Freescale Semiconductor, Inc.
Application Note
Document Number: AN5099
Rev. 0, 04/2015

Integrating the MPC5744P and MC33907/08 for Safety Applications
by: Tomas Kulig

© 2015 Freescale Semiconductor, Inc. All rights reserved.

Contents
1. Introduction
2. MPC5744P Overview
2.1. Safety concept
2.2. Power supply requirements
2.3. Communication interfaces
2.4. Fault Collection and Control Unit (FCCU)
3. MC33907/08 features
3.1. Voltage regulators
3.2. Built-in CAN transceiver
3.3. Built-in LIN transceiver
3.4. Watchdog function
3.5. Fail safe machine
3.6. Error indication
3.7. Analog multiplexer
3.8. Low power OFF mode – LPOFF sleep
4. MPC5744P and MC33907/08 alignment
4.1. MC33907/08 power supply
4.2. Ground separation
4.3. Power-up sequence
4.4. CAN connectivity
4.5. LIN connectivity
4.6. SPI connectivity
4.7. Error management connectivity
5. MPC5744P safety requirements
5.1. Power supply and monitor
5.2. External watchdog
5.3. Error output monitor
5.4. Functional and Destructive Reset Escalation
6. Conclusion
7. Reference

1. Introduction

This application note provides design guidelines for integrating the Freescale MPC5744P microcontroller unit (MCU) and the Freescale MC33907/08 System Basis Chip in automotive electric and electronic systems that target the ISO 26262 functional safety standard. It provides an overview of the MPC5744P and MC33907/08 feature sets and covers the functional safety requirements that are satisfied to achieve the ASIL D level of safety. Integrating the MPC5744P and MC33907/08 in a system provides many advantages to customers. Freescale’s ISO 26262 solutions, which form part of the Freescale SafeAssure program, help system manufacturers to easily achieve system compliance with functional safety standards by simplifying the system architecture.

2. MPC5744P Overview

This section describes the MPC5744P features that are of interest when integrating the device with the MC33907/08.

2.1. Safety concept

The MPC5744P is built around the e200z425n3 dual-issue core Sphere of Replication (SoR) safety platform, with a safety concept targeting the ISO 26262 ASIL D integrity level. To minimize the additional software and module-level features needed to reach this target, on-chip redundancy is offered for the critical components of the MCU:
• CPU core
• DMA controller
• Interrupt controller
• Crossbar bus system
• Memory Protection Unit (MPU)
• Flash memory and RAM controllers
• Peripheral bridges
• System timers
• Watchdog timer
• Register protection

A Redundancy Control and Checker Unit (RCCU) is implemented at each output of this SoR. ECC is available for on-chip RAM and flash memories. The programmable Fault Collection and Control Unit (FCCU) monitors the integrity status of the device and provides flexible safe state control.

2.2. Power supply requirements

The device requires a nominal 3.3 V power supply for all modules except the core and the ADC reference voltage.
The ADC reference voltage ranges from 3.15 V to 5.5 V (the MC33907/08 has two fixed voltages: 3.3 V or 5.0 V). The core voltage supplies can be generated by the on-chip voltage regulator (these supplies are not under user control) or by an external regulator. All I/Os are at the same voltage as the external supply (3.3 V nominal). See Table 1 for the list of MPC5744P power supplies.

Table 1. MPC5744P supplies (3.3 V and 5 V)
MPC5744P Supplies   Minimum   Maximum   Unit
VDD_HV_PMU 3.3 V regulator supply
VDD_HV_IOx 3.3 V I/O supply
VDD_HV_FLA0 3.3 V Flash supply
VDD_HV_OSC 3.3 V oscillator supply
VDD_HV_ADV0/1 3.3 V ADC supply
VDD_HV_ADx_VDDE/ ADC reference Tj <=150°C 3.15 5.5
ADC reference 150°C <Tj < 165°C 3.15 5.25
VDD_HV_ADREx 1 3.15 3.6 V
1. The user may select each voltage between Minimum and Maximum as the ADC reference voltage. Full functionality cannot be guaranteed when the voltage drops below the minimum value.

2.3. Communication interfaces

Three serial communication interfaces are used together with the MC33907/08: FlexCAN, LINFlexD (UART), and Deserial/Serial Peripheral Interface (DSPI).

The FlexCAN module is a communication controller implementing the CAN Protocol Specification version 2.0B.

The LINFlexD module supports LIN Master mode, LIN Slave mode and UART mode. The LIN state machine is compliant with the LIN 1.3, 2.0, 2.1 and 2.2 specifications.

The DSPI module provides a synchronous serial bus for communication between the MCU and external peripheral devices, for example, the MC33907/08.

2.4. Fault Collection and Control Unit (FCCU)

The Fault Collection and Control Unit (FCCU) offers a hardware channel to collect errors and to place the device into a safe state when a failure in the device is detected. CPU intervention is not required for the collection and control operation.
The FCCU also has configurable and graded fault control with both internal reaction (no reset reaction, IRQ, Short Reset, Long Reset or NMI) and external reaction (the failure is reported to the outside world via one or more output pins). The external reaction via output pins is the aspect of interest when integrating with the MC33907/08.

3. MC33907/08 features

The MC33907/08 devices are multi-output power supply integrated circuits, including HSCAN and LIN (MC33907L and MC33908L) transceivers, dedicated to the automotive market.

Multiple switching and linear voltage regulators, including a low power mode, are available with various wake-up capabilities. An advanced power management scheme is implemented to maintain high efficiency over wide input voltages and wide output current ranges.

The MC33907/08 devices include enhanced safety features, with multiple fail-safe outputs, becoming a full part of a safety-oriented system partitioning, to reach a high integrity safety level.

The MC33907/08 devices simplify system implementation by providing the ISO 26262 system solutions and documentation to save customer cost and complexity through an optimized interface with an MCU. The device also reduces system complexity and increases functional robustness, offering excellent EMC and ESD performance.

3.1. Voltage regulators

The MC33907/08 voltage regulators block diagram is shown in Figure 1 and the VPRE voltage ranges are listed in Table 2.

Table 2. VPRE voltage ranges
Mode         VSUP [V]                 VPRE [V]
Buck         > VSUP_UV_7              6.25 ÷ 6.75
Buck         VSUP_UV_7 >= … >= 4.6    VPRE_UV4P3 ÷ (VSUP – RDSON_PRE * IPRE)
Buck-Boost   > VSUP_UV_7              6.25 ÷ 6.75
Buck-Boost   VSUP_UV_7 >= … >= 2.7    6.00 ÷ 7.00
Figure 1. Voltage regulators of MC33907/MC33908 (block diagram: VSUP feeds the Vpre buck or buck-boost DC/DC pre-regulator, with a VSUP range of 4.6 V ÷ 40 V in buck and 2.7 V ÷ 40 V in buck-boost; VCORE buck DC/DC, 1.2 V - 3.3 V, 0.8 A (MC33907) or 1.5 A (MC33908); VAUX linear, 3.3 V or 5 V, 300 mA; VCCA linear, 3.3 V or 5 V, 100 mA with internal MOSFET or 300 mA with external PNP; VCAN linear, 5 V, 100 mA)

• Vpre VOLTAGE PRE-REGULATOR
The Vpre voltage pre-regulator is a flexible switched-mode power supply (SMPS). The SMPS pre-regulator can be configured in two topologies, non-inverting buck-boost or standard buck, depending on the external configuration. The configuration is detected automatically during the start-up sequence; see the data sheet for more information. The output voltage Vpre is regulated in ranges that depend on the VSUP voltage and the pre-regulator mode in use, see Figure 1. The output current capability is up to 2 A. The SMPS pre-regulator also keeps power dissipation down and eliminates the need for bulky heat sinks compared to linear regulators.

• Vcore VOLTAGE REGULATOR
The Vcore voltage regulator is a step-down DC-DC converter with a PWM frequency of 2.4 MHz. The high-side MOSFET is integrated in the device. The output voltage is configurable in the 1.2 V to 3.3 V range through the external resistor divider (1% accuracy resistors recommended) connected between Vcore and the feedback pin. The MPC5744P core voltage can be set to either 1.2 V (MPC5744P is in external regulator mode) or 3.3 V (MPC5744P is in internal regulator mode). The accuracy is ±2 % without the external resistors included. The output current is up to 1.5 A for the MC33908 and up to 0.8 A for the MC33907. The stability of the overall converter is ensured by an external compensation network connected to the COMP_CORE pin.
• Vcca VOLTAGE REGULATOR
The Vcca linear voltage regulator is mainly dedicated to supplying the MCU I/Os, especially the ADC. The output voltage is selectable at 5 V or 3.3 V. The accuracy is ±1 % for 5 V and ±1.5 % for 3.3 V when the output current capability is 100 mA with the internal MOSFET transistor. An external PNP transistor can be used to boost the current capability to 300 mA, with the output voltage accuracy reduced to ±3 %. The PNP connection is detected automatically during the startup sequence of the MC33907/08.

• Vaux VOLTAGE REGULATOR
The Vaux auxiliary voltage regulator is a dedicated supply for additional devices in the ECU or for sensors outside the ECU. The Vaux output voltage is selectable between 5 V and 3.3 V. The accuracy is ±3 % and an external PNP transistor must be used because there is no internal current capability. The output current is up to 300 mA.

• 5V-CAN VOLTAGE REGULATOR
The Vcan is a linear voltage regulator fully dedicated to the embedded HSCAN interface. The output current capability is up to 100 mA.

3.2. Built-in CAN transceiver

The built-in enhanced high-speed CAN interface fulfills the ISO11898-2 and -5 standards. Local and bus failure diagnostics, protection and fail-safe operation mode are provided. The HSCAN also provides wake-up capability with very low current consumption.

3.3. Built-in LIN transceiver

This section applies to the MC33907L and MC33908L versions.

The LIN interface fulfills LIN protocol specifications 1.3, 2.0, 2.1, 2.2, and SAEJ2602-2. The LIN interface can be used as a wake-up source.

The device has two selectable baud rates: 20 kbit/s for the normal baud rate and 10 kbit/s for the slow baud rate. An additional fast baud rate (100 kbit/s) is implemented. It can be used to flash the MCU or in the garage for diagnostics. The LIN Consortium specification does not specify electrical parameters for this baud rate. Only the communication must be guaranteed.
In LPOFF mode, the LIN transistor is OFF, and this pin is pulled up to VSUP3. LIN has integrated ESD protection and extremely high robustness against external disturbances, such as EMC and electrical transients.

NOTE
The MC33907/08L has a LIN driver and the MC33907/08 does not. Refer to the datasheet of the System Basis Chip device to check whether the LIN driver is available on the part.

3.4. Watchdog function

A windowed watchdog is implemented in the MC33907/08 and is based on the “question/answer” principle. The watchdog must be continuously triggered by the MCU in the open watchdog window, otherwise an error is generated.

3.5. Fail safe machine

To meet the needs of safety-critical applications, a dedicated Fail Safe Machine (FSM) is provided. The FSM is composed of 3 main sub-blocks:
• Voltage Supervisor (VS)
• Fail Safe State Machine (FSSM)
• Fail Safe Output driver (FSO)

The FSM is as independent as possible from the rest of the circuitry to avoid common cause failure. For this reason, the FSM has its own voltage regulators (analog and digital), dedicated bandgap and oscillator. Moreover, this block is also physically as independent as possible from the rest of the circuitry, through dedicated layout and placement.

There are two fail-safe outputs: RSTB (asserted low to reset the MCU) and FS0B (asserted low to control any fail-safe circuitry).

3.6. Error indication

Digital inputs are available for monitoring the MCU error signals as well as for error handling of external ICs.

3.7. Analog multiplexer

The analog multiplexer allows the following voltages to be multiplexed, output from the MC33907/08 and input to one of the MCU’s ADC channels. The MCU can use the information for monitoring purposes. The multiplexer output and the range of the multiplexer (tight or wide) are selected via the SPI interface.
• 2.5 V internal reference voltage with a ±1 % accuracy
• Battery sense
• Analog inputs IO_0 and IO_1
• Die temperature sensor

The battery sense and the IO_0 and IO_1 analog pins are not connected directly to the analog multiplexer but via resistor dividers. There are 4 dividers available for each of them. The divider selected depends on the VDDIO voltage value and on the configured range (wide or tight). See Figure 2 for more information.

Figure 2. Simplified analog multiplexer block diagram

3.8. Low power OFF mode – LPOFF sleep

Entering Low Power OFF - SLEEP mode is only possible when the product is in Normal mode, by sending a secured SPI command. In this mode, all the regulators are turned OFF and the MCU connected to the VCORE regulator is unsupplied.

Once the MC33907/08 is in LPOFF SLEEP, the device monitors external events to wake up and leave the Low Power mode. Depending on the device configuration, wake-up events can come from:
• CAN
• LIN
• I/O inputs

When a wake-up event is detected, the device starts the main state machine again by detecting the VPRE configuration (BUCK or BUCK-BOOST), the wake-up source is reported in the dedicated SPI register, and the fail-safe state machine is also restarted. Finally, after the wake-up event, the regulators are turned ON, the MCU operation restarts and the initialization phase is accessible again.

4. MPC5744P and MC33907/08 alignment

A typical application that integrates the MPC5744P with the MC33907/08 is shown in Figure 3. The MC33907/08 devices provide power generation and voltage monitoring to the MCU and external watchdog supervision to detect failures of the MCU. They also monitor the error signals coming from
the MCU and provide fail-safe mechanisms to maintain the system in a safe state in case a failure occurs. This section provides design guidelines for integrating the MPC5744P with the MC33907/08 to achieve the ASIL D safety level.

Figure 3. MPC5744P and MC33907/8 typical application

4.1. MC33907/08 power supply

Power to the MC33907/08 devices is supplied via the VSUP1, VSUP2, and VSUP3 supply pins. An external reverse battery protection diode must be connected between the VBAT external battery input (JP1 in Figure 4) and the capacitor input filter. A PI filter is implemented to prevent current switching noise from the DC/DC converters from propagating onto VBAT and VSUP3 (the clean supply from which all internal thresholds are generated). For that reason, VSUP3 must be connected before the PI filter to deliver a clean supply to the MC33907/08, de-correlated from VSUP1 and VSUP2, which are dedicated to the SMPS. The resistor connected to the VSENSE pin limits the current at the pin in case of high transients. The MC33907/08 power connection is shown in Figure 4.

Figure 4. MC33907/08 supply connections

4.1.1. MC33907/08 pre-regulator

The MC33907/08 pre-regulator output Vpre is between 6.0 V and 7.0 V in the non-inverting buck-boost converter configuration, as shown in Figure 5. In this mode, the Gate_LS pin drives an external MOSFET transistor. A 22 μH inductor is used. It is recommended that the capacitors C7, C8, C9 and C10 together have a low equivalent series resistance (ESR) of less than 100 mΩ and that C6 has a low ESR of less than 10 mΩ. A 100 nF capacitor must be connected to the Boot_pre pin.

Figure 5. MC33907/08 Pre-regulator connection in buck-boost configuration

A snubber circuit filters the ringing at each turn-on of the integrated SMPS switch to improve EMC performance. The values of its components must be fine-tuned because they also depend on board layout performance (see AN4766 on freescale.com for more details).

4.1.2. MPC5744P core supply

The MPC5744P requires 3.3 V for the VDD_HV_PMU regulator, which can be supplied by the MC33907/08 Vcore voltage regulator. The Vcore provides a selectable output voltage around 1.2 V or 3.3 V. The MC33908 is capable of supplying 1.5 A from the Vcore regulator in normal mode, while the MC33907 can output 0.8 A from Vcore. For the MPC5744P, the MC33907 current capability is sufficient. The Vcore value is adjusted using a voltage divider connected between the regulated Vcore output and the voltage feedback pin FB_core, which has a typical threshold voltage value of 0.8 V.

4.1.2.1. Vcore voltage selection

High-precision 1% resistors should be used. For a 3.3 V core voltage, resistor values of 6.2 kΩ (R4) and 2 kΩ (R5) are used in the voltage divider circuit to set Vcore to 3.3 V. The following equation is used for calculating the resistor values.

Equation 1:

The connection between the Vcore output from the MC33907/08 and the MPC5744P VDD_HV_PMU is shown in Figure 5.
The Vcore can also be used to power the MCU’s Flash (VDD_HV_FLA0), I/O (VDD_HV_IOx) and oscillator (VDD_HV_OSC) supplies. A power transistor must be added on the PCB to generate the supply for the MPC5744P core logic (VDD_LV_COR0). Note that the decoupling capacitors on the MPC5744P side are not shown in the diagram. Refer to the MPC5744P Data Sheet for details on the required bypass capacitors and the external ballast transistor.

4.1.2.2. Vcore ripple voltage

Since the Vcore provides the main power source to the MPC5744P, it is important that proper filtering is implemented at the Vcore output to ensure a clean voltage at the MPC5744P supply input.

The current through the inductor, ΔIINDUCTOR, can be calculated based on the known parameters:
• Input voltage VIN = 6.5 V
• Output voltage VOUT = 3.3 V
• VCORE regulator switching frequency FSW = 2.4 MHz
• Inductor L = 2.2 μH
• IOUTMAX = 1.5 A for MC33908 (0.8 A for MC33907)

Equation 2 shows the current flow through the inductor, which yields 0.308 A.

Equation 2:

Equation 3 yields a voltage overshoot of 24.6 mV for the MC33908 (9.3 mV for the MC33907) when CO consists of two 22 μF capacitors and one 100 nF capacitor.

Equation 3:
MC33908 (1.5 A):
MC33907 (0.8 A):

The voltage ripple across the output capacitor is the sum of the ripple voltage due to the output capacitor’s ESR and the voltage due to the capacitance. The output capacitor will have a ripple voltage that is proportional to its ESR; therefore, it should have a low ESR value to minimize the ripple voltage. For example, a 22 μF capacitor with a 20 mΩ ESR is available from an electronic parts vendor. The ripple voltage due to the output capacitor ESR, VOUTESR, is shown in Equation 4, which yields 3.08 mV.
Equation 4:

The other component of the voltage ripple is the voltage due to the capacitance, which is shown in Equation 5 and yields 0.74 mV.

Equation 5:

Both voltage ripple components add up to about 3.8 mV, which is less than 1% of the 3.3 V output. Note that selecting a capacitor with a higher ESR can exceed the target output voltage ripple, so careful consideration must be made. It is also critical that the MPC5744P includes proper decoupling capacitors between the VDD pins and the nearest corresponding GND pins. Refer to the MPC5744P Reference Manual for more details. Note that the MCU-side decoupling capacitors are not shown in Figure 7.

Figure 6 shows the Vcore output voltage ripple as measured from the 2 x 22 μF and 1 x 100 nF decoupling capacitors on the MCU side. The measured peak-to-peak voltage is approximately 4.4 mV.

Figure 6. Voltage ripple on Vcore

A compensation network consisting of two resistors and two capacitors, as shown in Figure 7, is required to ensure stability of the buck converter. The component values shown are selected based on the 3.3 V Vcore (MPC5744P is in the external regulator mode) output and load capacitance.

Figure 7. MC33907/08 and MPC5744P Vcore supply connection

A snubber circuit filters the ringing at each turn-on of the integrated SMPS switch to improve EMC performance. The values of its components must be fine-tuned because they also depend on board layout performance. It is recommended that the capacitors C18 and C19 together have a low equivalent series resistance (ESR) of less than 100 mΩ. Note that the decoupling capacitors on the MPC5744P side are not shown in the diagram.
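The Vcore divider and ripple figures of sections 4.1.2.1 and 4.1.2.2 can be re-derived with the short design check below. It is an added example, not Freescale code: the equations themselves are not reproduced in this copy, so the standard buck-converter relations are assumed, the overshoot peak current is taken as IOUTMAX + ΔI, the two 22 μF capacitors are treated as two 20 mΩ ESRs in parallel, and the ±2 % regulator accuracy is applied to the FB_core threshold. All function names are hypothetical.

```python
"""Vcore design check for the MC33907/08 buck stage feeding the MPC5744P.

Added example. Component values are the ones quoted in the note; the
formulas are standard buck-converter relations assumed for illustration.
"""
import math

V_FB = 0.8                      # typical FB_core threshold [V]
R4, R5 = 6.2e3, 2.0e3           # divider for 3.3 V Vcore [ohm]
V_IN, V_OUT = 6.5, 3.3          # buck input (Vpre) and output (Vcore) [V]
F_SW = 2.4e6                    # Vcore switching frequency [Hz]
L_CORE = 2.2e-6                 # inductor [H]
C_BULK, N_BULK = 22e-6, 2       # two 22 uF output capacitors [F]
C_HF = 100e-9                   # one 100 nF capacitor [F]
ESR_BULK = 20e-3                # ESR of each 22 uF capacitor [ohm]
I_OUT_MAX = {"MC33908": 1.5, "MC33907": 0.8}   # [A]


def vcore_from_divider(v_fb, r_top, r_bottom):
    """Regulated output for a feedback node held at v_fb."""
    return v_fb * (1.0 + r_top / r_bottom)


def vcore_tolerance_band(v_fb, r_top, r_bottom, r_tol=0.01, reg_tol=0.02):
    """Worst-case (min, max) Vcore for resistor and regulator tolerances.

    Assumption: reg_tol scales the feedback threshold itself.
    """
    lo = vcore_from_divider(v_fb * (1 - reg_tol),
                            r_top * (1 - r_tol), r_bottom * (1 + r_tol))
    hi = vcore_from_divider(v_fb * (1 + reg_tol),
                            r_top * (1 + r_tol), r_bottom * (1 - r_tol))
    return lo, hi


def inductor_ripple_current(v_in, v_out, inductance, f_sw):
    """Peak-to-peak inductor current of an ideal buck stage."""
    return v_out * (v_in - v_out) / (v_in * inductance * f_sw)


def esr_ripple_voltage(delta_i, esr_per_cap, n_parallel):
    """Ripple across the effective ESR of n identical parallel capacitors."""
    return delta_i * esr_per_cap / n_parallel


def load_release_overshoot(v_out, i_out, delta_i, inductance, c_out):
    """Overshoot when the load is removed and the inductor energy
    (at peak current i_out + delta_i) is dumped into c_out."""
    i_peak = i_out + delta_i
    return math.sqrt(v_out ** 2 + inductance * i_peak ** 2 / c_out) - v_out


def vcore_report(part):
    """Collect the design figures for 'MC33907' or 'MC33908'."""
    c_out = N_BULK * C_BULK + C_HF
    delta_i = inductor_ripple_current(V_IN, V_OUT, L_CORE, F_SW)
    v_min, v_max = vcore_tolerance_band(V_FB, R4, R5)
    return {
        "vcore_nominal_v": vcore_from_divider(V_FB, R4, R5),
        "vcore_min_v": v_min,
        "vcore_max_v": v_max,
        "inductor_ripple_a": delta_i,
        "esr_ripple_v": esr_ripple_voltage(delta_i, ESR_BULK, N_BULK),
        "overshoot_v": load_release_overshoot(
            V_OUT, I_OUT_MAX[part], delta_i, L_CORE, c_out),
    }


if __name__ == "__main__":
    for part in sorted(I_OUT_MAX):
        r = vcore_report(part)
        print(f"{part}: Vcore {r['vcore_nominal_v']:.3f} V "
              f"({r['vcore_min_v']:.3f}..{r['vcore_max_v']:.3f} V), "
              f"dI {r['inductor_ripple_a'] * 1e3:.0f} mA, "
              f"ESR ripple {r['esr_ripple_v'] * 1e3:.2f} mV, "
              f"overshoot {r['overshoot_v'] * 1e3:.1f} mV")
```

With R4 = 6.2 kΩ and R5 = 2 kΩ the nominal result is 3.28 V, and the worst-case band shows how much of the supply margin the divider and regulator tolerances consume before any ripple is added.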
Refer to the data sheet of the MPC5744P for details on the required bypass capacitors.

4.1.3. MPC5744P ADC voltage and reference supplies

The MPC5744P ADC voltage (VDD_HV_ADVx) requires a 3.3 V supply. The ADC reference voltages (VDD_HV_ADRE0 and VDD_HV_ADRE1) can be 3.3 V or 5 V. VDD_HV_ADRE0 and VDD_HV_ADRE1 cannot be operated at different voltages and must be supplied by the same voltage source. With a selectable voltage of 3.3 V or 5 V, the MC33907/08 Vcca linear regulator can be used to supply the MPC5744P ADC reference voltages. If the ADC reference voltage is selected to be 3.3 V, the Vcca regulator can also be used to supply the MPC5744P ADC voltage.

Depending on the power requirements of the system, an external PNP transistor can be connected to Vcca. With the external transistor, Vcca is accurate to ±3% and can output up to 300 mA. The MC33907/08 automatically detects the external transistor during its startup sequence. If only the internal ballast is used, Vcca is accurate to ±1% and can output up to 100 mA.

The value of the external resistor connected between the SELECT and GND pins determines the Vcca and Vaux voltages. Table 3 shows the required resistor value for the selected voltage.

Table 3. Vcca and Vaux voltage selection
Vcca [V]   Vaux [V]   Resistor range [kΩ]   Recommended value [kΩ]
3.3        3.3        < 7                   5.1 ± 5%
5.0        5.0        10.8 to 13.2          12 ± 5%
3.3        5.0        21.6 to 26.4          24 ± 5%
5.0        3.3        45.9 to 56.1          51 ± 5%

Figure 8 shows the connection between the MC33907/08 Vcca and the MPC5744P ADC voltage and reference supplies when the reference supply is connected to 5.0 V and the supply voltage is connected to 3.3 V (Vcore voltage generated by the MC33907/08). Both of them require 3.3 V. A 12 kΩ resistor between the SELECT and GND pins will configure the Vcca and Vaux pins to 5.0 V.
A ferrite transformer is used to isolate the digital and analog supplies. Note that the decoupling capacitors on the MPC5744P side are not shown in the diagram. Refer to the data sheet of the MPC5744P for details on the required bypass capacitors.

Figure 8. MC33907/08 and MPC5744P Vcca supply connection

Alternatively, if the Vcca reference supply is 3.3 V, the ADC voltage supply can use the Vcca supply voltage instead of the Vcore voltage supply.

4.1.4. Auxiliary voltage supply

The MC33907/08 auxiliary Vaux voltage regulator provides a selectable output of 5 V or 3.3 V to supply power to additional devices in the ECU. It can also be used as a sensor supply outside the ECU. The Vaux is accurate to ±3% and can output up to 300 mA. Figure 9 shows the connection of the Vaux voltage.

Figure 9. MC33907/08 Vaux supply connection

4.2. Ground separation

Three grounds are available on the MC33907/08: AGND (analog ground), GND_COM (physical layer ground), and DGND (digital ground). On the PCB there are a power ground (PGND) and a quiet ground (QGND), which must be clearly separated. The PGND is for the SMPS components involved in the high transient current loops and also for the DGND of the MC33907/08 and the MPC5744P GNDs. The QGND is for the AGND and GND_COM of the MC33907/08 and other components which are not connected to the PGND. Connections between the MC33907/08 grounds, MPC5744P grounds and PCB grounds are shown in Figure 10.

On the PCB, the connection between PGND and QGND must be made as far as possible from the local PGND ground. The best place is at the Vbat connector level.
This will ensure that the noisy PGND does not pollute the QGND.

Figure 10. Ground connections between MC33907/08 and PCB ground

4.3. Power-up sequence

To provide a safe and well-known start-up sequence, the MC33907/08 devices include an undervoltage lock-out. The Vsup must be higher than VSUP_UV_5 (5.6 V) to leave the PowerDown mode. In all the other conditions, the MC33907/08 is able to operate down to this lock-out voltage.

When Vsup rises to 5.6 V, the pre-regulator voltage Vpre starts to activate, which then turns on the different voltage rails if configured in buck-boost. The Vcore, Vcca, and Vaux automatically ramp up at the same time to provide power to the MPC5744P, as shown in Figure 11 (VSUP – dark blue, VCORE – light blue, VCCA – pink, VAUX – green). With built-in self-test (BIST) disabled, the MPC5744P de-asserts the RESET_B signal approximately 3 ms after the 3.3 V supplies are active to signal the end of the power-up sequence, as shown in Figure 12 (VSUP – dark blue, VCORE – light blue, RESET – pink).

When the MC33907/08 is in normal mode and the Vsup falls under the lock-out voltage of 2.7 V (buck-boost mode) or 4.6 V (buck mode), the device is under power-on-reset condition.

Figure 11. Power up sequence

Figure 12. Reset de-assertion

4.4. CAN connectivity

The CAN_5V linear regulator provides the 5 V CAN transceiver supply. A 1 μF capacitor must be connected between CAN_5V and GND.
The MC33907/08 transmit (TXD) and receive (RXD) data pins connect to the MPC5744P FlexCAN 0 TXD and RXD pins, respectively. The physical CAN bus interface connects to the CANH and CANL pins on the MC33907/08 side. The MC33907/08 CAN interface is connected to the MPC5744P as shown in Figure 13.

Figure 13. MC33907/08 + MPC5744P CAN connections (PwrSBC TXD to GPIO16/CAN0_TXD, RXD to GPIO17/CAN0_RXD; CANH and CANL to the CAN bus; 1 μF on CAN_5V)

4.5. LIN connectivity

The VSUP3 voltage provides the supply for the LIN physical layer. The MC33907/08 transmit (TXD) and receive (RXD) data pins connect to the MPC5744P LIN 1 TXD and RXD pins, respectively. The physical LIN bus interface connects to the LIN pin on the MC33907/08 side. The MC33907/08 LIN interface is connected to the MPC5744P as shown in Figure 14.

Figure 14. MC33907/08 + MPC5744P LIN connections (PwrSBC TXD to GPIO94/LIN1_TXD, RXD to GPIO95/LIN1_RXD; LIN to the LIN bus; supply from VSUP3)

4.6. SPI connectivity

The Serial Peripheral Interface (SPI) allows bi-directional communication between the MPC5744P and the MC33907/08. The MPC5744P, which acts as the master, accesses the MC33907/08 configuration registers through SPI registers. The watchdog refresh is also communicated via SPI. The MC33907/08 SPI interface is connected to the MPC5744P as shown in Figure 15.

Figure 15. MC33907/08 + MPC5744P SPI connections (PwrSBC MOSI to GPIO38/DSPI0_SOUTI, MISO to GPIO39/DSPI0_SIN, SCLK to GPIO37/DSPI0_SCK, /CS to GPIO36/DSPI0_CS0)

4.7. Error management connectivity

The MC33907/08 pins can be configured as safety inputs from the MPC5744P for continuous monitoring of the MPC5744P FCCU output pins FCCU_F[0] and FCCU_F[1].

The MC33907/08 asserts INTb when an interrupt condition occurs. This pin connects to the Non-Maskable Interrupt (NMI) pin of the MPC5744P to trigger an NMI.
In case a failure occurs, the MC33907/08 asserts RSTb to reset the MPC5744P. This pin connects to the RESET_B pin of the MPC5744P.

It is recommended that the fail-safe output FS0b is connected to an external circuit that disconnects the power to the critical circuits of the application when FS0b is asserted to indicate a fault, as shown in Figure 16. This mechanism ensures that power to the critical circuits of the application is cut off to prevent potential damage to the system or any injury.

It is necessary to use pull-up (IO_3) and pull-down (IO_2) resistors. The resistors define the default state and avoid false error detection during the startup phase or any other phase when the MPC5744P does not drive these pins.

Figure 16. MC33907/08 + MPC5744P error management connections

5. MPC5744P safety requirements

The MPC5744P requires several external measures to allow safe operation in a system targeting the ASIL D functional safety level:
• External power supply and monitor
• External watchdog timer
• Error output monitor

The MC33907/08 provides the above functions to ensure that the MPC5744P comes to a safe state in case of failure. Refer to the safety manual, Safety Manual for MPC5744P (document number MPC5744PSM, available on freescale.com), for additional details about the safety requirements when using the MPC5744P with external components.

5.1. Power supply and monitor

The MPC5744P includes internal monitors which continuously check the various voltage supplies. The Low-Voltage Detector (LVD) and the High-Voltage Detector (HVD) monitor the operating voltages to ensure the device works within the correct voltage range.
The operating voltages are supervised by the following voltage monitors:
• Duplicated core LVD blocks to monitor the 1.2 V core supply
• Duplicated core HVD blocks to monitor the 1.2 V core supply
• Four 3.3 V LVD blocks to monitor the 3.3 V VDDIO, VDDREG, VDDFLASH, VDDOSC and VDDADC supplies

When the core voltage drops below the LVD threshold level, a 1.2 V low-voltage detection event occurs. Similarly, when the core voltage exceeds the HVD threshold level, a 1.2 V high-voltage detection event occurs. If the voltage is not in the proper range, the system responds with a reset.

When the main 3.3 V supply drops below the LVD threshold level, a low-voltage detection event occurs and the system responds with a reset. MPC5744P does not include a high-voltage monitor for the 3.3 V supplies; therefore, for ASIL D applications, the overvoltage monitor for the 3.3 V supplies, in addition to the undervoltage monitor, must be provided by an external device.

Safety Requirement [SAG_MPC5744P_042] — To fully monitor all voltage supplies, an external device must provide overvoltage and undervoltage monitors for MPC5744P external 3.3 V supplies.

This safety requirement is satisfied by MC33907/08, which provides voltage regulation and overvoltage and undervoltage monitors for the 3.3 V supplies.

As mentioned in MPC5744P Core supply, the regulated Vcore output is adjusted to 3.3 V using a resistor divider connected between Vcore and the voltage feedback pin FB_core. MC33907/08 monitors the undervoltage and overvoltage on the FB_core node, which has a typical value of 0.8 V. Table 4 shows the MC33907/08 undervoltage and overvoltage detection thresholds of the regulator outputs. If the FB_core pin drifts to the minimum FB_core overvoltage of 0.84 V, then the regulated Vcore output gets adjusted to 3.44 V and an overvoltage event is detected.
As a reaction to the fault condition, the MC33907/08 can be configured to assert the RSTb pin to trigger a reset of the MPC5744P, or it can assert the FS0b pin to control fail-safe circuitry that shuts off the power supply to the critical circuits of the application. When MC33907/08 is deactivated, the power to MPC5744P is also shut off to prevent permanent damage to the device. These two error-handling mechanisms will place the MPC5744P in a safe state when an overvoltage event is detected.

The MC33907/08 INIT SUPERVISOR1 register must be configured in the INIT phase to select the reaction to Vcore feedback overvoltage and undervoltage events, that is, whether RSTb or FS0b is asserted upon overvoltage and undervoltage detection. MC33907/08 allows the user to configure how the RSTb and FS0b pins react to overvoltage conditions.

The same overvoltage and undervoltage protection is provided for the analog power supplies, I/O drivers and CAN driver (part of the MC33907/08) when the MPC5744P’s analog power is supplied from the Vcca regulated output and the I/O drivers are supplied from the Vaux regulated output.

Table 4. MC33907/08 Overvoltage and Undervoltage Detection Thresholds

MC33907/08 parameter   Detection threshold            Min [V]   Max [V]
VCAN                   Overvoltage                    5.200     5.550
VCAN                   Undervoltage                   4.250     4.800
VPRE                   Overvoltage                    7.200     8.000
VCORE_FB               Overvoltage                    0.840     0.905
VCORE_FB               Undervoltage                   0.670     0.773
VCORE (1)              Overvoltage                    3.444     3.711
VCORE (1)              Undervoltage                   2.747     3.169
VCCA_5V                Overvoltage (5.0 V config)     5.250     5.500
VCCA_5V                Undervoltage (5.0 V config)    4.500     4.750
VCCA_3V3               Overvoltage (3.3 V config)     3.400     3.600
VCCA_3V3               Undervoltage (3.3 V config)    3.000     3.200
VAUX_5V                Overvoltage (5.0 V config)     5.250     5.500
VAUX_5V                Undervoltage (5.0 V config)    4.500     4.750
VAUX_3V3               Overvoltage (3.3 V config)     3.400     3.600
VAUX_3V3               Undervoltage (3.3 V config)    3.000     3.200

(1) VCORE voltage detection thresholds are transformed from the VCORE_FB detection thresholds through the external resistor divider (Equation 1 was used for this).

5.2. External watchdog

Some common causes of failure (CCF), such as a complete failure of the power supply, are detected because the software running on MPC5744P no longer triggers the watchdog (WD). To detect critical failures that could completely disable MPC5744P, an external WD device must be connected to MPC5744P for ASIL D applications.

Safety Requirement [SAG_MPC5744P_041] - An external device, acting as the supervisor of operations, must provide a watchdog to cover CCFs of the MPC5744P for ASIL D applications. It shall be triggered periodically by the safety-relevant software running on the MPC5744P.

This MPC5744P safety requirement is satisfied by the windowed time WD feature of MC33907/08. The windowed time WD concept is shown in Figure 17. This feature requires the MPC5744P to refresh the WD during each open window. The duration of the window is selectable through SPI during the MC33907/08 initialization phase.
The window duration is configurable to be 1 ms, 2 ms, 3 ms, 4 ms, 8 ms, 16 ms, 32 ms, 64 ms, 128 ms, 256 ms, 512 ms, or 1024 ms in the WD_Window register. The window duty cycle is 50%. The default window duration is 3 ms, which can then be configured to a different value during configuration by MPC5744P.

Figure 17. MC33907/08 windowed watchdog
[Timeline: each window duration consists of a CLOSED phase followed by an OPEN phase; the refresh slot lies in the OPEN phase.]

The WD is based on a question and answer principle. MC33907/08 provides a default LFSR value, but MPC5744P can send an 8-bit seed to MC33907/08 through the SPI during the INIT phase. This seed initializes the MC33907/08’s Linear Feedback Shift Register (LFSR). MPC5744P and MC33907/08 then run a pre-defined calculation using the same seed. MPC5744P sends the result of the calculation to MC33907/08 during the open WD window and the result is verified by MC33907/08. If the result is correct, the LFSR is incremented to generate a new pseudo-random word, the WD refresh counter is incremented and the window is restarted. However, if the result is incorrect, the WD error counter is incremented and the WD window is restarted.

For each wrong WD refresh, the WD error counter is incremented by 2 (maximum of 6). For each correct WD refresh, the WD error counter is decremented by 1 (minimum of 0). When the WD error counter reaches 6, a reset is generated and the RST error counter is incremented by 1. The WD error and the RST error counters can be read by MPC5744P via SPI from the WD_Counter register and the Diag_FS2 registers, respectively. See Figure 18 for the state diagram of the Error Counter.

When MPC5744P generates a reset, the MC33907 Reset Error Counter is incremented by one. When MPC5744P recovers from the reset, MC33907 will be in the INIT phase with a 256 ms open window in which to configure the device again and send the first good WD refresh. As soon as the first good WD refresh is sent, the MC33907 Fail Safe monitoring requires periodic WD refresh.
Figure 18. MC33907/08 watchdog error counter state diagram
[State diagram of the Error Counter, states 0 to 5 plus RESET (Reset_Error_Counter++). ROK = WatchDog Refresh OK; RNOK = WatchDog Refresh Not OK. Error_Counter counts up to 6 (it should be also 4 or 2).]

The RST error counter (see Figure 19 for its state diagram) can only be decremented by 1 if the WD is correctly refreshed 7 consecutive times (when the WD refresh counter is configured at 6; see Figure 20 for the Refresh Counter register). When the RST error counter reaches 3, MC33907/08 activates the FS pins (FS0b). If the WD continues to be incorrectly refreshed and the RST error counter reaches 6, then MC33907/08 turns off all the regulators and enters a deep fail state mode. At this point, a new power-up sequence or a key off/on is needed to recover (the recommendation is to connect the Key signal to IO_0; refer to AN4766, available at freescale.com, for more information). Alternatively, MC33907/08 can be configured to activate the FS pins when the RST error counter reaches 1 and to enter a deep fail state mode when the RST error counter reaches 3 (refer to the MC33907/08 datasheet, available at freescale.com, for more details).

When MPC5744P detects a falling edge on the RESET_B signal, the external reset triggers the start of the reset sequence.
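The counter rules described in this section can be checked with a small model. The following C code is an added example, not part of the application note or Freescale code: it models the WD error counter, the refresh counter and the RST error counter with the default limits from the text. The struct and function names are hypothetical, and three points are assumptions not stated in the text: the WD error counter restarts at 0 after it generates a reset, the run of good refreshes restarts after each RST error counter decrement, and FS0b stays active once set.

```c
#include <stdbool.h>
#include <stdio.h>
/* Limits from the text (default configuration). */
#define WD_ERR_LIMIT 6 /* WD error counter value that generates a reset */
#define GOOD_TO_DECR 7 /* consecutive good refreshes per RST decrement  */
#define RST_ERR_FS   3 /* RST error counter value that activates FS0b   */
#define RST_ERR_DEEP 6 /* RST error counter value for deep fail         */

struct sbc_wd {     /* hypothetical model state, not a register map */
    int  wd_err;    /* WD error counter                              */
    int  refresh;   /* consecutive good refreshes so far             */
    int  rst_err;   /* RST error counter                             */
    bool fs0b;      /* FS0b activated (assumption: never released)   */
    bool deep_fail; /* regulators off until POR or IO_0 transition   */
};

/* Apply one refresh result; returns true if it generated a reset. */
static bool sbc_refresh(struct sbc_wd *s, bool ok)
{
    if (s->deep_fail) return false;   /* MPC5744P unpowered, nothing counted */
    if (ok) {
        if (s->wd_err > 0) s->wd_err--;        /* correct refresh: -1, min 0 */
        if (++s->refresh == GOOD_TO_DECR) {
            s->refresh = 0;                    /* assumption: run restarts */
            if (s->rst_err > 0) s->rst_err--;
        }
        return false;
    }
    s->refresh = 0;                   /* a wrong refresh breaks the run */
    s->wd_err += 2;                   /* wrong refresh: +2 */
    if (s->wd_err < WD_ERR_LIMIT) return false;
    s->wd_err = 0;                    /* assumption: restarts at 0 after reset */
    s->rst_err++;
    s->fs0b = s->fs0b || s->rst_err >= RST_ERR_FS;
    s->deep_fail = s->rst_err >= RST_ERR_DEEP;
    return true;
}

/* Feed a constructed pattern ('G' good, 'B' bad); returns resets generated. */
static int sbc_run(struct sbc_wd *s, const char *pattern)
{
    int resets = 0;
    for (; *pattern; pattern++)
        resets += sbc_refresh(s, *pattern == 'G');
    return resets;
}

int main(void)
{
    struct sbc_wd a = {0}, b = {0};
    printf("BGBGBGBGB: %d reset(s)\n", sbc_run(&a, "BGBGBGBGB"));
    printf("BGGBGGBGG: %d reset(s)\n", sbc_run(&b, "BGGBGGBGG"));
    return 0;
}
```

In this model, alternating wrong and correct refreshes still generates a reset on the ninth refresh, while one wrong refresh in every three never does, because each wrong refresh costs 2 and each correct one recovers only 1.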
Figure 19. MC33907/08 watchdog reset error counter state diagram
[State diagram of the Reset Error Counter, states 0 to 6, entered on POR or from LPOFF mode. Transitions: INCR, 7ROK (see the refresh counter figure), gotoFS. Actions: Active FS0b, Turn OFF regulators. Events listed in the figure: RSTb_short2hi, ABIST_Fail, IO_01/45_ERR, IO23_ERR, Undervoltage, Overvoltage, SPI_DED, WD Error Counter == 6 (see the error counter figure), WD Refresh NOK during INIT or WD timeout, FS0b_short2vdd, Reset by SPI, External Reset, RSTb asserted for 8 seconds, POR/transition on IO_0. Reset_Error_Counter counts up to 6 (it should be also only 2).]

Figure 20. MC33907/08 watchdog refresh counter state diagram
[State diagram of the Refresh Counter, states 0 to 6, with Reset_Error_Counter-- as the output. Transitions: ROK, RNOK/WD_OFF. ROK = WatchDog Refresh OK; RNOK = WatchDog Refresh Not OK. Refresh_Counter counts up to 7 (it should be also 5 or 2).]

5.3. Error output monitor

The MPC5744P Fault Collection and Control Unit (FCCU) supports two external pins, FCCU_F[0] and FCCU_F[1], for error indication. When the FCCU receives a fault signal, it reports the failure to the external world via the FCCU_F[1:0] signals. If an error is indicated, the system may disable or reset MPC5744P as a reaction to the error signal.

Safety Requirement [SAG_MPC5744P_043] — An external device must be connected to the FCCU via FCCU_F[0] and optionally FCCU_F[1] to continuously monitor the error output pins of the FCCU.

MC33907/08 satisfies this safety requirement by providing FCCU monitoring of the error output signals from the MPC5744P. The MC33907/08 IO_2 and IO_3 pins are by default configured as safety inputs for continuous monitoring of the MPC5744P FCCU outputs.
When the IO_2 and IO_3 pins are configured as inputs for FCCU monitoring, only the bi-stable protocol can be used. In this mode, the second output FCCU_F[1] is the inverted signal of the first output FCCU_F[0]. In the reset or self-test phase, the FCCU_F[1:0] pins are set as high-impedance. In the normal state, when no FCCU faults are triggered, FCCU_F[1:0]=01. A fault condition is indicated by FCCU_F[1:0]=10.

When a failure is signaled through the IO_2 and IO_3 pins, MC33907/08 handles the error in one of the following ways:
• Assert RSTb (active low) to reset the MPC5744P
• Assert FS0b (active low) to power off the system

5.4. Functional and Destructive Reset Escalation

These features are implemented in the MPC5744P RGM module. The Functional Reset Escalation is enabled by writing a non-zero value to the FRET field of the RGM_FRET register. It can be used to generate a ‘destructive’ reset if a number (programmed in the RGM_FRET) of ‘functional’ or external resets has occurred between software writes to the RGM_FRET register.

The Destructive Reset Escalation is enabled by writing a non-zero value to the DRET field of the RGM_DRET register. It is used to keep MPC5744P in the reset state until the power-on triggers a reset sequence if a number (programmed in the RGM_DRET) of ‘destructive’ resets has occurred between software writes to the RGM_DRET register.

When MPC5744P stays in reset, this causes MC33907/08 to move to Deep Fail state mode, in which all the power regulators are turned off. There are two ways to wake up MC33907/08, followed by MPC5744P. The first is to turn the power supply off and on (Power on Reset for MC33907/08). The second is a transition on the IO_0 pin of MC33907/08 (IO_0 = 0 followed by IO_0 = 1). IO_0 is normally connected to the ignition key of the car to wake up MC33907/08.

6. Conclusion

This application note has described the hardware aspects of integrating the Freescale MPC5744P and MC33907/08. For further information, refer to the documents mentioned in the Reference section.

Freescale SafeAssure program: Functional Safety, Simplified. For more information, visit www.freescale.com/SafeAssure.

7. Reference

For additional information, refer to the following documents available at freescale.com:
• AN4442: Integration the MPC5643L and MC33907/08 for Safety Application
• AN4766: MC33907/08 HW Design and Product Guidelines
• MPC5744PRM: MPC5744P Microcontroller Reference Manual
• MPC5744P: MPC5744P Data Sheet
• MC33907-MC33908D2: MC33907/08 Data Sheet
• MPC5744PSM: Safety Manual for MPC5744P
• MC33907_8SMUG: Safety Manual for MC33907/08