Gas leak detection systems are prevalent in many industries and residences today. To develop a safe and reliable device, functional safety must be implemented into its' design. Gas leak detection systems can fall under various functional safety standards depending on where the system's intended use is. For this example, the Microchip PIC® and AVR® UL-certified IEC 60730 Class B software diagnostic library implements functional safety tests. These tests help ensure hardware faults are identified and dealt with if they occur. If a fault occurs and it is not identified, the application could act differently than expected, which poses potential harm to users or the environment. This example uses the AVR EA family of microcontrollers (MCUs) to implement a simple ammonia gas detector which uses the Class B Functional Safety (FuSa) libraries.
This example is for demonstration purposes only, and is not qualified, tested or verified to meet Class B safety standards.
When handling the ammonia containing solution, excerise caution and follow manufacturer's recommendations for ventilation and safety.
A minor change was made to the Class B library to convert the Cyclic Redundancy Check (CRC) from big-endian to little-endian when stored in flash. This enables the SW checksum to be compatiable with the HW checksum.
- Introduction to Functional Safety
- Class B Diagnostic Libraries for Functional Safety, Microchip University
- MQ137 Ammonia Sensor Product Page
- AVR64EA48 Product Page
- AVR EA Family of MCUs
- MPLAB® X IDE v6.20 or newer
- MPLAB XC8 v2.46 or newer
- MPLAB Code Configurator (MCC)
- AVR-Ex_DFP v2.8.189 or newer
- AVR64EA48 Curiosity Nano Evaluation Kit (EV66E56A)
- Curiosity Nano Base for Click Boards™ (AC164162)
- Ammonia Click (MIKROE-4151)
- (Optional) BUZZ 2 Click (MIKROE-2720)
- 2x2 Key Click (MIKROE-2152)
- Ammonia Solution, such as household glass cleaner
- With the power off, insert the AVR64EA48 Curiosity Nano into the Curiosity Nano Base.
- Insert the Ammonia Click into Slot 1.
- On the Ammonia Click, turn the gain potentiometer to the minimum position.
- Insert the Buzz 2 Click in Slot 2, if using one.
- Insert the 2x2 Key Click into Slot 3.
- Connect the Curiosity Nano to the Computer with a USB cable.
- Program the Curiosity Nano with the
FreeorProconfiguration. (For more information, please see Program Setup). - Wait for the sensor to warm-up.
- Once warmed up, press and hold SW0 until the calibration completes.
- Spray a solution containing ammonia near the sensor or apply the liquid to a towel or cloth and waft it over the element. The sensor will react to the change in environmental conditions within a few seconds.
There are four program configurations inside the project. Note: The sensor requires a 24 hour warm-up time before becoming stable. If the microcontroller is power cycled during programming, the timer will restart. For evaluation purposes, only free and pro configurations should be used as these are the "production" versions.
For development, only develop and develop_no_cksm should be used. These development versions do not enforce the 24 hour warm-up time, they will power-up even if the system fails self-check, and retain EEPROM values across programming cycles. However, only the develop_no_cksm version is capable of entering debug mode, but will fail the flash checksum on startup. Note: The user is responsible for ensuring the sensor has warmed up in these modes.
Please consult the table below to determine which configuration to use. For initial evaluation purposes, free or pro are recommended.
| Configuration | Optimization Level | Debug Mode Capable | 24 Hour Warm-Up Time | EEPROM Retained | Checksum Valid |
|---|---|---|---|---|---|
| free | 1 | No | Yes | No | Yes |
| pro | S | No | Yes | No | Yes |
| develop | 1 | No | No | Yes | Yes |
| develop_no_cksm | 1 | Yes | No | Yes | No |
- Open the project inside of MPLAB X IDE.
- At the top left side of the screen, press the white drop-down box (develop in the image).
- Select the desired configuration from the list.
- Recommended configuration for initial testing is
freeorpro.
- In MPLAB X IDE, press the Data Visualizer Icon (shown below) in the top toolbar.
- On the left side of the screen, click the gear icon next to the COM port. The port number may vary.
- Set the baud rate to 115200. No other changes are needed.
- Press the play button next to the gear.
- When prompted, press Send to Terminal, then close.
| Pin | Function |
|---|---|
| PA5 | SDO, Reserved (Ammonia Click) |
| PA6 | SCLK, Reserved (Ammonia Click) |
| PA7 | CS1, Reserved (Ammonia Click) |
| PB2 | SW0 |
| PB3 | LED0 |
| PC0 | UART TX |
| PC1 | UART RX, Reserved |
| PD0 | Sensor Heater (Ammonia Click) |
| PD1 | Buzzer (Buzz 2 Click) |
| PD2 | Button 4, Reserved (2x2 Click) |
| PD4 | Sensor Output (Ammonia Click) |
| PD6 | DAC0 Output |
| PD7 | Button 1 (2x2 Click) |
| PE0 | Button Interrupt, Reserved (2x2 Click) |
| PE1 | Button 3 (2x2 Click) |
| PE3 | Button 2 (2x2 Click) |
| PF6 | nRESET |
| PF7 | UPDI |
Note: Reserved pins are not used in the example, but are allocated by hardware.
- CPU
- Verifies the CPU registers are functioning correctly
- Periodically checks the CPU registers
- Flash*
- Verifies the program flash memory
- Periodically scan the Program Flash Memory (PFM) for errors
- EEPROM*
- Verifies the EEPROM data has not been corrupted
- Periodically scans the EEPROM for errors
- SRAM
- Verifies the SRAM operation on Power-on-Reset (POR)
- Periodically scans the SRAM for errors
- Watchdog Timer (WDT)
- Verifies the WDT hardware is functioning (at start-up)
Note: The Flash and EEPROM have alternative verification modes that do not use the Class B libraries. For the Flash, set the macro FUSA_ENABLE_FLASH_HW_SCAN to use the CRC hardware to perform the scan, rather than the Class B library. The Hardware scan will execute faster. For the EEPROM, set FUSA_ENABLE_EEPROM_SIMPLE_CHECKSUM to use a simpler checksum for calculations, rather than the Class B library. Both of these macros are defined in application.h.
Important: Set the ammonia click to minimum gain before power on!
On Power-on Reset (POR), the system boots up and performs a self-check of the hardware. If no issues are encountered, the system will enter a 24 hour warm-up phase for the sensor. During this period, the sensor will get warm to the touch. Once per hour, the microcontroller will print a message to the UART to indicate the current time remaining as well as run a memory scan to verify the flash memory and EEPROM (EEPROM is only scanned in the Monitor state).
After warm-up, the system will check to see if a calibration is stored in internal EEPROM. If the calibration data is not present, it will print a message to the UART. The user must press and hold SW0 to begin the zero-point sensor calibration.
Once complete, the system will switch to the Monitor state. Once per second, the system flashes the LED, measures the output of the ammonia sensor, performs a self-test of the analog comparator, and then checks for any user inputs. If the ammonia level rises above 50 ppm, the system will enter the Alarm state, sounding the buzzer and blinking the LED. The system will remain in the Alarm state until the concentration drops below 30 ppm.
The Calibration state can be re-entered by pressing SW0 in the Monitor state.
- Button 1 on the 2x2 Click will force the system from monitor to alarm to test the buzzer.
- Button 2 will reset the microcontroller.
- Button 3 will trigger an out-of-cycle memory scan after the next self-check operation.
If at any point during the above an error occurs, the system will enter a Fault state, where it will blink the LED and sound the buzzer in a pattern. The message SYSTEM FAULT is printed to the UART every 10 seconds. This is an infinite loop, and can only be exited by power-cycling the microcontroller or by pulling the hardware reset on PF6 to ground.
Note: Button 2 will not reset the microcontroller when in this state.
This application is controlled by a state machine, as shown below. The state machine is called once per second to run the Watchdog Timer (WDT), get a sample from the sensor, move states, and perform self-checks.
This state is used for initializing the system on POR. The SYS_INIT state only is active during the function Fusa_runStartupSelfTest and POR. If a startup error occurs, the program switches to SYS_ERROR.
This state is active during the sensor warmup. Once an hour, a tick from the Real Timer Clock (RTC) sets a flag and updates the remaining time. The polled function checks the flag status, clears it, and prints a message for the remaining time.
After 24 hours, the function Application_isSensorReady returns true, indicating the sensor is ready for use. If the internal EEPROM is valid, then the system switches to the SYS_MONITOR state or the SYS_ALARM state, depending on the status of the alarm. Otherwise, the system switches to the SYS_CALIBRATE state.
This state is used to handle the sensor calibration. To properly use the sensor, it is necessary to calibrate the sensor against a known zero point at specified environmental conditions. The user must press and hold SW0 until the calibration completes. If no errors occurred during calibration, the system switches to the SYS_MONITOR state.
This state is used to monitor the sensor. The analog comparator is polled to see if the ammonia value is above the ALARM_THRESHOLD_HIGH point. If it is, the system transitions to SYS_ALARM. Otherwise, the analog comparator is checked by the function Fusa_testAC. During this function, the system temporarily enters the SYS_SELF_TEST state, but returns to SYS_MONITOR after executing. An error during self-test function will cause the system to enter the SYS_ERROR state. Finally, if no other issues have occurred and the Alarm Test button is pressed, then the system switches to SYS_ALARM.
This state is only active during the self-test of the Analog Comparator. During this operation, the AC is disconnected from the sensor, and connected to the output of DAC0. At the end of this self-test, the sensor is reconnected to the AC and returned to the previous state. If this state is ever encountered outside of the self-test function, the system goes to the SYS_ERROR state.
This state is active when the alarm is triggered. In this state, the buzzer sounds and the LED blinks. When the threshold falls below the ALARM_THRESHOLD_LOW threshold, the system transitions to SYS_MONITOR. AC self-tests, alarm test, and other functions are not available in this mode.
This state is active if a self-test fails or the state machine enters an unexpected state. The LED blinks and the buzzer sounds in a pattern while printing SYSTEM FAULT to the UART. This state disables interrupts and acts as an infinite loop which cannot be escaped.
This example is an example of implementing an ammonia monitor using the Class B libraries on the AVR EA family of MCUs.