# DATA PROTECTION AND POWER UP/DOWN SEQUENCE FOR CAT25CXXX SPI SERIAL EEPROM DEVICES

Denisa Stefan, Applications Engineer

Data protection is a major concern in applications using EEPROMs. Even though serial EEPROMs offer better protection against accidental writes than parallel EEPROMs, the corruption of data is still a possibility. Catalyst Semiconductor SPI (Serial Peripheral Interface) EEPROMs incorporate write protect features that enhance data integrity.

### **Data Protection Features**

Software and hardware data protection features have been built into CAT25Cxxx devices to prevent accidental writes to memory in noisy or poorly controlled environments.

#### Write Enable Latch and Write Enable Instruction

The write enable/disable state is controlled by an internal Write Enable Latch (WEL). The state of this latch is reflected by the WEL bit in the status register. In order to write to the device, the WEL bit must be set by a write enable instruction (WREN) prior to each write instruction. A write disable instruction (WRDI) can be sent to disable the write function again. The WEL bit is reset at the completion of the write operation. At power up, all CAT25Cxxx devices are in a write disable state (WEL bit is reset). The necessity to execute a WREN instruction before a write operation assures a high degree of protection against inadvertent write operations caused by random noise.

#### Chip Select Requirements

Another security measure for data protection requires *CS* to be driven high after a certain number of clock pulses in order to start the internal write cycle. For any instruction to be executed (except READ and RDSR), after the valid opcode is sent, CS must go from low to high after the rising edge of the SCK clock signal that latches the eighth bit of the instruction code or the eighth bit of a data byte. This positive CS transition must be after the last bit of the instruction is latched and before the next rising edge of the clock signal.

During the internal cycle, the device is protected against external interruption by ignoring any other access to the memory array or write to the status register.

#### Hardware Write Protection (WP)

A hardware method of protection using the write protect pin (WP) is also available. When the WP pin is set high, normal writes to the memory array (CAT25010/20/40) or to the status register are allowed (CAT25Cxxx).

### Software Write Protection of Memory Blocks

CAT25Cxxx devices also feature the ability to software write-protect areas of memory. The size of the memory array that can be protected is defined by the value of the *Block Protect* bits in the Status Register. These non-volatile bits are set using the Write Status Register (WRSR) instruction. Writes to the status register are not allowed if the hardware protection mode (controlled by the WP pin) has been set. A WREN instruction must precede any WRSR request. After completion of a WRSR instruction, the WEL bit is reset.

## **Power-Up and Power-Down Operation**

At power-up, CAT25Cxxx devices are in the following state:

- Low power standby mode
- Write Enable Latch (WEL) is reset to "0"
- Ready bit (RDY) is set to "0" (write cycle is not in progress)
- The block protect bits of the status register are unchanged from the previous power-down (they are non-volatile bits)

During power-up, the device is set to the initial state by an *internal power-on reset pulse*. The internal "power-on reset" circuit will generate the internal reset when the supply voltage is applied and rises from $V_{SS}$ to the nominal $V_{CC}$ value. For CAT25Cxxx devices that operate over the 1.8V to 6.0V range, the power-on reset generator reacts to the positive $V_{CC}$ transition at a level below 1.5V. Read or write operations can be initiated after a delay of maximum 1ms ($t_{PUR}$, $t_{PUW}$), measured from the time $V_{CC}$ is stable at the nominal value.

While the internal logic circuits work properly at supply voltage levels significantly lower than 1.7V, complete functionality of the device cannot be expected. If there is a need to power down the supply voltage, it is recommended that ambiguous supply levels be avoided and that the supply be brought down to 0V.

# **Power Failure during a Write Operation**

CAT25Cxxx SPI serial EEPROMs offer a high degree of protection against inadvertent writes with normal power supply levels. Additional protective measures might be required to protect against data corruption during some brown-out events.

In general, if the power goes down while an internal write operation is in progress, there is no guarantee against data corruption. This danger can be minimized by careful application design.

The possibility of data corruption depends on when power begins to fall during the write instruction. It also depends on the ramp rate of $V_{CC}$ during power down and/or how $V_{CC}$ powers up again. There are two time intervals during the write operation to which power down can be referenced: the interval when the write command is sent serially to the device, and the actual internal write cycle. When $V_{CC}$ goes down and powers up again, the full sequence of events must be considered.

For power failure during EEPROM write operations, different scenarios must be examined.

**Case 1**: Power failure occurs while sending a write instruction but before the last bit of data has been latched.

CAT25Cxxx devices have excellent data protection in this case. The probability of corrupting data in the memory is almost zero. If power starts dropping and the input signals to the device stop transitioning before the last data bit has been latched, then there is very little chance of triggering the internal write cycle, since the logic condition for starting an internal write is not met: the probability of a positive CS transition occurring after exactly eight clock pulses, or a multiple of eight, is essentially zero.

**Case 2**: Power failure occurs while sending a write sequence after the last bit of data has been latched but the internal write has not yet been initiated by a low to high CS transition.

This case may occur during the execution of a Page Write instruction with a certain delay between data bytes. During this time CS is in an active state. The chance that a positive CS transition can initiate an internal write cycle is higher. Since the last bit of data has been latched, it is enough for CS to toggle from low to high to initiate the internal nonvolatile memory write cycle. The result of the write operation may be correct or incorrect. Since the maximum write time is 10 ms, data will be written correctly if the CS transition occurs at least 10 ms before $V_{CC}$ drops below approximately 1.7V.

If $V_{CC}$ drops to an ambiguous level (below approximately 1.7V, but not low enough) before the next positive transition of CS (Figure 1), then the result of the write request becomes unpredictable. It is very possible that the microcontroller that drives the EEPROM will be shut off by a $V_{CC}$ brown-out condition. After power recovers, during the microcontroller's start-up period, it is very likely that a low to high transition on the CS input can be generated that will initiate an internal write cycle. There is no assurance, however, that the address and data latched before the power failure are still correct.

Figure 1. Data corruption due to the write operation continued after power failure

The user can protect the device against data corruption by using one of the following approaches:

- a) If the brown-out condition can be detected, then the write operation can be aborted by taking $V_{CC}$ down to 0V before the positive transition of CS and then powering up again. This will reset the device, erase the initial write request and protect the device against inadvertent writes (Figure 2). Obviously, the data in the memory will not change.
- b) If the power failure disables the driver (e.g. microcontroller) before $V_{CC}$ drops below the minimum level guaranteed for proper EEPROM operation, then it is possible to initiate the internal write by generating a positive CS transition as soon as the driver is disabled. This can be accomplished by connecting a pull-up resistor between the CS pin and $V_{CC}$ (Figure 3a). As soon as the driver is disabled, a positive transition is generated. Assuming that $V_{CC}$ drops to the minimum EEPROM supply in more than approximately 10ms, the write request will be successfully completed (Figure 3b).

Figure 2. Canceled write operation due to power failure

Document No. 6020, Rev. B

Figure 3a.

Figure 3b. Write operation successfully terminated during $V_{CC}$ brown out

**Case 3**: Power down while an internal write cycle is in progress.

In this case, the internal write cycle has been started and, depending on how fast $V_{CC}$ decays during power down, data may or may not be written correctly. CAT25Cxxx SPI serial EEPROMs are guaranteed to work properly down to $V_{CC}$ = 1.8V. If the supply is above 1.8V for at least 10ms following the positive transition of CS, the write operation will complete successfully; otherwise the end result is unpredictable (Figure 4).

# Power-Up/Down Design Guides for Data Protection in CAT25Cxxx Devices

To benefit from all the built-in CAT25Cxxx Serial EEPROM data protection features, the following recommendations should be followed:

- 1) At power up, $V_{CC}$ should rise from 0V (or at least 0.1V) to its final value to initialize the device in the correct state.
- 2) After $V_{CC}$ is stable, allow a minimum of 1ms before sending instructions to the device.
- 3) Avoid delays between the last data bit and the rising edge of CS that triggers the internal write cycle. In this way, the probability of data corruption caused by a power failure during this time interval is decreased.
- 4) For additional protection, CAT25Cxxx devices should be allowed to automatically deselect during brown-out conditions. This can be accomplished by allowing CS to follow $V_{CC}$ by using a suitable pull-up resistor on the CS pin.
- 5) In order to allow the completion of ongoing internal writes during brown-out, $V_{CC}$ should drop slowly enough to allow for the 10 ms required to complete the write (before reaching the minimum guaranteed supply level for proper device operation).
- 6) Ambiguous supply levels (below 1.7V) should be avoided. If they can be detected, it is recommended to completely power down to 0V for at least several hundred milliseconds and then power up again to a nominal $V_{CC}$ value.
- 7) Use a voltage supervisor that warns the system controller of power failure. The microcontroller must avoid initiating any write command to the EEPROM for which there is not enough time to terminate.

Catalyst Semiconductor, Inc., Corporate Headquarters, 1250 Borregas Avenue, Sunnyvale, CA 94089. Phone: 408.542.1000, Fax: 408.542.1200, www.catalyst-semiconductor.com

Publication #: 6020, Revision: B, Issue date: 1/6/03, Type: Final

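The design guides above, combined with the WREN and CS rules from the data protection section, as an added host-side example (not Catalyst's code): a byte write that is refused when the supply cannot hold above 1.8V for the 10 ms write time, run against a small constructed device model. Assumptions: the opcode values are the standard 25-series SPI EEPROM encoding and should be checked against the device datasheet; the model, its one-byte address, the `holdup_ms` inputs and the 1 ms transfer margin are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum { WRITE = 0x02, RDSR = 0x05, WREN = 0x06 }; /* standard 25-series SPI opcodes */
enum { SR_RDY = 0x01, SR_WEL = 0x02 };           /* RDY = 1 while a write is in progress */
enum { T_WC_MS = 10, VMIN_MV = 1800 };           /* write time and minimum supply from the note */

/* Constructed device model (one address byte), standing in for the SPI hardware. */
static uint8_t mem[256], sr, frame[3];
static int n;                                    /* bytes clocked in since CS went low */
static void cs_low(void) { n = 0; }
static uint8_t xfer(uint8_t out) {
    if (n < 3) frame[n] = out;
    n++;
    if (frame[0] != RDSR || n != 2) return 0xFF;
    uint8_t s = sr;
    if (sr & SR_RDY) sr = 0;                     /* model: write done after one poll, WEL resets */
    return s;
}
static void cs_high(void) {                      /* the rising CS edge is what commits a frame */
    if (frame[0] == WREN && n == 1) sr |= SR_WEL;
    if (frame[0] == WRITE && n == 3 && (sr & SR_WEL)) { mem[frame[1]] = frame[2]; sr |= SR_RDY; }
}

/* Time left before VCC reaches VMIN_MV; both inputs are hypothetical board-level figures. */
static int holdup_ms(int vcc_mv, int decay_mv_per_ms) {
    if (vcc_mv <= VMIN_MV) return 0;
    if (decay_mv_per_ms <= 0) return 1 << 20;    /* supply is not falling */
    return (vcc_mv - VMIN_MV) / decay_mv_per_ms;
}

typedef enum { WR_OK, WR_REFUSED, WR_NOT_LATCHED, WR_TIMEOUT } wr_result;

wr_result eeprom_write_byte(uint8_t addr, uint8_t val, int vcc_mv, int decay_mv_per_ms) {
    if (holdup_ms(vcc_mv, decay_mv_per_ms) < T_WC_MS + 1) /* +1 ms assumed for the SPI transfer */
        return WR_REFUSED;                       /* never start a write that cannot finish */
    cs_low(); xfer(WREN); cs_high();             /* WEL must be set before every write */
    cs_low(); xfer(RDSR); uint8_t s = xfer(0); cs_high();
    if (!(s & SR_WEL)) return WR_NOT_LATCHED;
    cs_low(); xfer(WRITE); xfer(addr); xfer(val);
    cs_high();                                   /* no delay between the last bit and CS rising */
    for (int i = 0; i <= T_WC_MS; i++) {         /* on hardware: one RDSR poll per millisecond */
        cs_low(); xfer(RDSR); s = xfer(0); cs_high();
        if (!(s & SR_RDY)) return WR_OK;
    }
    return WR_TIMEOUT;
}

int main(void) { printf("%d\n", eeprom_write_byte(0x10, 0xA5, 3300, 50)); return 0; }
```

On real hardware the three model functions are replaced by the board's CS and SPI transfer routines, and the voltage inputs come from the supervisor or an ADC reading.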