
Power Loss while erasing flash memory on MSP430F5438

Started by one00100100 November 14, 2012
Good morning,
We have a device that monitors supply voltage vcc using the built-in supply voltage monitor and causes an interrupt if the voltage falls. The ISR calls a function ShutdownSaveData that writes 10 parameters to flash memory and sets a flag indicating that the saved data is there. On powerup, I check for the flag and, if present, I read the saved parameters into ram. I then erase this area of flash to get ready for the next shutdown write. If the flag is not set, the parameters are set to default values and the operator is warned. This works so well, it's a little scary but lately, we have been seeing instances where the parameters are reset to default when the operators think it should not be. What we have determined is that on a single power loss/restore cycle, everything works as expected. However, if power is toggled on/off/on/off/on at a period of ~600ms or shorter, we can reproduce this effect. One theory we have is that power is being lost while I am erasing the flash. Does anyone know what the expected result of this would be? Is this covered in any TI literature? Does anyone have other suggestions?
Thanks,
Mike Raines


> Good morning,
> We have a device that monitors supply voltage vcc using the built-in
> supply voltage monitor and causes an interrupt if the voltage falls. The
> ISR calls a function ShutdownSaveData that writes 10 parameters to flash
> memory and sets a flag indicating that the saved data is there. On
> powerup, I check for the flag and, if present, I read the saved parameters
> into ram. I then erase this area of flash to get ready for the next
> shutdown write. If the flag is not set, the parameters are set to default
> values and the operator is warned. This works so well, it's a little
> scary but lately, we have been seeing instances where the parameters are
> reset to default when the operators think it should not be. What we have
> determined is that on a single power loss/restore cycle, everything works
> as expected. However, if power is toggled on/off/on/off/on at a period of
> ~600ms or shorter, we can reproduce this effect. One theory we have is
> that power is being lost while I am erasing the flash. Does anyone know
> what the expected result of this would be? Is this covered in any TI
> literature? Does anyone have other suggestions?

Maintain two regions of flash for parameter values, the backup segment and
the emergency power-down segment. Both segments will contain signed values,
i.e. a signature of the data is stored along with the data, placing the
signature at the beginning of the signed segment.

The idea here is to maintain two segments, a last-known-good master segment
and an emergency segment that is written only when required. If the
emergency segment contains valid data, that data is copied to the "last
known good" segment. The emergency segment is erased only when the
controller knows the master segment contains a valid copy of the emergency
data. The code below protects against erasing last-known-good data.

void power_up(void)
{
  if (segment_signature_verified(&emergency_segment))
  {
    // Emergency shutdown segment has valid data, try to keep
    // that data around in the master segment.
    erase_segment(&master_segment);

    // Program master segment with emergency segment.
    program_segment(&master_segment, &emergency_segment);
  }

  // If the emergency segment is not blank, erase it ready for saving
  // on abrupt power down.
  if (!blank_segment(&emergency_segment))
    erase_segment(&emergency_segment);

  // If the master segment now has valid data, use it.
  if (segment_signature_verified(&master_segment))
  {
    // Copy master data to RAM (the emergency segment was erased above,
    // so the master segment is the only valid source at this point).
    memcpy(&ram_data, &master_segment, sizeof(ram_data));
  }
  else
  {
    // Neither master nor emergency segment have valid data, so
    // this is a blank device. Create some data.
    initialize_new_device_data(&ram_data);

    // Program master segment.
    erase_segment(&master_segment);
    program_segment(&master_segment, &ram_data);
  }
}

void emergency_write_isr(void)
{
  // Only write emergency shutdown data if the emergency segment
  // has been fully erased and is prepared to accept programming.
  if (blank_segment(&emergency_segment))
  {
    program_segment(&emergency_segment, &ram_data);
  }
}

--
Paul Curtis, Rowley Associates Ltd http://www.rowley.co.uk
SolderCore Development Platform http://www.soldercore.com
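
A host-side simulation of the two-segment scheme from the reply above, added here as an example and not code from the thread: it cuts power after every possible flash word operation during power-up and checks that the parameters saved at shutdown are still recovered on the next boot. The word-by-word erase model, the toy signature, and the names `budget`, `step`, `survives` and `first_lost` are assumptions of this sketch; a real interrupted erase leaves indeterminate contents, which is why validity rests on the signature rather than on a flag.

```c
#include <stdint.h>
#include <string.h>
#define NP 10                      /* ten parameters, as in the thread */
#define NW (NP + 1)                /* w[0] = signature, then the data words */
typedef struct { uint16_t w[NW]; } seg_t;
static seg_t master, emergency;    /* simulated flash segments */
static uint16_t ram[NP];
static long budget;                /* flash word operations left before VCC collapses */
/* Toy signature (assumption); never returns 0xFFFF, the erased-flash value. */
static uint16_t sign(const uint16_t *p) {
    uint16_t s = 0x1D0F;
    for (int i = 0; i < NP; i++) s = (uint16_t)(((s << 1) | (s >> 15)) ^ p[i]);
    return s == 0xFFFF ? 0xFFFE : s;
}
static int step(void) { return budget > 0 ? (budget--, 1) : 0; }
static int blank(const seg_t *s) {
    for (int i = 0; i < NW; i++) if (s->w[i] != 0xFFFF) return 0;
    return 1;
}
static int valid(const seg_t *s) { return s->w[0] == sign(&s->w[1]); }
/* Model (assumption): erase clears the signature word first; a cut leaves the rest stale. */
static void erase(seg_t *s) { for (int i = 0; i < NW && step(); i++) s->w[i] = 0xFFFF; }
/* Data words first, signature last, so a partial write never verifies. */
static void program(seg_t *d, const uint16_t *p) {
    for (int i = 0; i < NP; i++) { if (!step()) return; d->w[1 + i] = p[i]; }
    if (step()) d->w[0] = sign(p);
}
/* Same order of operations as power_up() in the post. */
static void power_up(void) {
    if (valid(&emergency)) { erase(&master); program(&master, &emergency.w[1]); }
    if (!blank(&emergency)) erase(&emergency);
    if (valid(&master)) memcpy(ram, &master.w[1], sizeof ram);
    else { memset(ram, 0, sizeof ram); erase(&master); program(&master, ram); }
}
/* Cut power after k flash word operations of power-up, reboot cleanly; 1 if saved data survives. */
static int survives(long k) {
    static const uint16_t old[NP] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};      /* constructed */
    static const uint16_t saved[NP] = {11, 12, 13, 14, 15, 16, 17, 18, 19, 20};
    memset(&master, 0xFF, sizeof master); memset(&emergency, 0xFF, sizeof emergency);
    budget = 1000; program(&master, old); program(&emergency, saved);
    budget = k;    power_up();     /* supply collapses mid power-up, hold-up cap empty */
    budget = 1000; power_up();     /* next, uninterrupted, power-up */
    return memcmp(ram, saved, sizeof ram) == 0;
}
static int first_lost(void) {      /* first cut point that loses data, or -1 if none */
    for (long k = 0; k <= 3 * NW + 2; k++) if (!survives(k)) return (int)k;
    return -1;
}
int main(void) { return first_lost() == -1 ? 0 : 1; }
```

The simulation assumes no emergency write happens during the interrupted power-up, matching the case where the hold-up capacitor has not recharged.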

When power is applied, a cap is charged, this takes time.

When you lose power, you are using the cap's stored energy to write to
flash.

If the cap's charge up time is less than the on-time, the cap will not
be charged for the following loss of power.

From: m... [mailto:m...] On Behalf
Of one00100100
Sent: Wednesday, November 14, 2012 8:39 AM
To: m...
Subject: [msp430] Power Loss while erasing flash memory on MSP430F5438

Good morning,
We have a device that monitors supply voltage vcc using the built-in
supply voltage monitor and causes an interrupt if the voltage falls. The
ISR calls a function ShutdownSaveData that writes 10 parameters to flash
memory and sets a flag indicating that the saved data is there. On
powerup, I check for the flag and, if present, I read the saved
parameters into ram. I then erase this area of flash to get ready for
the next shutdown write. If the flag is not set, the parameters are set
to default values and the operator is warned. This works so well, it's a
little scary but lately, we have been seeing instances where the
parameters are reset to default when the operators think it should not
be. What we have determined is that on a single power loss/restore
cycle, everything works as expected. However, if power is toggled
on/off/on/off/on at a period of ~600ms or shorter, we can reproduce this
effect. One theory we have is that power is being lost while I am
erasing the flash. Does anyone know what the expected result of this
would be? Is this covered in any TI literature? Does anyone have other
suggestions?
Thanks,
Mike Raines



Paul, Thanks for your thoughtful response to my questions. I am going to try to implement your solution. I have flow charted it and placed a Visio file and a JPEG file in the files section. Would you please look at the flow charts to see if I have misinterpreted your previous email? I am particularly questioning the left center portion of my "power up" chart. You originally responded to this on November 14.
Thanks again,
Mike Raines

Paul, the files are in a folder titled "Paul Curtis Solution"...
Thanks,
Mike

________________________________
From: m... [mailto:m...] On Behalf Of one00100100
Sent: Tuesday, November 20, 2012 2:00 PM
To: m...
Subject: [msp430] RE: Power Loss while erasing flash memory on MSP430F5438

Paul, Thanks for your thoughtful response to my questions. I am going to try to implement your solution. I have flow charted it and placed a Visio file and a JPEG file in the files section. Would you please look at the flow charts to see if I have misinterpreted your previous email? I am particularly questioning the left center portion of my "power up" chart. You originally responded to this on November 14.
Thanks again,
Mike Raines



> Paul, Thanks for your thoughtful response to my questions. I am going to
> try to implement your solution. I have flow charted it and placed a Visio
> file and a JPEG file in the files section. Would you please look at the
> flow charts to see if I have misinterpreted your previous email? I am
> particularly questioning the left center portion of my "power up" chart.
> You originally responded to this on November 14.

I'm not a flowchart person, sorry.

Regards,

--
Paul Curtis, Rowley Associates Ltd http://www.rowley.co.uk
SolderCore Development Platform http://www.soldercore.com

