AN-1320: ADuCM360/ADuCM361 Self Diagnostic Features (Rev. 0) PDF

AN-1320
APPLICATION NOTE
One Technology Way • P.O. Box 9106 • Norwood, MA 02062-9106, U.S.A. • Tel: 781.329.4700 • Fax: 781.461.3113 • www.analog.com
ADuCM360/ADuCM361 Self Diagnostic Features
by Michael Looney
INTRODUCTION
The ADuCM360/ADuCM361 are 32-bit, Cortex™-M3-based
microcontrollers that also integrate 24-bit Σ-Δ analog-to-digital
converters (ADC), each with a fully programmable instrumentation amplifier on the front end. These microcontrollers target a
wide range of applications including industrial control and
instrumentation applications. In many of the target applications,
self diagnostic features are important in safety critical environments
and smart recovery from failure modes.
This application note describes some of the ADuCM360/
ADuCM361 features that diagnose issues with the
ADuCM360/ADuCM361 and surrounding circuitry.
Rev. 0 | Page 1 of 6
AN-1320
Application Note
TABLE OF CONTENTS
Introduction .................................................................................. 1
ESD Protection on All External Pins ..........................................5
Revision History ........................................................................... 2
Cortex-M3 Fault Management Features ....................................5
Diagnostic Current Sources ........................................................ 3
Clocks and Timers ........................................................................6
Fully Flexible Analog Input Mux................................................ 4
Clocking Architecture Block Diagram .......................................6
Multiple ADC Reference Sources............................................... 4
Verification of Flash Contents .................................................... 4
REVISION HISTORY
10/14—Revision 0: Initial Version
Rev. 0 | Page 2 of 6
Application Note
AN-1320
DIAGNOSTIC CURRENT SOURCES
For example, if the ADCxCON register, Bit 11 = 0x1 and the
ADCxCON register, Bits[4:0] = 0x1, a 50 µA current flows from
AIN1.
The ADuCM360/ADuCM361 contain two 50 µA diagnostic
current sources. These current sources are different from the
programmable excitation current sources. ADC0 and ADC1
have separate, independent diagnostic current sources.
Similarly, if the ADCxCON register, Bit 10 = 0x1 and the
ADCxCON register, Bits[9:5] = 0x0, a 50 µA current flows from
AIN0.
The diagnostic current sources are routed internally to the
analog input channels currently selected for ADC conversions
via the positive input channel selection, the ADCxCON register,
Bits[9:5], and the negative input channel selection, the
ADCxCON register, Bits[4:0]. As shown in Table 1, the
ADCxCON register, Bits[11:10], enable/disable current sources
to the positive and negative ADC inputs.
Figure 1 shows an example circuit.
A
B
A
Table 1. Register ADCxCON, Bits[11:10]
Bit Name
ADCDIAG
VIN =
ADC0,
ADC1
B
ADC1 (–)
R2*
Description
Diagnostic current bits.
00: Current source off.
01: Enable a 50 µA current on the selected
positive input. For example, AIN0.
10: Enable a 50 µA current on the selected
negative input. For example, AIN1.
11: Enable a 50 µA current on the selected
input. For example, AIN0 and AIN1.
12597-001
Bits
[11:10]
ADC0 (+)
R1*
AVDD
*ASSUMES R1 = R2 = 2kΩ
Figure 1. Example Circuit Using Diagnostic Current Sources
Table 2. Example Scenarios for Using Diagnostic Current Sources 1
Register ADCxCON,
Bits[11:10], Setting
00
Diagnostic Test
Current Source
Description
Current source
off
01
Enable a 50 μA
diagnostic
current source
on AINx
01
Enable a 50 μA
diagnostic
current source
on AINx
Enable a 50 μA
diagnostic
current source
on both AINx
and AINy
11
1
Description
Convert on AINx and
AINy as normal with
diagnostic currents
disabled
Convert AINx and
AINy
Normal Result
Normal result
Fault Result
Not applicable
ADC changes by
ΔV = 50 μA × R1; for
example, ~100 mV
for R1 = 2 kΩ
Convert AINx in
single-ended mode
Expected voltage on
AINx
Short circuit
between AINx and
AINy; short circuit
between R1_A and
R1_B
AINx open circuit or
R1 open circuit
Convert AINx and
AINy
ADC reading changes
by ΔV = 50 μA ×
(R1 − R2), that is,
~10 mV for 10%
tolerance
AINx is the positive input channel and AINy is the negative input channel.
Rev. 0 | Page 3 of 6
R1 does not match
R2
Detected
Measurement
for Fault
Not applicable
ADC reading ≈ 0 V,
regardless of
programmable gain
amplifier (PGA) setting
ADC reading is positive
full scale, even on the
lowest PGA setting
ADC reading > 10 mV
of expected value
AN-1320
Application Note
FULLY FLEXIBLE ANALOG INPUT MUX
Table 3. Register ADCxCON, Bits[13:12]
The ADuCM360/ADuCM361 ADCs have a fully flexible analog
input mux. Because of the fully flexible analog input mux, the
user is not constrained with fixed differential input pairs for
ADC measurements. It is possible to configure a differential
pair with any external analog input pins. In addition, ADC1
allows any external analog input pin to be paired with one of the
internal ADC channels for a differential ADC1 measurement.
Both ADC0 and ADC1 can be connected to any external analog
input pin.
Bits
[13:12]
The fully flexible analog input mux is useful for checking the
following system failures:
•
•
•
Analog input pin voltage check. Cross check vs. a known
supply voltage, vs. a VDAC voltage, or relative to a fixed
external voltage connected to one of the AINx pins.
Functional check on either of the ADCs (ADuCM360
only). Repeat measurement taken on ADC0 by selecting
same input channels and repeating on ADC1. It is also
possible to check the ADC1 reading via ADC0.
Monitor the digital or analog supply voltages via ADC1.
This is useful for battery-powered applications or for
detecting a decaying power supply.
AIN0
AIN1
AIN2
AIN3
AIN4/IEXC
AIN5/IEXC
AIN8/EXTREF2IN–
AIN9/DACBUFF+
AIN10
AIN11/VBIAS1
Description
Reference selection.
00: INTREF-AGND.
01: EXTREF. The external buffer mode is
set in the ADCxCFG register.
10: EXTREF2IN (valid for ADC1 only).
EXTREF2IN+ buffer controlled via the
ADCxCFG register.
11: AVDD-AGND.
Reference options allow safety checking of an external reference
source by repeating the measurement using the internal
reference or by using the analog supply voltage as the ADC
reference source.
This safety checking allows ADuCM360/ADuCM361 systems to
detect a failure with any of the ADC voltage reference sources.
Another feature for the external reference, EXTREF, is the
detection of a drop in the reference voltage that sets a register
status bit. For EXTREF, the status bit in the DETSTA register,
Bit 4, is set to 1 if the source voltage of EXTREF across VREF+ and
VREF− drops below 0.4 V (typical) or below 0.8 V (maximum). To
use this feature, set the DETCON register, Bit 8, to 1.
This feature does not work for the EXTREF2IN± reference
source.
VERIFICATION OF FLASH CONTENTS
AMP
BUF
Along with read/write flash protection mechanisms, the
ADuCM360/ADuCM361 also support a function to verify the
contents of user flash that have not changed since last
programmed; this is the sign feature. More details regarding this
feature are available in the UG-367 User Guide.
AIN6/IEXC
AIN7/VBIAS0/IEXC/
EXTREF2IN+
Bit Name
ADCREF
MUX
Flash Integrity Signature Feature
AMP
The signature checks the integrity of the flash device. The
software can call a signature check command occasionally or
whenever a new block of code is about to be executed. The
signature is a 24-bit cyclic redundancy check (CRC) with the
polynomial x24 + x23 + x6 + x5 + x + 1.
BUF
CURRENT
SOURCES
12597-002
DAC, TEMP,
IOVDD/4,
AVDD/4
Figure 2. ADC Input Mux
MULTIPLE ADC REFERENCE SOURCES
Table 3 shows the reference options available for ADC0 and
ADC1. The reference options are selected via the
ADCxCON register, Bits[13:12].
The sign command generates a signature and checks the
signature of a block of code, where a block can be a single page
or multiple pages. A 24-bit linear feedback shift register (LFSR)
generates the signature. The hardware assumes that the
signature for a block is stored in the upper four bytes of the
most significant page of a block. These four bytes are not
included when generating the signature.
Use the following procedure to generate a signature:
1.
2.
3.
Rev. 0 | Page 4 of 6
Write the start address of the block to the FEEADR0L
register and the FEEADR0H register.
Write the end address of the block to the FEEADR1L
register and the FEEADR1H register.
Write the sign command to the command register (the
FEECMD register = 10).
Application Note
AN-1320
When the command completes, the signature is available in the
sign register. The signature is compared with the data stored in
the upper four bytes of the uppermost page of the block. If the
data does not match the signature, a fail status is returned in the
status register (the FEESTA register, Bits[5:4] = 10).
ESD PROTECTION ON ALL EXTERNAL PINS
While the signature is being computed, all other accesses to
flash are stalled for a 128 kB block, that is, 32,000 reads.
Table 4 shows details about the robustness of the device to
transients from the ADuCM360/ADuCM361 reliability reports.
Each external pin on the ADuCM360/ADuCM361 has a
protection circuit to ground and to the supply rail to protect the
device from electrostatic discharges due to operator or machine
handling.
Note that the FEEADR0L register, the FEEADR0H register, the
FEEADR1L register, and the FEEADR1H register are byte
addresses, but only pages must be identified. The hardware
ignores the lower nine bits.
CORTEX-M3 FAULT MANAGEMENT FEATURES
Note that the user must run the CRC polynomial in user code
first to generate the CRC value and must then write this to the
upper four bytes of the uppermost page of a block. When this
operation is complete, any call of the signature feature compares
this 4-byte value to the result of the signature check function.
When these occur, the Cortex-M3 processor stops executing its
current instruction and vectors to a fixed memory address
where an associated user defined exception handler is executed.
Integrity of the Kernel
The hardware automatically checks the integrity of the kernel
after reset. In the event of a failure, the FEESTA register, Bit 6, is
set and user code cannot run. This bit can be read via a serial
wire read only if the serial wire interface is enabled.
The fault management system of the Cortex-M3 processor
detects bus, memory, and undefined instruction faults.
In this exception handler function, the user code can alert the
system of the fault and proceed with next steps to recover from
the failure or else shut down the ADuCM360/ADuCM361.
Table 5 summarizes the key exceptions.
Table 4. Robustness to Transients
ESD
Model
FICDM
HBM
Package
48-lead
LFCSP
48-lead
LFCSP
ESD Test Specification
JESD22-C101
ESDA/JEDEC JS-0012011
RC Network
R = 1 Ω, C = capacitance of the
package
R = 1.5 kΩ, C = 100 pF
Highest Pass
Level
±1500 V
First Fail
Level
Not applicable
Class
C6
±2500 V
±3000 V
2
Table 5. System Exceptions
Number
1
2
Type
Reset
NMI
Priority
−3 (highest)
−2
3
4
−1
Programmable
5
Hard fault
Memory management
fault
Bus fault
6
Usage fault
Programmable
Programmable
Description
Any reset
Nonmaskable interrupt connected to power supply monitor of
ADuCM360/ADuCM361
All fault conditions if the corresponding fault handler is not enabled
Memory management fault; access to illegal locations
Prefetch fault, memory access fault, data abort, and other address/memory
related faults
Same as undefined instruction executed or illegal state transition attempt
Rev. 0 | Page 5 of 6
AN-1320
Application Note
CLOCKS AND TIMERS
Using software control, a user may select from a choice of four
different system clock sources to allow cross checking of other
clock sources and internal clock circuits.
The ADuCM360/ADuCM361 integrate two on-chip oscillators
and circuitry for an external crystal as follows:
•
•
•
•
Note that, by default, the internal 16 MHz oscillator is the
system clock (UCLK) source.
LFOSC is a 32 kHz low power internal oscillator, used in
low power modes.
HFOSC is a 16 MHz internal oscillator that is used in
active mode.
LFXTAL is a 32 kHz external crystal.
Power saving clock mechanism, which can be enabled and
disabled for a peripheral.
The ADuCM360/ADuCM361 also integrate a watchdog timer.
The watchdog timer is normally enabled in user code to be
refreshed regularly. If user firmware does not run as expected
and fails to refresh the watchdog timer within a predefined
period, the watchdog hardware issues a full system reset.
CLOCKING ARCHITECTURE BLOCK DIAGRAM
FCLK
CORTEX
HCLK
FLASH/SRAM
CLKSYSDIV[0]
CLKCON0[2:0]
CLKDIS[8]
DMA
HFOSC
16MHz OSC
PCLK
DIV2EN
CLKDIS[7]
CD
DAC
LFOSC
CLKCON0[4:3]
LFXTAL
UCLK
CLKDIS[5]
CLKDIS[5]
TIMER0
TIMER0CLK
CLKDIS[6]
CLKDIS[6]
EXTCLK
WATCHDOG
TIMER
PCLK
PCLK
UCLK
WAKE-UP
TIMER
CLKDIS[0]
CLKDIS[1]
CLKDIS[1]
PWMCD
CLKDIS[4]
CLKDIS[3]
CLKDIS[2]
CLKCON1[8:6]
I2CCD
CLOCK
DIVIDER
UART
UARTCLK
TIMER1CLK
CLKDIS[2]
PWM
PWMCLK
CLKCON1[11:9]
UARTCD
SPI1
SPI1CLK
CLKCON1[14:12]
TIMER0CLK
SPI0
SPI0CLK
CLKCON1[5:3]
SPI1CD
CLKDIS[4]
CLKDIS[0]
CLKCON1[2:0]
SPI0CD
CLKDIS[3]
PCLK
UCLK
TIMER1
TIMER1CLK
I2CCLK
I2C
ADC0
ACLK = 125kHz
CLKDIS[9]
NOTES
1. ADuCM361 CLOCKING ARCHITECTURE BLOCK DIAGRAM IS IDENTICAL EXCEPT ADC0 IS REMOVED.
Figure 3. ADuCM360 Clocking Architecture Block Diagram
©2014 Analog Devices, Inc. All rights reserved. Trademarks and
registered trademarks are the property of their respective owners.
AN12597-0-10/14(0)
Rev. 0 | Page 6 of 6
12597-003
ADC1