
Pin behaviour in case of chip defect

Posted: Mon Jan 11, 2021 11:41 am
by doglike
Hi,

I have an application (see attachment), where I switch an N-channel MOSFET with GPIO16 of ESP-WROOM-32E.
GPIO16=HIGH switches the Mosfet ON, that switches a solenoid.

The state of the solenoid is critical and has to be always in a controlled state.
I have a lot of code to monitor this (electrical checks etc.).
In case of an error, I switch GPIO16=LOW and turn off the Mosfet and solenoid → this is the failsafe state.

The only possible error, where I am not sure what will happen is:
What will happen, if the chip/ESP gets broken during runtime?
My desired behaviour is, that GPIO16 goes LOW and triggers the failsafe state automatically.

Does anyone know what will happen in this case?

Thanks in advance!

Re: Pin behaviour in case of chip defect

Posted: Tue Jan 12, 2021 2:31 am
by ESP_Sprite
That is hard to say, especially because a chip can theoretically have a whole bunch of different failure modes. I would say that for a fair few of them, however, the watchdog will eventually reset the chip, so IO16 will be at whatever level it is after a reboot. (I assume that would be tristated, but I'm not sure.)

If you want to be 100% sure of your failsafe, you could implement something like an external watchdog chip combined with a flipflop. If the watchdog times out (because the ESP32 is broken somehow), it resets the ESP32 but also triggers the flipflop which in turn can force the IO-pin into a failsafe state.

Re: Pin behaviour in case of chip defect

Posted: Tue Jan 12, 2021 4:49 am
by becorey
You could do a 555 timer that will pull the gate low after some short time like 50 ms. Then have your ESP32 pulse to reset the 555 timer like every 40 ms. If your ESP32 fails to reset the timer for any reason then the 555 will complete and pull the gate low.
There are probably also watchdog chips that do similar things in a dedicated IC; do some searching.
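A host-side C model of the external watchdog discussed in this thread (50 ms timeout, 40 ms kick, plus a latch as in the flip-flop suggestion), added here as an example and not code from any poster. The names, the 1 ms simulation tick and the assumption that only a power cycle clears the latch are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WDT_TIMEOUT_MS 50   /* external timer expires 50 ms after the last kick */
#define KICK_PERIOD_MS 40   /* healthy firmware kicks every 40 ms */

/* External hardware model: retriggerable timer plus latch (flip-flop). */
typedef struct {
    uint32_t last_kick_ms;
    bool tripped;           /* assumed: cleared only by a power cycle */
} ext_wdt_t;

static void wdt_kick(ext_wdt_t *w, uint32_t now_ms) {
    if (!w->tripped) w->last_kick_ms = now_ms;  /* kicks after a trip are ignored */
}

/* MOSFET gate = GPIO16 AND NOT tripped, so a stuck-HIGH pin cannot hold it on. */
static bool gate_level(ext_wdt_t *w, uint32_t now_ms, bool gpio16) {
    if (now_ms - w->last_kick_ms >= WDT_TIMEOUT_MS) w->tripped = true;
    return gpio16 && !w->tripped;
}

/* Firmware hangs at hang_at and resumes kicking at resume_at (e.g. after a
 * reset); GPIO16 is stuck HIGH the whole time. Returns the time the gate
 * first drops (-1 if never) and reports whether it ever came back on. */
int simulate(uint32_t hang_at, uint32_t resume_at, uint32_t run_ms, bool *back_on) {
    ext_wdt_t w = { 0, false };
    int off_at = -1;
    *back_on = false;
    for (uint32_t t = 0; t < run_ms; t++) {
        bool alive = t < hang_at || t >= resume_at;
        if (alive && t % KICK_PERIOD_MS == 0) wdt_kick(&w, t);
        bool gate = gate_level(&w, t, true);
        if (!gate && off_at < 0) off_at = (int)t;
        if (gate && off_at >= 0) *back_on = true;
    }
    return off_at;
}

int main(void) {
    bool back_on;
    int off_at = simulate(100, 200, 500, &back_on);
    printf("gate off at %d ms, re-energized: %s\n", off_at, back_on ? "yes" : "no");
    return 0;
}
```

The worst-case time from a hang to the gate dropping is the full timeout (a hang just after a kick), so the timeout has to be shorter than the longest interval the solenoid may stay energized without supervision.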

Re: Pin behaviour in case of chip defect

Posted: Wed Jan 13, 2021 10:21 am
by doglike
Hi and thanks for your replies!

I also thought about an additional timer/watchdog chip.
But don't you just shift the failure-problem from the ESP to the timer/watchdog?
Then the additional chip can fail...
I am a little bit stuck...

Re: Pin behaviour in case of chip defect

Posted: Wed Jan 13, 2021 11:56 am
by chegewara
doglike wrote:
Wed Jan 13, 2021 10:21 am
Then the additional chip can fail...
I am a little bit stuck...
Then I will follow this way of thinking and ask: do you have a failsafe in case the transistor fails, or the solenoid, bad soldering, or just the wires? Everything may pass quality tests, but fail after some time.

On the other hand, the ESP32 is a complicated chip, with software that may fail to work, so your initial question is correct, but a watchdog chip is very simple and assuming it will fail is just overthinking IMO.

Re: Pin behaviour in case of chip defect

Posted: Fri Jan 15, 2021 1:42 am
by becorey
Yes, as chegewara said, the watchdog chip is simpler and less likely to fail than the ESP32. So you have shifted the problem from the ESP32 over to the watchdog chip; you shifted the problem from a more likely failure to a less likely failure, and that is a success.

You also can have a watchdog chip that is communicating with the ESP32, so they are both checking each other bi-directionally. Then the most likely occurrence is that the ESP32 fails, and the watchdog protects. The next most likely occurrence is that just the watchdog fails; the ESP detects that and maybe can do something in response, like let you know. And finally, the least likely occurrence is that both the ESP and the watchdog fail at the same time before the watchdog can act. That would pass through a failure, but the probability of it occurring is so much smaller than your original issue.

Re: Pin behaviour in case of chip defect

Posted: Fri Jan 15, 2021 2:45 pm
by doglike
Thank you guys for all the valuable input!
I think I will implement an additional external watchdog.
Do you have any IC suggestions for me?