detected
(
). This causes the following:
• The FSCM generates an oscillator fail interrupt by
setting bit, OSCFIF (PIR2<7>)
• The device clock source switches to the internal
oscillator block (OSCCON is not updated to show
the current clock source – this is the fail-safe
condition)
the current clock source – this is the fail-safe
condition)
• The WDT is reset
During switchover, the postscaler frequency from the
internal oscillator block may not be sufficiently stable for
timing-sensitive applications. In these cases, it may be
desirable to select another clock configuration and enter
an alternate power-managed mode. This can be done to
attempt a partial recovery or execute a controlled shut-
down. See
During switchover, the postscaler frequency from the
internal oscillator block may not be sufficiently stable for
timing-sensitive applications. In these cases, it may be
desirable to select another clock configuration and enter
an alternate power-managed mode. This can be done to
attempt a partial recovery or execute a controlled shut-
down. See
for more details.
To use a higher clock speed on wake-up, the INTOSC
or postscaler clock sources can be selected to provide
a higher clock speed by setting bits, IRCF<2:0>,
immediately after Reset. For wake-ups from Sleep, the
INTOSC or postscaler clock sources can be selected
by setting the IRCF<2:0> bits prior to entering Sleep
mode.
The FSCM will detect only failures of the primary or
secondary clock sources. If the internal oscillator block
fails, no failure would be detected nor would any action
be possible.
or postscaler clock sources can be selected to provide
a higher clock speed by setting bits, IRCF<2:0>,
immediately after Reset. For wake-ups from Sleep, the
INTOSC or postscaler clock sources can be selected
by setting the IRCF<2:0> bits prior to entering Sleep
mode.
The FSCM will detect only failures of the primary or
secondary clock sources. If the internal oscillator block
fails, no failure would be detected nor would any action
be possible.
28.4.1
FSCM AND THE WATCHDOG TIMER
Both the FSCM and the WDT are clocked by the
INTOSC Oscillator. Since the WDT operates with a
separate divider and counter, disabling the WDT has
no effect on the operation of the INTOSC Oscillator
when the FSCM is enabled.
As already noted, the clock source is switched to the
INTOSC clock when a clock failure is detected.
Depending on the frequency selected by the
IRCF<2:0> bits, this may mean a substantial change in
the speed of code execution. If the WDT is enabled
with a small prescale value, a decrease in clock speed
allows a WDT time-out to occur and a subsequent
device Reset. For this reason, Fail-Safe Clock events
also reset the WDT and postscaler, allowing it to start
timing from when execution speed was changed and
decreasing the likelihood of an erroneous time-out.
INTOSC Oscillator. Since the WDT operates with a
separate divider and counter, disabling the WDT has
no effect on the operation of the INTOSC Oscillator
when the FSCM is enabled.
As already noted, the clock source is switched to the
INTOSC clock when a clock failure is detected.
Depending on the frequency selected by the
IRCF<2:0> bits, this may mean a substantial change in
the speed of code execution. If the WDT is enabled
with a small prescale value, a decrease in clock speed
allows a WDT time-out to occur and a subsequent
device Reset. For this reason, Fail-Safe Clock events
also reset the WDT and postscaler, allowing it to start
timing from when execution speed was changed and
decreasing the likelihood of an erroneous time-out.
28.4.2
EXITING FAIL-SAFE OPERATION
The Fail-Safe condition is terminated by either a device
Reset or by entering a power-managed mode. On
Reset, the controller starts the primary clock source,
specified in Configuration Register 1H (with any
required start-up delays that are required for the
oscillator mode, such as the OST or PLL timer). The
INTOSC multiplexer provides the device clock until the
primary clock source becomes ready (similar to a Two-
Speed Start-up). The clock source is then switched to
the primary clock automatically after an OST. The Fail-
Safe Clock Monitor then resumes monitoring the
peripheral clock.
The primary clock source may never become ready
during start-up. In this case, operation is clocked by the
INTOSC multiplexer. The OSCCON register will remain
in its Reset state until a power-managed mode is
entered.
Reset or by entering a power-managed mode. On
Reset, the controller starts the primary clock source,
specified in Configuration Register 1H (with any
required start-up delays that are required for the
oscillator mode, such as the OST or PLL timer). The
INTOSC multiplexer provides the device clock until the
primary clock source becomes ready (similar to a Two-
Speed Start-up). The clock source is then switched to
the primary clock automatically after an OST. The Fail-
Safe Clock Monitor then resumes monitoring the
peripheral clock.
The primary clock source may never become ready
during start-up. In this case, operation is clocked by the
INTOSC multiplexer. The OSCCON register will remain
in its Reset state until a power-managed mode is
entered.
Peripheral
INTOSC
÷ 64
S
C
Q
(32
s)
488 Hz
(2.048 ms)
Clock Monitor
Latch (CM)
(edge-triggered)
Clock
Failure
Detected
Source
Clock
Q