cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dominiquegraber
Visitor
Visitor
1,356 Views
Registered: ‎07-04-2017

Zynq power supply separation in SIL application

I’m designing a SIL2 product using the Zynq (7Z020) as core. We are implementing redundancy as described in the Xilinx Zynq Safety Manual. But I have some troubles to implement/understand all requirements.

In DS187 note 1 of table 1 the following can be found:

Stresses beyond those listed under Absolute Maximum Ratings might cause permanent damage to the device. These are stress ratings only and functional operation of the device at these or any other conditions beyond those listed under Operating Conditions is not implied. Exposure to Absolute Maximum Ratings conditions for extended periods of time might affect device reliability.

 

Inside the Xilinx Zynq Safety Manual I found the following:

Chapter Hardware Requirements

- Functionally, physically isolated and independent power supplies for the PS and PL

 

Why is Xilinx requesting an "independent" power supply in the Zynq safety manual for HFT=1 (1C_PS_PL) if any supply voltage above the absolute maximum ratings on PS or PS can cause damage of the device?

Damage means for me in this case, damage in PS and/or PL, it is completely unknown what error happen where in the Zynq.

In my point of view it is not realistic to design a one failure safe power supply for all supply voltages to fulfil the requirements of the Xilinx Zynq safety manual and the datasheet. Especially it's not feasible to design a power supply for the core voltage that fulfils following specification:

- normal operating conditions: 0,95V ... 1,05V (DS187)

- error conditions maximum  1,1V (DS187)

    - maximum allowed over voltage in case of one error (Xilinx Safety Manual)

 

More realistic is the following scenario:

- normal operating conditions: 0,95V ... 1,05V

- error conditions maximum  3,3V or 5V depends on input voltage of DC-DC power supply

  - According to the available specification under error conditions in the power supply the Zynq can be / is damaged, this means the power supply is a common cause error for the system and the requested redundancy not needed / mandatory.

 

Is there any specification available about the separation between PS an PL in relation to the different power supplies (especially for over voltage conditions)?

What is the background of the hardware requirement in the Xilinx Safety manual?

 - Is it just to keep the PS running in case of under voltage lockout in the PL part and vise versa?

 - But in case of under voltage I pull on the POR_B and this restarts the Zynq (PS and PL). In my point of view a separate power supply doesn't help at all.

 

Many thanks for your support in advance.

0 Kudos
3 Replies
hpoetzl
Voyager
Voyager
1,335 Views
Registered: ‎06-24-2013

Hey @dominiquegraber

 

Especially it's not feasible to design a power supply for the core voltage that fulfils following specification:

- normal operating conditions: 0,95V ... 1,05V (DS187)

- error conditions maximum  1,1V (DS187)

 

There are ultra low dropout LDOs with 80mV which could work as safeguard for a failing switcher and with redundant supply you could also use a crowbar circuit with a sensitive trigger.

 

But I agree that the limits are rather strict.

 

Best,

Herbert

-------------- Yes, I do this for fun!
dominiquegraber
Visitor
Visitor
1,312 Views
Registered: ‎07-04-2017

Hi Herbert

 

Thanks for your fast response. I already checked the possibility of using a second LDO as guard, but I have some doubts to get under voltage conditions under heavy load conditions (~1A). I would rather use a crowbar instead of a LDO to get rid of this problem. But the crowbar is usually slowly in limiting voltages. Do you have a feeling how fast a crowbar need to be to protect the core? I guess we are talking about some micro seconds, this seems to be difficult to reach as well as the maximum limiting voltage of less than 1V in trip conditions until the input power supply falls below 1V.

 

My structure so far is as following:

24V -> 5V -> generate the different voltages as 1V0, 1V8, 3V3,  and so on

I have 5V relays in my system, this is the reason why I would like to use the 5V as intermediate voltage.

0 Kudos
austin
Scholar
Scholar
1,308 Views
Registered: ‎02-27-2008

d,

 

At the abs max, the device is unaffected, forever.

 

Slightly above, and damage may take minutes to days.

 

Far above, it may take less than a few microseconds.

 

The devices are quite robust, as the reliability report (UG116.pdf) describes in great detail.

 

I suggest you work with your local Xilinx sales office technical resources, who have training and access to the powering solutions you require for your safety critical system design.

 

 

 

Austin Lesea
Principal Engineer
Xilinx San Jose
0 Kudos