AN78175 PSoC 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library ® Author: Taras Kuzo, Dmytro Makara, Vasyl Parovinchak Associated Project: Yes Associated Part Family: CY8C3xxx, CY8C5xxx Software Version: PSoC® Creator™ 2.2 SP1 Related Application Notes: AN79973 If you have a question, or need help with this application note, contact the author s at [email protected], [email protected], [email protected]. ® AN78175 describes the PSoC 3 and PSoC 5LP IEC60730 Class B Safety Software Library and includes an example project with self-check routines to ensure reliable and safe operation. Library routines and examples in the example project can be directly integrated with the end user’s application. This application note also describes the API functions that are available in the Library. Contents Introduction .......................................................................2 Recommendations and Examples................................... 24 Overview of Annex H.........................................................2 UDB Configuration Registers Test ............................. 24 Start-up Configuration Registers Test ........................ 26 Watchdog Test ........................................................... 27 Windowed Watchdog Timer ....................................... 27 Example of Communications UART Data Transfer Protocol ...................................................................... 30 Data Delivery Controlling ........................................ 30 PSoC Implementation............................................. 31 Summary ......................................................................... 34 Class B Requirements.......................................................3 API Functions for PSoC 3 and PSoC 5LP .........................4 CPU Registers Test ......................................................4 Program Counter ..........................................................5 Program Flow Testing ..................................................5 Interrupt Handling and Execution .................................6 Clock ............................................................................7 FLASH (Invariable Memory) .........................................9 Error Correction Code (ECC) Method .......................9 Checksum Method .................................................. 10 EEPROM (Invariable Memory) ................................... 11 SRAM (Variable Memory)........................................... 12 March Test .............................................................. 13 March C Test .......................................................... 13 March C Minus Test................................................ 13 MARCH C MINUS ALGORITHM: ........................... 13 March B Test .......................................................... 14 Stack Overflow Test ................................................... 15 Digital I/O.................................................................... 16 A/D Converter............................................................. 16 D/A Converter............................................................. 18 Comparator ................................................................ 19 PGA ............................................................................ 19 TIA .............................................................................. 20 Opamp........................................................................ 21 Communications UART .............................................. 23 Communications SPI .................................................. 23 www.cypress.com References ...................................................................... 34 Appendix A ...................................................................... 35 Appendix B ...................................................................... 37 Appendix C ..................................................................... 38 Appendix D ..................................................................... 39 MISRA Compliance .................................................... 39 Worldwide Sales and Design Support ............................. 43 Document No. 001-78175 Rev. *E 1 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Introduction Today, the majority of automatic electronic controls for home appliance products use single-chip microcontrollers. Manufacturers develop real-time embedded firmware that executes in the MCU and provides hidden intelligence to control home appliances. MCU damage due to overheating, static discharge, extremely high voltage, or other factors can cause the appliance to enter an unknown or unsafe state. The International Electrotechnical Commission (IEC) has developed safety standard IEC 60730-1 that discusses mechanical, electrical, electronic, environmental endurance, EMC, and abnormal operation for home appliances. This application note focuses on Annex H Class B: Requirements for Electronic Controls. This portion of the standard details test and diagnostic methods to ensure safe operation of embedded control hardware and software for home appliances. Overview of Annex H Annex H of the IEC 60730-1 standard classifies appliance software into the following: Class A Control functions not intended to be relied upon for the safety of the equipment Examples: Humidity controls, lighting controls, timers, and switches. According to the IEC 60730-1 standard, a manufacturer of automatic electronic controls must design its Class B software using one of the following structures: Single channel with functional test Single channel with periodic self-test Dual channel without comparison (see Figure 1) In the single-channel structure with functional test, the software is designed using a single CPU to execute the functions as required. The functional test is executed after the application starts to ensure that all the critical features are functioning reliably. In the single-channel structure with the periodic self-test, the software is designed using a single CPU to execute the functions as required. The periodic tests are embedded within the software, and the self-test occurs periodically while the software is in execution mode. The CPU is expected to regularly check the critical functions of the electronic control without conflicting with the end application’s operation. In the dual-channel structure without a comparison, the software is designed using two CPUs to execute the critical functions. Before executing a critical function, both CPUs are required to share that they have completed their corresponding task. For example, when a laundry door lock is released, one CPU stops the motor spinning the drum and the other CPU checks the drum speed to verify that it has stopped, as shown in the following figure. Figure 1. Dual Channel without Comparison Structure Class B Control functions intended to prevent unsafe operation of controlled equipment. Examples: Thermal cut-offs and door locks for laundry equipment. Class C Control functions intended to prevent special hazards (such as an explosion caused by the controlled equipment). Examples: Automatic burner controls and thermal cutouts for closed, unvented water heater systems. Large appliances, such as washing machines, dishwashers, dryers, refrigerators, freezers, and cookers/stoves, tend to fall under the Class B classification. An exception is an appliance that might cause an explosion, such as a gas-fired controlled dryer, which falls under class C. The Class B Safety Software Library and the example project described in this application note implement the self-test and self-diagnostic methods that are in the Class B category. These methods use various measures to detect software-related faults and errors and respond to them. www.cypress.com The dual-channel structure implementation is costlier because two CPUs (or two MCUs) are required. In addition, they are more complex because two devices are needed to regularly communicate with each other. The single-channel structure with a functional test is most commonly implemented today. However, appliance manufacturers are moving to the single-channel structure with the periodic self-test implementation. Document No. 001-78175 Rev. *E 2 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Class B Requirements In addition, the following system requirements are recommended to run the Class B Safety Software Library: The IEC60730-1 Class B Annex H Table H.11.12.7 has a list of the components that must be tested, depending on the software classification. Generally, each component offers optional measures to verify/test the corresponding components, and provides flexibility for manufacturers. To provide Class B IEC 60730 compliance for the singlechannel structures, manufacturers of electronic controls are required to test the components listed in the following table. Table 1. Components Required to be Tested for SingleChannel Structures Class B IEC 60730 Components Required to be Tested on Electronic Control (see Table H.11.12.7 in Annex H) Fault/Error The user application must correctly determine whether interrupts need to be enabled or disabled during execution of the Class B Safety Software Library. For example, if an interrupt occurs during execution of the CPU self-tests routine, an unexpected change may occur in any of the registers. Therefore, when the Interrupt Service Routine (ISR) is executed, the contents of the register do not match the expected. The example project with Class B Safety Software Library shows where interrupts need to be disabled and enabled for correct self-testing. Class B Safety Software Library The Class B Safety Software Library described in this application note can be used with PSoC 3 and PSoC 5LP devices. The library includes APIs designed to maximize the application reliability through fault detection. 1.1 CPU registers Stuck at 1.3 CPU program counter Stuck at 2. Interrupt handling and execution No interrupt or too frequent interrupt 3. Clock Wrong frequency 4.1 Invariable memory All single bit faults 4.2 Variable memory DC fault There are two types of self-test functions described and implemented in this application note: 4.3 Addressing (relevant to variable/invariable memory) Stuck at 1. 5.1 Internal data path Data Stuck at 5.2 Internal data path Addressing(for expanded memory MCU systems only) Wrong address 6.1 External communications Data Hamming distance 3 6.2 External communications Addressing Hamming distance 3 6.3 Timing Wrong point in time/sequence 7.1 I/O Periphery Fault conditions specified in Appendix B: “IEC 60730-1, H.27”) 7.2.1 Analog A/D and D/A converters Fault conditions specified in Appendix B: “IEC 60730-1, H.27”) 7.2.2 Analog multiplexor www.cypress.com Wrong addressing Some of the self-tests can be applied by only adding an appropriated API function and *.c and *.h files from the Class B Safety Software Library. Other self-tests can be applied by adding an appropriate API function, *.c and *.h files, and a schematic to the project. Self-test functions to help meet the IEC 60730-1 Class B standard compliance : CPU Registers - Test for stuck bits Program counter - Test for jumps to the correct address Interrupt handling and execution - Test for proper interrupt calling and periodicity Clock. Test for wrong frequency FLASH (invariable memory). Test for memory corruption. EEPROM (invariable memory) - Test for memory corruption SRAM (variable memory) - Test for stuck bits and proper memory addressing Digital I/O - Test for pins short A/D- and D/A- convertor - Test for proper functionality COMPARATOR - Test for proper functionality Communications (UART, SPI) - Test for correct data reception Document No. 001-78175 Rev. *E 3 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library 2. Additional self-test functions, which PSoC 3 and PSoC 5LP can support due to programmable interconnect. Often, the end-application also needs these self-tests even though they are not provided in Appendix B IEC 60730-1. TIA, PGA, and opamp tests Watchdog test - Test for chip reset Additional Windowed WDT to monitor FW execution UDB configuration registers test Start-up configuration registers test All self-tests can be executed after device startup before the main loop. This provides an opportunity to check whether the chip is suitable for operation. In addition, self-tests must be executed while the device is working in a determined period of time. This provides an opportunity to make sure the chip was not damaged during operation. The following sections describe self-test and implementation details for each test according to the IEC 60730-1 Class B Annex H. In addition, each section lists the APIs required to execute a corresponding test for the supported architectures. API Functions for PSoC 3 and PSoC 5LP CPU Registers Test PSoC 3 with an enhanced 8051 core has 256 bytes of internal data RAM as shown in Figure 2. Figure 2. 8051 Internal Data Space 0xFF RAM Shared with Stack Space (indirect addressing, idata space) SFRs Special Function Registers (direct addressing, data space) 0x80 0x7F 0x30 RAM Shared with Stack Space (direct and indirect addressing, shared idata and data spaces) 0x2F 0x20 Bit Addressable Area 0x0F 0x00 4 Banks, R0-R7 Each Accumulator registers, ACC or A and B www.cypress.com Stack pointer, SP Program counter, PC Four register banks (R0 – R7) Program status word, PSW Flag bit addressable locations 16 bit data pointer registers, DPTR0 and DPTR1 Other SFRs including port data and select registers PSoC 5LP with the Cortex-M3 has 16-bit and 32-bit registers: R0 to R12 – general purpose registers. R13 – Stack Pointer (SP). There are two stack pointers with only one available at a time. The SP is always 32-bit word aligned; bits [1:0] are always ignored and considered to be ‘0’. R14 – Link register. Stores the return program counter during function calls. R15 – Program counter. This register can be written to control the program flow. R0 to R7 – can be accessed by all instructions. R8 to R12 – can be accessed by all 32-bit and some 16-bit instructions. The CPU Register test implements the functional test H.2.16.5 defined by the IEC 60730-1 standard. It detects stuck-at faults in the CPU registers by using the checkerboard test. This ensures that the bits in the registers are not stuck at value ‘0’ or ‘1’; this is a nondestructive test. This test performs the following major tasks: 1. The contents of the CPU registers to be tested are saved on the stack before executing the routine. 2. The registers are tested by successively writing the binary sequences (length is dependent upon architecture) 01010101 followed by 10101010 into the registers, and then reading the values from these registers for verification. 3. The test returns an error code if the returned values do not match. The checkerboard method is implemented for all CPU registers except the program counter. Function All the registers and bit addressable locations are as follows (a failure of any of them can cause unpredictable behavior): uint8 SelfTest_CPU_Registers(void) Returns: 0 1 No error Error detected Located in: SelfTest_CPU.c Document No. 001-78175 Rev. *E 4 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library SelfTest_CPU.h *(PC5555); SelfTest_CPU_asm.c SelfTest_CPU_asm.h } >rom =0 NV_CONFIG2 0xAAAA : The function SelfTest_CPU_Registers is called to do the CPU test. { . = 0x00; For PSoC 3, the function checks the following CPU registers: ACC, DPL, DPH, DPL1, DPH1, DPS, DPX, DPX1, P2, IE, PSW, and B. It checks the entire internal data RAM by looping through the 256 bytes of memory. For PSoC 5LP, the function checks all 16 CPU registers. If an error is detected, the PSoC should not continue to function because its behavior can be unpredictable and therefore, potentially unsafe. Program Counter *(PCAAAA); } >rom =0 2. 3. In the example project, it is already added to the “custom_cm3gcc.ld” file. This linker file is added in the following location: Project > Build Setting > Linker > Custom Linker Script. These functions return a unique value. The returned value is verified using the PC test function. If the values match, the PC branches to the correct location or a WDT will trigger a reset because the program execution is out of range. DOC_PC – PSoC 3 CPU Program Counter register. 4. R15 – PSoC 5LP CPU Program Counter register. Because Bit 0 is always ‘0’, the instructions are always aligned to the word or half-word boundaries. Function The program counter register is part of the CPU register set. To test these registers, a checkerboard test is commonly used; the addresses of 0x5555 and 0xAAAA must be allocated for this test. uint8 0 1 No error Error detected The Program Counter (PC) test implements the functional test H.2.16.5 defined by the IEC 60730 standard. The PC holds the address of the next instruction to be executed. The test performs the following major tasks: Located in: SelfTest_CPU.c SelfTest_CPU.h 1. The PC test calls the functions that are located in the Flash memory at different addresses. For PSoC 3, this can be done by using Linker commands. The Linker command for placing the functions in the above mentioned locations is: SEGMENTS(?PR?SelfTest_PC5555?SelfTest_CPU( C:0x5555),?PR?SelfTest_PCAAAA?SelfTest_CPU(C: 0xAAAA)) The above linker command places a function named SelfTest_PC5555() placed in a file named SelfTest_CPU.c into location 0x5555 and SelfTest_PCAAAA() placed in a file named SelfTest_CPU.c into location 0xAAAA. This linker command is placed in the following location: Project > Build Setting > Linker > Command line. For PSoC 5LP, this can be done by using the Linker script in a *.ld file. NV_CONFIG1 0x5555 : { . = 0x00; www.cypress.com SelfTest_PC(void) Returns: Note The Linker command for placing the functions in the previously mentioned locations for PSoC 3 must be added. SEGMENTS(?PR?SelfTest_PC5555?SelfTest_CPU(C:0x 5555),?PR?SelfTest_PCAAAA?SelfTest_CPU(C:0xAAAA) ) For PSoC 5LP, the “custom_cm3gcc.ld” file must be added to the linker. The function SelfTest_PC() is called to do the Program Counter test. Program Flow Testing A specific method is used to check the program execution flow for every critical execution code block. Unique numbers are added to or subtracted from the complementary counters before block execution, and immediately after execution. These procedures check if the code block is called correctly from the main program flow and check if the block is correctly executed. As long as there are always the same number of exit and entry points, the counter pair will always be complementary after each tested block. See Figure 3. Any unexpected values should be treated as a program flow execution error. Document No. 001-78175 Rev. *E 5 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 3. Program Flow Test Figure 4. PSoC Creator Schematic for Interrupt Test Program Flow Counter1 = 0x0000 Counter2 = 0xFFFF ... Counter1 = Counter1 + 0x10 Counter1 = 0x10 Counter1 = Counter1 + 0x15 Counter1 = 0x25 Code Block 1 Counter2 = Counter2 – 0x15 Counter2 = 0xFFEA Counter2 = Counter2 – 0x10 ... Counter1 = Counter1 + 0x30 Counter2 = 0xFFDA Counter1 = 0x55 Counter1 = Counter1 + 0x40 Counter1 = 0x95 Code Block 2 Counter2 = Counter2 – 0x40 Counter2 = 0xFF9A Counter2 = Counter2 – 0x30 … Check if Counter1 and Counter2 are complementrary Counter2 = 0xFF6A Note The component’s name should be the same as in Figure 4. Global interrupts must be enabled for this test, but all interrupts except isr_1 and isr_2 must be disabled. Counter1 XOR Counter2 = 0x0095 XOR 0xFF6A = 0xFFFF Interrupt Handling and Execution The SelfTest_Interrupt() function is called to check the Interrupt Controller operation. The interrupt sources are from Fixed Function and UDB blocks. Calling of the function starts two timers. The PSoC 3 and PSoC 5LP Interrupt Controllers provide the mechanism for hardware resources to change the program address to a new location independent of the current execution in the main code. The interrupt controller also handles continuation of the interrupted code after completion of the interrupt service routine. Timer_1 is placed into a Fixed Function block and configured to generate an interrupt every 10.667 µs. isr_1 counts the number of interrupts that occurred. The Interrupt test implements independent time slot monitoring H.2.18.10.4 defined by the IEC 60730 standard. It checks whether the number of interrupts that occurred is within the predefined range. Timer_1 must generate 20 interrupts during 213.333 µs When Timer_2 interrupt occurs, the isr_2 component stops Timer_1 interrupt counting. If the counted value in isr_1 is ≥ 18 and ≤ 22, the test is passed. The specific number of interrupts needed to pass this test depends on the application, and can be modified as required. The goal of the Interrupt test is to verify that interrupts occur regularly. The test checks the Interrupt Controller by using two interrupt sources. The test assumes that other interrupt vectors are also working when these two tested vectors are working. Timer_2 is placed into a UDB block and configured to generate an interrupt every 213.333 µs. Function uint8 SelfTest_Interrupt(void) Returns: 0 1 Located in: No error Error detected SelfTest_Interrupt.c SelfTest_Interrupt.h www.cypress.com Document No. 001-78175 Rev. *E 6 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 5. Flowchart for Interrupt Self Test Clock According to the IEC 60730 standard, only harmonics and sub-harmonics of the clock need to be tested. The Clock test implements an independent time slot, monitoring H.2.18.10.4 defined by the IEC 60730 standard. It verifies the reliability of the system clock (specifically, that the system clock should be neither too fast nor too slow). Function uint8 SelfTest_Clock(void) Returns: 0 No error Not 0 Error detected (return the id of failed clock) Located in: SelfTest_Clock.h SelfTest_Clock.c www.cypress.com Note The tested clock sources and there accuracies are defined in the SelfTest_Clock.h. If the clock frequency is not defined, the test of the corresponding source will be skipped. // Id = 1 #define MASTER_CLK_FREQUENCY 24000000 // Frequency in Hz #define MASTER_CLK_ACCURACY_Minus 1000 // Accuracy – in 0.001% #define MASTER_CLK_ACCURACY_Plus 1000 // Accuracy + in 0.001% // Id = 2 #define IMO_CLK_FREQUENCY 3000000 #define IMO_CLK_ACCURACY_Minus 1000 #define IMO_CLK_ACCURACY_Plus 1000 // Id = 3 #define XTALM_CLK_FREQUENCY 24000000 #define XTALM_CLK_ACCURACY_Minus 1000 #define XTALM_CLK_ACCURACY_Plus 1000 Document No. 001-78175 Rev. *E 7 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library // Id = 4 #define ILO_CLK_FREQUENCY 1000 #define ILO_CLK_ACCURACY_Minus 50000 #define ILO_CLK_ACCURACY_Plus 100000 // Id = 5 #define PLL_CLK_FREQUENCY 24000000 #define PLL_CLK_ACCURACY_Minus 1000 #define PLL_CLK_ACCURACY_Plus 1000 // Id = 6 #define XTALK_CLK_FREQUENCY 32768 #define XTALK_CLK_ACCURACY_Minus 10 #define XTALK_CLK_ACCURACY_Plus 10 // Id = 7 #define DSIG_CLK_FREQUENCY 10000000 #define DSIG_CLK_ACCURACY_Minus 100 #define DSIG_CLK_ACCURACY_Plus 100 // Id = 8 #define DSID_CLK_FREQUENCY 10000000 #define DSID_CLK_ACCURACY_Minus 100 #define DSID_CLK_ACCURACY_Plus 100 // Id = 9 #define DSIA_CLK_FREQUENCY 10000000 #define DSIA_CLK_ACCURACY_Minus 100 #define DSIA_CLK_ACCURACY_Plus 100 Figure 6 shows the PSoC schematic implementation of this test. The Clock input is connected to the measurement frequency that is tested through a divider to the count input of the UDB Counter. The counter counts the rising edges of the divided input frequency during a 1sec time interval; after this time, the counter stores the counted value in the capture register. The divided frequency of the XTAL 32.768 kHz is used to provide the reference time interval for the counter. This function returns the result after frequency measurement during the 1-second interval. The SelfTests_Clock_Ready() function checks when the hardware part finishes frequency measuring and the results are ready for comparison with the nominal value. It is not necessary to wait while the hardware part of the clock self-test operates. During this time, other tasks can be performed and the result of the clock test can be retrieved later. Figure 6. Clock Test PSoC Implementation www.cypress.com Document No. 001-78175 Rev. *E 8 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 7. Flowchart for Clock Self-Test for either error correcting codes (ECC) or additional data storage. FLASH (Invariable Memory) PSoC 3 and PSoC 5LP devices include on-chip flash memory. These two families offer devices that range from 16 to 256 kilobytes. Additional flash is available for either error correction or data storage. The PSoC 3 and PSoC 5LP flash memory is organized in rows where each row contains 256 data bytes plus 32 bytes. The additional 32 bytes per row can be configured www.cypress.com Error Correction Code (ECC) Method To use the ECC method, you must enable ECC in the project settings by checking the box System > Configuration > Enable Error Correcting Code (ECC) in the projects *.cydwr file. The ECC block checks the data read from flash. It is responsible for error detection and correction. The cache receives the error status from the Document No. 001-78175 Rev. *E 9 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library ECC block and the error status is logged into the firmware visible registers. The ECC method works even when the flash memory contents are dynamically changed at run time, such as during bootloading. Programming Steps 1. There are two interrupts related to ECC detection and correction. The interrupts can be enabled by setting the appropriate bits of the CACHE_INT_MSK register. For PSoC 3: #pragma asm CSEG AT 0xFFFE DW 0x0000 #pragma endasm ECC-Single Bit: This interrupt occurs when a single bit error is encountered during read operation and is fixed. The CACHE_INT_LOG3 register is updated with the flash location address where the error occurred. For PSoC 5LPs (GCC compiler): const uint16 CheckSum_from_rom __attribute__ ((section ("CheckSum"))) = 0x0000u; ECC-Multiple Bits: This interrupt occurs when a multiple-bit error is encountered during a read operation. This error cannot be fixed. The CACHE_INT_LOG4 register is updated with the flash location address where the error occurred. For PSoC 5LPs (ARM MDK or RVDS compilers): const uint32 CheckSum_from_rom __attribute__ ((at(0x0003FFFC))) = 0x00000000u; Function uint8 SelfTest_FlashECC(void) Returns: 0 1 2 Located in: No error Error detected(2 or more bits damaged) 1-bit was corrected SelfTest_Flash.c SelfTest_Flash.h Build the project in PSoC Creator with the stored checksum value set to 0x0000 in the SelfTest_Flash.c file. 2. Open PSoC Programmer and read Flashchecksum. 3. Copy this value and store it in the checksum location 4. Compile the project and program PSoC. See Appendix A for a detailed description. The function SelfTest_FlashECC() is called to do the flash memory corruption test using the ECC hardware (Error Correction Code). Note The global Interrupts must be enabled for this test. Function uint8 SelfTest_FlashCheckSum() Returns: 1 2 Error detected Checksum for one block calculated, but end of Flash was not reached 3 Pass, Checksum of all Flash is calculated and checked Checksum Method All devices can also use the checksum method if the ECC area is used for data rather than ECC. To complete a full flash diagnostic, a checksum of all used flash needs to be calculated. PSOC_FLASH_SIZE in SelfTest_Flash.h file defines the flash size that needs to be monitored. The Checksum Flash test reads each ROM or flash location and accumulates the values in a 16-bit variable to calculate a running checksum of the entire flash. The actual 16-bit checksum of the flash is stored in the last two bytes of the flash itself. When the test reaches the location 0xFFFE on 64-KB devices (the penultimate byte of the flash), it stops the checksum calculation and then compares this calculated value with the actual value stored in the last 2 bytes of the flash. A mismatch indicates ROM failure and the execution is frozen. www.cypress.com Located in: SelfTest_Flash.c SelfTest_Flash.h The function SelfTest_FlashCheckSum () is called to do the flash memory corruption test using the checksum method. During the call, this function calculates the checksum for one block of flash. The size of the block can be set using the parameters in SelfTest_Flash.h file: /*Set size of one block in Flash test*/ #define WORDS_IN_BLOCK_FLASH (1024u) If the checksum for the block is calculated and the end address of the tested flash is reached, the test returns 0x03. If the checksum for the block is calculated, but the end address of flash is not reached, the test returns 0x02. Document No. 001-78175 Rev. *E 10 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Note The check does not work if there is a change in the flash or ROM during run time using SPC commands. The checksum needs to be updated before calling the test. The EEPROM (Invariable Memory) test implements the periodic modified checksum H.2.19.3.1 defined by the IEC 60730 standard. It detects single-bit faults in the invariable memory. The invariable memory in a system such as the EEPROM contains data not intended to vary during program execution. The EEPROM invariable memory test computes the periodic checksum using a Cyclic Redundancy Check (CRC). This example uses the CRC16 standard for the CRC calculation. EEPROM (Invariable Memory) The PSoC 3 and PSoC 5LP devices have on-chip EEPROM memory. These two families offer devices that range from 512 bytes to 2 kilobytes. The PSoC 3 and PSoC 5LP EEPROM memories have the following organization: The characteristics of the CRC divisor vary from 8 to 32 bits depending on the polynomial that is used. You can change the polynomial in the CRC component configuration parameters. Organized in rows, where each row contains 16 bytes. Organized as one block of 32, 64, or 128 rows, depending on the device. Store nonvolatile data. Write and erase using the SPC commands. Byte read access by the CPU or DMA using the PHUB. Figure 8. Flowchart for Invariable Memory Test Start NO YES CRCFlag == 0 Calculate the Reference CRC Checksum Calculate the CRC YES Reference CRC == NO Calculated CRC Store the Reference CRC Checksum in the Flash/EEPROM Memory Set CRCFlag = 0xFF Pass/No Errors Found Fail/Errors Found End www.cypress.com Document No. 001-78175 Rev. *E 11 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library The CRC16 calculation function returns the final CRC value that can be used to perform the following: These bytes are not used in the EEPROM CRC calculation. 1. At system startup, the computed CRC checksum can be used as a reference checksum if the CRC_Flag is set to 0x00. ClearEEPROMUserArea() – this function clears CRC_CALC_STATUS, CRC_LO and CRC_HI defined bytes in EEPROM. 2. The reference checksum is stored in the Flash or EEPROM memory and the CRC flag is set to 0xFF. 3. The CRC16 calculation function can be called periodically if the CRC flag is set to 0xFF. SelfTest_EEPROM() – Calculate the CRC if CRC_CALC_STATUS is not sets, store it to the EEPROM, and sets CRC_CALC_STATUS. 4. The checksum calculated from step 3 is compared to the reference checksum. 5. If both values match, a status bit can be set by the user application to indicate that the invariable memory has passed the test and no errors were found. Function uint8 These two functions must be called after PSoC start and before the first test result from the SelfTest_EEPROM() function. In this case, if you need to update EEPROM periodically, follow these steps: SelfTest_EEPROM(void) Returns: 0 1 Located in: No error Error detected SelfTest_Memory.c SelfTest_Memory.h Change data in EEPROM Call ClearEEPROMUserArea()function to clear CRC_CALC_STATUS status. Call SelfTest_EEPROM()function once to calculate and set CRC value and set CRC_CALC_STATUS. Call SelfTest_EEPROM()function in required place to do EEPOM self-test. SRAM (Variable Memory) Schematic showed in Appendix B. The function SelfTest_EEPROM () is called to do the EEPROM memory corruption test using CRC16 calculation. There are two modes of CRC16 calculation: firmware calculation or hardware calculation. PSoC 3 and PSoC 5LP devices include on-chip SRAM. These families offer devices that range from 2 to 64 kilobytes. The PSoC 3 devices offer an additional 4 kilobytes as a trace buffer that can be used as general purpose SRAM. You can define it using the following parameters in the SelfTest_Memory.h file: PSoC 3 and PSoC 5LP SRAM have these features: #define CRC_CALCULATION_MODE CRC_SOFTWARE_MODE #define CRC_HARDWARE_MODE (1u) #define CRC_SOFTWARE_MODE (0u) Appendix B shows the implemented schematic for the EEPROM tests. The EEPROM CRC performs calculations using the hardware schematic and the CRC hardware component. Data from the EEPROM transfers to the Shift Register through the DMA. The Shift Register is used because the CRC component computes the CRC from a serial bit stream. Four D Flip Flops and Counter7 (based on the Status Register) are used for synchronization. Note The component names should be the same as in Appendix B. The example project uses the last row in the EEPROM to store the First Calculation Status Byte and two CRC bytes. CRC_EEPROM_SEMAPHORE_SHIFT, CRC_EEPROM_LO_SHIFT and CRC_EEPROM_HI_SHIFT define shift from end or row where this three bytes store. www.cypress.com Organized as up to three blocks of 4 KB each, including a 4 KB trace buffer, for the CY8C38 family. Organized as up to 16 blocks of 4 KB each, for the CY8C55 family. Code can be executed out of portions of the SRAM, for the CY8C55 family. 8-bit, 16-bit, or 32-bit accesses. In PSoC 3 devices, the CPU has 8-bit direct access to the SRAM. Zero wait state accesses. Arbitration of SRAM accesses by the CPU and the DMA controller. Different blocks can be accessed simultaneously by the CPU and the DMA controller. PSoC 3 has idata and xdata RAM. The internal data space (idata) is 384 bytes, compressed within a 256-byte space. This space consists of 256 bytes of RAM and a 128-byte space for Special Function Document No. 001-78175 Rev. *E 12 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Registers (SFRs). See Figure 2. The lowest 32 bytes are used for four banks of registers R0-R7. The next 16 bytes are bit-addressable. In addition to the register or bit address modes used with the lower 48 bytes, the lower 128 bytes can be accessed with direct or indirect addressing. With the direct addressing mode, the upper 128 bytes map to the SFRs. With the indirect addressing mode, the upper 128 bytes map to RAM. The stack operations use indirect addressing. The xdata space is 24-bit or 16 MB in size. The majority of this space is not “external” - it is used by on-chip components. It can only be accessed using indirect addressing. The 8051 core features dual DPTR registers for faster xdata transfer operations. The data pointer selects SFR and DPS, and selects which data pointer register (DPTR0 or DPTR1) is used for the following instructions: MOVX @DPTR, A MOVX A, @DPTR MOVC A, @A+DPTR JMP @A+DPTR INC DPTR MOV DPTR, #data16 The Variable Memory test implements the Periodic Static Memory test H.2.19.6 defined by the IEC 60730 standard. It detects single-bit faults in the variable memory. The variable memory contains data, which is intended to vary during the program execution. The RAM Memory test is used to determine if any bit of the RAM memory is stuck at ‘1’ or ‘0’. The March Memory test and Checkerboard test are some of the most widely used static memory algorithms to check for DC Faults. The following tests can be implemented using the Class B Safety Software Library: > < <> r0 r1 w0 w1 Arrange address sequence in ascending order Arrange address sequence in descending order Arrange address sequence in either ascending or descending order Indicate read operation (reads “0” from a memory cell) Indicate read operation (reads “1” from a memory cell) Indicate write operation (writes “0” from a memory cell) Indicate write operation (writes “1” from a memory cell) March C Test The March C test is a destructive test and used to detect the following types of Faults in the variable memory: Stuck-at Fault Addressing Fault Transition Fault Coupling Fault This test complexity is 11n, where n indicates the number of bits in memory. This test is a destructive test (which means that memory contents are not saved). Therefore, it is designed to run at the system startup before initializing memory and the run-time libraries. MARCH C ALGORITHM: MarchC { <> (w0); > (r0, w1); > (r1, w0); <> (r0); < (r0, w1); < (r1, w0); > (r0) } March C Minus Test March Test The March C Minus test is a destructive test and used to detect the following types of fault in the variable memory: March C Test March C Minus Test March B Test March Test March tests perform a finite set of operations on every memory cell in the memory array. Each operation performs the following tasks: 1. 2. 3. 4. MARCH TEST NOTATIONS Writes ‘0’ to a memory cell (w0). Writes ‘1’ to a memory cell (w1). Reads the expected value ‘0’ from a memory cell (r0). Reads the expected value ‘1’ from a memory cell (r1). www.cypress.com Stuck-at Fault Addressing Fault Transition Fault Coupling Fault This test complexity is 10n, where n indicates the number of bits in the memory. This test is a destructive test. Therefore, it is designed to run at the system startup before initializing the memory and the run-time libraries. MA R C H C MI N U S A L G O R I TH M: MarchC Document No. 001-78175 Rev. *E 13 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library { Using the start address and end address pointers, the function performs runtime MARCH B/C/C Minus tests by backing up the area of SRAM under test to another reserved part of SRAM and then restoring the data. <> (w0); > (r0, w1); > (r1, w0); <> (r0); < (r0, w1); < (r1, w0); } March B Test The March B is a destructive test that can detect the following types of fault: Stuck-at Linked Idempotent Coupling The reserved part of SRAM is also tested, using the March test, before the data is copied. The reserved area of SRAM must be located at the end of SRAM and can be set using the following parameters in the SelfTest_SRAM_March.a51 file for PSoC 3: ;Low bytes of addresses is 0x00. START_BUFF_ADDR_H EQU 0x1E ;00 END_BUFF_ADDR_H EQU 0x20 ;00 Or in SelfTest_SRAM_March.s file for PSoC 5LP: Inversion Coupling This test complexity is 17n, where n indicates the number of bits in the memory. MARCH B ALGORITHM: MarchB { <> (w0); > (r0, w1, r1, w0, r0, w1); > (r1, w0, w1); < (r1, w0, w1, w0); < (r0, w1, w0); } Function uint8 1 2 Error detected Still testing 3 Pass, all RAM is tested Located in: .equ END_BUFF_ADDR_H, 0x2000 .equ END_BUFF_ADDR_L, 0x7800 During the call, this function tests one block of SRAM. The size of the block must be the same as the size of the reserved buffer area in SRAM, and can be set using the following parameters in SelfTest_SRAM_March.a51 file for PSoC 3: ;High byte of block size in SRAM test ;Low byte of address is 0x00. BLOCK_SIZE_BYTE_H EQU 0x02;00 SelfTests_SRAM_March (void) Returns: .equ START_BUFF_ADDR_H, 0x2000 .equ START_BUFF_ADDR_L, 0x7400 SelfTest_RAM.c SelfTest_RAM.h This function is called to do the March SRAM tests in run time without data corruption. You can define March C Minus, March C, or March B using the following parameters in SelfTest_SRAM_March.a51 file for PSoC 3: MARCH_C_MINUS MARCH_C MARCH_B EQU EQU EQU 0x00 0x01 0x02 TYPE_OF_MARCH_TEST EQU MARCH_C_MINUS Or in SelfTest_SRAM_March.s file for PSoC 5LP: /* Block size in SRAM test */ .equ BLOCK_SIZE_BYTE, 0x0400 This test does the test only on the SRAM area and does not cover the stack area. If the block is tested successfully and the start address of the reserved area is reached, the test returns 0x03. If the block is tested successfully but the start address of the reserved area is not reached, the test returns 0x02. Function uint8 SelfTests_IRAM_March (void) 0 1 No error Error detected Or in SelfTest_SRAM_March.s file for PSoC 5LP: Located in: .equ MARCH_C_MINUS, .equ MARCH_C, .equ MARCH_B, 0x00 0x01 0x02 SelfTest_RAM.c SelfTest_RAM.h This function is called to do the March Internal RAM tests in run time without data corruption for PSoC 3. .equ TYPE_OF_MARCH_TEST, MARCH_C www.cypress.com Returns: More information about Internal RAM of PSoC 3 is described in the section CPU Registers Test. Document No. 001-78175 Rev. *E 14 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library You can define March C Minus, March C, or March B using the following parameters in SelfTest_IRAM_March.a51: The reserved part of SRAM is also tested, using the March test, before data copy. This function uses the same reserved area of SRAM that is used for the SRAM March test. MARCH_C_MINUS MARCH_C MARCH_B EQU EQU EQU TYPE_OF_MARCH_TEST EQU MARCH_C_MINUS During the call, this function tests one block of Stack. The size of block must be the same as the size of the reserved buffer area in SRAM, and can be set using the following parameters in the SelfTest_IRAM_March.s file for PSoC 5LP: 0x00 0x01 0x02 Using the start address and end address pointers, the function performs runtime MARCH B/C/C Minus tests by backing up the area of IRAM under test to the reserved part of SRAM and then restoring the data. The reserved part of SRAM is also tested, using the March test, before the data is copied. This function uses the same reserved area of SRAM that is used for the SRAM March test. During the call, this function tests one block of IRAM. The size of the block must be the same as the size of the reserved buffer area in SRAM, and can be set using the following parameters in the SelfTest_IRAM_March.a51 file for PSoC 3: ;High byte of block size in SRAM test ;Low byte of address is 0x00. BLOCK_SIZE_BYTE_H EQU 0x02;00 This test does the test only on the IRAM. If the block is tested successfully and the end address of IRAM is reached, the test returns 0x03. If the block is tested successfully but the end address of IRAM is not reached, the test returns 0x02. Function uint8 SelfTests_Stack_March (void) Returns: 0 1 No error Error detected Located in: SelfTest_RAM.c SelfTest_RAM.h /* Block size in SRAM test */ .equ BLOCK_SIZE_BYTE, 0x0400 This test does the test only on the Stack. If the Stack is tested successfully, the function returns 0x00. If not, it returns 0x01. Stack Overflow Test The stack is a section of RAM used by the CPU to store information temporarily. This information could be a data or an address. The CPU needs this storage area since there are only a limited number of registers. The Stack Pointer (SP) register is used to access the stack. The Stack pointer in PSoC 3 is only 8 bits wide, can address 256 bytes, and is incremented with every PUSH instruction (stack grows upwards) and decremented with every POP. The stack in PSoC 3 is located in idata space. In PSoC 5LP, the stack is located at the end of RAM and grows downward: the stack pointer is 32 bits wide, is decremented with every PUSH instruction, and incremented with POP. The purpose of the stack overflow test is to ensure that the stack did not overlap with the program data memory during program execution. This can occur, for example, if recursive functions are used. To perform this test, a reserved fixed memory block at the end of the stack is filled with a predefined pattern and the test function is periodically called to verify it. If stack overflow occurs, the reserved block will be overwritten with corrupted data bytes and this should be treated as overflow error. This function is called to do the March Stack tests in run time without data corruption for PSoC 5LP. Functions You can define March C Minus, March C, or March B using the following parameters in the SelfTest_SRAM_March.s file for PSoC 5LP: Returns: NONE void SelfTests_Init_Stack_Test(void) Located in: SelfTest_Stack.c SelfTest_Stack.h .equ MARCH_C_MINUS, .equ MARCH_C, .equ MARCH_B, 0x00 0x01 0x02 This function is called once to fill the reserved memory block with predefined pattern. .equ TYPE_OF_MARCH_TEST, MARCH_C uint8 SelfTests_Stack_Check(void) Using the start address and end address pointers, this function performs runtime MARCH B/C/C Minus tests by backing up the area of Stack under test to the reserved part of SRAM and then restoring the data. www.cypress.com Returns: Document No. 001-78175 Rev. *E 0 No error 1 Error detected 15 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Located in: SelfTest_Stack.c SelfTest_Stack.h This function is called periodically at runtime to test for stack overflow. The block size should be an even value and can be modified using the macro located in SelfTest_Stack.h: #define STACK_TEST_BLOCK_SIZE 0x08u The pattern can be modified using the macro located in SelfTest_Stack.h: Note This test is application-dependent and may require customization. The default test values may cause pins to be momentarily configured into an incorrect state for the end application. Function uint8 SelfTests_IO() Returns: Located in: #define STACK_TEST_PATTERN 0x55AAu No error Error detected SelfTest_IO.c SelfTest_IO.h The SelfTests_IO()function is called to check shorts of I/O pins to GND or Vcc. The Pin_pcTable array in the SelfTests_IO() function is used to set pins that must be tested. Digital I/O The PSoC I/Os provide: 0 1 Digital input sensing For example: Digital output drive uint8 CYXDATA * const CYCODE Pin_pcTable[] = { Pin interrupts Connectivity for analog inputs and outputs Connectivity for LCD segment drive and EMIF Access to internal peripherals: o o Directly for defined ports Through the Universal Digital Blocks (UDB) via the Digital System Interconnect (DSI) The digital I/Os are arranged into ports, with up to eight pins per port. Some of the I/O pins are multiplexed with special functions (USB, debug port, crystal oscillator). Special functions are enabled using control registers associated with the specific functions. The test goal is to ensure that the I/O pins are not shorted to GND or Vcc. In normal operating conditions, the pin-to-ground and pinto-VCC resistances are very high. To detect any shorts, actual resistance values are compared to the PSoC internal pull-up resistors. To detect the pin-to-ground short, use the following next method. The pin is configured in the resistive pull-up drive mode. In normal conditions, the CPU reads a logical one because of the pull-up resistor. If the pin is connected to ground through a small resistance, the input level is recognized as a logical zero. To detect Sensor-to-VCC short, use a similar method. In this case, the sensor pin is configured in the resistive pull-down drive mode. The input level is zero in normal conditions. www.cypress.com /* PORT0 */ (uint8 CYXDATA *)CYREG_PRT0_PC0, (uint8 CYXDATA *)CYREG_PRT0_PC1, (uint8 CYXDATA *)CYREG_PRT0_PC2, (uint8 CYXDATA *)CYREG_PRT0_PC3, (uint8 CYXDATA *)CYREG_PRT0_PC4, (uint8 CYXDATA *)CYREG_PRT0_PC5, (uint8 CYXDATA *)CYREG_PRT0_PC6, ………………………………………………………………………………… A/D Converter The ADC test implements independent input comparison H.2.18.8, defined by the IEC 60730 standard. The test provides a fault/error control technique by which the inputs/outputs that are designed to be within specified tolerances are compared. The purpose of the test is to test the ADC analog functions. This test is easily implemented using the reconfigurable hardware of PSoC and by using the internal bandgap reference as the ADC input. For example, the PSoC internal bandgap reference delivers a 1.024-V voltage, which can be regularly sampled to test the ADC. For this test, PGA, VREF, and analog multiplexers are needed. If the PGA is already used in the design, the opamp is also needed to connect the VREF to the multiplexer through the opamp. VREF cannot be connected to the multiplexer directly. Therefore, the opamp connects the VREF to the multiplexer before the PGA input. Document No. 001-78175 Rev. *E 16 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 9 shows the schematic implementation of this test based on PSoC 3/5LP. #define ADC_TEST_ACC 10 // +/- ADC result value The PGA_Vin, ADC_Plus, and ADC_Minus are the user pins. This function implements the ADC value test in four cases: Before the test, the analog multiplexers disconect the ADC and PGA from the user pins, and reconfigure the internal connections necessary for the ADC self-tests. After the test, the user configuration is restored. The ADC inputs switch between the corresponding pins (or other user modules, such as the PGA, TIA, and opamp) and the reference voltages, by using an analog multiplexer The reference voltages can be connected to both polarities so that it is possible to calculate the ADC gain and ADC offset providing increased system accuracy. The delta-sigma ADC has four configurations. One of these configurations is used for the test and named “ClassB”. The other three are used for user purposes. The “ClassB” configuration can measure ±2.048 V. Function uint8 0 1 Located in: Vin PGA – 1.024V, PGA Gain -1; ADCplus - 1.024V; ADCminus – GND; Expected ADC result: + 1.024V; Vin PGA – 1.024V, PGA Gain -1; ADCplus - GND; ADCminus - 1.024V; Expected ADC result: - 1.024V; Vin PGA – 1.024V, PGA Gain -2; ADCplus - 2.048V; ADCminus – GND; Expected ADC result: + 2.048V; Vin PGA – 1.024V, PGA Gain -2; ADCplus - GND; ADCminus - 2.048V; Expected ADC result: - 2.048V; SelfTest_ADC(void) Returns: The test is a success if the digitalized input voltage value is equal to the required reference voltage value within the defined accuracy. If the test is a success, the function returns 0; otherwise, it returns 1. No error Error detected SelfTest_Analog.h SelfTest_Analog.c The test function saves all the component configurations before testing and restores them after the test ends. The schematic is shown in Figure 9. The ADC accuracy is defined in “SelfTest_Analog.h”. A 10-bit ADC is used for testing: Figure 9. ADC Test PSoC Implementation www.cypress.com Document No. 001-78175 Rev. *E 17 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library D/A Converter Function The DAC test implements independent output comparison H.2.18.8, defined by the IEC 60730 standard. It provides a fault/error control technique by which inputs/outputs that are designed to be within specified tolerances are compared. uint8 SelfTest_DAC(void) Returns: 0 1 Located in: The purpose of the test is to test DAC analog functions. No error Error detected SelfTest_Analog.h SelfTest_Analog.c This test is easily implemented using the reconfigurable hardware of the PSoC and can be done using the ADC to measure the DAC output. For example, the DAC generates a set voltage, which can be regularly converted by the ADC to test the DAC. The schematic is shown in Figure 10. The ADC and analog multiplexers are needed for the test. // +/- DAC result value This function implements the DAC value test. The digital value converts to the analog voltage using the tested DAC, and this voltage converts to a digital value using the ADC. If both values are within the set tolerance, the test is passed. If the test is a success, the function returns 0, otherwise it returns 1. Figure 10 shows the schematic implementation of this test based on PSoC 3/5LP. Vout, ADC_Plus, ADC_Minus are the user pins. Before the test, the analog multiplexers disconnect the DAC and ADC from the user pins, and reconfigure the internal connections needed for the DAC tests. After the test, the user configuration is restored. The ADC inputs switch between the corresponding pins (or other user modules, such as the PGA, TIA, opamp) and the reference voltages by using an analog multiplexer. The Track and Hold unit is used to maintain the DAC output value if a continuous voltage output (VDAC) is required by the end application. A continuous current output (IDAC) is not possible during testing without using a second IDAC during the test. The DAC accuracy is defined in “SelfTest_Analog.h”. A 10-bit ADC is used for testing. #define DAC_TEST_ACC (15u) Before the test, the DAC configures to the output range of 0 to 4.080 mV. After the test, the user configuration is restored. The test range is defined in DAC_TEST_RANGE_1 (7u) and DAC_TEST_RANGE_2 (128u). The DAC step is 16 mV. The test range is from 112 mV to 2048 mV. The test function saves the component configurations before testing and restores them after the test. The delta sigma ADC has four configurations. One of these configurations is used for all the analog self-tests and is named “ClassB”. The other three are used for the user purposes. The “ClassB” configuration can measure ±2.048 V. Figure 10. DAC Test PSoC Implementation www.cypress.com Document No. 001-78175 Rev. *E 18 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Comparator PGA This function implements the comparator functional test. Analog signals of opposite polarity are sequentially put into the input of the analog comparator, forcing the output value of the comparator to change. When the test is a success, the function returns 0; otherwise, it returns 1. Function uint8 SelfTest_Comparator(void) Returns: 0 1 Located in: No error Error detected The Programmable Gain Amplifier (PGA) test is not provided in the IEC 60730 standard but is useful when the PGA is used in critical blocks. The PGA test falls under the principle of testing “independent output comparison” defined in H.2.18.8 by the IEC 60730 standard. It provides a fault/error control technique by which inputs/outputs that are designed to be within specified tolerances are compared. The purpose of the test is to test PGA analog functions. SelfTest_Analog.h SelfTest_Analog.c Figure 11 shows this test PSoC schematic implementation. The comparator input terminals switch between the corresponding pins (or other user modules, such as the PGA, TIA, and opamp) and the reference voltages using an analog multiplexer. The output values of the comparator are analyzed at different polarities of the input signals. If the output signal changes during this operation, the test is passed. The test function saves all the component configurations and non-retention registers before testing and restores them later. Figure 11. Comparator Test PSoC Implementation This test is easily implemented using the reconfigurable hardware of the PSoC and can be performed by using the internal bandgap reference connected to the PGA input. The PGA delivers a voltage, which can be regularly converted by the ADC to test the PGA functions. The ADC, opamp, VREF, and analog multiplexers are needed for the test. Because VREF cannot be connected to the multiplexer directly, the opamp is used to connect the VREF to the multiplexer before the PGA input. Figure 12 shows the schematic implementation of this test based on PSoC 3/5LP. PGA_Vin, ADC_Plus, and ADC_Minus are the user’s pins. Before the test, the analog multiplexers disconect the ADC and PGA from the user’s pins, and reconfigure the internal connections needed for the ADC self tests. After the test, the user configuration is restored. The ADC inputs switch between the corresponding pins (or other user modules, such as the PGA, TIA, and opamp) and the reference voltages by using an analog multiplexer The delta-sigma ADC has four configurations. One of these configurations is used for the test and named “ClassB”. The other three are used for the user purpose. The “ClassB” configuration can measure ±2.048 V. Function uint8 SelfTest_PGA(void) Returns: 0 1 Located in: No error Error detected SelfTest_Analog.h SelfTest_Analog.c The schematic is shown in Figure 12. The PGA test accuracy is defined in “SelfTest_Analog.h”. A 10-bit ADC is used for testing: #define PGA_TEST_ACC 10 // +/- PGA result value www.cypress.com Document No. 001-78175 Rev. *E 19 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library This function implements the PGA test by measuring the PGA output value using the ADC in two cases: Vin PGA – 1.024 V, PGA Gain -1; Expected ADC result: +1.024V; The test is a success if the digitalized ADC input voltage value is equal to the required reference voltage value within the defined accuracy. When the test is a success, the function returns 0; otherwise, it returns 1. The test function saves all the component configurations before testing and restores them after the test ends. Vin PGA – 1.024 V, PGA Gain -2; Expected ADC result: +2.048 V; Figure 12. PGA Test PSoC Implementation connections needed for the TIA self-tests. After the test, the user configuration is restored. TIA The TIA test in not provided in the IEC 60730 standard but is useful when used in critical blocks. The TIA test falls under the principle of testing “independent output comparison” defined in H.2.18.8 by the IEC 60730 standard. It provides a fault/error control technique by which inputs/outputs that are designed to be within specified tolerances are compared. The purpose of the test is to test the TIA analog functions. This test is easily implemented using the reconfigurable hardware of the PSoC and can be performed using the ADC and IDAC to generate a current and measure the TIA output. For example, the IDAC generates a current and the TIA converts the current to a voltage, which can be regularly converted by the ADC. The IDAC, ADC, and analog multiplexers are needed for the test. Figure 13 shows the schematic implementation of this test based on PSoC 3 and PSoC 5LP. The ADC inputs switch between the corresponding pins (or other user modules, such as the PGA, TIA, and opamp) and reference voltages by using an analog multiplexer. The delta-sigma ADC has four configurations. One of these configurations is used for all the analog self-tests and named “ClassB”. The other three are meant for the user. The “ClassB” configuration can measure ±2.048 V. Function uint8 SelfTest_TIA(void) Returns: 0 1 Located in: No error Error detected SelfTest_Analog.h SelfTest_Analog.c The schematic is shown in Figure 13. The Iin, ADC_Plus, and ADC_Minus are user pins. The TIA test accuracy is defined in “SelfTest_Analog.h”. A 10-bit ADC is used for testing. Before the test, the analog multiplexers disconect the TIA and ADC from the user pins and reconfigure the internal #define TIA_TEST_ACC (15u) // +/- TIA result value www.cypress.com Document No. 001-78175 Rev. *E 20 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library This function implements the TIA value test and consists of four steps: 1. The digital value converts to a current using the IDAC. 2. This current converts to a voltage using the TIA. 3. The voltage converts to a digital value using the ADC. 4. If the resulting value matches the expected value within the set tolerance, the test is passed. When the test is a success, the function returns 0, else returns 1. The TIA Vout is determined by the following equation, where the RFB is the resistive feedback: The IDAC is configured in the output range of 0 to 255 uA. The TIA test range is defined in IDAC_TEST_RANGE_1 (0u) and IDAC_TEST_RANGE_2 (78u). IDAC step is 1 uA. The TIA test range is: [1.65 V – (IDAC_TEST_RANGE_2 - 1)uA * 20 kΩ ; 1.65 V - IDAC_TEST_RANGE_1 uA * 20 kΩ] [110 mV; 1650 mV] The test function saves the ADC configuration before testing and restores it after the test. Where RFB = 20 kΩ. Figure 13. TIA Test PSoC Implementation The PGA, ADC, and VREF, and the analog multiplexers are needed for the test. Opamp The Opamp test is not provided in the IEC 60730 standard but is useful when the opamp is used in critical blocks. The opamp test falls under the principle of testing “independent output comparison” defined in H.2.18.8 by the IEC 60730 standard. It provides a fault/error control technique by which inputs/outputs that are designed to be within specified tolerances are compared. If the PGA is already used in the design, the opamp is also needed to connect the Vref to the multiplexer through the Opamp. The Vref cannot be connected to the multiplexor directly. Therefore, the opamp is used to connect the Vref to the multiplexor before the PGA input. Figure 14 shows the schematic implementation of this test based on PSoC 3/5LP. The purpose of the test is to test the opamp analog functions. The Vin, ADC_Plus, ADC_Minus, Opamp_Plus, and Opamp_Minus are user pins. This test is easily implemented using the reconfigurable hardware of the PSoC and can be performed by using the internal band-gap reference to the Opamp input. The opamp output signal can be regularly converted by the ADC to test opamp functions. Before the test, the analog multiplexers disconnect the opamp, ADC, and PGA from the user pins, and reconfigure the internal connections needed for the opamp self-tests. After the test, the user configuration is restored. www.cypress.com Document No. 001-78175 Rev. *E 21 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library The ADC inputs switch between the corresponding pins (or other user modules, such as the PGA, TIA, and opamp) and reference voltages by using an analog multiplexer. This function implements the opamp test by measuring the opamp output signal using the ADC in two cases: The opamp is configured for the following mode: The delta-sigma ADC has four configurations. One of these configurations is used for the test and named “ClassB”. The other three are used for user purposes. The “ClassB” configuration can measure ±2.048 V. Function uint8 Returns: 0 1 Located in: Opamp Plus – 1.024 V The expected ADC result: + 1.024 V; SelfTest_Opamp(void) Vin PGA – 1.024 V, PGA Gain -1; Vin PGA – 1.024 V, PGA Gain -2; The opamp is configured for the following mode. No error Error detected Opamp Plus – 2.048 V The expected ADC result: + 2.048 V; SelfTest_Analog.h SelfTest_Analog.c The schematic is shown in Figure 14. The opamp test accuracy is defined “SelfTest_Analog.h”. A 10-bit ADC is used for testing: #define OPAMP_TEST_ACC 10 // +/- Opamp result value in The test is a success if the digitalized input ADC voltage value is equal to the expected value within the defined accuracy. If the test is a success, the function returns 0; otherwise, it returns 1. The test function restores ADC and PGA configurations to default after the test ends. Figure 14. Opamp Test PSoC Implementation www.cypress.com Document No. 001-78175 Rev. *E 22 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library 7 Communications UART This function implements the UART internal data loopback test. The test is a success if the transmitted byte is equal to the received one. If the test is a success, the function returns 0; otherwise, it returns 1. Function uint8 SelfTests_UART_Data(void) Returns: 1 2 Error detected Pass test with current value, but not all tests in range (from 0x00 to 0xFF) are complete 3 Pass, completed testing with all tests range (from 0x00 to 0xFF) 4 ERROR_TX_NOT_EMPTY 5 ERROR_RX_NOT_EMPTY 6 ERROR_TX_NOT_ENABLE Located in: ERROR_RX_NOT_ENABLE SelfTest_UART.h SelfTest_UART.c Figure 15 shows the PSoC schematic implementation. The input and output terminals switch between the corresponding pins and loop to each other to provide the internal loopback test by using the UART multiplexer and demultiplexer. If the receiving or transmitting buffers are not empty before the test, the test is not executed and returns ERROR_RX_NOT_EMPTY or ERROR_TX_NOT_EMPTY status. The test function saves the component configuration and non-retention registers before testing and restores them later. During the call, the function transmits one byte. The transmitted value increments after each function call. The range of test values is from 0x00 to 0xFF. Figure 15. UART Test PSoC Implementation 5 Communications SPI This function implements the SPI internal data loopback test. The test is a success if the transmitted byte is equal to the received one. If the test is a success, the function returns 0; otherwise, it returns 1. Function uint8 SelfTest_SPI_Data(void) Returns: 1 2 Error detected Pass test with current values, but not all tests in range (from 0x00 to 0xFF) ware passed 3 Pass, tested with all tests in range (from 0x00 to 0xFF) 4 ERROR_TX_NOT_EMPTY www.cypress.com Located in: ERROR_RX_NOT_EMPTY SelfTest_SPI.h SelfTest_SPI.c Figure 16 shows this test’s PSoC schematic implementation. The SPI input and output terminals switch between the corresponding pins and loop to each other to provide the internal loopback test using a multiplexer and demultiplexer. If the receiving or transmitting buffers are not empty before the test, the test is not executed and returns ERROR_RX_NOT_EMPTY or ERROR_TX_NOT_EMPTY status. The test function saves all the component configuration and non-retention registers before testing and restores them later. During the call, the function transmits one byte. The transmitted value increments after each function call. The range of test values is from 0x00 to 0xFF. Document No. 001-78175 Rev. *E 23 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 16. SPI Test PSoC Implementation Recommendations and Examples The following section describes how to use PSoC’s programmable interconnectivity for self-testing components. The following functions allow you to implement the UDB configuration register tests in your design. There are two test modes implemented in the functions: UDB Configuration Registers Test There are two main groups of UDB registers: UDB Working registers. Located in the main 64K page (Page 0) UDB Configuration registers. Located in the dedicated configuration page (Page 1) UDB Array Base Addresses are described in Figure 17. The UDB configuration registers are static and configured during design build. Do not change these registers during device operation. You can check against the initial configuration. www.cypress.com Duplicates of UDB configuration registers are stored in the flash memory after device start-up. The configuration registers are periodically compared with the stored duplicates. Additionally, ECC can be enabled to monitor duplicate errors stored in flash. The corrupted registers can be restored from flash after checking. Compare the calculated CRC with the CRC previously stored in EEPROM if the CRC status semaphore is set. If the status semaphore is not set, the CRC must be calculated and stored to EEPROM and the status semaphore must be set. Document No. 001-78175 Rev. *E 24 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 17. UDB Array Base Addresses Function Function cystatus SelfTests_Save_UDB_Cfg(void) uint8 SelfTests_UDB_ConfigReg(uint8 numberOfBlocks) Returns: 0 1 Located in: write in flash is successful error detected during flash writing SelfTest_UDB_CfgReg.c SelfTest_UDB_CfgReg.h SelfTest_CustomFlash.c SelfTest_CustomFlash.h Returns: Description: This function stores the UDB configuration registers to flash memory. These registers are located in the memory address from 0x00010000u to 0x00012000u and occupy 8 KB, located in 32 blocks of flash memory. The number of flash blocks is defined in UDB_NUMBER_OF_BLOCKS. UDB_REG_FIRST_BLOCK and DB_REG_LAST_BLOCK define the location for the UDB configuration registers in the flash memory. Note This function should be called once after PSoC initialization before entering the main program. It writes the correct UDB configuration register values to flash. www.cypress.com Parameters: numberOfBlocks – number of blocks to be tested per 1 function call. 32 – used in demo project. 1 2 Error detected PASS for one block 3 PASS for registers Located in: all tested UDB SelfTest_UDB_CfgReg.c SelfTest_UDB_CfgReg.h Description: This function checks the UDB configuration registers. The defined number of UDB register blocks is tested per one function call. The size of the block is 256 bytes. Because the size of one block of flash is the same, it simplifies working with flash. Document No. 001-78175 Rev. *E 25 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library The number of tested blocks during the call can be set using the following parameters in the SelfTest_UDB_CfgReg.h file: There are two test modes implemented in these functions: #define BLOCKS_PER_TEST (2u) There are two modes of checking: CRC16 calculation and checking Registers comparison with duplicates. You can define the mode using the following parameters in the SelfTest_UDB_CfgReg.h file: #define UDB_CFG_REGS_MODE CFG_REGS_CRC_MODE/ CFG_REGS_TO_FLASH_MODE #define CFG_REGS_TO_FLASH_MODE (1u) This mode stores the duplicates of registers to FLASH and compares the registers with duplicates. Returns fail if values are different. Registers can be restored in this mode. SelfTests_Save_UBD_Cfg() function used to store duplicates to FLASH. UDB_REG_FIRST_BLOCK and DB_REG_LAST_BLOCK defines the location for UDB configuration registers in Flash memory. #define CFG_REGS_CRC_MODE (0u) In this mode, the function calculates a CRC16 of registers and stores the CRC to EEPROM. Later function calls recalculate the CRC16 and compare it with the saved value. Returns fail if values are different. Start-up Configuration Registers Test This test describes and shows an example of how to check the start-up configuration registers: Test digital clocks, ILO, IMO, PLL, and bus/master clock configuration registers Test DMAC configuration registers (set to default values after start-up) Test analog configuration registers (set to default values after start-up) Test cyfitter configuration registers These start-up configuration registers are static and are located in the cyfitter_cfg.c file after the design is built. This example covers tests cyfitter_cfg configuration functions: cfg_dma_init() ClockSetup() Duplicates of startup configuration registers are stored in the flash memory after device start-up. The configuration registers are periodically compared with stored duplicates. ECC can also be enabled to monitor duplicate errors. Corrupted registers can be restored from flash after checking. Compare the calculated CRC with the CRC previously stored in EEPROM if the CRC status semaphore is set. If the status semaphore is not set, the CRC must be calculated and stored to EEPROM and the status semaphore must be set. Note The following functions are examples and can only be applied to the example project. If the user makes changes in the schematic or configuration, other configuration registers may be generated in the cyfitter_cfg.c file. Do not change the list of required registers (recommended registers are generated in the cyfitter_cfg() function). Note If the clock self-test is used, enable CLOCK_SELF_TEST_ENABLED defined in the SelfTest_ConfigRegisters.c file. It excludes checking of the CYREG_CLKDIST_DCFG0_CFG0, CYREG_CLKDIST_DCFG1_CFG0, and CYREG_CLKDIST_DCFG2_CFG0 registers, generated in the ClockSetup() function. This register is used for the Clock self-test and may change at run time causing a test error. Function cystatus SelfTests_Save_cfg(void) Returns: 0 write in flash is successful 1 error detected during flash writing Located in: SelfTest_ConfigRegisters.c SelfTest_ConfigRegisters.h SelfTest_CustomFlash.c SelfTest_CustomFlash.h Description: This function stores all listed start up configuration registers to rowData array and writes this array to the flash block defined in CFG_REG_BLOCK. Side Effects: Call this function once after PSoC initialization before entering the main program. It writes the correct startup configuration registers to flash. AnalogSetDefault() Other configuration registers generated in cyfitter_cfg() www.cypress.com Document No. 001-78175 Rev. *E 26 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Function Figure 18. WDT Test PSoC Implementation uint8 SelfTests_StartUp_ConfigReg(void) Returns: 0 Located in: Start No error 1 Error detected Start Watchdog SelfTest_ConfigRegisters.c SelfTest_ConfigRegisters.h Description: NO This function checks the listed startup configuration registers. Stop (infinity loop) There are two modes of checking: CRC16 calculation and checking The user can define the mode using the parameters in the SelfTest_ConfigRegisters.h file: #define STARTUP_CFG_REGS_MODE CFG_REGS_CRC_MODE/ CFG_REGS_TO_FLASH_MODE #define CFG_REGS_TO_FLASH_MODE (1u) This mode stores duplicates of registers to flash and compares the registers with the duplicates. It returns a fail (1) if the values are different. The registers can be restored in this mode. The SelfTests_Save_cfg function is used to store duplicates to FLASH. CFG_REG_BLOCK, which defines the location of the Start Up configuration registers in the flash memory. #define CFG_REGS_CRC_MODE (0u) In this mode, the function calculates a CRC16 of registers and stores the CRC to EEPROM. Later, the function calls recalculate the CRC16 and compare it with the saved value. It returns a fail (1) if the values are different. Watchdog Test This function implements the watchdog functional test. The function starts the watchdog timer and runs an infinite loop. If the watchdog timer works, it generates a reset. After the reset, the function analyzes the reset source. If the watchdog is the source of the reset, the function returns; otherwise, the infinite loop executes. void YES Return Windowed Watchdog Timer Registers comparison with duplicates. Function Watchdog is a source of Reset The watchdog timer increases reliability in microprocessor-based systems. Window-selectable watchdog timers allow adjusting the watchdog time-out period, thus allowing more flexibility to meet different processor timing requirements. The windowed watchdog circuits protect systems from running too fast or too slow. Microprocessors executing critical or safety-related functions demand a high level of supervision to ensure proper fault detection and correction. A critical function can be defined as one for which the downtime cannot be tolerated, and (in many cases) one for which a repair is very costly. Such functions are found in almost every segment of the microprocessor market: patient-monitoring systems, process-control plants, and safety-related automotive applications, for example. There is no Windowed Watchdog Timer in PSoC 3/PSoC 5LP, but it can be implemented using the reconfigurable hardware of PSoC. Figure 21 shows the schematic implementation of this test based on the PSoC 3/5LP. The Windowed Watchdog Timer (Windowed WDT) provides a way to demand that the ClearWDT instruction be executed (such as, only in the last quarter of the watchdog timeout period). Essentially this improves code flow monitoring to catch firmware bugs. For example, a user has an application bug that results in the clear watchdog timer repeatedly execute close to the beginning of the code flow. This can be interpreted as a normal operation in the Non Windowed Watchdog Timer mode. Most users just use the Non Windowed Watchdog Timer mode. SelfTest_Watchdog(void) Returns: None Located in: SelfTest_WDT.h SelfTest_WDT.c Figure 18 shows the test flowchart. www.cypress.com Document No. 001-78175 Rev. *E 27 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 19. Windowed WDT Timing Diagram The second Window, from (80u) to (0u), is used to detect if the Windowed WDT clear is correct. The three stages of the Windowed WDT schematic operation are described in Figure 21: 1. The Flip Flop DFF1 detects if Clear happens in the second window (The Clear_Window_Watch_Dog Control Register is triggered when Clock_Count is between 80u to 0u). 2. The Flip Flop DFF2 detects if Clear happens in the first window (The Clear_Window_Watch_Dog Control Register is triggered when Clock_Count is between 255u to 80u). 3. The Flip Flop DFF3 detects if Clearing does not happen during the specific period of time. Counter period Compare Value Clear WDT window WDT Counter The limitation in the Windowed Watchdog Mode is that the ClearWDT instruction must be called within a prescribed window. This limits the tolerance of the clock source that drives the watchdog timer. The tolerance of the clock source of the Windowed Watchdog also defines the minimum and maximum nominal watchdog period. A counter and flip-flops are used to implement the Windowed WDT in PSoC 3/PSoC 5LP. Figure 20 shows the Windowed WDT counter configuration. Clock_Count, and Counter Period are used to define the maximum waiting (maximum FW execution) time for clear command. The Counter Compare value is used to define the width of the clearing window. The down counting counter output “comp” changes as follows during the count period: The ISR isr_Windowed_WDT is triggered in cases 2 or 3 (if clear happens in the first or second window). The ISR is used to detect a reset in the example project for the purpose of demonstration. In the customer design, a pin connected to the HW reset can be used instead of the ISR. A windowed WDT output can also be ANDed/ORed with the critical outputs to disable them in case of a WDT event. Integration of safety inputs, such as windowed WDT or interlock inputs, with output logic and pins can create 100% hardware safety control with no CPU processing. Functions: First Window: from (255u) to (80u) output “comp” is “0” There are two functions to operate the Windowed Watchdog Timer. Second Window: from (80u) to (0u) output “comp” is “1” void Windowed_WDT_Start(void)-This function starts operation of the Windowed Watchdog Timer. If the Windowed WDT clear happens in the first window or does not happen during the counter period, this means incorrect FW operation and PSoC requires reset. The clear Windowed WDT means trigger “1” in the Clear_Window_Watch_Dog Control Register. void Windowed_WDT_Clear(void)-This clears the Windowed Watchdog Timer. These functions are located SelfTest_Windowed_WDT.c SelfTest_Windowed_WDT.h files. in function the and Figure 20. Windowed WDT Counter Configuration. www.cypress.com Document No. 001-78175 Rev. *E 28 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 21. Windowed Watchdog Timer Implementation in PSoC 3/PSoC 5LP Figure 22. Flow Chart of Working Window WDT www.cypress.com Document No. 001-78175 Rev. *E 29 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Data is placed in the packets with a defined structure to be transferred. All packets have a CRC calculated with the packet data to ensure the packet’s safe transfer. Example of Communications UART Data Transfer Protocol Additional system safety can be achieved for data transfer between system components, using communication protocols with CRCs and packet handling. An example of safety communication is described in this application note. Figure 23 shows the packet format. Figure 23. Packet Structure STX ADDR DL ……..(data bytes) D0 Dn CRCH CRCL Channel controlling symbols STX – Marker of the packet start. This is a unique byte that is always equal to 0x02. ESC – Marker of a 2-byte sequence. When any byte in a packet is equal to STX or ESC, it changes to a 2-byte sequence (ESC)(byte+1). This procedure provides a unique packet start symbol. The ESC byte is always equal to 0x1B. The following table shows the packet’s field description. Name Length Value Description STX 1 byte 0x02 Unique start packet marker ADDR 1or 2 bytes 0x00..0xFF except 0x02 Slave address. If this byte is equal to STX it changes to 2 byte sequence: (ESC)+(STX+1) If this byte is equal to ESC it changes to 2 byte sequence: (ESC)+(ESC+1) DL 1or 2 bytes 0x00..0xFF except 0x02 Data length of packet (without protocol bytes). If this byte is equal to STX it changes to 2 byte sequence: (ESC)+(STX+1) If this byte is equal to ESC it changes 2 byte sequence: (ESC)+(ESC+1) D0..Dn (data) 1..510 bytes 0x00..0xFF except 0x02 Packet’s data. If any byte in data is equal to STX it changes to 2 byte sequence: (ESC)+(STX+1) If any byte in data is equal to ESC it changes to 2 byte sequence: (ESC)+(ESC+1) CRCH 1 or 2 bytes 0x00..0xFF except 0x02 MSB of packet CRC. CRC-16 is used. CRC is calculated for all packet bytes from ADDR to last data byte. CRC is calculated after the ESC changing procedure. If this byte is equal to STX it changes to 2 byte sequence: (ESC)+(STX+1) If this byte is equal to ESC it changes to 2 byte sequence: (ESC)+(ESC+1) CRCL 1 or 2 byte 0x00.. 0xFF except 0x02 LSB of packet CRC. CRC-16 is used. CRC is calculated for all packet’s bytes from ADDR to last data byte including. CRC is calculated after the ESC changing procedure. If this byte is equal to STX it changes to 2 bytes sequence: (ESC)+(STX+1) If this byte is equal to ESC it changes to 2 bytes sequence: (ESC)+(ESC+1) D a t a D e l i ve r y C o n t r o l l i n g Figure 24 shows the communication process-timing diagram. The communication procedure can be divided into three parts: Send Request (opposite side Receive Request) Wait for Response (opposite side Analyze Request) Receive Response (opposite side Send Respond) The ‘Send request’ consists of sending the STX, sending the data length and data using the byte changing procedure, calculating the CRC, and sending the calculated result. www.cypress.com Document No. 001-78175 Rev. *E 30 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library ‘Receive respond’ consists of finding the STX and starting the CRC counter. If the received address is invalid, the STX byte is searched again. If the address is valid, the data length is received and then the data bytes are received. The CRC counter then stops and the two CRC bytes are received and these bytes are compared with the stored CRC value. After sending a request, we start the guard timer to detect the end of the packet if a response is not sent. Figure 24. Timing Diagram of Communication Process Send Request Wait for Response Beginning of transceiving process Analyze request on opposite side time Send Response Success process End of transceiving process Send Request Line break or opposite device break End of transceiving process Unsuccess process PSoC Implementation Figure 25 represents the PSoC protocol implementation. The UART component is used to physically generate the signals. To provide the CRC-16 calculation, the CRC units are used (one for transmit and one for receive). To control the CRC calculation a control register is used. To detect an unsuccessful packet transaction the timer is used. There are three interrupts implemented in this project that provide a fully interrupt-driven background process. The www.cypress.com Beginning of transceiving process transmit interrupt in the UART is configured for a ‘FIFO not full’ event to take the new data from the RAM and place it in the TX buffer and the Transmit complete event to start/stop the CRC calculation. The receive interrupt in the UART is configured for a FIFO not empty event to analyze the received data, control the CRC calculation and store the received data into RAM. The timer interrupt is used to detect the end of an unsuccessful transmission. Document No. 001-78175 Rev. *E 31 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Figure 25. PSoC Implementation This software unit is implemented as an interrupt-driven driver. That is, the user only starts the process and checks the state of the unit; all operation is provided in the background. Function There are four functions for working with the protocol unit for the master: Located in: void UartMesMaster_Init(void) Returns: None UART_master_message.h UART_master_message.c This function initializes the UART message unit. www.cypress.com Document No. 001-78175 Rev. *E 32 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Function uint8 UartMesMaster_DataProc(uint8 address, char * txd, uint8 tlen, char * rxd, uint8 rlen) Returns: 0 1 Located in: No error Error detected UM_COMPLETE – the last transaction process finished successfully and the received buffer contains a response. The unit is ready to start a new process UM_BUSY – the unit is busy with an active transaction operation. Function UART_master_message.h UART_master_message.c This function starts the process of transmitting and receiving messages and returns the result of the process start: 0 = success and 1 = error. An error can be that the unit is already busy sending a message or a null transmitting length was detected. The input parameters are as follows: uint8 UartMesMaster_GetDataSize(void) Returns: returns data size Located in: UART_master_message.h UART_master_message.c This function returns the received data size that is stored in the receive buffer. If the unit is busy or the last process generated an error, it returns 0. address – slave address for communication There are five functions for working with the protocol unit for the slave. txd – the pointer to the transmitted data (Request data) Function tlen – the length of the request in bytes rlen – the length of the received buffer in bytes Returns: None rxd – a pointer to the buffer where the received data is stored (Received data) Function 0 (UM_ERROR) – the last transaction process finished with an error and the unit is ready to start a new process 1 (UM_COMPLETE) – the last transaction process finished successfully, the received buffer contains a response. The unit is ready to start a new process 2 (UM_BUSY) – the unit is busy with an active transaction operation. Located in: UART_master_message.h UART_master_message.c This function returns the current state of the UART message unit. There are three possible results: UART_slave_message.h UART_slave_message.c This function initializes the UART message unit. Address – the slave address. Returns: Located in: The input parameters are: uint8 UartMesMaster_State(void) void UartMesSlave_Init(uint8 address) UM_ERROR – the last transaction process finished with an error and the unit is ready to start a new process www.cypress.com Function uint8 UartMesSlave_Respond(char * txd, uint8 tlen) Returns: 0 1 Located in: No error Error detected UART_slave_message.h UART_slave_message.c This function starts the response. This function returns the result of the start of the process: if it succeeds, it returns 0 and 1 if there is an error (the unit has not received a marker). The input parameters are: txd – the pointer to the transmitted data (Request data) tlen – the length of the request in bytes Document No. 001-78175 Rev. *E 33 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Function This function obtains the received data size stored in the receive buffer. If the unit state is not UM_PACKREADY, it returns 0. uint8 UartMesSlave_State(void) Returns: 0 (UM_IDLE) – the last transaction process is finished 1 (UM_PACKREADY) – the unit has received a marker and there is received data in the buffer. The master waits for a response. 2 (UM_RESPOND) – the unit is busy with sending a response. Located in: Returns: return pointer to data Located in: UART_slave_message.h UART_slave_message.c This function obtains pointer to the received data. Summary This function returns current state of the UART message unit. There are three possible results: UM_IDLE – the last transaction process is finished UM_RESPOND – the unit is busy with sending a response. UM_PACKREADY – the unit has received a marker and there is received data in the buffer. The master waits for a response. Function uint8 UartMes_GetDataSize(void) returns data size Located in: uint8 * UartMesSlave_GetDataPtr(void) UART_slave_message.h UART_slave_message.c Returns: Function UART_slave_message.h UART_slave_message.c www.cypress.com This application note describes how to implement various diagnostic tests defined by the IEC 60730 standard. The introduction of IEC 60730 into the design of white goods and other appliances will add a new level of safety for consumers. By taking advantage of the unique hardware configurability of PSoC 3 and PSoC 5LP, designers can comply with regulations while maintaining or reducing electronic systems cost. The use of PSoC and this Class B Safety Software Library enables creating a strong system-level development platform, achieving superior performance, fast time to market, and energy efficiency. References IEC 60730 Standard, “Automatic Electrical Controls for Household and Similar Use”, IEC 60730-1 Edition 3.2, 2007-03. Document No. 001-78175 Rev. *E 34 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Appendix A The following instructions help to program your part for proper flash/ROM diagnostic testing. 1. Build the project in PSoC Creator; make sure that the initial checksum value is set to ‘0’. Figure 26. Build Project 2. Open PSoC Programmer and read the flash checksum as shown in the following figure. Figure 27. Copy Checksum Value from PSoC Programmer www.cypress.com Document No. 001-78175 Rev. *E 35 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library 3. In PSoC Creator, assign the copied value to the checksum. Click the Program button. Figure 28. Reassign Checksum Constant with Actual Checksum for PSoC 3 Figure 29. Reassign Checksum Constant with Actual Checksum for PSoC 5LP www.cypress.com Document No. 001-78175 Rev. *E 36 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Appendix B EEPROM CRC Calculation at the Hardware Level using Hardware CRC Component Figure 30. Hardware CRC Calculation The EEPROM CRC calculates the CRC using a hardware CRC component freeing up CPU resources. Data from the EEPROM transfers to the Shift Register through the DMA. The Shift Register was used because the CRC component computes the CRC from a serial bit stream. Four D Flip Flops and a Counter7 (based on the Status Register) were used for synchronization. www.cypress.com Document No. 001-78175 Rev. *E 37 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Appendix C Table 2. Supported Part Numbers PSoC 3 PSoC 5LP CY8C3244AXA-XXX CY8C3446AXI-XXX CY8C5265AXI-XXXXX CY8C3244AXI-XXX CY8C3446LTI-XXX CY8C5265LTI-XXXXX CY8C3244LTI-XXX CY8C3446PVA-XXX CY8C5266AXI-XXXXX CY8C3244PVA-XXX CY8C3446PVE-XXX CY8C5266LTI-XXXXX CY8C3244PVI-XXX CY8C3446PVI-XXX CY8C5267AXI-XXXXX CY8C3245AXA-XXX CY8C3645AXE-XXX CY8C5267LTI-XXXXX CY8C3245AXI-XXX CY8C3646AXE-XXX CY8C5268AXI-XXXXX CY8C3245LTI-XXX CY8C3646PVE-XXX CY8C5268LTI-XXXXX CY8C3245PVA-XXX CY8C3665AXA-XXX CY8C5465AXI-XXXXX CY8C3245PVE-XXX CY8C3665AXI-XXX CY8C5465LTI-XXXXX CY8C3245PVI-XXX CY8C3665LTI-XXX CY8C5466AXI-XXXXX CY8C3246AXA-XXX CY8C3665PVA-XXX CY8C5466LTI-XXXXX CY8C3246AXI-XXX CY8C3665PVI-XXX CY8C5467AXI-XXXXX CY8C3246LTI-XXX CY8C3666AXA-XXX CY8C5467LTI-XXXXX CY8C3246PVA-XXX CY8C3666AXI-XXX CY8C5468AXI-XXXXX CY8C3246PVI-XXX CY8C3666LTI-XXX CY8C5468LTI-XXXXX CY8C3444AXA-XXX CY8C3666PVA-XXX CY8C5666AXI-XXXXX CY8C3444AXI-XXX CY8C3845PVE-XXX CY8C5666LTI-XXXXX CY8C3444LTI-XXX CY8C3846AXE-XXX CY8C5667AXI-XXXXX CY8C3444PVA-XXX CY8C3865AXA-XXX CY8C5667LTI-XXXXX CY8C3444PVE-XXX CY8C3865AXI-XXX CY8C5668AXI-XXXXX CY8C3444PVI-XXX CY8C3865LTI-XXX CY8C5668LTI-XXXXX CY8C3445AXA-XXX CY8C3865PVA-XXX CY8C5866AXI-XXXXX CY8C3445AXE-XXX CY8C3865PVI-XXX CY8C5866LTI-XXXXX CY8C3445AXI-XXX CY8C3866AXA-XXX CY8C5867AXI-XXXXX CY8C3445LTI-XXX CY8C3866AXI-XXX CY8C5867LTI-XXXXX CY8C3445PVA-XXX CY8C3866LTI-XXX CY8C5868AXI-XXXXX CY8C3445PVI-XXX CY8C3866PVA-XXX CY8C5868LTI-XXXXX CY8C3446AXA-XXX CY8C3866PVI-XXX CY8C3446AXE-XXX www.cypress.com Document No. 001-78175 Rev. *E 38 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Appendix D MISRA Compliance This section describes the MISRA-C:2004 compliance and deviations for the test projects. MISRA stands for Motor Industry Software Reliability Association. The MISRA specification covers a set of 122 mandatory rules and 20 advisory rules that apply to firmware design. It has been put together by the automotive industry to enhance the quality and robustness of the firmware code embedded in automotive devices. Table 3. Verification Environment Component Name Version Test Specification MISRA-C: 2004 Guidelines for the use of the C language in critical systems. October 2004 Target Device PSoC 3 Production PSoC 5LP Production PK51 9.03 GCC 4.4.1 Generation Tool PSoC Creator 2.2 SP1 MISRA Checking Tool Programming Research QA C source code analyzer for Windows 8.1-R Programming Research QA C MISRAC:2004 Compliance Module (M2CM) 3.2 Target Compiler The list of deviated rules is provided in the following table. Table 4. Deviated Rules MISRA-C: 2004 Rule 1.1 Rule Class (R/A) R Rule Description This rule states that code shall conform to the C ISO/IEC 9899:1990 standard. Description of Deviations Some C language extensions (such as interrupt keyword) relate to device hardware functionality and cannot be practically avoided. In the main.c file generated by PSoC Creator, the nonstandard main() declaration is used: “void main()”. The standard declaration is “int main()”. 3.1 R All usage of implementation-defined behavior shall be documented. For the documentation on PK51 and GCC compilers, refer to the PSoC Creator Help menu, documentation sub-menu, Keil, and GCC commands respectively. 8.7 R Objects shall be defined at block scope if they are only accessed from within a single function. Volatile global variables are accessed in ISR routines. 8.8 R An external object or function shall be declared in one and only one file. For PSoC 5LP, some objects are declared with external linkage in *.c files and these declarations are not in the header files. 8.10 R All declarations and definitions of objects or functions at file scope shall have internal linkage unless external linkage is required. Library APIs are designed to be used in user application and might not be used in the library API. 10.1 R The value of an expression of integer type shall not be implicitly converted to a different File SelfTest_Analog.c: uint16 DACval variable is converted to a signed value to check its range (± constant value). www.cypress.com Document No. 001-78175 Rev. *E 39 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library MISRA-C: 2004 Rule Rule Class (R/A) Rule Description Description of Deviations underlying type if: a) it is not a conversion to a wider integer type of the same signedness, or b) the expression is complex, or c) the expression is not constant and is a function argument, or d) the expression is not constant and is a return expression 10.3 R The value of a complex expression of integer type shall only be cast to a type of the same signedness that is no wider than the underlying type of the expression. File SelfTest_Analog.c: uint16 DACval variable is converted to signed value to check it range (± constant value). Uint8 IDAC_Value variable is converted to signed int16 to be subtracted from the signed int16 constant value. 11.3 A A cast should not be performed between a pointer type and an integral type. See “List of pointer violations in demo projects” in Table 5. 11.4 A A cast should not be performed between a pointer to object type and a different pointer to object type. See “List of pointer violations in demo projects” in Table 5. 11.5 R A cast shall not be performed that removes any const or volatile qualification from the type addressed by a pointer. See “List of pointer violations in demo projects” in Table 5. 13.6 R Numeric variables being used within a “for” loop for iteration counting shall not be modified in the body of the loop. File SelfTest_UDB_CfgReg.c, function SelfTests_UDB_ConfigReg: iblock variable is zeroed within loop body to start test for next flash block. 13.7 R Boolean operations whose results are invariant shall not be permitted. Some Boolean operations are mistakenly treated by the analyzer as “invariant”. These are all false positives. Library APIs are designed to be used in user application and might not be used in library demo code. 14.1 R There shall be no unreachable code. Library APIs are designed to be used in the user application and might not be used in the library code. 14.3 R Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that the first character following the null statement is a white-space character. The CyGlobalIntEnable macro has a null statement that is located close to the other code. 15.2 R An unconditional break statement shall terminate every non-empty switch clause. File SelfTest_Clock.c, function SelfTests_Clock: state machine implementation require switch case usage without break statement. 16.9 R A function identifier shall only be used with either a preceding &, or with a parenthesised parameter list, which may be empty. Files uart_master_message.c and uart_slave_message.c: functions UTX_M_ISR_SetVector, URX_M_ISR_SetVector, U_M_TIME_ISR_SetVector, UTX_S_ISR_SetVector, URX_S_ISR_SetVector take functions names as input parameters. 16.10 R If a function returns error information, then that error information shall be tested. Library functions return values which are not used in demo projects but could be used in customer’s projects. 17.4 R Array indexing shall be the only allowed form of pointer arithmetic. See “List of pointer violations in demo projects” table below. 21.1 R Minimization of run-time failures shall be ensured by the use of at least one of: Some code generated by PSoC Creator in some specific configurations can contain redundant operations introduced because of generalized implementation approach. a) static analysis tools/techniques; b) dynamic analysis tools/techniques; c) explicit coding of checks to handle runtime faults. www.cypress.com Document No. 001-78175 Rev. *E 40 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Table 5. Pointer Violations in Demo Projects Pointer (variable name) All register definitions in *.h files that are used in library APIs MISRA rule Files 11.3 A cast should not be performed between a pointer type and an integral type. AN78175_Memory project: Main.c; SelfTest_cpu_asm.c; SelfTest_crc_calc.c; SelfTest_CustomFlash.c; SelfTest_EEPROM.c; SelfTest_Ram.c; SelfTest_Flash.c; SelfTest_Stack.c; SelfTest_UDB_CfgReg.c; Description HW registers access is implemented over pointers to these registers. AN78175_Analog project: Main.c; idac8_cb.c; elfTest_Analog.c; SelfTest_Analog_Calibration.c; vdac8_cb.c; AN78175_Digital project: Main.c; SelfTest_IO.c; AN78175_Protocol project: Main.c; uart_master_message.c; Uart_slave_message.c; AN78175_Wdt project: Main.c; WDT_Window project: Main.c; SelfTest_Flash.c: Flash_Pointer; 11.4 A cast should not be performed between a pointer to object type and a different pointer to object type. AN78175_Memory project: SelfTest_Flash.c; uart_slave_message.c: UMS.message; 11.5 A cast shall not be performed that removes any 'const' or 'volatile' qualification from the type addressed by a pointer. AN78175_Protocol project: uart_slave_message.c: Cast uint8 message[MAX_MESSAGE_SIZE] to (uint8 *)UMS.message; SelfTest_CRC_calc.c: RegPointer; 17.4 Array indexing shall be the only allowed form of pointer arithmetic. AN78175_Memory project: SelfTest_CRC_calc.c; SelfTest_CustomFlash.c; SelfTest_EEPROM.c; SelfTest_Flash.c; SelfTest_Stack.c; SelfTest_UDB_CfgReg.c; uint8 * rowData is passed as parameter to function where is accessed as indexed array. Main.c: rxd; SelfTest_CustomFlash.c: rowData; SelfTest_EEPROM.c: RegPointer, RegPointer1; SelfTest_Flash.c: Flash_Pointer; SelfTest_Stack.c: stack; SelfTest_UDB_CfgReg.c: CfgRegPointer; AN78175_Protocol project: main.c; AN78175_Protocol project: uart_master_message.c; uart_slave_message.c; Cast static uint8 CYCODE *Flash_Pointer to (*((uint16 code *)Flash_Pointer)) to access uint16 word per one instruction. Cast uint8 rxd[16u] to (char8*) rxd) as it is required by LCD_Char_PrintString library function. reg8 * RegPointer and reg8 * RegPointer1 are used as indexed arrays to access registers set. static uint8 CYCODE *Flash_Pointer is used as array of flash data and is indexed via “++” operation. uint16 *stack is used as array and is indexed via “++” operation. uart_master_message.c: UM.rxptr uint8 CYCODE * CfgRegPointer is used as indexed array to access data stored in flash. uart_slave_message.c: UMS.txptr; uint8 * txptr is used as array and is indexed via “++” operation. www.cypress.com Document No. 001-78175 Rev. *E 41 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Document History ® Document Title: PSoC 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library – AN78175 Document Number: 001-78175 Revision ECN Orig. of Change Submission Date Description of Change ** 3567592 TARK_UKR ANBI_UKR DIMA_UKR 04/02/2012 New Spec. *A 3624352 TARK_UKR 08/06/2012 Updated Recommendations and Examples (Removed CapSense CSD (Removed Test on Sensor Shorts, Test on Sensor Disconnect, and Modulator Component (Cmod and Rb) Testing), added UDB Configuration Registers test and Start up Configuration Registers test). *B 3721601 TARK_UKR 8/23/2012 Exclude CapSense CSD self-tests Added two additional self-tests: UDB configuration register test and Start up configuration register test located on page 15, 16. *C 3822654 MATT 11/27/2012 Updated for PSoC 5LP. *D 4280250 VASY 02/13/2014 Added Program Flow Testing description. Added Stack Overflow Test. Added PSoC 3 idata and xdata difference description. Added Windowed WDT timing diagram. Added List of supported part numbers to Appendix C. Added MISRA Compliance description to Appendix D *E 4500971 www.cypress.com TARK 09/12/2014 Corrected the attached project. Document No. 001-78175 Rev. *E 42 PSoC® 3 and PSoC 5LP - IEC 60730 Class B Safety Software Library Worldwide Sales and Design Support Cypress maintains a worldwide network of offices, solution centers, manufacturer’s representatives, and distributors. To find the office closest to you, visit us at Cypress Locations. PSoC® Solutions Products Automotive cypress.com/go/automotive psoc.cypress.com/solutions Clocks & Buffers cypress.com/go/clocks PSoC 1 | PSoC 3 | PSoC 4 | PSoC 5LP Interface cypress.com/go/interface Lighting & Power Control cypress.com/go/powerpsoc cypress.com/go/plc Memory cypress.com/go/memory PSoC cypress.com/go/psoc Touch Sensing cypress.com/go/touch USB Controllers cypress.com/go/usb Wireless/RF cypress.com/go/wireless Cypress Developer Community Community | Forums | Blogs | Video | Training Technical Support cypress.com/go/support PSoC is a registered trademark and PSoC Creator is a trademark of Cypress Semiconductor Corp. All other trademarks or registered trademarks referenced herein are the property of their respective owners. Cypress Semiconductor 198 Champion Court San Jose, CA 95134-1709 Phone Fax Website : 408-943-2600 : 408-943-4730 : www.cypress.com © Cypress Semiconductor Corporation, 2012-2014. The information contained herein is subject to change without notice. Cypress Semiconductor Corporation assumes no responsibility for the use of any circuitry other than circuitry embodied in a Cypress product. Nor does it convey or imply any license under patent or other rights. Cypress products are not warranted nor intended to be used for medical, life support, life saving, critical control or safety applications, unless pursuant to an express written agreement with Cypress. Furthermore, Cypress does not authorize its products for use as critical components in life-support systems where a malfunction or failure may reasonably be expected to result in significant injury to the user. The inclusion of Cypress products in life-support systems application implies that the manufacturer assumes all risk of such use and in doing so indemnifies Cypress against all charges. This Source Code (software and/or firmware) is owned by Cypress Semiconductor Corporation (Cypress) and is protected by and subject to worldwide patent protection (United States and foreign), United States copyright laws and international treaty provisions. Cypress hereby grants to licensee a personal, non-exclusive, non-transferable license to copy, use, modify, create derivative works of, and compile the Cypress Source Code and derivative works for the sole purpose of creating custom software and or firmware in support of licensee product to be used only in conjunction with a Cypress integrated circuit as specified in the applicable agreement. Any reproduction, modification, translation, compilation, or representation of this Source Code except as specified above is prohibited without the express written permission of Cypress. Disclaimer: CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cypress reserves the right to make changes without further notice to the materials described herein. Cypress does not assume any liability arising out of the application or use of any product or circuit described herein. Cypress does not authorize its products for use as critical components in life-support systems where a malfunction or failure may reasonably be expected to result in significant injury to the user. The inclusion of Cypress’ product in a life-support systems application implies that the manufacturer assumes all risk of such use and in doing so indemnifies Cypress against all charges. Use may be limited by and subject to the applicable Cypress software license agreement. www.cypress.com Document No. 001-78175 Rev. *E 43