Infineon XMC4000 Series Application Manual


XMC4000
Microcontroller Series
for Industrial Applications
Fail-safe Features
• Voltage Supervision
• Clock Supervision
• Memory Integrity
• Fail-safe Flash
• Software Supervision
• System Traps
• Special Peripheral Features
Application Guide
V1.0 2013-04
Microcontrollers


Summary of Contents for Infineon XMC4000 Series

  • Page 1 XMC4000 Microcontroller Series for Industrial Applications. Fail-safe Features: Voltage Supervision; Clock Supervision; Memory Integrity; Fail-safe Flash; Software Supervision; System Traps; Special Peripheral Features. Application Guide V1.0 2013-04 Microcontrollers...
  • Page 2 Infineon Technologies components may be used in life-support devices or systems only with the express written approval of Infineon Technologies, if a failure of such components can reasonably be expected to cause the failure of that life-support device or system or to affect the safety or effectiveness of that device or system. Life support devices or systems are intended to be implanted in the human body or to support and/or maintain and sustain and/or protect human life.
  • Page 3 Revision History Page or Item Subjects (major changes since previous revision) V1.0, 2013-04 Trademarks of Infineon Technologies AG AURIX™, C166™, CanPAK™, CIPOS™, CIPURSE™, EconoPACK™, CoolMOS™, CoolSET™, CORECONTROL™, CROSSAVE™, DAVE™, EasyPIM™, EconoBRIDGE™, EconoDUAL™, EconoPIM™, EiceDRIVER™, eupec™, FCOS™, HITFET™, HybridPACK™, I²RF™, ISOFACE™, IsoPACK™, MIPAQ™, ModSTACK™, my-d™, NovalithIC™, OptiMOS™, ORIGA™, PRIMARION™,...
  • Page 4: Table Of Contents

    Fail-Safe Features XMC4000 Family Table of Contents Table of Contents Voltage Supervision (6) Voltage Supervision (7) Introduction (7) Embedded Voltage Regulator (7) Power-on Reset (7) PORST pin (8) 1.4.1 Power Validation (9) 1.4.2 Supply Watchdog (11) Supply Voltage Brown-out Detection ...
  • Page 5 Fail-Safe Features XMC4000 Family Table of Contents 4.7.2 Trap Control (34) Handling Errors During Operation (35) SQER “Sequence Error” (35) 4.8.1 PFOPER “Operation Error” (36) 4.8.2 PROER “Protection Error” (37) 4.8.3 VER “Verification Error” (38) 4.8.4 PFSBER/DFSBER “Single-Bit Error”...
  • Page 6: Voltage Supervision

    Fail-Safe Features XMC4000 Family Voltage Supervision Voltage Supervision Application Guide V1.0, 2013-04...
  • Page 7: Voltage Supervision

    Fail-Safe Features XMC4000 Family Voltage Supervision Voltage Supervision Voltage Supervision fail-safe features enable monitoring of the voltage levels and automatic reaction of the system to abnormal supply conditions in the application. Introduction The following fail-safe features are described in the subsequent sections: ...
  • Page 8: Porst Pin

    Fail-Safe Features XMC4000 Family Voltage Supervision Failure condition During power-up V voltage still too low to ensure proper function of modules supplied with V , which may potentially lead, for example, to Flash malfunction, I/O pads misbehavior, or unreliable V generation in EVR.
  • Page 9: Power Validation

    Fail-Safe Features XMC4000 Family Voltage Supervision Pull-up on PORST Figure 2 Failure condition A load on the PORST reset pin prevents the bi-directional PORST from releasing reset faster than 2 µs during V ramping (time longer than 500 µs) leading to a risk of multiple low spikes on the PORST Fail-safe effect Improve PORST release time (below 2 µs) by applying a sufficient pull-up to the...
  • Page 10 Fail-Safe Features XMC4000 Family Voltage Supervision Power Validation Figure 3 It monitors that the core voltage is above the voltage threshold V which guarantees a safe operation. Whenever the voltage falls below the threshold level a power-on reset is generated. Failure condition voltage remains, or has dropped down below a minimum level V , which...
  • Page 11: Supply Watchdog

    Fail-Safe Features XMC4000 Family Voltage Supervision 1.4.2 Supply Watchdog The supply watchdog compares the supply voltage against the reset threshold V (see Figure 4). The Datasheet defines the nominal value and applied hysteresis. Supply Voltage Monitoring Figure 4 While the supply voltage is below V the device is held in reset.
  • Page 12: Supply Voltage Brown-Out Detection

    Fail-Safe Features XMC4000 Family Voltage Supervision Supply Voltage Brown-out Detection Brown-out detection is an additional voltage monitoring feature that enables the user software to perform some corrective action that brings the chip into safe operation in case of a critical supply voltage drop, and avoids a System Reset generated by the Supply Voltage Monitoring (see Figure 5).
  • Page 13: Hibernate Domain Power Management

    Fail-Safe Features XMC4000 Family Hibernate Domain Power Management Hibernate domain must be supplied with a valid V level during startup and while in active mode. This can be ensured by a direct V connection to V Invalid V voltage level may lead to unpredictable behavior of the device. 1.6.1 Temporary Loss of V Supply...
  • Page 14 Fail-Safe Features XMC4000 Family Note: It is strongly recommended to supply Hibernate domain with V when available in order to extend the battery life time. An external supply voltage switching solution based on Schottky diodes is shown in Figure 7. The scenario may apply to applications where RTC is activated and will also preserve its operation during longer periods of device inactivity, while in hibernate mode for example, or when simply powered-off for a period of time.
  • Page 15: Clock Supervision

    Fail-Safe Features XMC4000 Family Clock Supervision Application Guide V1.0, 2013-04...
  • Page 16: Clock Supervision

    Fail-Safe Features XMC4000 Family Clock Supervision Clock Supervision Introduction The XMC4000 clocking system implements various clock sources and operating modes. Fail-safe features cover a wide range of aspects of operation that can be utilized in order to ensure stable operation. The following sections cover the basic introduction to the clocking system elements and associated fail-safe mechanisms: ...
  • Page 17: Backup Clock Source

    Fail-Safe Features XMC4000 Family Clock Supervision Backup Clock Source The backup clock f generated internally, is the default clock after start-up. It is used for by-passing the PLL for startup of the system without an external clock. Furthermore it can be used as an independent clock source for the watchdog module, or even as the system clock source during normal operation.
  • Page 18: System Pll Loss-Of-Lock Trap

    Fail-Safe Features XMC4000 Family Clock Supervision 2.3.2 System PLL Loss-of-Lock Trap The System PLL Loss-of-Lock is signaled as a system Trap in case VCO lock has been lost and it continues in a free running mode. The user software shall apply a corrective action in order to re-lock the PLL and bring the system into safe operation.
  • Page 19 Fail-Safe Features XMC4000 Family Clock Supervision 2.3.4.1 Emergency System Clock for PLL Normal Mode The main PLL converts a low-frequency external clock signal to a high-speed internal clock. The PLL also has fail-safe logic that detects de-generative external clock behavior such as abnormal frequency deviations or a total loss of the external clock.
  • Page 20 Fail-Safe Features XMC4000 Family Clock Supervision 2.3.4.2 Emergency System Clock for PLL Prescaler Mode The PLL offers a VCO Power-Down mode. This mode can be entered to save power within the PLL. The VCO Power-Down mode is entered by setting bit PLLCON0.VCOPWD. While the PLL is in this mode only the Prescaler mode is operable.
  • Page 21: Fail-Safe Clock Ratio Configuration

    Fail-Safe Features XMC4000 Family Clock Supervision 2.3.5 Fail-safe Clock Ratio Configuration XMC4000 devices support a set of different clock ratio configurations for different groups of on-chip resources. A simplified rule that generally applies here is that the ratio between any of the clocks (any combination) f and f is never greater than 2 (for more details please refer to “Clock...
  • Page 22: Usb Pll Loss-Of-Lock Trap

    Fail-Safe Features XMC4000 Family Clock Supervision 2.4.1 USB PLL Loss-of-Lock Trap The USB PLL Loss-of-Lock is signaled as a system Trap when VCO lock has been lost, and it continues in a free running mode. The user software shall apply a corrective action in order to re-lock the USB PLL to bring the system into safe operation.
  • Page 23: Rtc Clock Watchdog Trap

    Fail-Safe Features XMC4000 Family Clock Supervision 2.5.1 RTC Clock Watchdog Trap Failure condition Externally generated clock outside of expected frequency range due for example to external crystal failure. Fail-safe effect A Trap generated and flagged in the TRAPSTAT register while operating in active mode.
  • Page 24: Memory Integrity

    Fail-Safe Features XMC4000 Family Clock Supervision Memory Integrity Application Guide V1.0, 2013-04...
  • Page 25: Memory Integrity Protection

    Fail-Safe Features XMC4000 Family Memory Integrity Protection Memory Integrity Protection Introduction The following memory fail-safe features are described in the subsequent sections: Principle of Parity Check Operation; Parity Error on System SRAMs; Parity Error on Peripheral Module SRAMs; ...
  • Page 26: Parity Error On System Srams

    Fail-Safe Features XMC4000 Family Memory Integrity Protection Parity Error on System SRAMs System SRAMs like PSRAM, DSRAM1 and DSRAM2, can be read/write accessed directly with user software. These memories are attached directly to the bus system and are mapped into system address space.
  • Page 27: Fail-Safe Flash

    Fail-Safe Features XMC4000 Family Memory Integrity Protection Fail-safe Flash Application Guide V1.0, 2013-04...
  • Page 28: Fail-Safe Flash

    Fail-Safe Features XMC4000 Family Fail-Safe Flash Fail-Safe Flash Introduction The Flash Module implements various mechanisms to limit or prevent the danger from misbehaviour under critical conditions, and provides the means for supervising different aspects of operation. The error conditions may be caused by a hazardous environment potentially affecting data integrity for example, poor supply voltage, or software bugs.
  • Page 29: Single-Bit Error

    Fail-Safe Features XMC4000 Family Fail-Safe Flash When data is read these codes are evaluated. Data in PFLASH uses an ECC code with SEC-DED (Single Error Correction, Double Error Detection) capabilities. Each block of 64 data bits is accompanied with 8 ECC bits over the 64 data bits. An erased data block (all bits '0') has an ECC value of 00 .
  • Page 30 Fail-Safe Features XMC4000 Family Fail-Safe Flash However, in cases where this external instance does not exist, a common solution is to detect an abort by performing two operations in sequence and determine after reset from the correctness of the second, the completeness of the first operation. For example, after erasing a sector a page is programmed.
  • Page 31: Boot Fallback Mode (Abm)

    Fail-Safe Features XMC4000 Family Fail-Safe Flash 4.3.1 Boot Fallback Mode (ABM) When this boot mode is selected, ABM Address-0 header is audited first. A positive audit results in SSW ceding control to the user application pointed to by the header. ...
  • Page 32: Flash Write And Otp Protection

    Fail-Safe Features XMC4000 Family Fail-Safe Flash Flash Write and OTP Protection The Flash write protection mechanism prevents an un-intended overwrite of the Flash by the user application software. A write sequence applied to Flash protected sectors will be ignored and no data will be altered.
  • Page 33: Write And Otp Protection Status

    Fail-Safe Features XMC4000 Family Fail-Safe Flash 4.6.2 Write and OTP Protection Status Active write-protection is indicated with the WPROIN bits in the FSR register, and causes the program and erase command sequences to fail with a PROER. A range “x” (i.e. a group of sectors; see PROCON0) of the PFLASH is write-protected if any of the following conditions are true: ...
  • Page 34: Trap Control

    Fail-Safe Features XMC4000 Family Fail-Safe Flash 4.7.2 Trap Control CPU Traps are triggered because of bus errors, and are generated by the PMU for erroneous Flash accesses. Bus errors are generated synchronously to the bus cycle requesting the erroneous Flash access or the disturbed Flash read data.
  • Page 35: Handling Errors During Operation

    Fail-Safe Features XMC4000 Family Fail-Safe Flash Handling Errors During Operation The previous sections described the functionality of bits indicating errors in the Flash Status Register FSR. In this section we elaborate on this with a more in-depth explanation of the error conditions and provide recommendations as to how these should be handled by customer software.
  • Page 36: Pfoper "Operation Error

    Fail-Safe Features XMC4000 Family Fail-Safe Flash PFOPER “Operation Error” 4.8.2 Fault conditions ECC double-bit error detected in the Flash module's internal SRAM during a program or erase operation in PFLASH. Cause: This can be a transient event due to alpha-particles or illegal operating conditions.
  • Page 37: Proer "Protection Error

    Fail-Safe Features XMC4000 Family Fail-Safe Flash PROER “Protection Error” 4.8.3 Fault conditions: Password failure; Erase/Write to protected sector; Erase UCB and protection active; Write UC-Page to protected UCB. Attention: A protection violation can occur even when a protection was not explicitly installed by the user.
  • Page 38: Ver "Verification Error

    Fail-Safe Features XMC4000 Family Fail-Safe Flash VER “Verification Error” 4.8.4 Fault conditions This flag is a warning indicator and not an error. It is set when a program or erase operation was completed but with a sub-optimal result. This bit is already set when only a single bit is left over-erased or weakly programmed which would anyway be corrected by the ECC.
  • Page 39: Pfsber/Dfsber "Single-Bit Error

    Fail-Safe Features XMC4000 Family Fail-Safe Flash PFSBER/DFSBER “Single-Bit Error” 4.8.5 Fault conditions When reading data or fetching code from PFLASH, the ECC evaluation detected a Single Bit Error (SBE) which was corrected. This flag is a warning indication and not an error. A certain amount of single-bit errors must be expected because of known physical effects.
  • Page 40: Handling Flash Errors During Startup

    Fail-Safe Features XMC4000 Family Fail-Safe Flash Handling Flash Errors During Startup During startup, a fatal error during Flash ramp-up forces the Firmware to terminate the startup process and to end in the Debug Monitor Mode (see Firmware chapter). The reason for a failed Flash startup can be a hardware error or damaged configuration data.
  • Page 41: Software Supervision

    Fail-Safe Features XMC4000 Family Fail-Safe Flash Software Supervision Application Guide V1.0, 2013-04...
  • Page 42: Software Supervisory

    Fail-Safe Features XMC4000 Family Software Supervisory Software Supervisory Introduction The following aspects of fail-safe software surveillance are covered in the subsequent sections: Windowed Watchdog Timer (WDT); Flexible CRC Engine (FCE). Windowed Watchdog Timer (WDT) The purpose of the Window Watchdog Timer module is to improve system integrity. The WDT triggers the system reset or other corrective action like e.g.
  • Page 43: Flexible Crc Engine (Fce)

    Fail-Safe Features XMC4000 Family Software Supervisory System Clock Supervisory Figure 17 Failure condition System un-recoverable hang up occurred. Fail-safe effect Triggers system reset when WDT not serviced on-time or serviced in the wrong way. Flexible CRC Engine (FCE) The FCE provides a parallel implementation of Cyclic Redundancy Code (CRC) algorithms. The current FCE version for the XMC4000 microcontrollers implements the IEEE 802.3 Ethernet CRC32, the CCITT CRC16 and the SAE J1850 CRC8 polynomials.
  • Page 44: System Traps

    Fail-Safe Features XMC4000 Family Software Supervisory System Traps Application Guide V1.0, 2013-04...
  • Page 45: Traps And Interrupts

    Fail-Safe Features XMC4000 Family Traps and Interrupts Traps and Interrupts Introduction The following aspects of fail-safe of traps and interrupt requests are covered in the subsequent sections: System Traps; External Traps; System Critical Service Requests. System Traps Abnormal system events listed in Table 2 can result in the assertion of an NMI.
  • Page 46: External Traps

    Fail-Safe Features XMC4000 Family Traps and Interrupts External Traps External events (Service Requests to the chip I/O pins) routed via the ERU0 module listed in Table can optionally result in assertion of a NMI if configured with the SCU_NMIREQEN register. Otherwise, the ERU0 module Service Requests are routed to the interrupt controller (NVIC) and processed as regular interrupt requests.
  • Page 47: System Critical Service Requests

    Fail-Safe Features XMC4000 Family Traps and Interrupts System Critical Service Requests Service Request signals typically generate system interrupts. A number of Service Request signals are intended to indicate events nearly as severe as the System Traps. Some of the Service Requests may be configured with the SCU_NMIREQEN register to cause NMI requests rather than an ordinary interrupt.
  • Page 48: Special Peripheral Features

    Fail-Safe Features XMC4000 Family Traps and Interrupts Special Peripheral Features Application Guide V1.0, 2013-04...
  • Page 49: Special Peripheral Features

    Fail-Safe Features XMC4000 Family Special Peripheral Features Special Peripheral Features Introduction The following aspects of fail-safe software surveillance are covered: WDT Special Functions (Pre-warning Service Request; Pre-warning Service Request); Capture/Compare & PWM (Hardware Emergency Shutdown; ...
  • Page 50: Wdt Service External Monitoring

    Fail-Safe Features XMC4000 Family Special Peripheral Features Failure condition WDT did not get served on time due to lack of real-time CPU responsiveness. Fail-safe effect The system will not be reset on the first missing WDT service of the WDT and can still be brought into safe operation.
  • Page 51: Dead-Time Generation

    Fail-Safe Features XMC4000 Family Special Peripheral Features 7.3.2 Dead-Time Generation The XMC4000 capture/compare modules implement dead-time insertion to prevent short circuits in the external switches. There are independent dead-time values for rising and falling transitions and an independent channel dead-time counter. ...
  • Page 52: High Resolution Pwm (Hrpwm) Overload Protection

    Fail-Safe Features XMC4000 Family Special Peripheral Features 7.3.5 High Resolution PWM (HRPWM) Overload Protection It is possible, with a simple arrangement of resources, to have a dedicated timer for maximum ON time control. With this mechanism it is possible to limit the maximum time where the switch is ON (overload situations due to wrong measurement), avoiding a premature burn of the switch.
  • Page 53: Digital I/Os

    Fail-Safe Features XMC4000 Family Special Peripheral Features Digital I/Os 7.4.1 Power Up and RESET All I/Os on input (tri-state or weak pull-up): in tri-state (PWM outputs); all others with weak pull-up. Failure condition XMC4000 power-up or reset occurs while other application board components are active and are driving I/Os of the device which may lead to potential damage of I/O pads (on XMC4000 or other components) if conflicting direction is configured (as outputs).
  • Page 54 infineon.com Published by Infineon Technologies AG...

This manual is also suitable for:

Xmc4200, Xmc4400
