AN4442, Integrating the MPC5643L and MC33907/08 for Safety

Freescale Semiconductor
Application Note
Document Number: AN4442
Rev 2, 1/2014

Integrating the MPC5643L and MC33907/08 for Safety Applications
by: Gene Fortanely and Barbara Johnson

Contents
1 Introduction ........................................ 1
2 MPC5643L Overview ................................... 1
3 MC33907/08 Features ................................. 3
4 MPC5643L and MC33907/08 Alignment ................... 5
5 MPC5643L Safety Requirements ....................... 15
6 Conclusion ......................................... 18
7 References ......................................... 18
8 Revision history ................................... 18

1 Introduction
This application note provides design guidelines for integrating the Freescale MPC5643L microcontroller unit (MCU) and the Freescale MC33907/08 System Basis Chip in automotive electric and electronic systems that target the ISO 26262 functional safety standard. It provides an overview of the MPC5643L and MC33907/08 feature sets and covers the functional safety requirements that are satisfied to achieve the ASIL D level of safety.
Integrating the MPC5643L and MC33907/MC33908 in a system provides many advantages for the customer. Freescale’s ISO 26262 solutions, which form part of the Freescale SafeAssure program, help system manufacturers achieve system compliance with functional safety standards more easily by simplifying the system architecture.
2 MPC5643L Overview
This section describes the MPC5643L features that are of
interest when integrating the device with the MC33907/08.
© 2012–2014 Freescale Semiconductor, Inc.
2.1 Safety concept
The MPC5643L is built around a dual e200z4d core Sphere of Replication (SoR) safety platform with a safety concept
targeting ISO 26262 ASIL D integrity level. In order to minimize additional software and module level features to reach this
target, on-chip redundancy is offered for the critical components of the MCU:
• CPU core
• DMA controller
• interrupt controller
• crossbar bus system
• memory protection unit
• flash memory and RAM controllers
• peripheral bus bridge
• system timers
• watchdog timer
A Redundancy control and checker unit (RCCU) is implemented at each output of this SoR. ECC is available for on-chip
RAM and flash memories. The programmable Fault Collection and Control Unit (FCCU) monitors the integrity status of the
device and provides flexible safe state control.
2.2 Power supply requirements
The on-chip voltage regulator module has the following characteristics. A single high-voltage supply of nominally 3.3 V is required. An external ballast transistor is used to reduce power dissipation in the package at high temperature, but the embedded transistor can be used instead if the power dissipation stays within the package dissipation capacity (for example, at a lower operating frequency). All I/Os operate at the same voltage as the external supply (3.3 V nominal). The core voltage supplies are not under user control; they are generated by the on-chip voltage regulator.
See Table 1 for a list of MPC5643L power supplies.
Table 1. MPC5643L supplies (3.3 V and 5 V)

MPC5643L Supplies                                   Minimum  Maximum  Unit
VDD_HV_REG   3.3 V regulator supply                 3.0      3.6      V
VDD_HV_IOx   3.3 V I/O supply                       3.0      3.6      V
VDD_HV_FLA   3.3 V Flash supply                     3.0      3.6      V
VDD_HV_ADR0  5 V ADC_0 and ADC_1 reference (1)      4.5      5.5      V
VDD_HV_ADR1  3.3 V ADC_0 and ADC_1 reference (2)    3.0      3.6      V
VDD_HV_ADV   3.3 V ADC supply                       3.0      3.6      V
VDD_HV_OSC   3.3 V oscillator supply                3.0      3.6      V
1. The user may select 3.3 V or 5 V as the ADC reference voltage.
2. The user may select 3.3 V or 5 V as the ADC reference voltage.
2.3 Communication interfaces
The FlexCAN module is a communication controller implementing the CAN Protocol Specification version 2.0B.
The LINFlexD module supports LIN Master mode, LIN Slave mode and UART mode. The LIN state machine is compliant
to LIN1.3, 2.0, and 2.1 specifications.
The Deserial Serial Peripheral Interface (DSPI) module provides a synchronous serial bus for communication between the
MCU and an external peripheral device, for example, the MC33907/08.
2.4 Fault Collection and Control Unit (FCCU)
The Fault Collection and Control Unit (FCCU) offers a programmable hardware channel to collect errors and to lead the device in a controlled way to a safe state when a failure is present in the device. No CPU intervention is required for the collection and control operation. The FCCU also has configurable and graded fault control with both an internal reaction (no internal reaction, IRQ, Functional Reset, or Destructive Reset) and an external reaction (the failure is reported to the external and surrounding system via configurable output pins). The external reaction via output pins is the aspect of interest when integrating with the MC33907/08.
3 MC33907/08 Features
The MC33907 and MC33908 are multi-output power supply integrated circuits dedicated to the automotive market. The
MC33907/08 simplifies system implementation by providing the ISO 26262 system solutions and documentation to save
customer cost and complexity through an optimized interfacing with an MCU. This device also reduces system complexity
and increases functional robustness by integrating EMC and ESD protection.
3.1 Voltage regulators
• Vpre VOLTAGE PRE-REGULATOR
The Vpre voltage pre-regulator is a flexible switched-mode power supply (SMPS). The SMPS pre-regulator can be
configured in 2 topologies: Non-inverting buck-boost or standard buck configuration. The output voltage Vpre is
regulated between 6.25 V and 6.75 V in buck mode. The output current capability is up to 2 A. The SMPS preregulator also keeps power dissipation down and eliminates the need for bulky heat sinks compared to linear regulators.
• Vcore VOLTAGE REGULATOR
The Vcore voltage regulator is a step-down DC-DC converter with a PWM frequency of 2.4 MHz. The high-side
MOSFET is integrated in the device. The output voltage can be configured around 1.2 V or 3.3 V through an external
resistor divider (a minimum of 1% accuracy resistors are recommended) connected between Vcore and the feedback
pin. The expected accuracy is ±2%. The output current is up to 1.5 A for the MC33908 and up to 0.8 A for the
MC33907.
• Vcca VOLTAGE REGULATOR
The Vcca linear voltage regulator is mainly dedicated to supply the MCU I/Os, especially the ADC. The output voltage
is selectable at 5 V or 3.3 V. The expected accuracy is ±1%. The output current capability is up to 100 mA.
An external PNP transistor can be used to boost the current capability up to 300 mA, but the output voltage accuracy
becomes ±3% if an external PNP is used.
• Vaux VOLTAGE REGULATOR
The Vaux auxiliary voltage regulator is a dedicated supply for additional devices in the ECU or for sensors outside the
ECU. The Vaux output voltage is selectable between 5 V and 3.3 V.
• 5V-CAN VOLTAGE REGULATOR
The Vcan is a linear voltage regulator fully dedicated to the embedded HSCAN interface.
3.2 Built-in CAN and LIN transceivers
The built-in enhanced high speed CAN interface fulfills the ISO11898-2 and -5 standards. Local and bus failure diagnostics, protection and a fail safe operation mode are provided. The HSCAN also has wakeup capability with very low current consumption.
3.3 Watchdog function
The MC33907/08 implements a windowed watchdog using a “challenger” to ensure a question/answer with the MCU. The
challenger must be continuously triggered by the MCU in the open watchdog window to prevent an error indication from
being generated by the MC33907/08.
3.4 Fail safe machine
To support safety-critical applications, a dedicated Fail Safe Machine (FSM) is provided. The FSM is composed of 4 main sub-blocks:
• Voltage Supervisor (VS)
• Fail Safe State Machine (FSSM)
• Fail Safe Output driver (FSO)
• Built-In Self Test (BIST)
The FSM is as independent as possible from the rest of the circuitry to avoid common cause failures. For this reason, the FSM has its own voltage regulators (analog and digital) and a dedicated bandgap and oscillator. Moreover, this block is also physically separated from the rest of the circuitry as far as possible through dedicated layout and placement.
3.5 Error indication
Digital inputs are available for monitoring the MCU error signals as well as for error handling of external ICs.
3.6 Analog multiplexer
The analog multiplexer allows the following voltages to be output from the MC33907/08 to one of the MCU’s ADC channels. The MCU can use this information for monitoring purposes.
• 2.5 V Internal reference voltage with a ±1 % accuracy
• Battery sense
• Analog inputs IO_0 and IO_1
• Die temperature
3.7 Low Power OFF mode
In LPOFF mode, all the voltage regulators are turned off, which means that the MCU connected to Vcore is unpowered. The MC33907/08 monitors external events in order to wake up and leave LPOFF mode. Wakeup events can be generated via the CAN interface and the I/O inputs. A wakeup event turns the Vcore regulator back on.
4 MPC5643L and MC33907/08 Alignment
A typical electronic power steering application that integrates the MPC5643L with the MC33907/08 is shown below. The MC33907/08 provides power generation and voltage monitoring to the MCU and provides external watchdog supervision to detect failures of the MCU. The MC33907/08 also monitors the error signals coming from the MCU and provides fail-safe mechanisms to maintain the system in a safe state in case a failure occurs. This section provides design guidelines for integrating the MPC5643L with the MC33907/08 to achieve the ASIL D safety level.
Figure 1. MPC5643L and MC33907 electronic power steering application
4.1 Power supply connectivity
• MC33907/08 power supply
Power to the MC33907/08 is supplied via the Vsup1, Vsup2, and Vsup3 supply pins. An external reverse battery
protection diode must be connected between the external battery input Vbat and the capacitor-input filter. The battery
sense Vsense pin must be connected between the battery power and the diode through a filter. Up to 40 V can be
supplied to the Vsup and Vsense pins. The MC33907/08 power connection is shown in Figure 2.
Figure 2. MC33907/08 supply connections
• MC33907/08 pre-regulator
The MC33907/08 pre-regulator output Vpre is between 6.25 V and 6.75 V in the buck converter configuration. In this mode, the Gate_LS pin is tied to GND. A 22 µH inductor and four 10 µF output ceramic capacitors in parallel are connected to Vpre as shown in Figure 3. It is recommended that the capacitors have a low equivalent series resistance (ESR) of less than 100 mΩ. A capacitor of at least 100 nF must be connected to the Boot_pre pin.
Figure 3. MC33907/08 Pre-regulator connection in buck configuration
• MPC5643L 3.3 V regulator supply
The MPC5643L requires 3.3 V for the VDD_HV_REG regulator, which can be supplied by the MC33907/08 Vcore
voltage regulator. The Vcore provides a selectable output voltage around 1.2 V or 3.3 V. The MC33908 is capable of
supplying 1.5 A from the Vcore regulator in normal mode, while the MC33907 can output 0.8 A from Vcore. For the
MPC5643L, the MC33907 current capability is sufficient. The Vcore value is adjusted using a voltage divider
connected between the regulated Vcore output and the voltage feedback pin FB_core, which has a typical voltage of 0.8
V.
a. Vcore voltage selection
High-precision 1% resistors of 24.9 kΩ and 8.06 kΩ can be used in a voltage divider circuit to adjust Vcore to 3.3 V.
Equation 1
The connection between the Vcore output from the MC33907/08 and the MPC5643L VDD_HV_REG is shown
in Figure 5. The Vcore can also be used to power the MCU’s Flash (VDD_HV_FLA), I/Os (VDD_HV_IOx) and
oscillator (VDD_HV_OSC) supplies. An optional external NPN transistor can be connected to the 3.3 V supply
to generate the supply for the MPC5643L core logic (VDD_LV_COR0). Note that the decoupling capacitors on
the MPC5643L side are not shown in the diagram. Refer to the MPC5643L Reference Manual for details on the
required bypass capacitors and the external ballast transistor.
b. Vcore ripple voltage
Since the Vcore provides the main power source to the MPC5643L, it is important that proper filtering is
implemented at the Vcore output to ensure a clean voltage at the MPC5643L supply input.
The peak-to-peak ripple current through the inductor, ΔI_INDUCTOR, can be calculated from the known parameters:
• Input voltage V_IN = 6.5 V
• Output voltage V_OUT = 3.3 V
• Vcore regulator switching frequency F_sw = 2.4 MHz
• Inductor L = 2.2 µH
• I_OUTMAX = 1.5 A for the MC33908 (0.8 A for the MC33907)
Equation 2 gives the ripple current through the inductor, which yields 0.31 A.
Equation 2
Equation 3 yields a voltage overshoot of 97 mV for the MC33908 (30 mV for the MC33907) when a single C_O = 10 µF output capacitor is used.
Equation 3
The voltage ripple across the output capacitor is the sum of the ripple voltage due to the output capacitor’s ESR and the ripple voltage due to its capacitance.
The output capacitor has a ripple voltage proportional to its ESR, so it should have a low ESR value to minimize the ripple voltage. For example, a 10 µF capacitor with a 100 mΩ ESR is available from electronic parts vendors. The ripple voltage due to the output capacitor ESR, V_OUTESR, is given by Equation 4, which yields 31 mV.
Equation 4
The other component of the voltage ripple is the voltage due to the capacitance, which is given by Equation 5 and yields 3 mV.
Equation 5
Both voltage ripple components add up to about 34 mV, which is roughly 1% of the 3.3 V output. Note that
selecting a capacitor with a higher ESR can exceed the target output voltage ripple so careful consideration must
be made.
It is also critical that the MPC5643L includes proper decoupling capacitors between the VDD pins and the
nearest corresponding GND pins. Refer to the MPC5643L Reference Manual for more details. Note that the
MCU-side decoupling capacitors are not shown in Figure 2.
Figure 4 shows the Vcore output voltage ripple as measured from the 10 µF decoupling capacitor on the MCU
side. The measured peak-to-peak voltage is approximately 40 mV.
Figure 4. Voltage Ripple on Vcore
A compensation bridge consisting of two resistors and two capacitors, as shown in Figure 5, is required to ensure stability of the buck converter. The component values shown are selected based on the 3.3 V Vcore output and the load capacitance.
Figure 5. MC33907/08 + MPC5643L Vcore Supply Connections
• MPC5643L ADC Voltage and Reference Supplies
The MPC5643L ADC voltage (VDD_HV_ADV) requires a 3.3 V supply. The ADC reference voltages (VDD_HV_ADR0 and VDD_HV_ADR1) can be 3.3 V or 5 V. Both VDD_HV_ADR0 and VDD_HV_ADR1 must be supplied from the same voltage source.
With a selectable voltage of 3.3 V or 5 V, the MC33907/08 Vcca linear regulator can be used to supply the MPC5643L
ADC reference voltages. If the ADC reference voltage is selected to be 3.3 V, the Vcca regulator can also be used to
supply the MPC5643L ADC voltage.
Depending on the power requirements of the system, an external PNP transistor can be connected to Vcca. With the
external transistor, Vcca is accurate up to ±3% and can output up to 300 mA. The MC33907/08 automatically detects
the external transistor during its startup sequence. If only the internal ballast is used, Vcca outputs up to 100 mA with a
±1% accuracy.
The value of the external resistor connected between the SELECT and GND pins determines the Vcca and Vaux voltages. Table 2 shows the required resistor value for each selected voltage combination.
Table 2. Vcca and Vaux voltage selection

Vcca (V)  Vaux (V)  Resistor (1% accuracy)
3.3       3.3       5 kΩ
3.3       5         24 kΩ
5         3.3       50 kΩ
5         5         12 kΩ
Figure 6 shows the connection between the MC33907/08 Vcca and the MPC5643L ADC voltage and reference supplies when both require 3.3 V. A 5 kΩ resistor between the SELECT and GND pins configures the Vcca and Vaux pins to 3.3 V. A ferrite bead is used to isolate the digital and analog supplies.
Note that the decoupling capacitors on the MPC5643L side are not shown in the diagram. Refer to the reference manual
titled Qorivva MPC5643L Microcontroller Reference Manual (document number MPC5643L) for details on the
required bypass capacitors.
Figure 6. MC33907/08 + MPC5643L Vcca supply connections
Alternatively, if the ADC reference supply is 5 V, the Vcca regulator can be used to generate the 5 V ADC reference
supply while the Vcore regulator can be used to generate 3.3 V to the ADC voltage supply.
• Auxiliary Voltage Supply
The MC33907/08 auxiliary Vaux voltage regulator provides a selectable output of 5 V or 3.3 V to supply power to
additional devices in the ECU. It can also be used as a sensor supply outside the ECU. The Vaux is accurate up to ±3%
and can output up to 300 mA.
4.2 Ground separation
Three grounds are available on the PC33907_08: AGND (analog ground), GND_COM (physical layer ground), and DGND (logic ground).
On the printed-circuit board (PCB), two grounds must be clearly separated: a local ground for the power components involved in the high transient current loops, called PGND in this document, and GND, to which all other components must be connected. The connections from the PC33907_08 grounds to the PCB grounds are shown in the figure below.
On the PCB, the connection between PGND and GND must be made as far as possible from the local PGND ground.
It is not necessary to connect the exposed pad to ground, as it has no internal electrical connections.
Figure 7. Ground connection between PC33907_08 and PCB ground
The MCU ground should be connected to PGND to avoid any perturbation on GND which is considered the “non perturbed”
ground.
4.3 Power-up sequence
To provide a safe and well-defined start-up sequence, the MC33907/08 devices include an undervoltage lock-out. When the MC33907/08 supply voltage Vsup is below the lock-out voltage of 2.7 V, the device is in the power-on-reset condition. In all other conditions, the MC33907/08 is able to operate down to this lock-out voltage. When Vsup rises to 5.3 V, the pre-regulator voltage Vpre starts to activate, which then turns on the different voltage rails if configured in buck-boost. Vcore, Vcca, and Vaux automatically ramp up at the same time to provide power to the MPC5643L, as shown in Figure 8.
With the built-in self-test (BIST) disabled, the MPC5643L de-asserts the RESET_B signal approximately 3 ms after the 3.3 V supplies are active to signal the end of the power-up sequence, as shown in Figure 9.
Figure 8. Power-up sequence
Figure 9. Reset de-assertion
4.4 CAN connectivity
The CAN_5V linear regulator provides the 5 V CAN transceiver supply. A 1 µF capacitor must be connected between CAN_5V and GND. The MC33907/08 transmit and receive data pins TXD and RXD connect to the MPC5643L FlexCAN 0 TXD and RXD pins, respectively. The physical CAN bus interface connects to the CANH and CANL pins on the MC33907/08 side.
The MC33907/08 CAN interface is connected to the MPC5643L as shown in Figure 10.
Figure 10. MC33907/08 + MPC5643L CAN connections
4.5 SPI connectivity
The Serial Peripheral Interface (SPI) allows bi-directional communication between the MPC5643L and the MC33907/08.
The MPC5643L, which acts as the master, accesses the MC33907/08 configuration registers through SPI registers. The
watchdog refresh is also communicated via SPI.
Figure 11. MC33907/08 + MPC5643L SPI connections
4.6 Error management connectivity
The MC33907/08 IO_2 and IO_3 pins can be configured as safety inputs from the MPC5643L for continuous monitoring of
the MPC5643L FCCU output pins FCCU_F[0] and FCCU_F[1]. The MC33907/08 asserts the INTb when an interrupt
condition occurs. This pin connects to the EIRQ[11] pin in the MPC5643L to trigger an external interrupt.
In case a failure occurs, the MC33907/08 asserts the RSTb to reset the MPC5643L. This pin connects to the RESET_B pin in
the MPC5643L. It is recommended that the fail-safe output FS0b is connected to an external circuit that disconnects the
power to the electrical motor in a power steering application when FS0b is asserted to indicate a fault. This mechanism
ensures that power to the critical circuits of the application is cut off to prevent potential damage of the system.
The error management connection between the MC33907/08 and the MPC5643L is shown in Figure 12.
Figure 12. MC33907/08 + MPC5643L error management connections
5 MPC5643L Safety Requirements
The MPC5643L requires several external measures to allow safe operation in a system targeting ASIL D functional safety
level:
• External power supply and monitor
• External watchdog timer
• Error output monitor
The MC33907/08 provides the above functions to ensure that the MPC5643L is brought to a safe state in the event of a
failure. Refer to the safety application guide titled Safety Application Guide for MPC5643L (document number
MPC5643LSAG) for additional details about the safety requirements when using the MPC5643L with external components.
5.1 Power supply and monitor
The MPC5643L includes internal monitors which continuously check the various voltage supplies. The Low-Voltage
Detector (LVD) and the High-Voltage Detector (HVD) monitor the operating voltages to ensure the device works within the
correct voltage range. The operating voltages are supervised by the following voltage monitors:
• Duplicated LVD_DIG blocks to monitor the 1.2 V core supply
• Duplicated HVD_DIG blocks to monitor the 1.2 V core supply
• Three LVD_MAIN blocks to monitor the 3.3 V VDDIO, VDDREG and VDDFLASH supplies
When the core voltage drops below the LVD_DIG threshold level, a 1.2 V low-voltage detection event occurs. Similarly,
when the core voltage exceeds the HVD_DIG threshold level, a 1.2 V high-voltage detection event occurs. If the voltage is
not in the proper range, the system responds with a reset.
When the main 3.3 V supply drops below the LVD_MAIN threshold level, a 2.7 V low-voltage detection event occurs and
the system responds with a reset. The MPC5643L does not include a high-voltage monitor for the 3.3 V supplies, therefore,
for ASIL D applications the overvoltage monitor for the 3.3 V supplies, in addition to the undervoltage monitor, must be
provided by an external device.
Safety Requirement [SAG_MPC5643L_076] — To fully monitor all voltage supplies, an external device must provide
overvoltage and undervoltage monitors for the MPC5643L external 3.3 V supplies.
This safety requirement is satisfied by the MC33907/08, which provides voltage regulation and overvoltage and undervoltage monitors for the 3.3 V supplies. As mentioned in Power supply connectivity, the regulated Vcore output is adjusted to 3.3 V using resistors connected between Vcore and the voltage feedback pin FB_core. The MC33907/08 monitors undervoltage and overvoltage on the FB_core node, which has a typical value of 0.8 V.
Table 3 shows the MC33907/08 undervoltage and overvoltage detection thresholds of the regulator outputs. If the FB_core
pin drifts to the minimum FB_core overvoltage of 0.84 V, then the regulated Vcore output gets adjusted to 3.43 V and an
overvoltage event is detected. As a reaction to the fault condition, the MC33907/08 can be configured to assert the RSTb pin
to trigger a reset to the MPC5643L or it can assert the FS0b pin to control a fail-safe circuitry to shut off the power supply to
the actuator in the system. When the MC33907/08 is deactivated, the power to the MPC5643L is also shut off to prevent
permanent damage to the device. These two error-handling mechanisms will place the MPC5643L in a safe state when an
overvoltage event is detected. The MC33907/08 INIT SUPERVISOR1 register must be configured in the INIT phase to
select the reaction to Vcore feedback overvoltage and undervoltage events, that is, whether the RSTb or FS0b are asserted
upon overvoltage and undervoltage detection.
The same over and undervoltage protection is provided for the ADC and I/O power supplies when the MPC5643L’s analog
power is supplied from the Vcca and the I/O power is supplied from the Vaux regulated output.
Table 3. MC33907/08 overvoltage and undervoltage detection thresholds

MC33907/08 Parameter  Description                                          Minimum (V)  Maximum (V)
Vcore_FB_ov           Vcore feedback overvoltage detection threshold       0.84         0.905
Vcore_FB_uv           Vcore feedback undervoltage detection threshold      0.67         0.773
Vcca_ov_5             Vcca overvoltage detection threshold (5 V config)    5.25         5.5
Vcca_uv_5             Vcca undervoltage detection threshold (5 V config)   4.5          4.75
Vcca_ov_33            Vcca overvoltage detection threshold (3.3 V config)  3.4          3.6
Vcca_uv_33            Vcca undervoltage detection threshold (3.3 V config) 3.0          3.2
Vaux_ov_5             Vaux overvoltage detection threshold (5 V config)    5.25         5.5
Vaux_uv_5             Vaux undervoltage detection threshold (5 V config)   4.5          4.75
Vaux_ov_33            Vaux overvoltage detection threshold (3.3 V config)  3.4          3.6
Vaux_uv_33            Vaux undervoltage detection threshold (3.3 V config) 3.0          3.2
Vcan_ov               5 V CAN overvoltage detection threshold              5.25         5.5
Vcan_uv               5 V CAN undervoltage detection threshold             4.25         4.75
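The divider, ripple and threshold arithmetic from Power supply connectivity and this section, worked as an added Python example (not Freescale's code): it sets Vcore from the 24.9 kΩ / 8.06 kΩ divider at the 0.8 V FB_core point, computes the inductor ripple current and the ESR ripple voltage with the textbook buck-converter relations (the note's Equations 1, 2 and 4 are not reproduced in the text, so those formulas are an assumption here), and maps the Table 3 FB_core thresholds to the Vcore voltages at which the MC33907/08 trips, for comparison with the Table 1 operating range.

```python
"""Vcore supply-design checks for the MC33907/08 feeding the MPC5643L (added example).

Values come from the application note: FB_core typical 0.8 V, divider 24.9 kOhm /
8.06 kOhm, Vin 6.5 V, L 2.2 uH, Fsw 2.4 MHz, 10 uF output capacitor with 100 mOhm
ESR, the Table 3 FB_core thresholds and the Table 1 operating range. The divider and
ripple formulas are the standard buck-converter relations (an assumption: the note's
own equations are not present in the text).
"""
from dataclasses import dataclass

FB_CORE_TYP_V = 0.8                 # typical FB_core regulation point
R_TOP_OHM = 24.9e3                  # resistor from Vcore to FB_core
R_BOT_OHM = 8.06e3                  # resistor from FB_core to GND
V_IN = 6.5                          # Vpre feeding the Vcore buck stage
F_SW_HZ = 2.4e6                     # Vcore switching frequency
L_HENRY = 2.2e-6                    # output inductor
ESR_OHM = 0.1                       # ESR of the 10 uF output capacitor

FB_OV_THRESHOLD_V = (0.84, 0.905)   # Table 3, Vcore_FB_ov (min, max)
FB_UV_THRESHOLD_V = (0.67, 0.773)   # Table 3, Vcore_FB_uv (min, max)
MCU_3V3_RANGE_V = (3.0, 3.6)        # Table 1, MPC5643L 3.3 V supplies


def vcore_from_fb(v_fb, r_top=R_TOP_OHM, r_bot=R_BOT_OHM):
    """The control loop holds FB_core at v_fb, so Vcore = v_fb * (1 + R_top / R_bot)."""
    return v_fb * (1.0 + r_top / r_bot)


def inductor_ripple_current(v_in, v_out, inductance, f_sw):
    """Peak-to-peak inductor ripple of a buck stage: (Vin - Vout) / (L * Fsw) * Vout / Vin."""
    return (v_in - v_out) / (inductance * f_sw) * (v_out / v_in)


def esr_ripple_voltage(delta_i, esr=ESR_OHM):
    """Output ripple contributed by the capacitor ESR: dI * ESR (the dominant term in the note)."""
    return delta_i * esr


@dataclass(frozen=True)
class DetectionBand:
    """Vcore values between which an FB_core comparator trips, given its threshold tolerance."""
    earliest_v: float   # Vcore at which the comparator may already trip
    latest_v: float     # Vcore by which the comparator is guaranteed to have tripped


def ov_detection_band(fb_band=FB_OV_THRESHOLD_V):
    """Rising Vcore: the lowest FB threshold trips first, the highest trips last."""
    lo, hi = fb_band
    return DetectionBand(vcore_from_fb(lo), vcore_from_fb(hi))


def uv_detection_band(fb_band=FB_UV_THRESHOLD_V):
    """Falling Vcore: the highest FB threshold trips first, the lowest trips last."""
    lo, hi = fb_band
    return DetectionBand(vcore_from_fb(hi), vcore_from_fb(lo))


def supervision_margins(ov, uv, mcu_range=MCU_3V3_RANGE_V):
    """Signed distance from each guaranteed trip point to the Table 1 limit it protects.

    Positive: the MC33907/08 is guaranteed to react while Vcore is still inside the
    MPC5643L operating range. Negative: worst-case detection lies outside that range,
    so the designer compares it against the MCU's own monitors (LVD_MAIN) and the
    absolute-maximum ratings in the data sheet.
    """
    mcu_min, mcu_max = mcu_range
    return {"ov_margin_v": mcu_max - ov.latest_v, "uv_margin_v": uv.latest_v - mcu_min}


if __name__ == "__main__":
    d_i = inductor_ripple_current(V_IN, 3.3, L_HENRY, F_SW_HZ)
    print(f"Vcore nominal          : {vcore_from_fb(FB_CORE_TYP_V):.3f} V")
    print(f"Inductor ripple current: {d_i:.3f} A")
    print(f"ESR ripple voltage     : {esr_ripple_voltage(d_i) * 1e3:.1f} mV")
    ov, uv = ov_detection_band(), uv_detection_band()
    print(f"OV trips between {ov.earliest_v:.2f} V and {ov.latest_v:.2f} V")
    print(f"UV trips between {uv.earliest_v:.2f} V and {uv.latest_v:.2f} V")
    print(supervision_margins(ov, uv))
```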
5.2 External watchdog
Some common cause failures (CCFs), such as a complete failure of the power supply, are detected because the software running on the MPC5643L no longer triggers the watchdog (WD). To detect critical failures that could completely disable the MPC5643L, an external WD device must be connected to the MPC5643L for ASIL D applications.
Safety Requirement [SAG_MPC5643L_075] — An external device, acting as the supervisor of operations, must provide a
watchdog to cover CCFs of the MPC5643L for ASIL D applications. It shall be triggered periodically by the safety-relevant
software running on the MPC5643L.
This MPC5643L safety requirement is satisfied by the windowed WD feature of the MC33907/08. The windowed WD concept is shown in Figure 13. This feature requires the MPC5643L to refresh the WD during each open window. The duration of the window is selectable through SPI during the MC33907/08 initialization phase. The window duration is configurable to 1 ms, 2 ms, 3 ms, 4 ms, 8 ms, 16 ms, 32 ms, 64 ms, 128 ms, 256 ms, 512 ms, or 1024 ms in the WD_Window register. The window duty cycle is 50%.
The default window duration is 256 ms, which can then be configured to a different value by the MPC5643L during configuration. The selected window duration should be longer than the maximum duration of an MPC5643L reset sequence, which depends on the reset type and on whether BIST is to be performed. Refer to the data sheet titled MPC5643L Microcontroller Data Sheet to determine the maximum durations for the various reset sequences.
Figure 13. MC33907/08 windowed watchdog
The WD is based on a question and answer principle. The MPC5643L sends an 8-bit seed to the MC33907/08 through the
SPI during the INIT phase. This seed initializes the MC33907/08’s Linear Feedback Shift Register (LFSR). The MPC5643L
then runs a pre-defined calculation using the same seed. The MPC5643L sends the result of the calculation to the
MC33907/08 during the open WD window and the result is verified by the MC33907/08. If the result is correct, the LFSR is
incremented to generate a new pseudo-random word and the WD window is restarted. However, if the result is incorrect, the
WD error counter is incremented, the WD window is restarted and the MC33907/08 asserts INTb.
For each wrong WD refresh, the WD error counter is incremented by 2 (maximum of 6). For each correct WD refresh, the
WD error counter is decremented by 1 (minimum of 0). When the WD error counter reaches 6, a reset is generated and the
RST error counter is incremented by 1. The WD error and the RST error counters can be read by the MPC5643L via SPI
from the WD_Counter register and the Diag_FS2 registers, respectively.
The RST error counter can only be decremented by 1 if the WD is correctly refreshed 7 consecutive times. When the RST
error counter reaches 3, the MC33907/08 activates the FS pins (FS0b) and if the WD continues to be incorrectly refreshed
and if the RST error counter reaches 6, then the MC33907/08 turns off all the regulators and enters a deep reset state. At this
point, a new power-up sequence or a key off/on (if the signal is connected on IO_0) is needed to recover. Alternatively, the
MC33907/08 can be configured to activate the FS pins when the RST error counter reaches 1 and to enter a deep reset state
when the RST error counter reaches 3.
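The counter rules described above, modelled as an added Python example (not Freescale's code) so the reaction sequence can be stepped through for a given pattern of refreshes. Two behaviours the note does not state are assumed: the WD error counter and the consecutive-correct count restart at zero after a reset, and a window with no refresh counts as a wrong refresh.

```python
"""Model of the MC33907/08 watchdog error counters (Section 5.2), added example.

Rules taken from the note: wrong refresh -> WD error counter +2 (max 6) and INTb
asserted; correct refresh -> WD error counter -1 (min 0); WD error counter at 6 ->
RSTb asserted and RST error counter +1; seven consecutive correct refreshes -> RST
error counter -1; RST error counter at the FS threshold (3, or 1 in the alternative
configuration) -> FS0b asserted; at the deep-reset threshold (6, or 3) -> all
regulators off until a new power-up or key off/on.
Assumptions not in the note: the WD error counter and the consecutive-correct count
restart at 0 after a reset, and a window with no refresh is treated as a wrong refresh.
"""
from dataclasses import dataclass, field
from typing import List

WD_ERROR_MAX = 6
WD_WRONG_STEP = 2
WD_CORRECT_STEP = 1
CORRECT_REFRESHES_TO_RECOVER = 7


@dataclass
class WatchdogSupervisor:
    fs_threshold: int = 3           # RST error count that asserts FS0b (default config)
    deep_reset_threshold: int = 6   # RST error count that turns the regulators off
    wd_error_counter: int = 0       # what the MCU reads back from WD_Counter
    rst_error_counter: int = 0      # what the MCU reads back from Diag_FS2
    consecutive_correct: int = 0
    fs0b_asserted: bool = False     # True models the active-low FS0b pin driven low
    regulators_off: bool = False    # deep reset state
    events: List[str] = field(default_factory=list)

    def refresh(self, correct: bool) -> None:
        """One watchdog window in which the MCU answered correctly or wrongly."""
        if self.regulators_off:
            self.events.append("ignored: deep reset, power-up or key off/on needed")
            return
        if correct:
            self._correct_refresh()
        else:
            self._wrong_refresh()

    def missed_window(self) -> None:
        self.refresh(correct=False)     # assumption: a missed window counts as wrong

    def _correct_refresh(self) -> None:
        self.wd_error_counter = max(0, self.wd_error_counter - WD_CORRECT_STEP)
        self.consecutive_correct += 1
        if self.consecutive_correct == CORRECT_REFRESHES_TO_RECOVER:
            self.consecutive_correct = 0
            if self.rst_error_counter > 0:
                self.rst_error_counter -= 1
                self.events.append("RST error counter decremented")

    def _wrong_refresh(self) -> None:
        self.consecutive_correct = 0
        self.wd_error_counter = min(WD_ERROR_MAX, self.wd_error_counter + WD_WRONG_STEP)
        self.events.append("INTb asserted")
        if self.wd_error_counter == WD_ERROR_MAX:
            self._reset_mcu()

    def _reset_mcu(self) -> None:
        self.events.append("RSTb asserted")
        self.rst_error_counter += 1
        self.wd_error_counter = 0           # assumption: cleared by the reset
        self.consecutive_correct = 0
        if self.rst_error_counter >= self.fs_threshold:
            self.fs0b_asserted = True
            self.events.append("FS0b asserted")
        if self.rst_error_counter >= self.deep_reset_threshold:
            self.regulators_off = True
            self.events.append("regulators off, deep reset")


def simulate(pattern: str, **config) -> WatchdogSupervisor:
    """Run a sequence of windows: 'c' correct refresh, 'w' wrong refresh, 'm' missed window."""
    sup = WatchdogSupervisor(**config)
    for step in pattern:
        if step == "m":
            sup.missed_window()
        elif step in ("c", "w"):
            sup.refresh(correct=(step == "c"))
        else:
            raise ValueError(f"unknown window outcome {step!r}")
    return sup


if __name__ == "__main__":
    # Constructed scenario: alternating wrong/correct answers still drift to a reset,
    # because each wrong/correct pair nets +1 on the WD error counter.
    sup = simulate("wcwcwcwcw")
    print(sup.rst_error_counter, sup.events[-1])
    # Three resets in a row reach the FS0b threshold in the default configuration.
    print(simulate("w" * 9).fs0b_asserted)
```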
When the MPC5643L detects a falling edge on the RESET_B signal, the external reset triggers the start of the reset sequence.
5.3 Error output monitor
The MPC5643L Fault Collection and Control Unit (FCCU) supports two external pins, FCCU_F[0] and FCCU_F[1], for error indication. When the FCCU receives a fault signal, it reports the failure to the external world via the FCCU_F[1:0] signals. If an error is indicated, the system may disable or reset the MPC5643L as a reaction to the error signal.
Safety Requirement [SAG_MPC5643L_078] — An external device must be connected to the FCCU via FCCU_F[0] and
optionally FCCU_F[1] to continually monitor the error output pins of the FCCU.
The MC33907/08 satisfies this safety requirement by providing FCCU monitoring of the error output signals from the
MPC5643L. The MC33907/08 IO_2 and IO_3 pins are by default configured as safety inputs for continuous monitoring of
the MPC5643L FCCU outputs.
When the IO_2 and IO_3 pins are configured as inputs for FCCU monitoring, only the bi-stable protocol can be used. In this
mode, the second output FCCU_F[1] is the inverted signal of the first output FCCU_F[0]. In the reset or self-test phase, the
FCCU_F[1:0] pins are set as high-impedance. In the normal state, when no FCCU faults are triggered, the FCCU_F[1:0]=01.
A fault condition is indicated by FCCU_F[1:0]=10.
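The bi-stable encoding is what lets the monitor tell a failing MCU from a failing wire: because FCCU_F[1] must always be the inverse of FCCU_F[0], a pin stuck at a level, an open line or the two lines shorted together shows up as 00 or 11, neither of which is a valid code. The following is an added example written for this note, not Freescale code and not the MC33907/08's internal logic: it models how a monitor on the IO_2/IO_3 inputs can classify each sample of the pair and which reaction (RSTb or FS0b) follows. Treating a protocol violation the same way as a reported fault, and selecting RSTb versus FS0b by a parameter, are assumptions of the model; the sample trace is constructed.

```c
/* Added example, not Freescale code: a model of how a monitor on the
 * MC33907/08 IO_2/IO_3 safety inputs can classify the FCCU_F[1:0] pair under
 * the bi-stable protocol described above, and which SBC reaction follows.
 * Each pin is modelled as low, high or high impedance (reset / self-test).
 * Assumption not stated on this page: a pair that breaks the inverted-signal
 * rule (00, 11, or one pin floating) is reported as a line fault and handled
 * like an MCU fault, since the monitor cannot tell it apart from a failing
 * MCU. The choice between RSTb and FS0b is a parameter here. */
#include <stdbool.h>
#include <stdio.h>

enum pin_level { LVL_LOW = 0, LVL_HIGH = 1, LVL_HIZ = 2 };

enum fccu_state {
    FCCU_RESET_OR_SELFTEST, /* both pins high impedance */
    FCCU_NO_FAULT,          /* FCCU_F[1:0] = 01 */
    FCCU_FAULT,             /* FCCU_F[1:0] = 10 */
    FCCU_LINE_FAULT         /* 00, 11 or a single floating pin: protocol violation */
};

enum sbc_reaction { SBC_REACT_NONE, SBC_REACT_RSTB, SBC_REACT_FS0B };

/* Classify one sample of the pair. f0 is FCCU_F[0] on IO_2, f1 is FCCU_F[1] on IO_3. */
enum fccu_state fccu_decode(enum pin_level f0, enum pin_level f1)
{
    if (f0 == LVL_HIZ && f1 == LVL_HIZ)
        return FCCU_RESET_OR_SELFTEST;
    if (f0 == LVL_HIZ || f1 == LVL_HIZ)
        return FCCU_LINE_FAULT;         /* one driven, one floating: not a valid code */
    if (f0 == LVL_HIGH && f1 == LVL_LOW)
        return FCCU_NO_FAULT;           /* F[1:0] = 01 */
    if (f0 == LVL_LOW && f1 == LVL_HIGH)
        return FCCU_FAULT;              /* F[1:0] = 10 */
    return FCCU_LINE_FAULT;             /* 00 or 11: inverted-pair rule broken */
}

/* Map the classified state to the SBC reaction. react_with_reset selects RSTb
 * (reset the MCU) instead of FS0b (power the system off) for fault states. */
enum sbc_reaction fccu_react(enum fccu_state s, bool react_with_reset)
{
    switch (s) {
    case FCCU_NO_FAULT:
    case FCCU_RESET_OR_SELFTEST:
        return SBC_REACT_NONE;
    default:
        return react_with_reset ? SBC_REACT_RSTB : SBC_REACT_FS0B;
    }
}

/* Scan captured samples {F0, F1} and return the index of the first one that
 * demands a reaction, or -1 if none does. *reaction receives what the SBC did. */
int fccu_monitor(const enum pin_level (*samples)[2], int n, bool react_with_reset,
                 enum sbc_reaction *reaction)
{
    for (int i = 0; i < n; i++) {
        enum sbc_reaction r =
            fccu_react(fccu_decode(samples[i][0], samples[i][1]), react_with_reset);
        if (r != SBC_REACT_NONE) {
            if (reaction)
                *reaction = r;
            return i;
        }
    }
    if (reaction)
        *reaction = SBC_REACT_NONE;
    return -1;
}

/* Constructed trace: MCU in reset (high impedance), then fault-free (01),
 * then F0 drops and F1 rises (10), a genuine FCCU fault at sample 5. */
int demo_trace_first_reaction(enum sbc_reaction *reaction)
{
    const enum pin_level trace[][2] = {
        {LVL_HIZ, LVL_HIZ},  {LVL_HIZ, LVL_HIZ},
        {LVL_HIGH, LVL_LOW}, {LVL_HIGH, LVL_LOW}, {LVL_HIGH, LVL_LOW},
        {LVL_LOW, LVL_HIGH},
    };
    return fccu_monitor(trace, 6, true, reaction);
}

int main(void)
{
    enum sbc_reaction r;
    int idx = demo_trace_first_reaction(&r);
    printf("first reaction at sample %d: %s\n", idx, r == SBC_REACT_RSTB ? "RSTb" : "FS0b");
    printf("11 on the pair -> %s\n",
           fccu_decode(LVL_HIGH, LVL_HIGH) == FCCU_LINE_FAULT ? "line fault" : "valid code");
    return 0;
}
```

Note that the high-impedance state is only accepted when both pins float together, which is what the MPC5643L does during reset and self-test; a single floating pin is a wiring fault, not a quiet MCU.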
When a failure is signaled through the IO_2 and IO_3 pins, the MC33907/08 handles the error in one of the following
ways:
• Assert RSTb (active low) to reset the MPC5643L
• Assert FS0b (active low) to power off the system
The MC33907/08 allows the user to configure how the RSTb and FS0b pins react to overvoltage conditions.
6 Conclusion
This application note has described the hardware aspects of integrating the Freescale MPC5643L and MC33907/08. Further
information on the material in this application note can be found in the reference manuals and data sheets for the two
products.
Freescale SafeAssure program: Functional Safety. Simplified.
For more information, visit www.freescale.com/SafeAssure.
7 References
• Reference Manual — Qorivva MPC5643L Microcontroller Reference Manual (document number MPC5643LRM)
• Data Sheet — MPC5643L Microcontroller Data Sheet (document number MPC5643L)
• Product Brief — MPC5643L Microcontroller Product Brief (document number MPC5643LPB)
• Safety Application Guide — Safety Application Guide for MPC5643L (document number MPC5643LSAG)
8 Revision history
Revision   Description of changes
0          Initial release
1          • Voltage regulators: changed the output voltage values for Vpre, Vcore, and Vaux.
           • Built-in CAN and LIN transceivers: removed text about supported standards.
           • Low Power OFF mode: revised section to describe only the low power off mode.
           • Power supply connectivity: changed power supply capacitor value, pre-regulator
             capacitor quantity and value, Vcore output value, and resistor values.
           • Ground separation: new section.
           • Figure 5: changed resistor and capacitor values.
           • Table 2: removed or changed voltage and resistor values.
           • Power-up sequence: clarified Vpre buck-boost behavior.
           • CAN connectivity: removed LIN content.
           • External watchdog: added 3 ms to the list of WD window durations. Added key off/
             on as a method to perform deep reset state recovery.
           • Removed references to FS1 pin throughout.
2          Updated Figure 5
How to Reach Us:
Home Page:
freescale.com
Web Support:
freescale.com/support
Information in this document is provided solely to enable system and
software implementers to use Freescale products. There are no express
or implied copyright licenses granted hereunder to design or fabricate
any integrated circuits based on the information in this document.
Freescale reserves the right to make changes without further notice to
any products herein.
Freescale makes no warranty, representation, or guarantee regarding
the suitability of its products for any particular purpose, nor does
Freescale assume any liability arising out of the application or use of
any product or circuit, and specifically disclaims any and all liability,
including without limitation consequential or incidental damages.
“Typical” parameters that may be provided in Freescale data sheets
and/or specifications can and do vary in different applications, and
actual performance may vary over time. All operating parameters,
including “typicals,” must be validated for each customer application by
customer's technical experts. Freescale does not convey any license
under its patent rights nor the rights of others. Freescale sells products
pursuant to standard terms and conditions of sale, which can be found
at the following address: freescale.com/SalesTermsandConditions.
Freescale, the Freescale logo, and Qorivva are trademarks of Freescale
Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. SafeAssure and the
SafeAssure logo are trademarks of Freescale Semiconductor, Inc. All
other product or service names are the property of their respective
owners. The Power Architecture and Power.org word marks and the
Power and Power.org logos and related marks are trademarks and
service marks licensed by Power.org.
© 2012–2014 Freescale Semiconductor, Inc.
Document Number AN4442
Revision 2, 1/2014