RTC with Supervisor & Automatic Switchover
What it solves
This page converts four persistent blockers into verifiable capabilities and copy-paste BOM constraints: (1) time integrity across power-fail, (2) ultra-low backup drain, (3) deterministic resets on slow ramps and noise, and (4) safe cross-brand substitution via parameter matching.
Automatic MAIN→VBAT switchover with hysteresis preserves ticks. Power-Fail Timestamp and Reason Code capture root cause for post-mortem and field returns.
- Track: V_sw(fall/rise), ΔV_hys, t_sw
- PF logging: PF_TS=yes, PF_REASON=yes
nA-level VBAT leakage with gated CLKOUT/ALARM prevents phantom drain in storage or deep sleep; quantify leakage at 25 °C and 85 °C.
- I_VBAT_25C / I_VBAT_85C (nA)
- CLKOUT_gate: on/off
Supervisor window + hysteresis with guaranteed tRST(min) and t_GLITCH(min) ensures clean sequencing across slow ramp and noise bursts; add MR debounce.
- V_IT±, V_hys, t_RST(min), t_GLITCH(min)
- MR_debounce and long-press policy
Use an equivalence table: switchover thresholds, VBAT range and leakage, t_sw, t_RST, and I²C address/lock strategy must match before approval.
- VBAT_range, I_VBAT, t_sw, t_RST
- I2C_addr, I2C_lock (OTP/Reg)
- Hysteresis budget: ΔV_hys ≥ 3·σ(V_MAIN_noise) + V_margin
- Reset coverage: tRST ≥ t_clk_lock + t_POR + t_IO_ready
- VBAT life (coin-cell): Life ≈ C_cell / I_VBAT_avg
- RTC drift: Drift_ppm ≈ α_T·ΔT + Aging_ppm + Sens_V·ΔV
BOM Remarks (paste-ready)
- RTC shall auto switchover MAIN→VBAT with ΔV_hys ≥ {Z} mV, t_sw ≤ {Y} µs.
- VBAT leakage ≤ {N} nA @25 °C; provide full-temperature drift data.
- Expose Power-Fail Timestamp and Reason Code via I²C; parts lacking these are not accepted.
- RESET = open-drain with ≥10 kΩ pull-up to host I/O; tRST ≥ {A} ms after MAIN valid.
- Alternatives limited to TI/ST/NXP/Renesas/onsemi/Microchip/Melexis with parameter match & cloud mapping update.
Architecture & Signal Levels
MAIN → LDO/PMIC → Loads; VBAT → RTC backup domain. RTC domain must remain independent from system RESET. Switchover may be analog or digitally controlled; define V_sw(fall/rise), ΔV_hys, and t_sw explicitly.
For slow ramps, chatter is prevented by a hysteresis budget: ΔV_hys ≥ 3·σ(V_MAIN_noise) + V_margin. Specify glitch-absorption window and verify with injected ramps at 0.01/0.1/1 V/ms.
Use open-drain RESET with pull-up to the host I/O rail for level/fan-out compatibility across 1.8/3.3/5 V domains. Avoid push-pull unless strictly level-compatible and isolated.
R_pullup = 10–100 kΩ → HOST_IO; τ ≈ R_pullup · C_line, ensure t_rise < t_margin
Aggregate power-good signals with an active-OR (open-drain). Add a small delay chain (0.5–2 ms) to suppress ping-pong during marginal rails or sequencing edges.
Polarity configurable; gate unneeded sources in deep sleep to cut leakage. When CLKOUT interferes with SCL, gate or re-divide CLKOUT or offset frequencies.
Avoid conflicts on common ranges (e.g., 0x68/0x6F). Prefer OTP or register lock for field robustness; document unlock sequence and audit logging.
Open-drain signals pull up to the host domain. Push-pull crossing domains requires one-way level translation and back-feed protection.
- OD signals pull up to host domain (1.8/3.3/5 V)
- Push-pull across domains → one-way level shifter
- Back-feed protection for mixed rails
- Active-OR with OD, add 0.5–2 ms delay
- Define dependency: clock → I/O → peripherals
- RTC domain independent from system RESET
- Avoid 0x68/0x6F conflicts; document address map
- Lock: OTP or register-lock + audit trail
- CLKOUT near SCL? Gate or divide
Switchover Thresholds & Timing
Systematize thresholds (V_sw(fall/rise), ΔV_hys with tolerance and tempco), delays (t_sw, t_RST, t_delay, t_GLITCH), and ramp/glitch immunity so cross-brand equivalence becomes auditable before substitution.
Define V_sw(fall), V_sw(rise) and ΔV_hys = V_sw(rise) − V_sw(fall). Match not only nominal values but also tolerance (%FSR) and temperature coefficient (ppm/°C), which dominate field stability.
- Tolerance over −40…85 °C: ±%FSR
- Temp coefficient: ppm/°C (rise/fall may differ)
- Budget rule: ΔV_hys ≥ 3·σ(V_MAIN_noise) + V_margin
Specify t_sw(MAIN→VBAT) and t_sw(VBAT→MAIN). Characterize under slow and fast ramps; document digital/analog switchover dispersion and metastable zones.
Guarantee t_RST(min/max) and release t_delay. False trips should be filtered by t_GLITCH(min). Rule of thumb: t_RST ≥ t_clk_lock + t_POR + t_IO_ready.
Qualify dV/dt limits (slow/fast) and a glitch-energy window (width×amplitude). Events with width < t_GLITCH(min) must not assert PF/RESET.
- dV/dt_limit(slow|fast); E_glitch < E_window(max)
- Test at 0.01 / 0.1 / 1 V/ms ramps
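The effect of ΔV_hys and t_GLITCH(min) on false PF assertions can be checked on a sampled model before bench work. The following C sketch is an added example, not vendor or project code; the thresholds, the sample-based time base and the traces are constructed assumptions, and the model applies the same qualification window to both switchover directions.

```c
#include <stddef.h>
#include <stdio.h>

/* Sampled model of the switchover comparator (added example; one sample is
 * one time step, and every threshold and trace here is constructed). */
typedef struct {
    int v_fall_mv;        /* V_sw(fall) */
    int v_rise_mv;        /* V_sw(rise); hysteresis = v_rise_mv - v_fall_mv */
    unsigned glitch_min;  /* t_GLITCH(min) in samples, must be >= 1 */
} sup_cfg_t;

typedef struct { unsigned pf_asserts, releases; int on_vbat; } sup_result_t;

/* An excursion changes state only after glitch_min consecutive samples beyond
 * the active threshold: V_sw(fall) while on MAIN, V_sw(rise) while on VBAT. */
sup_result_t sup_run(const sup_cfg_t *c, const int *mv, size_t n) {
    sup_result_t r = { 0, 0, 0 };
    unsigned run = 0;
    for (size_t i = 0; i < n; i++) {
        int beyond = r.on_vbat ? (mv[i] > c->v_rise_mv) : (mv[i] < c->v_fall_mv);
        run = beyond ? run + 1 : 0;
        if (run > 0 && run >= c->glitch_min) {
            r.on_vbat = !r.on_vbat;
            if (r.on_vbat) r.pf_asserts++; else r.releases++;
            run = 0;
        }
    }
    return r;
}

/* Constructed traces in mV: a noisy slow ramp through 3000 mV and two dips. */
static const int SLOW_RAMP[] = { 3100, 3060, 3030, 2990, 3020, 2985, 3015,
                                 2980, 3010, 2970, 2960, 2940, 2900, 2850 };
static const int SHORT_DIP[] = { 3300, 3300, 2800, 2800, 3300, 3300, 3300 };
static const int LONG_DIP[]  = { 3300, 2800, 2800, 2800, 3300, 3300, 3300, 3300 };
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    const sup_cfg_t no_hys = { 3000, 3000, 1 };  /* no hysteresis, no filter */
    const sup_cfg_t hys    = { 3000, 3100, 1 };  /* 100 mV hysteresis */
    const sup_cfg_t filt   = { 3000, 3100, 3 };  /* plus 3-sample glitch filter */
    printf("ramp, no hysteresis: %u PF asserts\n",
           sup_run(&no_hys, SLOW_RAMP, COUNT_OF(SLOW_RAMP)).pf_asserts);
    printf("ramp, 100 mV hysteresis: %u PF asserts\n",
           sup_run(&hys, SLOW_RAMP, COUNT_OF(SLOW_RAMP)).pf_asserts);
    printf("2-sample dip, filtered: %u PF asserts\n",
           sup_run(&filt, SHORT_DIP, COUNT_OF(SHORT_DIP)).pf_asserts);
    printf("3-sample dip, filtered: %u PF asserts\n",
           sup_run(&filt, LONG_DIP, COUNT_OF(LONG_DIP)).pf_asserts);
    return 0;
}
```

On the constructed ramp the comparator without hysteresis chatters, while the 100 mV window yields a single PF event and the filter ignores the dip shorter than the qualification window.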
On power-fail: assert RESET → write PF_TS/Reason (idempotent, sequence-protected) → switch to VBAT. Apply write guards and monotonic SEQ_ID.
Drift_ppm = Temp_Coeff·ΔT + Aging + Supply_Sens·ΔV. Keep total drift within system budget across service life and supply variance.
Cross-brand comparison fields (copyable JSON)
{
"V_sw_fall": "V", "V_sw_rise": "V", "DeltaV_hys": "mV",
"Tol_percent_FSR": "%FSR", "TempCoef_ppm_C": "ppm/°C",
"t_sw_main_to_vbat": "µs", "t_sw_vbat_to_main": "µs",
"t_RST_min": "ms", "t_RST_max": "ms", "t_delay_release": "ms",
"t_GLITCH_min": "µs",
"dVdt_limit_slow": "V/ms", "dVdt_limit_fast": "V/ms",
"PF_TS_support": "yes|no", "PF_reason_support": "yes|no",
"Drift_model": { "Temp_Coeff": "ppm/°C", "Aging": "ppm/yr", "Supply_Sens": "ppm/V" }
}
BOM Remarks (paste-ready)
- Switchover thresholds: V_sw(fall)={A} V, V_sw(rise)={B} V, ΔV_hys ≥ {Z} mV (−40…85 °C).
- Delays: t_sw(M→V) ≤ {Y} µs, t_sw(V→M) ≤ {Y2} µs under slow/fast ramps.
- Reset: t_RST(min) ≥ {T} ms; glitch immunity t_GLITCH(min) ≥ {G} µs.
- Ramp immunity: pass at {SLOW} V/ms and {FAST} V/ms without false PF/RESET.
- PF logging: support PF_TS + Reason with write protection and sequence IDs.
Power-Fail Timestamp & Reason Codes
Ensure power events are traceable and diagnosable. Define log structure, write strategy (priority, buffering, idempotency), NV endurance trade-offs, secure read/clear flow, and anti-replay controls to close the RMA loop.
PF_TS as Unix (s/subs) or BCD (YYMMDDhhmmss). PF_REASON enumerates UVLO/BOD/Manual/McuReq/… with priorities. Optional fields: SEQ_ID, CRC, WRITE_PROT.
On PF, assert RESET, then write PF_REASON and PF_TS into a protected buffer (shadow) before NV commit. Keep writes idempotent with SEQ_ID and atomic commit.
Compare EEPROM/FRAM/Shadow RAM for latency, endurance and data safety. Prefer append-only logs with bounded depth, sequence numbers and CRC; evict oldest when full.
Read earliest in boot (<50 ms), uplink with SEQ_ID, optionally clear under an explicit enable. Support offline buffering and reliable re-upload.
Provide read-only windows, write password or OTP locks, CRC integrity, and anti-replay (reject stale SEQ_ID). Audit who changed what and when.
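The commit rules described in this section (CRC per record, idempotent retry with the same SEQ_ID, rejection of stale SEQ_ID, bounded depth with oldest-first eviction) are shown below as an added C example, not code from any vendor or from this page. The record layout, the CRC-16/CCITT-FALSE polynomial, the depth of 4 and all function names are assumptions, and the store is modelled in RAM rather than in EEPROM/FRAM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PF_LOG_DEPTH 4u   /* assumed retained depth */
typedef enum { PF_UVLO = 1, PF_BOD, PF_MANUAL, PF_MCUREQ } pf_reason_t;
typedef enum { PF_OK, PF_DUPLICATE, PF_STALE, PF_BAD_CRC } pf_status_t;
typedef struct { uint32_t seq_id, pf_ts; uint8_t reason; uint16_t crc; } pf_rec_t;
typedef struct { pf_rec_t slot[PF_LOG_DEPTH]; uint32_t head, count, last_seq; } pf_log_t;

/* CRC-16/CCITT-FALSE; the page only asks for "CRC", so this choice is an assumption. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    for (; n--; p++) {
        crc ^= (uint16_t)(*p << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* CRC over a fixed little-endian serialization so struct padding never enters it. */
static uint16_t pf_rec_crc(const pf_rec_t *r) {
    uint8_t b[9];
    for (int i = 0; i < 4; i++) {
        b[i]     = (uint8_t)(r->seq_id >> (8 * i));
        b[4 + i] = (uint8_t)(r->pf_ts  >> (8 * i));
    }
    b[8] = r->reason;
    return crc16(b, sizeof b);
}

pf_rec_t pf_make(uint32_t seq, uint32_t ts, pf_reason_t why) {
    pf_rec_t r = { seq, ts, (uint8_t)why, 0 };
    r.crc = pf_rec_crc(&r);
    return r;
}

/* Append-only commit. Re-sending the newest record is a no-op (idempotent retry);
 * any other SEQ_ID at or below last_seq is refused as stale. */
pf_status_t pf_commit(pf_log_t *lg, const pf_rec_t *r) {
    if (pf_rec_crc(r) != r->crc) return PF_BAD_CRC;
    if (lg->count && r->seq_id <= lg->last_seq) {
        const pf_rec_t *newest = &lg->slot[(lg->head + lg->count - 1) % PF_LOG_DEPTH];
        return (r->seq_id == newest->seq_id && r->pf_ts == newest->pf_ts &&
                r->reason == newest->reason) ? PF_DUPLICATE : PF_STALE;
    }
    uint32_t idx = (lg->head + lg->count) % PF_LOG_DEPTH;  /* free slot, or oldest when full */
    if (lg->count < PF_LOG_DEPTH) lg->count++;
    else lg->head = (lg->head + 1) % PF_LOG_DEPTH;          /* evict oldest */
    lg->slot[idx] = *r;
    lg->last_seq = r->seq_id;
    return PF_OK;
}

int main(void) {
    static pf_log_t lg;                                    /* zero-initialised RAM model */
    pf_rec_t a = pf_make(1, 1700000000u, PF_UVLO);         /* constructed sample values */
    pf_rec_t stale = pf_make(1, 1700009999u, PF_MANUAL);   /* reuses SEQ_ID 1 */
    int first = pf_commit(&lg, &a);
    int retry = pf_commit(&lg, &a);
    printf("first=%d retry=%d stale=%d\n", first, retry, pf_commit(&lg, &stale));
    return 0;
}
```

On real non-volatile storage the CRC or a commit marker would be written last so that a write interrupted by power loss leaves a record that fails verification instead of a half-valid entry.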
BOM Remarks (paste-ready)
- Implement PF_TS (Unix or BCD) and PF_REASON enum with priority mapping.
- Logs must be append-only with SEQ_ID, CRC, and idempotent commits.
- NV endurance ≥ {X} cycles; retained depth ≥ {N} entries.
- Provide read-only window / OTP lock for log registers; reject devices without write-protection.
- Update cloud schema when cross-brand alternatives are used; enforce field parity checks.
Wake Sources & Policies
Define what can wake, when it may wake, and how events are filtered and prioritized. Prevent false wakes and oscillations by combining priority, interlocks, inhibit windows, and debounce.
- ALARM: absolute (date/time) or periodic (interval); optional calendar.
- PG-OR: any required supply OK via open-drain active-OR.
- WDT-IRQ: pre-timeout early warning window before reset.
Key fields: ALARM_MODE{abs|periodic|both}, PG_OR_MASK, WDT_PREWIN(ms)
Recommended priority: PG-OR > WDT-IRQ > ALARM. Add boot inhibit window t_inhibit_boot to avoid repeated wakes; require long-press threshold on MR/key; enable dual-confirm (e.g., PG-OR ∧ ALARM) near boundaries.
Params: t_inhibit_boot, t_longpress, policy_dual_confirm
Gate CLKOUT, enable only needed IRQs, and raise thresholds to reduce false positives. Track averaged VBAT current for before/after comparison.
Fields: CLKOUT_GATE{on/off}, IRQ_MASK, THRESH_HIGHER{on/off}
- Debounce: t_debounce_kb, t_debounce_pg
- Re-arm window: t_rearm_window (merge repeats)
- Counter threshold: N_repeat_max triggers downgrade (Minimal Boot) or lock
- Priority: PG-OR > WDT-IRQ > ALARM; boot inhibit t_inhibit_boot={100–500 ms}.
- MR/key: t_longpress ≥ {1500 ms}; debounce t_debounce_kb ≥ {30 ms}.
- PG-OR debounce t_debounce_pg ≥ {2 ms}; re-arm window t_rearm_window ≥ {1 s}.
- Enable CLKOUT_GATE when in Deep Sleep; restrict IRQ_MASK to chosen sources.
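One way to combine the recommended priority, the boot inhibit window, the re-arm window and the repeat counter into a single decision function is sketched below in C. This is an added example, not firmware from the page or from any vendor; the bit assignments, the `ACT_MERGED` state, the choice to let each repeat extend the re-arm window and the sample policy values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Pending wake sources as bit flags (names follow the page; values are assumptions). */
enum { SRC_ALARM = 1u << 0, SRC_WDT_IRQ = 1u << 1, SRC_PG_OR = 1u << 2 };
typedef enum { ACT_IGNORE, ACT_MERGED, ACT_FULL_RUN, ACT_MINIMAL_BOOT } wake_action_t;

typedef struct {
    uint32_t t_inhibit_boot_ms;  /* boot inhibit window */
    uint32_t t_rearm_window_ms;  /* repeats inside this window are merged */
    unsigned n_repeat_max;       /* merged repeats tolerated before downgrade */
} wake_policy_t;

typedef struct { uint32_t boot_ms, last_ms; unsigned last_src, repeats; } wake_state_t;

/* Recommended priority: PG-OR > WDT-IRQ > ALARM. */
unsigned wake_pick(unsigned pending) {
    if (pending & SRC_PG_OR)   return SRC_PG_OR;
    if (pending & SRC_WDT_IRQ) return SRC_WDT_IRQ;
    return pending & SRC_ALARM;
}

wake_action_t wake_decide(const wake_policy_t *p, wake_state_t *s,
                          unsigned pending, uint32_t now_ms) {
    unsigned src = wake_pick(pending);
    if (!src || now_ms - s->boot_ms < p->t_inhibit_boot_ms)
        return ACT_IGNORE;                       /* nothing pending, or still inhibited */
    if (src == s->last_src && now_ms - s->last_ms < p->t_rearm_window_ms) {
        s->last_ms = now_ms;                     /* assumption: a repeat extends the window */
        return (++s->repeats > p->n_repeat_max) ? ACT_MINIMAL_BOOT : ACT_MERGED;
    }
    s->last_src = src;                           /* new source or window expired */
    s->last_ms = now_ms;
    s->repeats = 0;
    return ACT_FULL_RUN;
}

int main(void) {
    const wake_policy_t p = { 200, 1000, 2 };    /* constructed policy values */
    wake_state_t s = { 0, 0, 0, 0 };
    const struct { uint32_t t; unsigned pending; } ev[] = {   /* constructed event trace */
        { 50, SRC_ALARM }, { 300, SRC_ALARM | SRC_PG_OR }, { 400, SRC_PG_OR },
        { 900, SRC_PG_OR }, { 1500, SRC_PG_OR }, { 3000, SRC_ALARM } };
    for (unsigned i = 0; i < sizeof ev / sizeof ev[0]; i++) {
        wake_action_t a = wake_decide(&p, &s, ev[i].pending, ev[i].t);
        printf("t=%u ms -> action %d\n", (unsigned)ev[i].t, (int)a);
    }
    return 0;
}
```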
Integration & Sequencing
Clarify RESET fanout and level compatibility, PG aggregation and domain dependencies. Ensure the slowest domain is covered by RESET, with RTC domain isolated from global resets.
Prefer open-drain with pull-up to the host domain (1.8/3.3/5 V). Use one-way level shifters where necessary and add back-feed protection to prevent reverse currents.
Fields: R_pullup (10–100 kΩ), level_shifter, backfeed_protect
Use open-drain active-OR for PG signals, then add a short delay chain to suppress ping-pong. Specify PG_DELAY and PG_STABLE windows.
Order: MAIN → CLK → IO → PERIPH; RTC domain remains alive. Release RESET only after stability. Ensure t_RST(min) ≥ t_clk_lock + t_POR + t_IO_ready.
Debounce the manual reset pin; enforce a long-press for safe shutdown paths: write PF first, then assert RESET. Isolate dangerous combinations (key + noise) into Minimal Boot only.
Fields: t_debounce_mr, t_longpress_mr
- RESET is open-drain, R_pullup=10–100 kΩ, add one-way level shifter when domains differ; enable back-feed protection.
- PG via OD active-OR with PG_DELAY={0.5–2 ms}, PG_STABLE={1–5 ms}; forbid ping-pong.
- Release RESET after sequence MAIN→CLK→IO→PERIPH is stable; t_RST(min) covers the slowest domain.
- MR: t_debounce_mr ≥ {30 ms}, t_longpress_mr ≥ {1500 ms}; log PF before global reset.
Ultra-Low Leakage Design
Make VBAT leakage measurable, comparable, and committable. Use uniform KPIs:
I_VBAT_total(25 °C), I_VBAT_total(85 °C), I_VBAT_sleep, I_VBAT_alarm_on.
Target example: ≤ 50 nA @25 °C (typ) / ≤ 150 nA @85 °C (max).
I_total = ΣI_IC(self) + Σ(V/R_pullup) + ΣI_ESD(static) + ΣI_protect + I_meter_inj.
Disable unused pins/functions: CLKOUT, ALARM, INT, TEST, GPIOx.
- Pull-ups on VBAT domain: prefer 330 k–1 MΩ if timing margins allow.
- Choose low-leak ESD arrays; account for temperature rise of static leakage.
- Short traces, guard ring to ground around VBAT sense node.
- Check protection diode orientation; eliminate reverse-feed paths.
- Clean flux residues (QFN/DFN exposed pad); conformal coat to reduce moisture leakage.
- Use picoammeter with triax/guard; warm-up & zero-drift compensation.
- Environment: shielded box, RH < 20%, 25 °C / 85 °C chamber.
- Sampling: 60 s mean, discard first 10 s; record mean/σ/max.
- VBAT total leakage KPI: ≤ 50 nA @25 °C (typ) / ≤ 150 nA @85 °C (max).
- VBAT pull-ups: 330 k–1 MΩ; gate CLKOUT; mask unused IRQs.
- Use low-leak ESD/protect parts; provide cleaning & coating process notes.
Validation
Scenarios: temperature, ramp slope, glitch tolerance, wake regression, timekeeping/logging. Metrics: pass/fail/borderline, false-trigger rate, drift, jitter.
Acceptance examples: |t_sw_error| ≤ max(20%, 20 µs), P_false ≤ 1e-3, RTC drift within spec, leakage meets Chapter 7 KPI.
Test dV/dt = 0.01/0.1/1 V/ms; record t_sw(M→V) / t_sw(V→M) and tolerance. Use programmable supply; log CSV.
Pulse widths: 0.5/1/5/10 µs; amplitude: ΔV=5–20% V_MAIN. Metric: false-trigger rate and t_GLITCH(min) discrimination.
Test at −40/25/85 °C: RTC drift (ppm), VBAT leakage, RESET pulse width change. Drift must meet spec; leakage meets Chapter 7 KPI.
Verify ALARM period error, t_inhibit_boot effectiveness, and PG-OR jitter immunity (no Full Run while jitter persists).
PF_TS ordering, Reason priority, and monotonic SEQ_ID; ensure idempotent writes and safe retry on power-loss.
- Ramp: |t_sw_error| ≤ max(20%, 20 µs)
- Glitch: P_false ≤ 1e-3, correct t_GLITCH(min)
- RTC drift: within spec at −40/25/85 °C
- Leakage: ≤ 50 nA @25 °C (typ) / ≤ 150 nA @85 °C (max)
- Wake: inhibit window effective; jitter -> no Full Run
- Logs: PF_TS/Reason ordered; SEQ_ID monotonic
Cross-Brand IC Mapping
Engineering-only comparables under four buckets:
RTC+Switchover, External Supervisor interface, RTC+Power-Fail log, and RTC+Alarm/Wake.
Use the parameter checklist to verify before approving alternates:
V_sw(f/r), ΔV_hys, t_sw, VBAT range, I_VBAT(25/85 °C),
t_RST, I²C address/lock, output type (OD>PP), package and AEC-Q100.
| Brand | Part number(s) | Bucket | Reasons to pick | Constraints / Notes | I²C addr (typ) | RESET type |
|---|---|---|---|---|---|---|
| TI | BQ32000 / BQ32001; TPS389x | RTC+Switchover; External Supervisor | Very low VBAT current on RTC; TPS389x offers precise thresholds and configurable tRST; OD variants fan out easily. | BQ3200x lacks NV PF timestamp; verify switchover hysteresis; pick OD suffix for TPS389x (avoid PP when paralleled). | 0x68 (RTC) | OD (selective) |
| ST | M41T62 / M41T65; STM706 / STM811 | RTC+Switchover; External Supervisor | Wide VBAT range, alarm/CLK features; supervisors cover multiple UVLO options with low Iq. | Some SKUs default CLKOUT on—gate to control leakage; avoid PP reset when multi-source fanout is required. | varies (datasheet) | OD variant advised |
| NXP | PCF8523 / PCF8563 | RTC+Alarm/Wake | Common footprint, mature software ecosystem, easy to source; timer/alarm complete. | Frequent address overlap with other 0x68/0x51 devices; gate CLKOUT to avoid SCL beat interference. | 0x68 / 0x51 (model-dep.) | n/a (RTC only) |
| Renesas | ISL1208 / ISL1209; ISL880xx | RTC+PF log; External Supervisor/Watchdog | RTC provides power-fail flag / NV fields—better for PF logging; supervisors include window watchdog options. | VBAT leakage higher than ultra-low RTCs—check Chapter 7 KPI; ensure window settings match firmware policy. | 0x6F (typ for RTC) | OD (select by suffix) |
| onsemi | NCP30x / NCP31x (Reset) | External Supervisor | Broad threshold options, cost-effective, OD selections available for fanout sequencing. | Some variants are PP only—do not wire-OR; select OD for multi-domain compatibility. | n/a | OD or PP (choose OD) |
| Microchip | MCP79310 / MCP79312; MCP131x / MCP132x | RTC+PF log/Alarm; External Supervisor | RTC models include alarm and power-fail flags; supervisors offer rich tRST/threshold combos; strong docs. | Check supply cadence for specific packages; 0x6F address may clash with fuel-gauges—plan readdress or mux. | 0x6F (RTC family) | OD variant advised |
| Melexis | SBC / system IC path (use SBC WDT/Reset with 3rd-party RTC) | System-level Reset/WDT (car) | Leverage automotive SBC watchdog/reset for sequencing and diagnostics; pair with low-leak RTC for VBAT domain. | Validate reset-level compatibility (SBC ↔ RTC RESET fanout). Use AEC-Q100 parts across the chain. | n/a | SBC reset (OD typical) |
Verify datasheets for exact V_sw/ΔV_hys/t_sw and I²C address options. Treat open-drain RESET as default for multi-source fanout; avoid push-pull where lines may be wire-ORed.
BOM Remarks & Procurement Hooks
- RTC shall support automatic MAIN→VBAT switchover with hysteresis ≥ {Z} mV and latency ≤ {Y} µs.
- VBAT leakage ≤ {N} nA @25 °C; provide full-temperature drift data to 85 °C.
- Expose Power-Fail Timestamp + Reason Code via I²C; parts without non-volatile flag are not accepted.
- RESET output shall be open-drain, pull-up to host I/O (≥ 10 kΩ); tRST ≥ {A} ms after MAIN valid.
- I²C address must avoid conflict with {list}; if fixed, provide board-level mux or re-address plan.
- Alternatives must be from TI/ST/NXP/Renesas/onsemi/Microchip/Melexis; update cloud telemetry mapper before release.
- Gate CLKOUT in VBAT domain; mask unused IRQs.
- Use VBAT pull-ups 330 k–1 MΩ if edges still meet timing.
- Specify t_inhibit_boot = {100–500 ms} to block jitter-wake.
- Add CRC/lock for PF log writes; “append-only” scheme with SEQ_ID.
- Provide lot/date code on COC; maintain PF log format mapping.
- SEQ_ID must be monotonic across boots; retain last N logs.
- AEC-Q100 grade (if automotive scope); ESD class as per system spec.
FAQs
How is MAIN→VBAT switchover hysteresis chosen to prevent chatter on slow ramps?
Choose ΔV_hys large enough that expected ramp noise and dV/dt cannot re-cross the threshold. For typical systems, 50–150 mV works; use the higher end for very slow ramps (<0.05 V/ms). Add a minimum on-time/off-time (t_sw_blank ≥ 1–5 ms) or RC filtering at the sense node to suppress chatter without delaying valid transitions.
What minimum reset pulse width guarantees a cold MCU clock domain?
Set tRST ≥ max(oscillator start-up + PLL lock + worst boot strap), with margin. For crystals, budget 50–80 ms; many boards adopt 100 ms as a safe floor. Ensure RESET asserts after power-valid by at least 10 ms and deasserts only when all rails and the slowest clock domain report stable PG.
How do I bound RTC drift across −40~+85 °C without temperature-compensated parts?
Establish a ppm budget: Drift_ppm = aging + temp_coeff×ΔT + voltage sensitivity. Factory-calibrate at 25 °C, log trim, then apply periodic field calibration (e.g., sync to GNSS/NTP daily). Use voltage-stable VBAT, minimize series resistance, and record temperature to apply a linear correction. Many systems hold <±20 ppm with weekly synchronization.
When should RESET be open-drain instead of push-pull on mixed-voltage boards?
Prefer open-drain when multiple sources must wire-OR, when fanout spans 1.8/3.3/5 V domains, or when downstream pull-up level must match the host I/O. Push-pull is acceptable only point-to-point in a single voltage domain. If any parallel source exists, or unknown sinks may attach, mandate open-drain with ≥10 kΩ pull-up.
How do I log a power-fail timestamp if the bus dies before the write?
Use a PF interrupt with highest priority, keep a preformatted record in shadow RAM/FRAM, and perform an idempotent append with a SEQ_ID. Hold up the bus with a small energy buffer long enough for a single I²C write (e.g., 1–2 ms). If the write aborts, retry once at next boot using the same SEQ_ID to avoid duplicates.
Can I gate CLKOUT to cut leakage without breaking ALARM wake?
Yes—if ALARM timing is generated internally by the RTC and not derived from CLKOUT. Gate CLKOUT during deep sleep and enable only when a host needs a reference. Verify that gating reduces VBAT leakage (often several nA to tens of nA) and that ALARM interrupt polarity, debounce, and t_inhibit prevent spurious wakes when CLKOUT re-enables.
How do I avoid I²C address conflicts when adding a supervisor next to the RTC?
Audit existing 7-bit addresses, especially 0x68 and 0x6F. Prefer parts with configurable address pins or a lockable alternate address. If fixed, insert a simple mux or isolate via secondary bus. On boot, run a probe routine to confirm the expected map and log anomalies before enabling periodic transactions or ALARM-driven bus activity.
What is a safe debounce for MR that still allows a “long-press to force reset”?
Use 20–50 ms debounce for MR to reject key chatter, then implement a firmware long-press of 2–5 s to force reset. Add a release-to-rearm delay (200–500 ms) and ignore MR while RESET is asserted. If MR also wakes the system, add a t_inhibit window so wake events cannot retrigger immediately after a forced reset.
How do I prioritize ALARM vs PG-OR vs WDT-IRQ to avoid bounce-wake loops?
Prioritize: PG-OR first (power validity), then ALARM, then WDT-IRQ. If PG is jittering, stay in a “Wake Pending” state and hold t_inhibit (100–500 ms) before promoting to Full Run. Rate-limit repeated ALARM or WDT events with a counter and cool-off window. Clear pending flags atomically before exiting the wake handler.
What parameters must match when switching brands for VBAT switchover parts?
Match V_sw(fall/rise), ΔV_hys, t_sw, VBAT range, I_VBAT(25/85 °C), RESET type (open-drain), tRST(min), I²C address/lock behavior, and alarm polarity. Confirm package pinout and AEC-Q100 grade if automotive. Validate on your ramp/temperature profiles and re-measure leakage with CLKOUT gated; update telemetry mapping before release.
How can I test t_sw and t_RST reproducibly in the lab?
Use a programmable supply for controlled ramps (0.01/0.1/1 V/ms) and glitch widths (0.5–10 µs). Trigger scope on RESET edge; measure t_sw at V_sw crossing and tRST high time. Take 10 samples, discard the first, report mean/max and σ. Repeat at −40/25/85 °C and with CLKOUT gated to capture worst-case behavior.
What’s the clean migration path from EEPROM-based PF logs to FRAM/Shadow-RAM?
Freeze the schema, add a version field, and implement an import routine that reads EEPROM records, verifies CRC, assigns monotonic SEQ_ID, and writes to FRAM append-only. Keep a rollback flag until verification passes. During cutover, mirror new events to both stores for one release, then disable EEPROM writes and retire legacy readers.