

# AD7284 Safety Manual

One Technology Way • P.O. Box 9106 • Norwood, MA 02062-9106, U.S.A. • Tel: 781.329.4700 • Fax: 781.461.3113 • www.analog.com

### Safety Manual for the AD7284

#### **SCOPE**

This safety manual describes the implementation of the safety requirements on the AD7284 (see Table 3). This safety manual provides the necessary information to enable the integration of the AD7284 when in compliance with the ISO 26262 functional safety standards.

#### **PRODUCT OVERVIEW**

The AD7284 contains all functions required for the general-purpose monitoring of stacked Li-Ion batteries, as used in hybrid electric vehicles and battery backup applications.

The AD7284 has multiplexed cell voltage and auxiliary analog-to-digital converter (ADC) measurement channels supporting four to eight cells of battery management. The device provides a total unadjusted error (TUE) (cell voltage accuracy) of $\pm 3$ mV, maximum; this includes all the internal errors from input to output and defines the cell voltage measurement accuracy. The primary ADC resolution is 14 bits.

The AD7284 also includes an integrated secondary measurement path that validates the data on the primary ADC. Other diagnostic features include the detection of open inputs, communication, and power supply related faults.

The AD7284 has cell balancing interface outputs designed to control external field effect transistors (FETs) to allow discharging of individual cells.

There are two on-chip 2.5 V voltage references: one reference for the primary measurement path and one reference for the secondary measurement path.

The AD7284 operates from just one  $V_{\rm DD}$  supply with a range of 10 V to 40 V. The device provides eight differential analog input channels to accommodate large common-mode signals across the full  $V_{\rm DD}$  range. Each channel allows an input signal range,  $V_{\rm INx}-V_{\rm IN(x-1)}$ , of 0 V to 5 V. The input pins assume a series stack of eight cells. The AD7284 includes four auxiliary ADC input channels that can be used for temperature measurement or system diagnostics.

The AD7284 has a differential daisy-chain interface that allows multiple devices to be stacked without the need for individual device isolation. By design, this interface allows device to device communication within the same module and communication between devices on different modules.

#### **TARGET APPLICATIONS**

The AD7284 is designed for use in Li-Ion battery monitoring in both electric and hybrid electric vehicles.

#### **DOCUMENTS NEEDED**

- AD7284 data sheet
- ISO 26262:2011

# UG-1054

# **TABLE OF CONTENTS**

- Scope
- Product Overview
- Target Applications
- Documents Needed
- Revision History
- Functional Block Diagram
- Conditions of Use
- Device Identification
- Functional Safety Requirements
- Function and Safety of the AD7284
- Safety Architecture
- Device Operation
- Summary of Safety Mechanisms
- Failure Modes Effects and Diagnostic Analysis
- Hardware Safety Mechanisms and Diagnostics
- External Components Considerations
- IC Diagnostics: Life Counters and Fault Registers
- Communication Interfaces
- Voltage Measurements
- Power Supplies
- Memory and Calibration
- Cell Balancing Interface
- Software Safety Mechanisms and Diagnostics

#### **REVISION HISTORY**

5/2017—Revision A: Initial Version

### **FUNCTIONAL BLOCK DIAGRAM**



### **CONDITIONS OF USE**

The AD7284 usage conditions must meet the following requirements:

- The temperature complies with the specifications shown in the AD7284 data sheet.
- The minimum and maximum power supplies comply with the specifications shown in the AD7284 data sheet.
- The AD7284 is powered from the battery packs at all times.
- The circuit configuration and external components for the AD7284 comply with the recommendations described in the AD7284 data sheet.
- This document is only applicable to the AD7284WBSWZ model; it is not applicable to the Sx models (see the Device Identification section).

The AD7284 is developed in accordance with Analog Devices, Inc., advanced product quality planning (APQP) framework with the inclusion of many aspects of the ISO 26262 functional safety standard. To assist customers in integrating the device into a system with automotive safety integrity level (ASIL) requirements, a full failure mode and diagnostic analysis (FMEDA) is performed, which is available for inspection on request.

#### **DEVICE IDENTIFICATION**

The AD7284 can be identified from the branding on the top of the package, as shown in Figure 2. The branding items are as follows:

- AD7284
- WBSWZ
- Date code (#1614 in Figure 2)
- Assembly lot number (3452005.1 in Figure 2)

In addition to the package markings, device identification is available from the one-time programmable (OTP) memory. Information, such as the wafer identification (ID) and the x and y coordinates on the wafer, is stored in the nonvolatile memory, as described in Table 1 and Table 2.



Figure 2. Sample Branding Example (Top View)

To read back the device identification, use the following procedure:

1. Write 0x02 to the page register at Address 0x3E.
2. Read the fuse register at Address 0x2F.
3. Read the fuse register at Address 0x30.

Table 1. Fuse Register (Address 0x2F)

| Bits    | Name | Description                                                                                                |
|---------|------|------------------------------------------------------------------------------------------------------------|
| [D7:D2] | X    | X die location on the wafer. These bits are not included in the cyclic redundancy check (CRC) calculation. |
| [D1:D0] | Y2   | Top two digits of the Y die location on the wafer. These bits are not included in the CRC calculation.     |

Table 2. Fuse Register (Address 0x30)

| Bits    | Name | Description                                                                                                      |
|---------|------|------------------------------------------------------------------------------------------------------------------|
| [D7:D4] | Y1   | Bottom four digits of the Y die location on the wafer. These bits are not included in the CRC calculation. |
| [D3:D0] | W    | Wafer ID. These bits are not included in the CRC calculation.                                                    |

# **FUNCTIONAL SAFETY REQUIREMENTS**

To ensure that a system can be developed without an unacceptable risk, the system must operate within a safe state of charge and temperature range.

To achieve the safety requirements, it is important to understand whether a fault has occurred in the cell voltage or cell temperature measurements. The functional safety requirements (FSRs), FSR-1 and FSR-2, are described in Table 3.

**Table 3. Functional Safety Requirements**

| FSR   | Hazard | Fault Detection Time |
|-------|--------|----------------------|
| FSR-1 | Incorrect cell voltage measurement. An incorrect measurement error is considered to be $\pm 50$ mV TUE over the ranges specified in the AD7284 data sheet. | The fault detection time is less than or equal to 16.5 ms for a 96 cell application (12 AD7284 devices), or 27 ms for a 160 cell application (20 AD7284 devices). |
| FSR-2 | Incorrect auxiliary ADC voltage measurement. An incorrect measurement error is considered to be $\pm 50$ mV TUE over the ranges specified in the AD7284 data sheet. | The fault detection time is less than or equal to 16.5 ms for a 96 cell application (12 × AD7284 devices), or 27 ms for a 160 cell application (20 × AD7284 devices). |

### FUNCTION AND SAFETY OF THE AD7284

The primary function of the AD7284 is to measure the voltage of individual cells and the temperature of battery packs in a stack, as shown in Figure 3. Each device transmits its measurement results via the daisy-chain interface down to the master device, which communicates over the serial peripheral interface (SPI) with the host microcontroller.

The master and slave configurations are determined by external components setting the voltage on the MASTER pin of the device. The safety architecture and hardware safety mechanism and diagnostics described in this safety manual apply to the AD7284 in both master and slave configurations.

#### **SAFETY ARCHITECTURE**

The AD7284 implements a dual-measurement path to achieve a high level of fault detection. To simplify the system architecture, on-chip secondary features are offered for the following critical components of the device:

- The reference, multiplexer, ADC, and state machine.
- The oscillator and watchdog timer.

Two fixed communication protocols, with appropriate CRCs, ensure the integrity of the information being communicated. CRC calculations on the nonvolatile memory ensure that the trimming coefficients used to achieve the specified accuracy are unchanged. Fault flags indicate the status of the device. In the event of loss of communication, the AD7284 automatically enters a known state on watchdog expiration.



Figure 3. Multiple AD7284 Devices Monitoring a Stack of Battery Packs



Figure 4. Dual Measurement Path

#### **Dual Measurement Path**

The primary measurement path consists of a voltage input multiplexer and a successive approximation register (SAR) ADC providing 14 bits of resolution. The primary analog cell voltage inputs, VPIN0 to VPIN8, allow individual voltage monitoring of eight cells, plus a stack voltage measurement. The primary auxiliary inputs, VPAUX1 to VPAUX4, can be used for temperature monitoring or external diagnostics. The primary measurement path also measures $V_{\text{REG5}}$, $V_{\text{VREF2}}$, $V_{\text{REFBUF}}$, and the internal temperature sensor. The $V_{\text{VREF2}}$ measurement allows the user to verify the operation of the two measurement paths.

The secondary measurement path consists of a voltage input multiplexer and a SAR ADC providing 10 bits of resolution. The secondary analog cell voltage inputs, VSIN0 to VSIN8, allow a second set of voltage measurements on the eight cells. The secondary analog voltage inputs can connect to a second set of external filtering components, giving access to specific safety mechanisms. These inputs can be tied directly to VPIN0 to VPIN8 on the primary measurement path to minimize the use of external components. The secondary measurement path also measures  $V_{\text{REG5}}$  and  $V_{\text{REF1}}$ . The  $V_{\text{REF1}}$  measurement allows the user to verify the operation of the two measurement paths.

Figure 4 shows the dual measurement paths that allow the user to detect incorrect measurements. Some multiplexer inputs are omitted for clarity of the diagram.

#### **DEVICE OPERATION**

The battery stack powers the AD7284; it is assumed the AD7284 is connected to the battery cells at all times in the application. The AD7284 has three operating modes: active mode, partial power-down mode, and full power-down mode. Measurements and safety mechanisms are only available when the AD7284 is in active mode.

All diagnostic information is transmitted through the SPI on the master to the host microcontroller.

There are two types of safety mechanisms: integrated circuit (IC) diagnostics and user diagnostics.

IC diagnostics are performed at the end of a conversion sequence. The IC diagnostics include the following features:

- Most of the self diagnostic results are available in the fault register. The user is required to monitor the fault register within the system fault detection time interval.
- Other self diagnostic results (life counters) are available on data conversion readback.

The user diagnostics include the following features:

- Communication validation. These mechanisms allow the detection of erroneous communication.
- Measurement validation. For data transmitted by the AD7284, the user is required to validate the data within the system fault detection time interval. The rate at which the user requests conversions and reads back the secondary path for comparison or validation of the primary path must be determined by the safety goals of the system.
- Other validations. The user is required to run specific diagnostics during the initialization phase and periodically.
  The rate at which the user performs diagnostics must be determined by the safety goals of the system.

User diagnostics can be used both at startup and during runtime operation.

The status of device malfunction can be deduced from any of the following phenomena:

- Fault flags.
- Fault detection as part of communication, measurement, or other validation.
- Loss of communication with the device.

In cases where communication is lost, the AD7284 automatically enters the full power-down mode. The user must determine if the communication loss is temporary or permanent and take the appropriate actions.

#### **Recommended Run-Time Operation**

Figure 5 shows an overview of the typical run-time operation of the AD7284 in the application.



Figure 5. Typical Run-Time Operation

A transition from full power-down mode to active mode requires initialization of the chain.

#### **Initialization Phase**

The watchdog timer begins operating at device power-up and requires servicing within 98.3 ms. During the initialization phase, the following steps are required:

1. Set or service the watchdog timer within 98.3 ms of powering up.
2. Set up the device address.
3. Validate the device address and the fault register contents for each device in the chain.

#### Measurement and Data Validation Phase

The system requirements dictate the frequency of the measurement and data validation. During this phase, perform the following tasks in sequence:

1. Send the conversion request.
2. Wait for the t<sub>START</sub> period (see the AD7284 data sheet for more information).
3. Read back the primary conversion data.
4. Optionally, read back the secondary conversion data.
5. Read back the fault register.
6. Perform validation and appropriate actions.
7. Service the watchdog timer.
8. Stay in idle mode or, optionally, enter partial power-down mode.

### **SUMMARY OF SAFETY MECHANISMS**

Table 4 describes the safety mechanisms that are available to achieve the functional safety metrics listed in Table 5.

**Table 4. List of Safety Mechanisms** 

| ID    | Description                                                                | Type            |
|-------|----------------------------------------------------------------------------|-----------------|
| SM1a  | Fuse verification (a); fault flag                                          | IC diagnostic   |
| SM1b  | Fuse verification (b); CRC flag validation                                 | User diagnostic |
| SM2a  | Data validation (a); life counter increment                                | IC diagnostic   |
| SM2b  | Data validation (b); independent life counter                              | IC diagnostic   |
| SM2c  | Data validation (c); zero readback                                         | User diagnostic |
| SM3a  | Data masquerade (a); secondary results inverted                            | User diagnostic |
| SM3b  | Data masquerade (b); device and register address                           | User diagnostic |
| SM4   | Stack voltage vs. sum of cells                                             | User diagnostic |
| SM5   | Reference crosscheck                                                       | User diagnostic |
| SM6   | Matrix of known voltages at known locations                                | User diagnostic |
| SM7   | Open pin detection algorithm                                               | User diagnostic |
| SM8a  | Monitor 5 V supply (a); low dropout regulator (LDO) fault flag             | IC diagnostic   |
| SM8b  | Monitor 5 V supply (b); power-on reset (POR) fault flag                    | IC diagnostic   |
| SM8c  | Monitor 5 V supply (c); conversion of LDO                                  | User diagnostic |
| SM9   | Monitor buffered 2.5 V supply; conversion                                  | User diagnostic |
| SM10  | Monitor buffered 2.0 V supply; daisy-chain, common-mode voltage fault flag | IC diagnostic   |
| SM11  | Cell balance diagnostic algorithm                                          | User diagnostic |
| SM12a | Communication protocol (a); registers                                      | User diagnostic |
| SM12b | Communication protocol (b); results                                        | User diagnostic |
| SM13a | CRC algorithm (a); registers                                               | User diagnostic |
| SM13b | CRC algorithm (b); results                                                 | User diagnostic |
| SM14  | Communication watchdog                                                     | User diagnostic |
| SM15a | Loss of communication (a); secondary watchdog                              | User diagnostic |
| SM15b | Loss of communication (b); oscillator drift detection                      | IC diagnostic   |
| SM16  | Test mode entry detection                                                  | IC diagnostic   |
| SM17  | Fault register functional check                                            | User diagnostic |
| SM18  | One out of two measurements on cell voltages                               | User diagnostic |
| SM19a | Result value boundaries (a); cell voltage measurements                     | User diagnostic |
| SM19b | Result value boundaries (b); auxiliary inputs voltage measurements         | User diagnostic |
| SM20  | Monitor daisy-chain common-mode voltage; ADC feedback on VPAUXx            | User diagnostic |
| SM21  | Power-down timer enabled before watchdog disabled                          | User diagnostic |
| SM23  | Open auxiliary input detection                                             | User diagnostic |

# FAILURE MODES EFFECTS AND DIAGNOSTIC ANALYSIS

The FSRs for the AD7284 are described in Table 3. Table 5 shows the overall single-point fault metric and latent fault metric figures achieved.

Table 5. Overall Safety Metrics for FSR-1 and FSR-2

| Block                                         | FSR-1 (%) | FSR-2 (%) |
|-----------------------------------------------|-----------|-----------|
| IC Diagnostic Coverage, Single-Point Fault    | 99.43     | 98.21     |
| IC Diagnostic Coverage, Latent Fault          | 96.67     | 93.25     |

### HARDWARE SAFETY MECHANISMS AND DIAGNOSTICS

To ensure the integrity of the information communicated to the host microcontroller, a comprehensive set of safety features is incorporated into the product design. A variety of safety mechanisms are incorporated into the AD7284 to assess the health of the following aspects of the device:

- Communication interfaces.
- Voltage measurements.
- Power supplies, memory and calibration, and the cell balancing interface.

Detailed explanations of each safety mechanism and external components considerations are discussed in this section.

#### **EXTERNAL COMPONENTS CONSIDERATIONS**

The AD7284 data sheet contains typical connection diagrams. In addition, this section describes specific recommendations applicable to functional safety.

#### **Decoupling Capacitors**

The AD7284 pin configuration includes multiple supply pins to reduce risks associated with external decoupling capacitors, as shown in Figure 6.

Two  $V_{\text{DD}}$  pins allow two sets of decoupling capacitors on the battery supply. Consider using capacitors in series to ensure device operation in the event of a shorted capacitor.

The regulated 5 V supply, supplying all low voltage circuits, is available on three pins:  $V_{\text{REG5}}$ ,  $AV_{\text{CC}}$ , and  $DV_{\text{CC}}$ . Use a 100 nF capacitor to decouple each of these pins, as shown in Figure 6.



Figure 6. Decoupling on the Supply Pins (External Circuitry Omitted for Clarity)

#### **Cell Input Filters**

To take full advantage of the two independent measurement paths described in the Safety Architecture section, use two sets of filters on each of the cells. This configuration provides the following benefits:

- The primary and secondary cell measurement paths are duplicated from the connector containing the cell voltage inputs (SM18) to the result registers.
- Open pin and open connection algorithms require separate measurement paths (SM7).
- The cell balancing diagnostic is available (SM11).

#### **Cell Temperature Measurements**

The AD7284 features four VPAUXx inputs to monitor cell temperature via external thermistors. Use two VPAUXx inputs to monitor the same group of cells to implement SM23.

In addition, system temperature correlation can be achieved with the on-chip temperature sensor. Thermal analysis at the system level is required to determine the degree of correlation.

# IC DIAGNOSTICS—LIFE COUNTERS AND FAULT REGISTERS

The life counters and fault registers form part of the various safety mechanisms.

A life counter is built into the state machine, sequencing the primary measurement path; the value of the life counter is returned with the measurement results. The life counter only increments on completion of a correct sequence of conversions on the primary path of the AD7284. A similar independent life counter only increments on the completion of a correct sequence of conversions on the secondary path. The two life counters, in conjunction with the other safety mechanisms implemented on the AD7284, allow the user to detect possible faults, as summarized in Table 6.

Table 6. Fault Detections with the Life Counters

| Primary Life Counter State | Secondary Life Counter State | Fault Detection | Safety Mechanisms |
|-------------------------------|---------------------------------|-----------------------------------------------------------------------------------------|-------------------|
| Incorrect Increment           | Incorrect increment             | Multiple conversion requests or missing readback request                                | SM2a              |
| Incorrect Increment           | Correct increment               | Measurement path state machine fault                                                    | SM2b              |
| Correct Increment             | Incorrect increment             | Measurement path state machine fault or missing secondary read request on previous loop | SM2a and SM2b     |
| No Increment                  | No increment                    | Multiple readback requests or missing conversion request                                | SM2c              |
| Correct Increment             | No increment                    | Measurement path state machine fault                                                    | SM2b              |
| No Increment                  | Correct increment               | Measurement path state machine fault                                                    | SM2b              |

Table 7. Fault Register Settings (Register 0x01)

| Bits | Name     | Description                                                                                                                                                                   | Safety Mechanism |
|------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| D7   | PORFLAG  | Power-on reset flag. This bit is set to 1 to indicate that a power-on reset occurred. | SM8b |
| D6   | WDFAULT  | Watchdog power-down fault. This bit is set to 1 when the watchdog timer times out. | SM14 |
| D5   | LDOFAULT | LDO fault flag. This bit is set to 1 if the internal LDO supply is out of range (<4.8 V or >5.2 V, typical). | SM8a |
| D4   | Reserved | Reserved. Set this bit to 0. | Not applicable |
| D3   | FUSECRC  | Fuse CRC fault flag. This bit is set to 1 when the fuse CRC does not match the programmed fuse CRC value. | SM1b |
| D2   | DCMFAULT | C<sub>CM</sub> fault flag. This bit is set to 1 if an overvoltage (2.5 V typical) or undervoltage (1.5 V typical) condition is detected on the daisy-chain common-mode voltage. | SM10 |
| D1   | CFGFAULT | This bit is set to 1 if the device is in test mode. Issue a reset to restart the device in user mode. | SM16 |
| D0   | OSCDRIFT | The AD7284 has two internal oscillators that are trimmed to the same frequency. This bit is set to 1 when the difference between the two oscillators is greater than 3.9%. | SM15b |

Table 8. 32-Bit SPI Register Read/Register Write Data Packet Format

| Device Address | Write/Write-Read | Register Address | Register Data | CRC          |
|----------------|------------------|------------------|---------------|--------------|
| Bits[D31:D27]  | Bit D26          | Bits[D25:D20]    | Bits[D19:D12] | Bits[D11:D0] |

At the end of a conversion sequence, the state machine automatically updates the fault register containing seven fault flags, as shown in Table 7.

The life counters and fault registers are part of the safety mechanisms described in detail in the following sections.

#### **COMMUNICATION INTERFACES**

A 4-wire SPI interface serves as the communications interface between the AD7284 master device and a host microcontroller. A 2-wire, twisted pair daisy chain is used for master to slave communication, and for slave to slave communication.

After receiving a 32-bit SPI frame (or two 16-bit SPI frames), the master moves the message to the daisy-chain interface. After receiving a 32-bit message, each slave passes up the information received from the device below in the daisy chain. In parallel to passing the information up the daisy chain, each device decodes the received message (or SPI).

To transmit 32-bit packets, after sending its own message, each slave passes down the information received from the device above it in the daisy chain.

Measurement results are communicated to the host in 64-bit packet format (two 32-bit SPI frames) using a shift register.

#### **Communication Protocols**

The AD7284 has two fixed communication protocols. These two protocols are identical for the two communication interfaces: SPI and daisy chain.

The safety mechanisms related to data integrity and fault detection are as follows:

- Two fixed protocols, SM12a and SM12b.
- Error detection protocols, SM13a and SM13b.
- Detection of temporary loss of communication during measurement loop (readback/conversion requests), SM2a and SM2c.
- Prevention of data masquerade, SM3a and SM3b.

To protect against data corruption faults, use the AD7284 communication protocols and implement SM12x in conjunction with SM13x, SM2x, and SM3x.

#### SM12a Communication Protocol Register

The AD7284 implements a fixed data protocol for writes to and reads from registers, as shown in Table 8.

Each 32-bit SPI data packet contains a device address, a direction bit (write/write-read bit), a register address, data, and a CRC that covers the contents to a Hamming distance of 6.

A device acts on the message only if the CRC is correct and if it is being addressed, with either a matching device address, or with Address 0x1F (used to address all devices at the same time). The AD7284 also uses page addressing. To access a register on a page, the corresponding page must be selected first. Configuration and diagnostic registers are located on Page 1. Page 0 is the default page on power on.

#### User Requirements to Implement SM12a

Implement the protocol described in Table 8 to read from and write to registers, and to validate each SPI packet coming from the master.

During the initialization phase, configure the device address. Then, perform a register read and analyze the device address field to confirm all devices are initialized and communicating correctly. A register read can detect loss of communication. Performing a conversion and readback (see SM12b) is an alternative mechanism to assess the health of the communication path.

Table 9. 64-Bit SPI Read Conversion Result Data Packet Format

| Channel Address 1 | Life Counter  | Channel Address 2 | Conversion Data 1 | Device Address | Conversion Data 2 | CRC          |
|-------------------|---------------|-------------------|-------------------|----------------|-------------------|--------------|
| Bits[D63:D58]     | Bits[D57:D55] | Bits[D54:D49]     | Bits[D48:D35]     | Bits[D34:D30]  | Bits[D29:D16]     | Bits[D15:D0] |

#### **SM12b Communication Protocol Results**

The AD7284 implements a fixed data protocol to read from result registers located in Page 0, as shown in Table 9. Each 64-bit SPI data packet contains a device address, a register address (channel address) for each result register, conversion data from the two result registers, a life counter, and a CRC that covers the contents to a Hamming distance of 6. Reading from the primary and secondary path uses the same protocol.

#### User Requirements to Implement SM12b

Implement the protocol described in Table 9 to read data from the AD7284 devices and to validate each 64-bit SPI data packet received.

Perform a conversion and analyze the device address field to detect loss of communication or to confirm that all devices are initialized and communicating correctly. Performing a register read (see SM12a) is an alternative mechanism to assess the health of the communication path.

#### **CRC Algorithm**

The main safety mechanism to detect errors in communication is the implementation of a 16-bit CRC for all conversion data readback and a 12-bit CRC for all register read and register write operations.

#### SM13a CRC Algorithm Register

For the detection of data corruption on register read and write operations (32-bit SPI data packet), the 12-bit CRC polynomial 0xB41 covers the 20-bit data field, Bits[D31:D12], to a Hamming distance of 6. The device ignores a write with an incorrect CRC located on Bits[D11:D0]. Each device calculates and sends a CRC during a register read operation.

#### User Requirements to Implement SM13a

Issue the correct CRC for a register write and verify the validity of the CRC on a register read. CRC pseudocode examples are available in the AD7284 data sheet. Ignore any register content returned with an incorrect CRC, repeat the read request, and read the FAULT register.

To validate that the AD7284 CRC engine is decoding messages properly, perform a write of a register and read back the same register.

#### SM13b CRC Algorithm Results

For detection of data corruption on conversion data readback (64-bit SPI data packet), the 16-bit polynomial 0xC86C covers the 48-bit data field, Bits[D63:D16], to a Hamming distance of 6. Each device calculates and sends a CRC during a data read operation.

#### User Requirements to Implement SM13b

Calculate the CRC on the returning data. Example CRC pseudocode is available in the AD7284 data sheet. Ignore any data returned with an incorrect CRC and repeat the conversion and data readback operations.

In the event of continuous CRC failures on reads, the user can attempt to rationalize the data set in several ways using SM4, SM6, and SM18.

#### **Data Packet Content**

In addition to the CRC, use the other fields in the 64-bit data packet to detect communication faults.

#### SM2a Data Validation, Life Counter Increment

On each of the devices in the chain, the life counter is incremented automatically at the end of each successful conversion sequence. The life counter allows the user to determine if a device received multiple consecutive conversion requests without receiving a readback request. A life counter incrementing by more than the expected value is indicative of the temporary loss of communication during data readback, or the reception of an unintentional conversion request.

#### User Requirements to Implement SM2a

During the measurement loop, as part of the data validation step, verify that the life counter is incrementing correctly. Save the last known valid life counter value to compare to the new value. If the life counter is not incremented correctly, assume that a set (or multiple sets) of data is missing or incomplete. In the event of frequent life counter errors, apply other diagnostics, such as SM15b and SM10, as shown in Table 6.

#### SM2c Data Validation, Zero Readback

After receiving a readback command, the ADC results are placed in a shift register. Zeros replace the content of the shift register after the result data is shifted out. Subsequent reads without a request for the ADC to convert result in the device(s) returning zeros. Other fields, such as the device IDs, register addresses, life counters, and the CRC, also return zeros.

This safety mechanism provides the following two pieces of information:

- The detection of missed conversion requests or multiple readback requests.
- Validation that all the results are read back by sending more frames than necessary.

Reading zeros when expecting valid results on one or more devices in the chain may be an indication that this device (or devices) did not receive or interpret the ADC convert start command correctly.

#### User Requirements to Implement SM2c

During the measurement loop, if all the data fields return zeros, assume a conversion request has not been received, or the device received an unintentional readback request. In the event of frequent zero readbacks, use other mechanisms, such as SM15b and SM10. To confirm correct operation of the shift register, send extra frames. System goals determine the frequency of this diagnostic.

#### SM3a Data Masquerade, Secondary Results Inverted

The cell measurements are contained in the Conversion Data 1 and Conversion Data 2 fields of the 64-bit packet shown in Table 9. These data fields are 14 bits wide. The primary ADC returns 14-bit results and the secondary ADC returns 10-bit results. The secondary ADC 10-bit result is inverted and padded with four leading zeros before being transmitted.

#### User Requirements to Implement SM3a

During the measurement loop, as part of the data analysis step of the secondary measurement path, manipulate the data from the conversion data field as follows: ignore the four leading zeros and invert the 10-bit data.

#### SM3b Data Masquerade, Device, and Register Addresses

The AD7284 implements a 5-bit device address configuration scheme. The master device address is programmable and the rest of the device IDs in the chain can be incremented automatically. This feature gives unique IDs to each device in a chain.

After being programmed, the device IDs are assigned until a POR or pin reset occurs, or when a new device address configuration command is issued. A software reset does not affect assignment of device addresses.

A register address corresponds to each measurement channel, as shown in Table 11. For cell voltage measurements, Address 0x01 to Address 0x08 are assigned to the primary path, and Address 0x21 to Address 0x28 to the secondary path.

Combinations of device addresses and register addresses create a unique ID for each cell in the stack. Table 10 shows an example of two devices monitoring 16 cells with Device Address 1 and Device Address 2.

#### User Requirements to Implement SM3b

During the initialization phase, configure the device address for all devices in the chain. Do not use the address of zero or 0x1F; zero is the reset value and can be used to confirm a specific device has reset, and 0x1F is reserved for general broadcast to all devices in the chain.

During the measurement loops, validate the device address and register addresses sent back from the chain as part of the data readback step. The following validations are expected:

- Validation of the device position vs. the device address (the appropriate number of devices with the properly incremented device sequence).
- Validation of the cell position vs. the register address.

An incorrect or out of sequence device address, or an incorrect or out of sequence register address, is an indication that an error occurred during transmission. If this is the case, ignore the data set, at least from the device with the incorrect addressing. Take other actions to check the data set, such as the following:

- For an incorrect or out of sequence device address, check that all results are flushed from the shift register (SM2c).
- For a device address returned as zero, analyze the FAULT register (SM8b).
- For an incorrect or out of sequence register address from the primary or secondary path, use the secondary or primary path data comparison (SM18) or matrix of known voltages at known locations (SM6).

**Table 10. Cell Identification Example** 

| Cell Number | Device Address Number | Register Address, Primary Path | Register Address, Secondary Path |
|-------------|-----------------------|--------------------------------|----------------------------------|
| Cell 16     | 2                     | 0x08                           | 0x28                             |
|             |                       |                                |                                  |
| Cell 9      | 2                     | 0x01                           | 0x21                             |
| Cell 8      | 1                     | 0x08                           | 0x28                             |
|             |                       |                                |                                  |
| Cell 2      | 1                     | 0x02                           | 0x22                             |
| Cell 1      | 1                     | 0x01                           | 0x21                             |
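The packet content checks of SM2a, SM2c, SM3a, and SM3b, together with the Table 9 field layout from SM12b, can be combined into one frame validator on the host. The following C code is an added example, not code from Analog Devices or the AD7284 data sheet; the function names, the status codes, the wrap of the 3-bit life counter, and the expectation of exactly one increment between readbacks are assumptions, and CRC validation (SM13b) is left to the data sheet algorithm.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the 64-bit conversion result packet, per Table 9. */
typedef struct {
    uint8_t  ch_addr1;  /* Bits[D63:D58] */
    uint8_t  life;      /* Bits[D57:D55] */
    uint8_t  ch_addr2;  /* Bits[D54:D49] */
    uint16_t data1;     /* Bits[D48:D35] */
    uint8_t  dev_addr;  /* Bits[D34:D30] */
    uint16_t data2;     /* Bits[D29:D16] */
    uint16_t crc;       /* Bits[D15:D0], validated separately (SM13b) */
} ad7284_frame;

typedef enum {
    FRAME_OK = 0,
    FRAME_ZERO_READBACK, /* SM2c: every field reads zero */
    FRAME_DEVICE_RESET,  /* SM3b: device address is the reset value, zero */
    FRAME_BAD_DEVICE,    /* SM3b: device address out of sequence */
    FRAME_BAD_REGISTER,  /* SM3b: register address out of sequence */
    FRAME_BAD_PADDING,   /* SM3a: secondary result lacks four leading zeros */
    FRAME_LIFE_COUNTER   /* SM2a: life counter did not step by one */
} frame_status;

ad7284_frame ad7284_unpack(uint64_t w)
{
    ad7284_frame f;
    f.ch_addr1 = (uint8_t)((w >> 58) & 0x3F);
    f.life     = (uint8_t)((w >> 55) & 0x07);
    f.ch_addr2 = (uint8_t)((w >> 49) & 0x3F);
    f.data1    = (uint16_t)((w >> 35) & 0x3FFF);
    f.dev_addr = (uint8_t)((w >> 30) & 0x1F);
    f.data2    = (uint16_t)((w >> 16) & 0x3FFF);
    f.crc      = (uint16_t)(w & 0xFFFF);
    return f;
}

/* Inverse of ad7284_unpack; used here to build the constructed sample. */
uint64_t ad7284_pack(const ad7284_frame *f)
{
    return ((uint64_t)(f->ch_addr1 & 0x3F) << 58) |
           ((uint64_t)(f->life & 0x07) << 55) |
           ((uint64_t)(f->ch_addr2 & 0x3F) << 49) |
           ((uint64_t)(f->data1 & 0x3FFF) << 35) |
           ((uint64_t)(f->dev_addr & 0x1F) << 30) |
           ((uint64_t)(f->data2 & 0x3FFF) << 16) |
           (uint64_t)f->crc;
}

/* SM3a: secondary path addresses in Table 11 all have bit 5 set. Their data
 * is a 10-bit inverted code; a nonzero top nibble means a corrupted field. */
bool ad7284_decode(uint8_t reg, uint16_t raw, uint16_t *value)
{
    if (!(reg & 0x20)) { *value = raw; return true; }   /* primary: as sent */
    if (raw & 0x3C00) return false;
    *value = (uint16_t)(~raw & 0x03FF);
    return true;
}

/* Table 10 numbering; returns 0 when reg is not a cell voltage register. */
unsigned ad7284_cell_number(uint8_t first_dev, uint8_t dev, uint8_t reg)
{
    uint8_t ch = (uint8_t)(reg & 0x1F);
    if (dev < first_dev || ch < 0x01 || ch > 0x08) return 0;
    return (unsigned)(dev - first_dev) * 8u + ch;
}

/* The caller supplies the addresses it expects at this chain position and
 * readback step, and the last valid life counter (-1 when none is saved). */
frame_status ad7284_check(uint64_t word, uint8_t want_dev, uint8_t want_reg1,
                          uint8_t want_reg2, int prev_life)
{
    ad7284_frame f = ad7284_unpack(word);
    uint16_t v;

    if (word == 0) return FRAME_ZERO_READBACK;
    if (f.dev_addr == 0) return FRAME_DEVICE_RESET;
    if (f.dev_addr != want_dev) return FRAME_BAD_DEVICE;
    if (f.ch_addr1 != want_reg1 || f.ch_addr2 != want_reg2)
        return FRAME_BAD_REGISTER;
    if (!ad7284_decode(f.ch_addr1, f.data1, &v) ||
        !ad7284_decode(f.ch_addr2, f.data2, &v))
        return FRAME_BAD_PADDING;
    if (prev_life >= 0 && f.life != ((prev_life + 1) & 0x07))
        return FRAME_LIFE_COUNTER;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample: device 2, secondary cells 1 and 2, CRC left at 0. */
    ad7284_frame s = { 0x21, 3, 0x22, 0x02AA, 2, 0x0000, 0 };
    uint64_t w = ad7284_pack(&s);
    uint16_t code = 0;
    ad7284_decode(s.ch_addr1, s.data1, &code);
    printf("status=%d cell=%u code=0x%03X\n", (int)ad7284_check(w, 2, 0x21, 0x22, 2),
           ad7284_cell_number(1, 2, s.ch_addr1), (unsigned)code);
    return 0;
}
```

A frame that fails any of these checks is discarded and followed up with the mechanism the corresponding user requirement names (SM2c, SM8b, SM18, or SM6).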

#### **Housekeeping Functions**

Other safety mechanisms related to loss of communication are as follows:

- Early detection of oscillator drift, SM15b.
- Methods of placing the device in a known state, SM14, SM15a, and SM21.

As part of the measurement loop, the data readback contains the device address (see SM12b). Analyze the data and check the device address to determine if the devices have not responded, or not responded correctly. No response indicates a total loss of communication. An incorrect response with the device address reset to zero indicates that the device entered the initialization phase.

Alternatively, during a long period in partial power-down mode and/or during the cell balancing phase, perform a periodic request for the device address or register read. A register readback contains the device address (see SM12a).

#### SM14—Communication Watchdog

The AD7284 integrates a watchdog timer, enabled by default on power-up of all devices. The watchdog is based on the primary oscillator. Writes to the watchdog timer register are required to service or reconfigure the timer. The default timeout is 98.3 ms. After timeout, the watchdog places the device in full power-down mode.

The FAULT register contains a flag, Bit D6, that is set when the watchdog timer times out. If this bit is set during a conversion loop, it indicates that the watchdog has timed out but the device failed to power down.

#### **User Requirements to Implement SM14**

During the initialization phase, configure the watchdog timeout period to a value just outside the worst case expected measurement loop time. During the measurement loop, service the watchdog timer within the programmed timeout period.

Intermittent communication, where the communication to service the watchdog does not complete, can be confirmed by reading back registers (SM12a) or data (SM12b). Ensure the device address is zero and the FAULT register is reset to 0xFF.

As part of the measurement loop, read and analyze the content of the FAULT register. If Bit D6 is set, use other mechanisms, such as checking if the FAULT register bit is stuck (SM1a). If the possibility of the watchdog timer failing to place the device in full power-down mode exists, report the failure and issue a software command (and issue  $V_{\rm DRIVE}$  for the master) to attempt to place the device in full power-down mode.

#### SM15a Loss of Communication, Secondary Watchdog

The AD7284 integrates two watchdog timers for communication diagnostics. The primary watchdog is clocked from the primary oscillator. A secondary watchdog timer ensures backup in the event of primary oscillator failure.

The secondary watchdog timer is clocked from the secondary oscillator and has a fixed timeout period of approximately 98.3 ms. Irrespective of the primary watchdog configuration (enabled or disabled by the host), the secondary watchdog has no effect while the primary oscillator is operating and only takes over on a failure of the primary oscillator.

The secondary watchdog powers down the device on timeout, thereby placing the device in a known state (full power-down mode).

#### User Requirements to Implement SM15a

This safety mechanism cannot be disabled by the user.

#### SM15b Loss of Communication, Oscillator Drift Detection

An internal oscillator serves as the device clock source. Daisy-chain communication can tolerate a clock variation of  $\pm 4.5\%$ . The oscillator frequency is trimmed during factory testing by Analog Devices. The AD7284 integrates a second oscillator to alert the system to a drift in the oscillator prior to a loss of communication. During each ADC sequence, the two oscillators are compared and, if their frequencies differ by more than  $\pm 3.9\%$ , the AD7284 asserts Bit D0 in the FAULT register. The assertion of this bit is a warning flag indicating drift in the oscillator frequency while communication is still possible.

#### User Requirements to Implement SM15b

As part of the cell measurement loop, read the FAULT register and analyze the OSCDRIFT flag, Bit D0.

If the OSCDRIFT flag is continuously asserted, report an increased risk of losing communication with the AD7284.

#### SM21—Power-Down Timer Enabled Before Watchdog Disabled

The maximum programmable watchdog timer timeout is 1040 ms, requiring servicing from the host microcontroller. During a long period of cell balancing, where the AD7284 is not in full power-down mode, the user may want to power down the host micro-controller. The power-down timer can place the device in full power-down mode automatically. The watchdog timer can be disabled so the host microcontroller does not need to periodically wake up to service the watchdog timer.

The sequence to disable the watchdog timer involves three consecutive register write operations. Any intermediate SPI command resets the process of disabling the watchdog timer, further reducing the risk of disabling it unintentionally.

#### **User Requirements to Implement SM21**

Configure the AD7284 power-down timer before disabling the watchdog timer to ensure that the AD7284 goes into full power-down mode in the event of a loss of communication. This safety mechanism allows the AD7284 to be placed in a known state, independent of the host state.

| Primary ADC                  |                   |                     |            | Secondary ADC         |                   |                     |            |
|------------------------------|-------------------|---------------------|------------|-----------------------|-------------------|---------------------|------------|
| Input Channel                | Readback<br>Order | Register<br>Address | Input Type | Input Channel         | Readback<br>Order | Register<br>Address | Input Type |
| Cell Voltage on VPIN1        | 1                 | 0x01                | Variable   | Cell Voltage on VSIN1 | 1                 | 0x21                | Variable   |
| Cell Voltage on VPIN2        | 2                 | 0x02                | Variable   | Cell Voltage on VSIN2 | 2                 | 0x22                | Variable   |
| Cell Voltage on VPIN3        | 3                 | 0x03                | Variable   | Cell Voltage on VSIN3 | 3                 | 0x23                | Variable   |
| Cell Voltage on VPIN4        | 4                 | 0x04                | Variable   | Cell Voltage on VSIN4 | 4                 | 0x24                | Variable   |
| Cell Voltage on VPIN5        | 5                 | 0x05                | Variable   | Cell Voltage on VSIN5 | 5                 | 0x25                | Variable   |
| Cell Voltage on VPIN6        | 6                 | 0x06                | Variable   | Cell Voltage on VSIN6 | 6                 | 0x26                | Variable   |
| Cell Voltage on VPIN7        | 7                 | 0x07                | Variable   | Cell Voltage on VSIN7 | 7                 | 0x27                | Variable   |
| Cell Voltage on VPIN8        | 8                 | 0x08                | Variable   | Cell Voltage on VSIN8 | 8                 | 0x28                | Variable   |
| VSTK ÷ 16                    | 9                 | 0x11                | Variable   | $V_{REF1}$            | 9                 | 0x31                | Known      |
| $V_{REF2}$                   | 10                | 0x12                | Known      | $V_{REG5} \times 4/5$ | 10                | 0x34                | Known      |
| $V_{\text{REG5}} \times 2/3$ | 11                | 0x13                | Known      |                       |                   |                     |            |
| Auxiliary ADC on VPAUX1      | 12                | 0x14                | Variable   |                       |                   |                     |            |
| Auxiliary ADC on VPAUX2      | 13                | 0x15                | Variable   |                       |                   |                     |            |
| Auxiliary ADC on VPAUX3      | 14                | 0x16                | Variable   |                       |                   |                     |            |
| Auxiliary ADC on VPAUX4      | 15                | 0x17                | Variable   |                       |                   |                     |            |
| $V_{REFBUF}$                 | 16                | 0x1C                | Known      |                       |                   |                     |            |
| $V_{\text{REG5}} \times 2/3$ | 17                | 0x1D                | Known      |                       |                   |                     |            |
| Temperature Sensor           | 18                | 0x1E                | Variable   |                       |                   |                     |            |

Table 11. Primary and Secondary ADC Conversion Order and Result Storage

#### **VOLTAGE MEASUREMENTS**

Two independent measurement paths are crucial to the safety architecture of the AD7284, shown in Figure 4. Each path has its own reference, mux, ADC, sequencer, and result registers. Each path monitors the same cells and a variety of other channels, shown in Table 11. This independent monitoring allows the user to verify the operation of the two measurement paths.

On completion of a successful sequence, the ADC state machine performs two other tasks: a life counter update and a FAULT register update.

To validate the cell measurements and VPAUXx measurements, safety mechanisms are available, as described in the following sections.

#### SM2b Data Validation, Independent Life Counters

Independent life counters are built into each of the ADC sequencers. A single command starts the two independent paths. The life counters increment on completion of a correct sequence of their respective sequencers. Therefore, the two life counters must be identical at all times. Different life counters indicate a failure in one of the ADC state machines. The result register of an incomplete conversion reads zero. All life counters remain out of synchronization until software reset or initialization.

#### **User Requirements to Implement SM2b**

During the measurement loop, as part of the data validation step, verify that the life counter on the primary path and secondary path are identical. If a life counter increments correctly on one path but incorrectly on the other path, do not apply SM18. Consider a software reset to resynchronize the counters.

#### SM18, One Out of Two Measurement on Cell Voltages

The primary measurement path provides accurate cell voltage information and auxiliary information. The secondary measurement path allows the user to validate the function of the primary path and the accuracy within the safety requirement limits.

Following a conversion request from the user, the primary and the secondary measurement paths sequence through conversions and store the results in unique result storage locations on the AD7284.

#### **User Requirement to Implement SM18**

Read back data on the primary and secondary paths from the same conversion sequence and compare this data to validate correct function and accuracy of the primary path to within the safety requirement limits.

The rate at which the user reads back the secondary path for comparison or validation with the primary path is determined by the safety goals of the system.

To differentiate data from the primary and secondary paths, a number of mechanisms can be used, such as SM3a and SM3b.

#### SM4, Stack Voltage Versus Sum of Cells

To provide increased diagnostic coverage on the ADC result data set, the AD7284 includes a local stack voltage measurement between the VPIN0 and VPIN8 input pins. The stack voltage channel provides a valid measurement if an open input (VPIN1 to VPIN7) is detected. The stack sampling switches and sampling capacitors are additional to the cell monitoring switches and sampling capacitors, thereby offering a degree of independence.

This result is part of the data set returned during a readback of the primary conversion results. The sampling capacitors for the stack voltage are of a different size from the sampling capacitors for the cells, and are scaled so a stack conversion result does not appear the same as the cell voltage results.

#### **User Requirements to Implement SM4**

Perform a sum of the individual cell voltages, compare the result to the local stack voltage result, and ensure the results are within the boundaries specified in the AD7284 data sheet.

Ignore the data set if the sum of cells does not correctly add up to the stack voltage conversion.

#### SM5, Reference Cross Check

The primary ADC reference is sampled and converted by the secondary ADC and secondary multiplexer. The secondary ADC reference is sampled and converted by the primary ADC and primary multiplexer. Each reference voltage is sampled, along with the individual cell voltages corresponding to a conversion request, shown in Table 11.

These results are part of the data set and are returned during a readback of the conversion results. These results in their location form part of the matrix of known voltages at known locations (SM6).

#### **User Requirements to Implement SM5**

Use the returned measurements of the primary and secondary reference voltages if SM18 is invalid to determine faults related to open circuits, short circuits, oscillation, and drift on the ADC references and ADC calibration fuses. Ignore the data set if the reference results are not within the boundaries specified in the AD7284 data sheet.

#### SM6, Matrix of Known Voltages at Known Locations

The ADC measures some variable voltages and a variety of known voltages such as reference, divided down LDO, and the reference buffer. All measurements are transmitted in a specific order as described in Table 11 for the primary and secondary ADCs.

#### **User Requirements to Implement SM6**

Verify that the result addresses are returned in the correct order and expected voltages appear in particular locations. These measurements reflect the accuracy of the ADC and the voltage sources being converted.

If the expected voltages are not present in their specific locations, or if the result addresses are not returned in the correct order (see SM3b), ignore the data.

#### SM19a, Result Value Boundaries—Cell Voltage Measurements

The AD7284 integrates two fully independent measurement paths internally for independent verification of the primary path measurements. Externally, two independent input filters per cell are required.

#### User Requirements to Implement SM19a

Set boundaries for monitored cell voltages and run plausibility checks on results from conversions run on the AD7284. Cell voltage measurement accuracy (TUE) is specified in the AD7284 data sheet over a specific cell voltage range and junction temperature. Margin due to external component error depends on the system and must be considered to generate adequate result value boundaries.

#### SM19b, Result Value Boundaries—Auxiliary Inputs Voltage Measurements

The variable inputs include the VPAUXx inputs. These inputs can be used in, for example, ratiometric measurements with thermistors.

#### User Requirements to Implement SM19b

Set boundaries for monitored auxiliary measurements and run plausibility checks on results from conversions run on the AD7284.

In addition, two VPAUXx inputs must monitor the same parameter, for example, an external voltage, or two thermistors measuring temperature at the same location.

#### SM7—Open Pin Detection Algorithm

The AD7284 provides the user with multiple methods for determining an open pin condition within the measurement circuit path. These methods require the use of the secondary path and independent filters on the ADC inputs. On-chip current sources on the primary path, on-chip current sources on the secondary path, or the cell balancing interface are used for the open pin detection diagnostic.

#### **User Requirements to Implement SM7**

During the initialization phase, determine if the measurement path external connections are present. The detailed sequence is described in the AD7284 data sheet. This diagnostic can be repeated periodically. The system designer must determine the frequency of this diagnostic.

#### SM23—Open Auxiliary Input Detection

The AD7284 offers four auxiliary inputs that are converted by the primary ADC. These inputs can be used in, for example, ratiometric measurements with thermistors or for diagnostics purposes (SM20).

#### **User Requirements to Implement SM23**

Use two auxiliary inputs to separately detect one voltage, and use the other two auxiliary inputs to separately detect another voltage.

As part of the measurement loop, during the readback phase, compare the results of the two auxiliary inputs on one voltage, and separately compare the results of the other two auxiliary inputs on the other voltage.



If the two auxiliary conversion results of one voltage are different, or the other two auxiliary conversion results of the other voltage are different, then there is possibly a problem somewhere in the system between the measurement of the voltage and the input to the primary ADC of the AD7284. The system designer must determine what action to take and must also determine what levels of difference constitute a possible problem.

Figure 7. Power Supply Block Diagram (External Circuitry Omitted for Clarity)

Table 12. LDO Output Voltage Diagnostics Outcome

| SM8a         | SM8c                              | Consequence from Diagnostics                                |
|--------------|-----------------------------------|-------------------------------------------------------------|
| Flag Cleared | Conversion results acceptable     | LDO output voltage valid                                    |
| Flag Cleared | Conversion results not acceptable | Apply SM17 to determine if the LDO fault flag is stuck low  |
| Flag Set     | Conversion results acceptable     | Apply SM17 to determine if the LDO fault flag is stuck high |
| Flag Set     | Conversion results not acceptable | LDO output voltage invalid                                  |

#### **POWER SUPPLIES**

The AD7284 is powered directly from the battery stack and generates a number of low voltage supplies and references, shown in Figure 7.

#### SM8a, Monitor 5 V Supply—LDO Fault Flag

The AD7284 monitors the output of the on-chip voltage regulator, $V_{\text{REG5}}$. The regulator supplies a constant 5 V to the logic and low voltage analog circuits. Hard coded limits of 4% are applied to the $V_{\text{REG5}}$ regulator output. If the regulator output voltage falls below the lower limit (4.8 V) or rises above the upper limit (5.2 V), the AD7284 asserts Bit D5 in the FAULT register.

#### User Requirements to Implement SM8a

As part of the cell measurement loop, read the FAULT register and analyze the LDO fault flag, Bit D5.

Additionally, perform SM8c to confirm the validity of the detection mechanism.

#### SM8b, Monitor 5 V Supply—POR Fault Flag

The AD7284 integrates 5 V internal supply monitors (level and edge detection).

If the 5 V supply dips below the POR threshold, the device is held in a reset state until the 5 V supply recovers.

If a POR is detected, Bit D7 in the FAULT register is set. After the POR, all bits in the FAULT register are set (see SM17).

#### **User Requirements to Implement SM8b**

As part of the cell measurement loop, read the FAULT register and analyze the POR flag, Bit D7.

Bit D7 in the FAULT register is set to 1 to indicate a POR has occurred and the device must be initialized.

If this flag is set, then a POR has occurred on the device, which indicates that a serious glitch occurred on the 5 V rail. The data set associated with a conversion before this flag is read must be ignored. Reconversion is recommended.

#### SM8c, Monitor 5 V Supply—Conversion of LDO

Upon receiving a valid convert start request, the AD7284 performs an ADC conversion on both the primary and secondary paths on the internal 5 V  $V_{\text{REG5}}$  supply, shown in Table 11. These conversion results, scaled down, are part of the data set that is output from the device on a read request.

#### User Requirements to Implement SM8c

Validate that these results are within the boundaries specified in the AD7284 data sheet. This mechanism allows the user to crosscheck the LDO fault flag. Table 12 summarizes the possible scenarios.

#### SM9, Monitor Buffered 2.5 V Supply—Conversion

Upon receiving a valid convert start request, the AD7284 performs a conversion of the buffered 2.5 V output,  $V_{\text{REFBUF}}$ , as part of the primary conversion sequence shown in Table 11.

The measurement is part of the set of results read back. This reading allows detection of single-point faults for oscillation, drift, open-circuit, and short-circuit faults on this buffered output.

#### **User Requirements to Implement SM9**

Monitor the  $V_{\text{REFBUF}}$  measurement and flag an error if the result is outside the boundaries specified in the AD7284 data sheet. The level at which an error must be flagged depends on what the 2.5 V buffer output is used for and is determined by the system goals.

#### SM10, Monitor Buffered 2.0 V Supply—C<sub>CM</sub> Fault Flag

The AD7284 monitors the output of the daisy-chain common-mode amplifier,  $C_{\text{CM}}$ . The buffered 2.0 V supply sets the daisy-chain common-mode voltage. Undervoltage and overvoltage fault detection limits of 25% are applied to the  $C_{\text{CM}}$  buffered supply. If the  $C_{\text{CM}}$  voltage is outside the lower limit (1.5 V) or upper limit (2.5 V), the AD7284 asserts Bit D2 in the FAULT register.

If the  $C_{CM}$  fault flag is continuously set, it is likely that communications are less robust to interference.

#### **User Requirements to Implement SM10**

As part of the initialization phase and the measurement loop, read the FAULT register and analyze the  $C_{CM}$  fault flag, Bit D2.

#### SM20, Monitor Daisy-Chain Common-Mode Voltage—ADC Feedback on VPAUXx

The VPAUXx inputs are capable of a 0 V to 5 V measurement range. A VPAUXx input can be used for additional diagnoses, such as monitoring the  $C_{\text{CM}}$  buffered output.

#### **User Requirements to Implement SM20**

Feed the buffered 2.0 V supply externally to one of the VPAUXx inputs on the AD7284. Monitor the conversion results on this auxiliary input to validate the  $C_{\text{CM}}$  fault flag operation.

#### **MEMORY AND CALIBRATION**

The AD7284 integrates registers and OTP fuses.

Registers are accessed through page addressing. Three pages are used: Page 0 for conversion, initiation, readback request, and ADC results; Page 1 for device configuration and diagnostics; and Page 2, which is reserved for device production testing.

The OTP fuses contain fixed factory calibration coefficients that are automatically applied to achieve performance and measurement accuracy.

#### SM1—Fuse Verification

There are two parts to this safety mechanism: a CRC fault flag (SM1a) and a mechanism to verify the CRC fault flag (SM1b).

At the end of a conversion sequence, the device verifies that the calibration codes stored in OTP fuses are valid. The device performs CRC calculations on the OTP fuses, compares these calculations with the three CRCs stored during production testing, and indicates the results of the comparisons in the CRC fault flag (SM1a). The CRC fault flag, Bit D3 in the FAULT register, indicates if any of the fuse CRCs do not match the programmed fuse CRC values.

Figure 8 shows the location of the CRCs in each of the three fuse blocks (the MSB is stored in lower address) and the fuse locations included in each of the CRC calculations.

In Block1, CRC1 is calculated from Address 0x01 to Address 0x0E. CRC1 is stored at Address 0x0F and Address 0x10.

In Block2, CRC2 is calculated from Address 0x11 to Address 0x19 and Address 0x20. CRC2 is stored at Address 0x1A and Address 0x1B.

In Block3, CRC3 is calculated from Address 0x21 to Address 0x2B. CRC3 is stored at Address 0x2C and Address 0x2D.



Figure 8. Fuse Blocks and CRC Addresses

#### **User Requirements to Implement SM1**

As part of the initialization phase and as part of the measurement loop, read the FAULT register and analyze the CRC fault flag, Bit D3 (SM1a).

To verify the validity of the CRC fault flag, read the fuses, calculate each of the CRCs, and compare the results with the CRCs that were calculated and stored in the nonvolatile memory during production testing at Analog Devices (SM1b).

To read back the content of these locations, select Page 2 and read back the required locations using the register data protocol. Apply the polynomial 0xC86C to the content of the locations being read back.

Each of the calculated CRCs must match the stored CRC values for the CRC fault flag to be cleared.
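One way to carry out the SM1b host-side check, as an added example that is not Analog Devices code: it recomputes the three fuse CRCs over the address ranges listed above and confirms that the CRC fault flag (Bit D3) agrees with the result. Assumptions, because this page does not state them: 8-bit fuse locations, an MSB-first CRC-16 with initial value 0, 0xC86C used directly as the feedback mask, and bytes fed in ascending address order; the function names are hypothetical, and `fuses` is a Page 2 readback indexed by address.

```c
#include <stdint.h>

#define FUSE_CRC_POLY 0xC86Cu    /* polynomial given in the manual */
#define FAULT_CRC_BIT (1u << 3)  /* CRC fault flag, Bit D3 of FAULT */

/* Covered address runs (inclusive) and CRC location per block, from the
   manual. An unused second run has first > last. CRC MSB is at crc_addr. */
static const struct { uint8_t first[2], last[2], crc_addr; } BLOCKS[3] = {
    { {0x01, 0x01}, {0x0E, 0x00}, 0x0F },   /* Block1 */
    { {0x11, 0x20}, {0x19, 0x20}, 0x1A },   /* Block2: 0x11-0x19 plus 0x20 */
    { {0x21, 0x01}, {0x2B, 0x00}, 0x2C },   /* Block3 */
};

/* ASSUMED convention (not on the page): MSB first, initial value 0, and
   0xC86C taken as the feedback mask as written. Check the data sheet. */
static uint16_t crc16_update(uint16_t crc, uint8_t byte)
{
    crc ^= (uint16_t)(byte << 8);
    for (int i = 0; i < 8; i++)
        crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ FUSE_CRC_POLY : crc << 1);
    return crc;
}

/* CRC over the covered addresses of block b (0..2), ascending order. */
static uint16_t block_crc(const uint8_t *fuses, int b)
{
    uint16_t crc = 0;
    for (int s = 0; s < 2; s++)
        for (unsigned a = BLOCKS[b].first[s]; a <= BLOCKS[b].last[s]; a++)
            crc = crc16_update(crc, fuses[a]);
    return crc;
}

/* Bit n set in the result means the CRC of block n+1 does not match. */
unsigned fuse_crc_mismatch(const uint8_t *fuses)
{
    unsigned bad = 0;
    for (int b = 0; b < 3; b++) {
        unsigned at = BLOCKS[b].crc_addr;
        uint16_t stored = (uint16_t)((fuses[at] << 8) | fuses[at + 1]);
        if (block_crc(fuses, b) != stored) bad |= 1u << b;
    }
    return bad;
}

/* SM1b: the device flag (SM1a) must agree with the host calculation. */
int crc_flag_consistent(uint8_t fault_reg, const uint8_t *fuses)
{
    return ((fault_reg & FAULT_CRC_BIT) != 0) == (fuse_crc_mismatch(fuses) != 0);
}
```

A zero return from `crc_flag_consistent` means the flag and the fuse contents disagree, which is the condition SM1b exists to catch.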

#### SM16—Test Mode Entry Detection

The AD7284 includes a test mode reserved for use by Analog Devices. The test mode is used for testing and calibration purposes in the factory. To gain write access to the AD7284 test features, a series of three SPI writes must be performed whereby data values are written to a specific memory address. These writes must be performed in sequence.

When the CFGFAULT flag (Bit D1 in the FAULT register) is set to 1, it indicates that some of the steps to unlock the test mode have been performed, intentionally or otherwise, resulting in an unwanted configuration state.

#### **User Requirements to Implement SM16**

As part of the cell measurement loop, read the FAULT register and analyze the CFGFAULT flag, Bit D1.

If the CFGFAULT flag is asserted, issue a software reset command to the AD7284 to remove the device from test mode and repeat the FAULT register read operation. Ignore any results from measurements performed while D1 is asserted.

#### SM17—FAULT Register Functional Check

The FAULT register contains seven fault flags as shown in Table 7. These flags indicate that a fault has occurred when set and are cleared on a read of the register. At power-up, and after waking up from full power-down mode, the FAULT register resets to 0xFF. A software reset also resets this register to 0xFF.

#### **User Requirements to Implement SM17**

At power-up, and after waking up from full power-down mode, read the FAULT register twice and check its content. Report a device malfunction if the content is different from 0xFF on the first read, or different from 0x00 on the second read.

#### **CELL BALANCING INTERFACE**

The AD7284 integrates drivers to control the external circuitry for cell balancing.

#### SM11—Cell Balance Diagnostic Algorithm

Figure 9 shows the external components for cell balancing. Other external components, such as secondary measurement path filters, are omitted in this figure.



Figure 9. External Components for Cell Balancing

The two possible faults of the active components of this circuit are FETs stuck on or FETs stuck off. Cell balancing is not available on a cell if the FET connected across that cell is stuck off. If the FET connected across a cell is stuck on, the measurement accuracy of that cell voltage is affected and the cell also discharges unintentionally.

#### User Requirements to Implement SM11

The user may detect a stuck on or stuck off condition by initiating a cell balance diagnostic. The flowchart for the user to diagnose the potential external circuit faults is shown in Figure 10.

Enable the diagnostic via the communication interface and define the set of switches to be tested. When the diagnostic mode is enabled, upon initiating a conversion request, the AD7284 measures the cell voltages with the first ADC selected and stores the result data. The primary path or the secondary path can be the first ADC.

After the first ADC conversion sequence is complete, the device automatically enables the selected cell balance (CB) outputs and waits approximately 1 ms to allow time for the voltage on the external components to settle.



Figure 10. External Circuit Fault Detection Flowchart

After this delay period, use the secondary path to measure the cell voltages. Then, read back the two result data sets and compare the change in voltage for each cell based on the defined test pattern. The expected change in voltage is determined by the user and is based on the external component selection made by the user.

If a change in voltage is not detected for a cell (defined by the test pattern), an external or internal fault may be present: the switch may be stuck on or stuck off. Additional algorithms within the system are required to distinguish between the two faults, and a flag should be generated in the user code to indicate that a fault condition has been discovered.
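The comparison step of the diagnostic, as an added example that is not Analog Devices code: it takes the two result sets already converted to millivolts and flags every tested cell whose voltage did not move by the user-defined amount. The function name, the bit-to-cell mapping of `test_pattern` (bit n is cell n+1) and the sample threshold are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

#define CB_CELLS   8      /* the AD7284 supports up to eight cells */
#define CELL_MAX_MV 5000  /* per-channel input range is 0 V to 5 V */

/* before_mv: first conversion, CB outputs off.
   after_mv:  second conversion, CB outputs of the test pattern enabled
              and the settling delay elapsed.
   min_delta_mv: smallest change the user expects from the chosen external
              components (user-defined, as the manual states).
   Returns a bit mask of tested cells that showed no sufficient change,
   meaning the FET may be stuck on or stuck off, or -1 on invalid input. */
int cb_diag_faults(const int before_mv[CB_CELLS], const int after_mv[CB_CELLS],
                   uint8_t test_pattern, int min_delta_mv)
{
    if (test_pattern == 0 || min_delta_mv <= 0)
        return -1;

    int faults = 0;
    for (int c = 0; c < CB_CELLS; c++) {
        if (!(test_pattern & (1u << c)))
            continue;                      /* cell not under test */
        if (before_mv[c] < 0 || before_mv[c] > CELL_MAX_MV ||
            after_mv[c]  < 0 || after_mv[c]  > CELL_MAX_MV)
            return -1;                     /* result outside input range */
        /* Direction of the change depends on the external circuit, so
           only its magnitude is checked. */
        if (abs(after_mv[c] - before_mv[c]) < min_delta_mv)
            faults |= 1 << c;
    }
    return faults;
}
```

A nonzero mask does not say whether the FET is stuck on or stuck off; as the text notes, the system needs additional algorithms to tell the two apart.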

### SOFTWARE SAFETY MECHANISMS AND DIAGNOSTICS

This device features no on-chip software; the system integrating the AD7284 is responsible for making all safety related decisions.



#### **ESD Caution**

**ESD** (electrostatic discharge) sensitive device. Charged devices and circuit boards can discharge without detection. Although this product features patented or proprietary protection circuitry, damage may occur on devices subjected to high energy ESD. Therefore, proper ESD precautions should be taken to avoid performance degradation or loss of functionality.

#### **Legal Terms and Conditions**

Information furnished by Analog Devices is believed to be accurate and reliable. However, no responsibility is assumed by Analog Devices for its use, nor for any infringements of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of Analog Devices. Trademarks and registered trademarks are the property of their respective owners. Information contained within this document is subject to change without notice. Software or hardware provided by Analog Devices may not be disassembled, decompiled or reverse engineered. Analog Devices' standard terms and conditions for products purchased from Analog Devices can be found at: http://www.analog.com/en/content/analog\_devices\_terms\_and\_conditions/fca.html.

©2017 Analog Devices, Inc. All rights reserved. Trademarks and registered trademarks are the property of their respective owners. UG15055-0-5/17(A)


