Failure Mode and Effect Analysis (FMEA)
Implementation for CSD
Application Note Abstract
This application note describes functions that allow you to perform run-time sensor diagnostics in CSD based designs. These
functions detect sensor line shorts to Vcc or ground, sensor-to-sensor shorts, and modulator component faults. They also
detect when sensor pads are disconnected. Sensors with specific critical-safe requirements such as On/Off buttons can be
implemented with hardware redundancy.
Introduction
One of the main development goals for capacitive sensing
applications is to enhance the reliability of devices with
capacitive sensors in harsh or sensitive environments. The
reliability of the front panel can be improved through
different methods. New capacitive sensing methods such
as the Sigma-Delta Modulator (CSD) and successive
approximation (CSA) are offered as user modules in PSoC
Designer™. These methods feature improved signal-to-
noise ratio (SNR), EMI and ESD immunity, and immunity
to power supply and input transients. In addition,
considerable effort has gone into eliminating improper
operation modes in software. Similar software tricks
include application programming interfaces (APIs) that
employ different positive or negative noise thresholds and
debounce counters.
This application note demonstrates how to use the unique
hardware reconfiguration possibilities available in PSoC
devices to detect errors in capacitive sensing
measurements at runtime. Some of the errors are:
 Shorts to VCC or ground
 Sensor-to-sensor shorts
 Sensor disconnects
 Sensor hardware redundancy
 Faults in the sigma-delta modulator external
components such as:
 Modulation capacitor (Cmod)
 Discharge resistor (Rb)
September 5, 2008 Document No. 001-17582 Rev. *A
AN17582
Authors: Vadym Grygorenko, Gianluca Pedrina
Associated Project: Yes
Associated Part Family: CY8C21x34
GET FREE SAMPLES HERE
Software Version: PSoC Designer™ 5.0
Associated Application Notes: None
Use these diagnostics to provide fail-safe functions in
capacitive sensing devices, where sensor faults lead to
safety concerns. White goods, automotive, and industrial
electronic applications are examples of devices that
require sensor fault diagnostics for safe operations.
The proposed FMEA implementation is based on
International Electrotechnical Commission standard (IEC
60335).
The proposed diagnostic functions are added to existing
CapSense projects by including several FMEA function
calls.
Operation Principles
Two diagnostic tasks are considered in this application
note: sensor shorts and disconnects. Different approaches
are used for each diagnostic task.
Detecting Sensor Shorts
In normal operating conditions, the sensor-to-ground,
sensor-to-sensor, and sensor-to-VCC resistance are very
high. To detect any shorts, actual resistance values are
compared to PSoC internal pull up resistors. A simplified
schematic for sensor-to-ground short detection is shown in
Figure 1.
Figure 1. Sensor-to-Ground Short Detection Schematic
Vcc
Sensor
shorting
PSoC
1
[+] Feedback

The sensor pin is configured to resistive pull up drive
mode. This is achieved by writing a „0‟ to the
corresponding bit of the port DM2 register, and a „1‟ to
DM1, DM0, and DR registers. In normal conditions, the
CPU reads a logical one because of the pull up resistor. If
the sensor is connected to ground through a small
resistance, then the input level is recognized as a logical
zero.
Sensor-to-VCC shorting is detected by a similar method.
The corresponding schematic is shown in Figure 2.
Figure 2. Sensor-to-VCC Short Detection Schematic
Vcc
shorting
Sensor
PSoC
In this case, the sensor pin is configured to resistive pull
down drive mode (DM2, DM1, DM0, and DR = 0). The
input level is zero in normal conditions.
The schematic for the sensor-to-sensor short check is
shown in Figure 3.
Figure 3. Sensor-to-Sensor Short Detection Schematic
Vcc
Sensor
shorting
Sensor
PSoC
All sensor pins are connected to ground internally by
writing zero values to the data registers in strong drive
mode (DM2 and DM1 = 0, DM0 = 1, DR = 0). The
measured sensor pin is configured to resistive pull up
mode. The input level is one for good sensors. A logical
zero signifies a detected short.
Detecting Sensor Disconnect
Another FMEA task is detecting sensor disconnects.
Unfortunately, this task cannot be accomplished with
hardware tricks as in the case of short detection. Sensor
disconnects are detected by several methods.
The first detection method is based on observing the
sensor baseline data. If a sensor is disconnected from the
sensing IC, the area of copper that is attached to the
sensing IC is less than expected. This leads to
significantly lower raw count and baseline values. To
detect sensor disconnects, store the baseline values
under normal conditions in the internal EEPROM. Actual
September 5, 2008 Document No. 001-17582 Rev. *A
AN17582
baseline values are compared to the stored values. If the
actual value is less than the stored value and the
difference exceeds a threshold, a system fault is detected.
The threshold value must not be too small to avoid false
fault triggering based on environmental condition changes.
In addition, this value must not be too large to provide
reliable disconnect detection. This implementation
provides two predefined threshold values: 25% and 12.5%
of the stored baseline value. These values are sufficient
for most applications. Choose the actual value in your
system by running tests on real boards in real systems.
It is possible for the baseline value to change with
temperature by about 25% (see the CSD User Module
data sheet). In this case, the previous method may be
insensitive to sensor disconnects at high temperatures or
may produce false fault detection at low temperatures. To
achieve more reliable sensor disconnect detection, add a
dedicated reference sensor. This reference sensor is
formed with a generic capacitor, instead of a regular touch
area. It is used for baseline temperature drift
compensation. Assuming that the relative baseline
temperature drift is the same for real and reference
sensors, the drift is estimated as:
Bref Norm
Drift , Equation 1
Bref Curr
In Equation 1, BrefCurr is the reference sensor baseline
value at current conditions, and BrefNorm is the reference
sensor baseline value in normal conditions.
Compare the actual sensor baseline to the stored value
with drift compensation, as shown in Equation 2.
B BCurr Drift BNorm Equation 2
This difference B is compared to a predefined threshold.
Another approach to detecting sensor disconnects does
not require any reference value stored in EEPROM. This
approach may be used only if you have a shield electrode.
The shield electrode decreases the capacitance of the
sensor that it shields, and as a result, the baseline value of
that sensor. The baseline decrease is observed only if
there is a capacitive coupling between the shield electrode
and the sensor touch area. Temporarily disabling the
shield electrode causes the signal level to increase for a
good sensor, but does not change the signal value for a
disconnected sensor. Compare the difference between
signal levels when the shield is enabled and disabled to
some threshold value. This difference must exceed the
threshold for a good sensor.
2
[+] Feedback
 AN17582

Figure 4. Voltage on Cmod during Charge and Discharge

Detecting Sensor Disconnect with
Redundancy
When the two detection methods described in the previous
section are not applicable or convenient, PSoC‟s unique
hardware reconfiguration ability allows detection of sensor
disconnect errors using redundant connections. This
method uses two nonadjacent pins connected to the same
sensor. In normal CSD operation, the two pins are shorted
together in the multiplexer, working exactly as a normal
sensor.
During the diagnostics routine, CSD does not scan the
sensors, and the two lines can be checked for continuity
with the same approach used to detect sensor shorts. The
only difference is that now short is the correct condition.

Modulator Component Checkup

The sigma-delta modulator in the CSD User Module uses
two external components: a modulation capacitor (Cmod) The scope image in Figure 4 shows the proposed RC
and a discharge resistor (Rb). These components can also checkup method. At the first stage, Cmod is charged to Vcc
cause errors in capacitance measurement. For example, and after a pause is discharged to Vref. The measured
these components could get shorted or opened. However, discharge time is about 66 µs. This completely agrees with
the techniques described for sensor diagnostic are not the previous equations for Cmod = 22 nF and Rb = 2.2k, as
applicable in this case, because the Cmod pin appears to shown in Equation 6.
be disconnected when tested at DC.
t 1.39 2.2k 22nF 67 s Equation 6
The simplest method to test both Cmod and Rb
simultaneously is to estimate the RC time constant during In software, it is more convenient to measure discharge
Cmod discharge through Rb. This measurement requires time in CPU cycles, as shown in Equation 7.
minimal hardware reconfiguration and is easy to
implement in software. NCLK 1.39 Rb Cmod CPU _ Clock Equation 7
If Cmod is charged to Vcc and then discharged through Rb, For example, if Cmod = 22 nF, Rb = 2.2k, and
the voltage on the capacitor changes according to CPU_Clock = 12 MHz, then the measured discharge time
Equation 3. is NCLK = 807 CPU cycles.
Vc (t) = Vcc e -t/τ Equation 3
In this equation, the time constant (t) = RbCmod.
The capacitor is discharged until its voltage drops below
the comparator reference voltage. This reference voltage
depends on the CSD User Module settings. In most cases,
the reference source is ASE11 and the reference value is
zero. In this case, the reference voltage is equal to Vcc/4.
The time needed to discharge the capacitor from Vcc to
Vcc/4 is according to Equation 4 or Equation 5.

t ln 4 Equation 4

t 1.39 Equation 5

September 5, 2008 Document No. 001-17582 Rev. *A 3

[+] Feedback
 AN17582

3. BYTE FMEA_CheckBaselines (void)

Software Implementation
The FMEA functions are implemented as a standalone
library. The library consists of the main assembler unit,
CSD_FMEA.asm, and a C header file: CSD_FMEA.h.
Note The FMEA library contains direct calls to the CSD
User Module API functions. Name the main instance of the
CSD User Module in PSoC Designer “CSD” so that these
function calls work correctly.
There are six main functions and several auxiliary
functions that are called from the main functions.
Main Functions
Description: Compares all sensor baselines to stored
reference values. If the baseline is below tolerance, then
an error code is returned. Tolerance is defined by the
constant, FMEA_TOLERANCE. The allowed values are:
 FMEA_12_5_PERCENT (tolerance is 12.5%)
 FMEA_25_PERCENT (tolerance is 25%)
Input: None
Output: Returns an error code in the accumulator as
shown in Table 2.

1. BYTE FMEA_CheckShorts(void) Table 2. Error Code Descriptions for FMEA_CheckBaselines

Description: Checks all sensors for shorts to Vcc, ground, Error Code Value Description
or sensor-to-sensor shorts. FMEA_OK 0x00 No errors detected
Input: None FMEA_NO_FLASH_DATA 0x08 Reference baselines
values are not stored
Output: Returns an error code in the accumulator, as in flash memory
shown in Table 1.
FMEA_BASELENE_DOWN 0x10 Baseline is below the
Table 1. Error Code Descriptions for FMEA_CheckShorts allowed value

Error Code Value Description The number of the sensor with the fault is stored in the
FMEA_OK 0x00 No errors detected global variable CSD_bSensorNum.
FMEA_SHORT_TO_VCC 0x01 A short to Vcc is
4. BYTE FMEA_CheckBaselinesRef (BYTE
detected
bRefNo)
FMEA_SHORT_TO_GND 0x02 A short to GND is
detected Description: Compares all sensor baselines to stored
FMEA_SHORT_TO_OTHER 0x04 Sensor-to-sensor
reference values with temperature drift compensation,
short is detected using a reference sensor. If the baseline is below
tolerance then an error code is returned. Tolerance is
defined by the constant FMEA_TOLERANCE. The allowed
The number of the sensor that caused the error is stored
in a global variable, CSD_bSensorNum. values are:

2. BYTE FMEA_SaveBaselines(void)
 FMEA_12_5_PERCENT (tolerance is 12.5%)

Description: Stores the current (reference) baseline values
to the selected Flash block. It writes
CSD_TotalSensorCount data words that contain baseline
values and one additional word, 0x55AA, as sentinel. This
sentinel allows you to check the EEPROM to see if it
contains the stored values. Call this function once to call
the sensor disconnect detection algorithm, which is based
on baseline level tracking. The Flash block number that is
used to save data is defined with the constant BLOCK_ID
in CSD_FMEA.asm. This block must be unprotected in the
flashsecurity.txt file.
Input: None
Output: Returns an error code in the accumulator.
 Value greater than zero: The sensor is OK.
 Zero: Indicates an error.
 FMEA_25_PERCENT (tolerance is 25%)
Input: bRefNo is the number of the dedicated reference
sensor.
Output: Returns an error code in the accumulator, as
shown in Table 2.
CSD_bSensorNum contains the bad sensor number.
5. BYTE FMEA_CheckBaselinesShield(void)
Description: Compares the signal values with an enabled
and disabled shield electrode. If the difference is below
tolerance, then an error code is returned. Tolerance is
defined by the constant FMEA_TOLERANCE. The
allowed values are:
 FMEA_12_5_PERCENT (tolerance is 12.5%)
 FMEA_25_PERCENT (tolerance is 25%)
Note The current implementation of this function works
only with the CY8C21x34 PSoC family.
Input: None

September 5, 2008 Document No. 001-17582 Rev. *A 4

[+] Feedback

Output: Returns an error code in the accumulator as
shown in Table 2 on page 4, excluding
FMEA_NO_FLASH_DATA.
CSD_bSensorNum contains the bad sensor number.
6. WORD FMEA_CheckMod(void)
Description: Charges Cmod to Vcc and measures the
discharge time. The result is an integer value. To calculate
discharge time in CPU cycles, use Equation 8.
NCLK Result 23+38 Equation 8
In most cases, when an absolute time constant value is
not required, it is enough to compare the result value to
zero and FFFFh. If the result is zero, it means that Cmod is
open or Rb is shorted. If the result is FFFFh, it means that
Rb is open. Other values correspond to normal operation.
Note Interrupts are not disabled during the measurement,
because this function is not intended for precision
measurement, only for failure detection. If precision
measurement is required, disable interrupts before calling
FMEA_CheckMod().
Auxiliary Functions
1. BYTE FMEA_CheckSensorUp(BYTE
bSensorMask, BYTE bPort)
Description: Checks the selected sensor for short to GND.
Configures the sensor to pull up drive mode and reads the
data register. If the sensor is OK, then the read data must
be one.
Input:
bSensorMask. The bit mask for the sensor is passed in
the accumulator.
bPort. The port number for the sensor is passed in the X
register.
Output: Returns an error code in the accumulator.
 Value greater than zero: The sensor is OK.
 Zero: Indicates an error.
2. BYTE FMEA_CheckUp(void)
Description: Checks all sensors for short to GND by calling
FMEA_CheckSensorUp() once for each sensor.
Input: None
Output: Returns an error code in the accumulator.
 Zero: No errors detected.
 One: Error.
CSD_bSensorNum contains the bad sensor number.
September 5, 2008 Document No. 001-17582 Rev. *A
AN17582
3. BYTE FMEA_CheckSensorDown(BYTE
bSensorMask, BYTE bPort)
Description: Checks the selected sensor for short to VCC.
Configures the sensor to pull down drive mode and reads
the data register. If the sensor is OK, then the read data
must be zero.
Input:
bSensorMask. The bit mask for the sensor is passed in
the accumulator.
bPort. The port number for the sensor is passed in the
X register.
Output: Returns an error code in the accumulator.
 Value > zero. This indicates the sensor is OK.
 Zero. This indicates an error.
4. BYTE FMEA_CheckDown(void)
Description: Checks all sensors for shorts to VCC by calling
FMEA_CheckSensorDown() once for each sensor.
Input: None
Output: Returns an error code in the accumulator.
 Zero. This indicates no errors are detected.
 One. This indicates an error.
CSD_bSensorNum contains the bad sensor number.
5. BYTE FMEA_CheckSnsBaseline(bSnsNumber)
Description: Compares the selected sensor baseline to the
stored reference value. If the baseline is below some
tolerance, then an error code is returned. Tolerance is
defined by the constant FMEA_TOLERANCE. The allowed
values are:
 FMEA_12_5_PERCENT (tolerance is 12.5%)
 FMEA_25_PERCENT (tolerance is 25%)
Input: bSnsNumber. The sensor number is passed in the
accumulator.
Output: Returns an error code in the accumulator.
 Value > zero. This indicates the sensor is OK.
 Zero. This indicates an error.
5
[+] Feedback
 AN17582

Resources
First, store the reference values in the internal EEPROM
 7 bytes RAM (does not include stack usage) using the FMEA_SaveBaselines() function. Then
function FMEA_CheckBaselines() is periodically called
 1544 bytes ROM (large memory model, including 594
to check the sensors.
bytes for Flash API)
Another example is in the attached project for the CY3213
 1351 bytes ROM (small memory model, including 594 CapSense Board.
bytes for Flash API)
You can decrease ROM usage by removing unused Summary
sensor disconnect detection functions from the assembler
You can easily modify the FMEA library implementation to
source file. Manual removal is more effective than
use it with the CSA User Module. Modifications are
compiler code compression features.
necessary because the CY8C20x34 PSoC family has
different drive modes for the pins.
Example Modify the functions FMEA_CheckSensorUp() and
Code 1 demonstrates how to check all sensors for any FMEA_CheckSensorDown() to correctly set pins to
shorting. The test results are displayed on the LCD. resistive pull up and pull down modes.
Code 1. Check Sensors for Shorting
bResult = FMEA_CheckShorts();
if (bResult == FMEA_OK)
LCD_PrCString(" FMEA Check OK ");
else if (bResult == FMEA_SHORT_TO_VCC) {
LCD_PrCString(" Sensor ");
LCD_PrHexByte(CSD_bSensorNum);
LCD_PrCString(" - Vcc");
}
else if (bResult == FMEA_SHORT_TO_GND) {
LCD_PrCString(" Sensor ");
LCD_PrHexByte(CSD_bSensorNum);
LCD_PrCString(" - Gnd");
}
else if (bResult == FMEA_SHORT_TO_OTHER) {
LCD_PrCString(" Sensor ");
LCD_PrHexByte(CSD_bSensorNum);
LCD_PrCString(" shorts");
}

Code 2 shows how to check for sensor disconnect using

the baseline tracking algorithm.
Code 2. Check Sensor Disconnect
FMEA_SaveBaselines();
…
bResult = FMEA_CheckBaselines();
if (bResult != FMEA_OK) {
LCD_PrCString("Disconnect - ");
LCD_PrHexByte(CSD_bSensorNum);
}

September 5, 2008 Document No. 001-17582 Rev. *A 6

[+] Feedback
 AN17582

About the Authors

Name: Vadym Grygorenko Name: Gianluca Pedrina

Title: Senior Application Engineer Title: Field Apps Engr Principal
Background: Ukraine Solution Centre Background: White Good Applications
Contact: vad_gr@ukr.net Contact: gxp@cypress.com

Document History
Document Title: Failure Mode and Effect Analysis (FMEA) Implementation for CSD
Document Number: 001-17582
Revision ECN Orig. of Change Submission Date Description of Change
** 1674263 Victor Kremin/HMT 10/25/2007 New Application Note.
*A 2545909 Victor Kremin/AESA 09/05/2008 Added chapter “Detecting sensor disconnect with
redundancy”. Changed title to “Failure Mode and Effect
Analysis (FMEA) Implementation for CSD“. Updated
application note template. Updated software version and
project to PSoC Designer 5.0.

PSoC is a registered trademark of Cypress Semiconductor Corp. "Programmable System-on-Chip," PSoC Designer, and PSoC Express are
trademarks of Cypress Semiconductor Corp. All other trademarks or registered trademarks referenced herein are the property of their
respective owners.

Cypress Semiconductor
198 Champion Court
San Jose, CA 95134-1709
Phone: 408-943-2600
Fax: 408-943-4730
http://www.cypress.com/

© Cypress Semiconductor Corporation, 2007-2008. The information contained herein is subject to change without notice. Cypress Semiconductor
Corporation assumes no responsibility for the use of any circuitry other than circuitry embodied in a Cypress product. Nor does it convey or imply any
license under patent or other rights. Cypress products are not warranted nor intended to be used for medical, life support, life saving, critical control or
safety applications, unless pursuant to an express written agreement with Cypress. Furthermore, Cypress does not authorize its products for use as
critical components in life-support systems where a malfunction or failure may reasonably be expected to result in significant injury to the user. The
inclusion of Cypress products in life-support systems application implies that the manufacturer assumes all risk of such use and in doing so indemnifies
Cypress against all charges.
This Source Code (software and/or firmware) is owned by Cypress Semiconductor Corporation (Cypress) and is protected by and subject to worldwide
patent protection (United States and foreign), United States copyright laws and international treaty provisions. Cypress hereby grants to licensee a
personal, non-exclusive, non-transferable license to copy, use, modify, create derivative works of, and compile the Cypress Source Code and derivative
works for the sole purpose of creating custom software and or firmware in support of licensee product to be used only in conjunction with a Cypress
integrated circuit as specified in the applicable agreement. Any reproduction, modification, translation, compilation, or representation of this Source
Code except as specified above is prohibited without the express written permission of Cypress.
Disclaimer: CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS MATERIAL, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cypress reserves the
right to make changes without further notice to the materials described herein. Cypress does not assume any liability arising out of the application or
use of any product or circuit described herein. Cypress does not authorize its products for use as critical components in life-support systems where a
malfunction or failure may reasonably be expected to result in significant injury to the user. The inclusion of Cypress‟ product in a life-support systems
application implies that the manufacturer assumes all risk of such use and in doing so indemnifies Cypress against all charges.
Use may be limited by and subject to the applicable Cypress software license agreement.

September 5, 2008 Document No. 001-17582 Rev. *A 7

[+] Feedback