AN4266 Application note Safety application guide for SPC56xL70xx family Introduction This document is the safety application guide for the SPC56xL70xx. It provides the conditions of use for the SPC56xL70xx in ASIL D applications. September 2013 Doc ID 024283 Rev 2 1/76 www.st.com Contents AN4266 Contents 1 Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 General information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3 2.1 Mission profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.2 Safe state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.3 Failure indication time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.4 Error handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 2.5 Sphere of Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Functional safety requirements for application software . . . . . . . . . . 12 3.1 3.2 3.3 2/82 Application software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.1.1 Mandatory software requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.1.2 Recommended software requirements . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.1.3 Implementation details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 System Status and Configuration Module (SSCM) . . . . . . . . . . . . . . . . . 13 3.2.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.2.2 Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Self-Test Control Unit (STCU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.3.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.3.2 Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.4 Reset Generation Module (MC_RGM) . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.5 Clock configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.6 SRAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.7 Flash memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 3.8 Interrupt Controller (INTC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.9 Semaphore Unit (SEMA4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.10 Enhanced Direct Memory Access (eDMA) requests . . . . . . . . . . . . . . . . 17 3.11 Periodic Interrupt Timer (PIT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.12 Communication peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.13 I/O peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.13.1 Read Digital Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.13.2 Read PWM Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Doc ID 024283 Rev 2 AN4266 Contents 3.14 3.13.3 Read Encoder Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.13.4 Write Digital Outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.13.5 Write PWM Outputs 3.13.6 Other requirements for I/O peripherals . . . . . . . . . . . . . . . . . . . . . . . . . 34 Cross Triggering Unit (CTU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.14.1 3.15 4 Synchronize Sequential Read Input . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 ADC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.15.1 Read Analog Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.15.2 Other requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.16 Temperature sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.17 Software Watchdog Timer (SWT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.18 Redundancy Control Checking Unit (RCCU) . . . . . . . . . . . . . . . . . . . . . . 48 3.19 Cyclic Redundancy Checker Unit (CRC) . . . . . . . . . . . . . . . . . . . . . . . . . 49 3.20 Clock Monitor Unit (CMU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 3.21 Frequency-Modulated Phase-Locked Loop (FMPLL) . . . . . . . . . . . . . . . 50 3.22 Internal RC Oscillator (IRCOSC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.23 Power Management Unit (PMU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.24 Memory Protection Unit (MPU) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 3.25 Register Protection Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 3.26 Error Correction Status Module (ECSM) . . . . . . . . . . . . . . . . . . . . . . . . . 55 3.27 Fault Collection and Control Unit (FCCU) . . . . . . . . . . . . . . . . . . . . . . . . 55 Functions of external devices for ASIL D applications . . . . . . . . . . . . 57 4.1 External Watchdog Function (EXWD) . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 4.2 Power Supply and Monitor Function (PSM) . . . . . . . . . . . . . . . . . . . . . . . 57 4.3 Error Out Monitor Function (ERRM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 4.4 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 4.3.1 Both FCCU pins connected to external device . . . . . . . . . . . . . . . . . . . 58 4.3.2 Single FCCU pin connected to external device . . . . . . . . . . . . . . . . . . . 59 PWM Output monitored by external ASIC (PWMA) . . . . . . . . . . . . . . . . . 59 Scenarios for automotive applications: Motor control . . . . . . . . . . . . 61 5.1 5.2 Application example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.1.1 Functional safety related inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 5.1.2 Functional safety related outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Application example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Doc ID 024283 Rev 2 3/82 Contents AN4266 5.3 6 5.2.1 Functional safety related inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 5.2.2 Functional safety related outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Application example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 5.3.1 Functional safety related inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 5.3.2 Functional safety related outputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 ECC logic test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 6.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 6.2 Data pattern - Walking 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 6.3 UTEST mode ECC logic check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 6.4 Fault coverage and execution time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 7 I/O pin/ball configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 8 Further information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 9 4/82 8.1 Conventions and terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 8.2 Acronyms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 8.3 Document references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Doc ID 024283 Rev 2 AN4266 List of tables List of tables Table 1. Table 2. Table 3. Table 4. Table 5. Table 6. Table 7. Table 8. Table 9. Table 10. Table 11. Table 12. Table 13. Table 14. Table 15. Table 16. Table 17. Table 18. Table 19. Table 20. Table 21. Table 22. Temperature profile for packaged device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Temperature profile for bare die device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Software BIST and/or test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 PMU monitored supplies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Functional safety inputs for application example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Functional safety outputs for application example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Functional safety inputs for application example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Functional safety outputs for application example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Functional safety inputs for application example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Functional safety outputs for application example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Data pattern used by the ECC logic test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 List of conventions and terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Acronyms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Doc ID 024283 Rev 2 5/82 List of figures AN4266 List of figures Figure 1. Figure 2. Figure 3. Figure 4. Figure 5. Figure 6. Figure 7. Figure 8. Figure 9. Figure 10. Figure 11. Figure 12. Figure 13. Figure 14. Figure 15. Figure 16. Figure 17. Figure 18. Figure 19. 6/82 Double Read Digital Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Double Read PWM Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Double encoder read input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Write Digital Output With Read Back . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Double Write Digital Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Double Write PWM Output configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Single Write PWM Output With Read Back configuration. . . . . . . . . . . . . . . . . . . . . . . . . . 32 Single Read Analog Input configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Software BISTs to test the multiplexing circuitry (ADC_SWTEST_TEST1) . . . . . . . . . . . . 41 Implementation of ADC_SW_TEST1 through the ADC presample feature . . . . . . . . . . . . 42 Software BISTs to test the multiplexing circuitry (ADC_SWTEST_TEST2) . . . . . . . . . . . . 42 Implementation of ADC_SW_TEST2 through the ADC presample feature . . . . . . . . . . . . 43 Series of acquired analog values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Double Read Analog Inputs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Logic scheme of the LVD_DIG and HVD_DIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Logic scheme of the LVD_FLASH, LVD_GPIO and LVD_VREG . . . . . . . . . . . . . . . . . . . . 53 Example of QFP144 pin/pad adjacency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 BGA balls non-adjacent, die pads adjacent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 BGA balls adjacent, die pads non-adjacent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Doc ID 024283 Rev 2 AN4266 1 Preface Preface This document discusses requirements and assumptions for the use of the SPC56xL70xx Microcontroller Unit (MCU) in ASIL D applications. It prescribes several measures as mandatory (or mandatory under certain preconditions, for example, if a certain module is used) whereby the measure described was assumed to be in place when analyzing the safety of the MCU. This document considers: ● The system assembly that contains the SPC56xL70xx MCU ● The “Safety Element out of Context” section in the “Road vehicles - Functional safety Part 10: Guideline [ISO/DIS 26262-10]” standard ● Certain assumptions about the assembly's functional safety needs based on that standard and determines whether a measure is mandatory or not based on these factors. What this means for designers using the SPC56xL70xx MCU is that if they don’t fulfill a specific Safety Application Guide (SAG) prescription they either have to show to their ISO 26262 assessor that the alternative solution is similarly efficient concerning the safety requirement in question (for example, provides the same coverage, avoids Common Cause Failure (CCF) as effectively, and so on), or they have to specify the increased failure rate/reduced Safe Failure Fraction (SFF) they estimate to incur due to the deviation. Otherwise, the assessor will not recognize the MCU certificate that the customer received with the MCU. This document also contains guidelines on how to configure and operate the SPC56xL70xx for ASIL D applications. These guidelines are preceded by one of the following bold text statements: ● Implementation hint ● Recommended ● Example These guidelines are considered to be useful approaches for the specific topics under discussion, but are not mandatory. The user will need to use discretion in deciding whether these measures are appropriate for their applications. This document is valid only under the assumption that the MCU is used in automotive applications for use cases requiring a fail-silent or a fail-indicate MCU. Mandatory: This document is only valid if the environmental conditions given in the SPC56xL70xx data sheet are maintained. The cores in the SPC56xL70xx can be configured to operate in either Lock-Step Mode (LSM) or Decoupled Parallel Mode (DPM). In LSM, the outputs of a set of replicated modules, identified as the Sphere of Replication (SoR, see Section 2.5, Sphere of Replication for details), are compared to ensure that the operations or transactions that are executed are identical on a clock per clock basis. Mandatory: This document is based on the assumption that the SPC56xL70xx is configured to operate in LSM. Doc ID 024283 Rev 2 7/76 Preface AN4266 As for all devices, device errata must be taken into account during system design and implementation. For a safety-related device such as the SPC56xL70xx, this also concerns safety-related activities such as system safety concept development. Mandatory: The device shall be handled according to JEDEC standards J-STD-020 and JSTD-033. Mandatory: To cover the ISO-07-6.5.4 and ISO-07-6.4.2.1, customers shall report all field failures of the devices to silicon supplier. Mandatory: This document is only valid if the conditions given in the addendum are met (see Section 8.3: Document references). 8/76 Doc ID 024283 Rev 2 AN4266 General information 2 General information 2.1 Mission profile The assumed mission profile is: ● Lifetime: 20 years ● Total operating hours: 12000 hours ● Trip time: 10 hours (Trip time is defined as the maximum time of operation of the MCU without power-on reset) ● Fault Tolerant Time Interval (FTTI, also named Process Safety Time (PST)): 10 ms (maximum time between the first faulty output and a failure indication or reset) Temperature profiles for packaged devices (Table 1) and bare die (Table 2) are shown below. Note: The temperature profile is an assumption of the SPC56xL70xx safety analysis and shall be fulfilled during integration into an ASIL D compliant system. Table 1. Temperature profile for packaged device Table 2. 2.2 Temperature range (°C) Operation time (h) 125–135 120 110–120 960 90–100 7680 30–40 3240 Temperature profile for bare die device Temperature range (°C) Operation time (h) 120–125 120 100–110 960 80–90 7680 20–30 3240 Safe state By definition, the Safe states of the SPC56xL70xx are as follows: ● Completely unpowered ● Reset – ● – ● All pins except possibly the error output pins (FCCU_F[0:1]) are tristated. Operating correctly Outputs depend on application. Explicitly indicating an internal error – Error output pins FCCU_F[0:1] are in a state indicating an error, and the state of other I/O pins will not be reliable. Doc ID 024283 Rev 2 9/76 General information AN4266 Defining these states as safe for the MCU means that the overall system must react safely to the SPC56xL70xx being in, and entering, any of these states. For the ‘Completely unpowered’ and ‘Reset’ states the addition of a pullup or pulldown resistor on relevant signals may be necessary. If an ‘Explicit indication of internal error’ occurs on FCCU_F[0:1], the application must not depend on the MCU for continued operation. This also means that the system must be able to remain in a safe state without any additional actions from the MCU. Mandatory: The system must transition to a safe state when there is an indication of an error. Depending on the configuration the system may disable, or reset, the SPC56xL70xx as a reaction to the error signal. If a system continuously switches between a standard operating state and the reset state, without any device shutdown, the system is not considered to be in a Safe state. Mandatory: The application must identify and signal such switching as a failure condition. 2.3 Failure indication time The SPC56xL70xx failure indication time must be taken into consideration when determining application safety strategies, because it must be less than the FTTI. Failure indication time has three components, two of which are influenced by configuration settings: recognition time + internal processing time + indication time. Each component of failure indication time is described as follows: ● Recognition time is the maximum of the recognition time of all involved safety mechanisms. The three mechanisms with the longest time are: – ADC(a) recognition time is the most demanding HW test in terms of timing. The self-test requires the ADC conversion to complete a full test. A single full test takes at least 70 µs(b). – Recognition time related to the FMPLL loss of clock: it depends on how the FMPLL is configured, but is approximately 20 µs. – Diagnostic cycle time of software self-tests. This time depends closely on the software implementation. ● Internal processing time lasts maximum 10 RC clock cycles (RC is the internal safe clock with nominal frequency of 16 MHz). ● Indication time, the time to notify an observer about the failure, depends on indication protocol configured in the Fault Collection and Control Unit (FCCU): – Dual Rail protocol and time switching protocol: FCCU configured as “fast switching mode”: indication delay is maximum 64 µs. As soon as FCCU receives a fault signal, FCCU reports the failure to the outside world via output pin (if properly configured). 0 = FCCU configured as “slow switching mode”: an indication delay could occur. The maximum delay is equal to period of the error out signal. This parameter shall be configured equal to its minimum which is 128 µs. a. ADC recognition time shall be used only if ADC is used by the safety function. b. This value takes into account the steps needed to run the three ADC hardware self-tests. 10/76 Doc ID 024283 Rev 2 AN4266 General information 0 = Bi-stable protocol: indication delay is maximum 64 µs. As soon as the FCCU receives a fault signal, it reports the failure to the outside world via output pin (FCCU_F[0:1], if properly configured). If the configured reaction to a fault is an interrupt, an additional delay (interrupt latency) can occur until the interrupt handler is able to start executing (for example, higher priority IRQs, XBAR contention, register saving, and so on). General failure rate, or the Failure Modes, Effects and Diagnostic Analysis (FMEDA) report, is available upon request when covered by an NDA (contact your representative). 2.4 Error handling Error handling can be split into two categories: ● Handling of errors during runtime ● Handling of errors during boot time (for example, Logic Built-In Self-Test (LBIST), Memory Built-In Self-Test (MBIST)) Mandatory: Runtime errors shall be handled in a time shorter than the FTTI. Mandatory: Boot time failures shall be handled before the safety function starts. Note: Implementation hint: To satisfy this requirement regarding the LBIST/MIBST, Self-Test Control Unit (STCU) status condition shall be checked by application software before safety application starts (See “Integrity SW Operations” section of the “Self-Test Control Unit (STCU)” chapter in the SPC56xL70xxReference Manual for details). 2.5 Sphere of Replication Sphere of Replication (SoR) is used for duplicating of critical components on the SPC56xL70xx. The following modules are included in the SoR: ● e200z4 Cores ● Enhanced Direct Memory Access (eDMA) ● Interrupt Controller (INTC) ● Crossbar Switch (XBAR) ● Memory Protection Unit (MPU) ● Flash memory controller ● Static RAM Controller (SRAMC) ● System Timer Module (STM) ● Software Watchdog Timer (WDT) ● Peripheral Bridge (PBRIDGE) Doc ID 024283 Rev 2 11/76 Functional safety requirements for application software 3 AN4266 Functional safety requirements for application software This section gives an overview of necessary, or recommended, measures when using the individual modules of the SPC56xL70xx. If a module is implemented without following the text of this section, the safety certificate for the module, or the entire MCU, may not be validated. It is possible to ignore aspects of the text if equivalent measures that are taken can be shown to manage the same failures. Modules not explicitly covered by this document do not require any software measures. The modules covered by the SoR reach very high Diagnostic Coverage (DC) without dedicated measures at application or system levels. 3.1 Application software requirements Application software shall be developed according to ASIL D requirements. 3.1.1 Mandatory software requirements The following sections contain Mandatory design constraints for using the SPC56xL70xx devices in an ASIL D system: 12/76 ● Section 3.2, System Status and Configuration Module (SSCM) ● Section 3.3, Self-Test Control Unit (STCU) ● Section 3.4, Reset Generation Module (MC_RGM) ● Section 3.5, Clock configuration ● Section 3.7, Flash memory ● Section 3.8, Interrupt Controller (INTC) ● Section 3.10, Enhanced Direct Memory Access (eDMA) requests ● Section 3.11, Periodic Interrupt Timer (PIT) ● Section 3.13, I/O peripherals ● Section 3.14, Cross Triggering Unit (CTU) ● Section 3.15, ADC ● Section 3.16, Temperature sensors ● Section 3.17, Software Watchdog Timer (SWT) ● Section 3.19, Cyclic Redundancy Checker Unit (CRC) ● Section 3.20, Clock Monitor Unit (CMU) ● Section 3.21, Frequency-Modulated Phase-Locked Loop (FMPLL) ● Section 3.22, Internal RC Oscillator (IRCOSC) ● Section 3.23, Power Management Unit (PMU) ● Section 3.25, Register Protection Module ● Section 3.27, Fault Collection and Control Unit (FCCU) Doc ID 024283 Rev 2 AN4266 3.1.2 Functional safety requirements for application software Recommended software requirements The following sections contain Recommended design constraints for using the SPC56xL70xx devices in an ASIL D system: 3.1.3 ● Section 3.6, SRAM ● Section 3.12, Communication peripherals ● Section 3.13, I/O peripherals ● Section 3.16, Temperature sensors ● Section 3.18, Redundancy Control Checking Unit (RCCU) ● Section 3.19, Cyclic Redundancy Checker Unit (CRC) ● Section 3.24, Memory Protection Unit (MPU) ● Section 3.25, Register Protection Module ● Section 3.26, Error Correction Status Module (ECSM) Implementation details The following sections contain implementation details for using the SPC56xL70xx devices in an ASIL D system: ● Section 3.2, System Status and Configuration Module (SSCM) ● Section 3.5, Clock configuration ● Section 3.7, Flash memory ● Section 3.8, Interrupt Controller (INTC) ● Section 3.10, Enhanced Direct Memory Access (eDMA) requests ● Section 3.13, I/O peripherals ● Section 3.14, Cross Triggering Unit (CTU) ● Section 3.16, Temperature sensors ● Section 3.17, Software Watchdog Timer (SWT) ● Section 3.19, Cyclic Redundancy Checker Unit (CRC) ● Section 3.20, Clock Monitor Unit (CMU) ● Section 3.21, Frequency-Modulated Phase-Locked Loop (FMPLL) ● Section 3.23, Power Management Unit (PMU) ● Section 3.25, Register Protection Module ● Section 3.27, Fault Collection and Control Unit (FCCU) Note: A section may contain Mandatory constraints, Recommended constraints, Implementation hints or any combination of the three. 3.2 System Status and Configuration Module (SSCM) 3.2.1 Configuration Mandatory: Before executing the safety functions, the SSCM shall be configured to inhibit unintentional execution of the BAM code. Note: Rationale: Since BAM code is not intended to be executed by ASIL D applications, any execution of the BAM, or part of it, must be inhibited. Doc ID 024283 Rev 2 13/76 Functional safety requirements for application software AN4266 Note: Implementation hint: This requirement is satisfied by writing SSCM_ERROR[PAE] = 1. Each access to the BAM memory area produces a Prefetch or Data Abort exception. 3.2.2 Checking Mandatory: After boot, but before executing any safety function, the application software needs to read SSCM_STATUS[LSM] to verify that the device runs in the selected mode of operation: ● Decoupled Parallel Mode (DPM) – SSCM_STATUS[LSM] = 0 ● Lock Step Mode (LSM) – SSCM_STATUS[LSM] = 1 Note: Rationale: To check if the MCU started in LSM 3.3 Self-Test Control Unit (STCU) 3.3.1 Configuration The STCU does not require any configuration written by application software. The default STCU configuration is to execute LBIST/MBIST and to react to detected faults by triggering a Non-Critical Fault (NCF) that signals the FCCU (See “Self-Test Control Unit (STCU)” chapter in the SPC56xL70xx Reference Manual for details). Mandatory: LBISTs and MBISTs shall be configured to be executed once per trip time (trip time defined in Section 2.1, Mission profile). 3.3.2 Checking Mandatory: Once after boot, before the safety application starts, application software shall carry out some STCU checking steps for ensuring STCU reliability. Note: Implementation hint: See “Integrity SW Operations” section of the “Self-Test Control Unit (STCU)” chapter in the SPC56xL70xxReference Manual for details. Note: Rationale: STCU manages the execution, and checks the result, of the LBISTs and MBISTs. The STCU’s correct behavior must be verified by checking the expected results with software. The Integrity SW should confirm that all MBISTs and LBISTs finished successfully with no additional errors flagged. This software confirmation prevents a fault within the STCU itself from incorrectly indicating that the self-test passed. This is an additional safety layer since the STCU propagates the LBIST/MBIST and internal faults using the NCF signals of the FCCU. So, reading STCU_LBS, STCU_LBE, STCU_MBSL, STCU_MBSH, STCU_MBEL, STCU_MBEH and STCU_ERR registers helps increase the STCU auto-test coverage. 3.4 Reset Generation Module (MC_RGM) A redundant fault notification path is achieved through the use of the MC_RGM and the FCCU. MC_RGM configuration is application dependent. Mandatory: However, to have the redundant notification path, both MC_RGM and FCCU shall be configured to react to critical application faults. 14/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Note: Rationale: To have two notification paths in case of an error 3.5 Clock configuration The system starts by using the internal RC oscillator clock (IRCOSC) as its source (See “Oscillators” chapter in the SPC56xL70xx Reference Manual and Section 3.22, Internal RC Oscillator (IRCOSC) below for details on IRCOSC configuration). Mandatory: Before safety functions are executed, the FMPLLs must be configured to use the external oscillator (XOSC) as their source clock. Note: Rationale: Since the IRCOSC is used by the CMUs as reference to monitor the output of the two PLLs, it can not be used as input of these PLLs. Note: Implementation hint: MC_CGM_AC3_SC[SELCTL] and MC_CGM_AC4_SC[SELCTL] must be set to 1 to select the XOSC. Mandatory: All safety relevant modules shall be clocked with an FMPLL generated clock signal. Note: Rationale: To reduce the impact of glitches stemming from the external quartz crystal and its hardware connection to the MCU Note: Implementation hint: This requirement is fulfilled by appropriately programming the Clock Generation Module (MC_CGM) Clock Divider Configuration and Clock Select Control registers and Mode Entry Module (MC_ME) MC_ME_<mode>_MC registers (See “Clock Generation Module (MC_CGM)” and “Mode Entry Module (MC_ME)” chapters in the SPC56xL70xx Reference Manual for details). 3.6 SRAM The system SRAM is protected against hardware dormant faults by hardware BISTs (See “MBIST partitioning” section in the “Self-Test Control Unit (STCU)” of the SPC56xL70xx Reference Manual). This test runs at boot, but some software actions are requested (See Section 3.3, Self-Test Control Unit (STCU)). Moreover, the system SRAM is also protected by a single error correction/dual error detection (SEC/DED) ECC scheme. The SRAM SEC/DED concerns data and addresses and thus provides diagnostic coverage to logic addresses. 3.7 Flash memory Non-volatile memory (NVM) flash memory is protected with an SEC/DED ECC scheme. Caution: The single-bit correction reporting functionality is not available as described for flash memory ECC (See errata e3320). In case single-bit corrections need to be tracked, the workaround in the errata shall be used. Be aware that the workaround has a higher probability than the original mechanism to miss corrections if several occur within a short time. Doc ID 024283 Rev 2 15/76 Functional safety requirements for application software AN4266 To support the detection of dormant faults in the entire memory array and addressing logic, and to check the integrity of the logic used for flash memory programming, the following BISTs must be enabled by software: ● Mandatory: Array Integrity Self Check – This BIST is based on functionality built into the flash memory control logic. It calculates a MISR signature over the array content and thus validates the content of the array as well as the decoder logic. The calculated MISR value is dependent on the array content and must be validated by software. Frequency: This check must be performed at boot time. Note: Rationale: To check the integrity of the flash memory array content Note: Implementation hint: This BIST must be started by application software; its result must be validated by reading the corresponding registers in the flash memory controller after it has been finished (See “Array integrity self check” section in the “Flash memory” chapter of the SPC56xL70xx Reference Manual for detailed information about this BIST). ● Note: Rationale: To verify that the written data is coherent with the expected data ● Note: Mandatory: Write operation – When writing flash memory, the corresponding SW driver must validate the correctness of the programming of flash memory by checking the value of C90FL_MCR[PEG]. Furthermore, the data that was written must be read back, then verified by SW that it compares with the intended data value. Frequency: After every write operation or after a series of write operations Mandatory: Flash memory ECC logic test – This BIST tests the (digital) logic within the flash memory that is responsible for detecting and correcting faults (ECC logic) in the read data. Rationale: The intention of this test is to assure that correct data is not accidently modified, and single-bit errors are correctly updated. Reading a set of data words from flash memory and comparing it with expected values is a software initiated function that is controlled by the application. Frequency: Once per FTTI Note: Implementation hint: Section 6, ECC logic test explains how to perform flash memory data compares with SW. 3.8 Interrupt Controller (INTC) No specific hardware protection is provided against spurious or missing interrupt requests caused by Electromagnetic Interface (EMI) on the interrupt lines, or bit flips in the interrupt registers of the peripherals(c). Mandatory: Applications that are not resilient against such errors must include detection or protection measures. Note: Rationale: To manage spurious or missing interrupt requests Note: Implementation hint: A possible way to detect spurious interrupts is to check corresponding interrupt status in the interrupt status register of the related peripheral before executing the Interrupt Service Routine (ISR) service code. c. INTC is a replicated module. No software action is needed to detect faults inside this module. 16/76 Doc ID 024283 Rev 2 AN4266 3.9 Functional safety requirements for application software Semaphore Unit (SEMA4) Semaphore modules are only used in DPM. Failures of the SEMA4 module may cause unwanted interrupts in LSM. Each SEMA4 unit is connected to both replicated INTC modules. This means that even in LSM when SEMA4 units are not used, a corrupted SEMA4 could trigger continuous interrupts to both INTCs. To avoid this possible failure the INTC shall have the SEMA4 interrupt masked (for example, SEMA4 units have the lowest priority in the INTCs). Mandatory: Application software shall keep these interrupt sources masked by programming the interrupt controller appropriately. 3.10 Enhanced Direct Memory Access (eDMA) requests Mandatory: For ASIL D applications, protection against spurious or missing safety relevant eDMA requests must be implemented(d). The methodology used to satisfy this requirement is application dependent. Note: Rationale: To manage spurious or missing eDMA transfer requests Note: Implementation hint: Some implementations which can satisfy these requirements are: ● Counting the number of eDMA transfers triggered inside a control period and compare this with what is the expected value. ● If the eDMA is used to manage the analog acquisition with the Cross-Triggering Unit (CTU) and ADC, the number of the converted ADC channels is saved in the CTU FIFO together with the acquired value. The eDMA transfers this value from the CTU FIFO to a respective SRAM location. Spurious or missing transfer requests can be detected by comparing the converted channel with what is expected. Mandatory: Designers must not use the Periodic Interrupt Timer (PIT) module to trigger an eDMA transfer request for ASIL D applications. Note: Rationale: To avoid a faulty PIT (which is not redundant) from triggering an unexpected eDMA transfer 3.11 Periodic Interrupt Timer (PIT) Mandatory: For ASIL D applications the PIT module must be used in such a way that a possible failure is detected by the Software Watchdog Timer (SWT). Note: Rationale: To catch possible PIT failures Mandatory: If the PIT is used by ASIL D applications, a checksum of its configuration registers must be calculated and compared with the expected value to verify that the PIT configuration is correct. Frequency: Once per FTTI Note: Rationale: To verify that the PIT remains at its expected configuration d. eDMA is a replicated module. No software action is needed to detect faults inside this module. Doc ID 024283 Rev 2 17/76 Functional safety requirements for application software 3.12 AN4266 Communication peripherals The SPC56xL70xx includes the following communication peripherals: ● FlexCAN ● DSPI ● FlexRay ● LINFlexD Recommended: An appropriate safety software protocol should be utilized (for example, Fault Tolerant Communication Layer, FTCOM) for any communication peripheral employed to meet ASIL D application requirements. 3.13 I/O peripherals The following sections cover the use of the following peripherals: ● System Integration Unit Lite (SIUL) ● eTimer ● FlexPWM These modules shall be used to implement the following functions if they are part of the application safety function: ● ● Read Inputs – Read Digital Inputs – Read PWM Inputs – Read Encoder Inputs Write Outputs – Write Digital Outputs – Write PWM Outputs These are the safety functions assumed during analysis of the SPC56xL70xx. 3.13.1 Read Digital Inputs For ASIL D applications, digital inputs used for safety purposes are assumed to be acquired redundantly as described in the following section. Note: Implementation hint: If sufficient diagnostic coverage can be obtained by a plausibility check on a single acquisition for a specific application, a plausibility check can replace a redundant acquisition. This hint is a special case of deviating from mandatory requirements as described in the Preface. Double Read Digital Inputs Hardware elements Double read operation of a digital input is implemented by two general purpose inputs (GPI) of the SIUL unit. SIUL must be configured to allow an input signal to be read from it’s assigned pad. To minimize CCFs, the two input pads must not be physically adjacent (see Section 7, I/O pin/ball configuration for details). 18/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Safety Integrity Functions Mandatory: Safety integrity is achieved by replicated reading and software comparison by the processing function. The application shall implement the following tests: ● Note: Rationale: To verify that the configuration of the two pads used corresponds with the expected configuration, and to avoid a CCF caused by incorrectly configured pads ● Note: SIUL_SWTEST_REGCRC GPI_SWTEST_CMP Rationale: To verify that the two input values compare Digital In Double Read Configuration SIUL I Figure 1. = Input Pad I I GPI[x] GPI[y] Double Read Digital Input Software test implementation ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read, then a CRC is calculated. The CRC calculation is compared to the expected CRC value. Note: Implementation hint: The eDMA and CRC modules may be used to implement this Safety Integrity Function (SIF) to avoid overloading the CPU. ● GPI_SWTEST_CMP This software test is used to execute the comparison between the double reads performed by the independent channels. Implementation details The only hardware element that can be used for the safety function is the general purpose input/output (GPIO). Doc ID 024283 Rev 2 19/76 Functional safety requirements for application software AN4266 Note: Implementation hint: Every I/O pad that is not dedicated to a single function can be configured as GPIO (ADC pads are an exception to this rule, as they can only be configured as inputs). Caution: Redundant GPIO shall be selected in a non-contiguous way from the pin perspective to minimize CCF (see Section 7, I/O pin/ball configuration for details). Mandatory: The pads shall be configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Note: Rationale: To configure pads used by this safety function, and avoid CCF caused by improper configuration of the pads. Table 3. 3.13.2 Software BIST and/or test Software BIST or test Frequency SIUL_SWTEST_REGCRC Once after programming GPI_SWTEST_CMP Once for every acquisition Read PWM Input For ASIL D applications, digital inputs used for safety purposes are always assumed to be acquired redundantly as described in the following section. Read PWM Input means any input read related to signal transitions (rise or fall). This may also include the time that the signal was high, low or both. Double Read PWM Inputs Hardware elements A Double Read PWM Input is implemented by two channels, one channel provided by eTimer_0 and the other by eTimer_1. The SIUL module must be configured (via the appropriate SIUL_PCRn) to provide configuration and input direction of the input pads. To minimize CCFs, these input pads must not be physically adjacent (see Section 7, I/O pin/ball configuration for details). Safety Integrity Functions Safety integrity is achieved by reading each input then comparing the values in the processing function (See Figure 2). Mandatory: The software tests that the application must implement are: Note: ● ETIMER0_SWTEST_REGCRC ● ETIMER1_SWTEST_REGCRC ● SIUL_SWTEST_REGCRC Rationale: To verify that the configuration of the modules used by this safety function compare to the expected configuration Mandatory: In addition, the double reads must be compared by the application with the implementation of the following test: ETIMERI_SWTEST_CMP. Note: 20/76 Rationale: To verify that the two sets of data compare Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software PWM In Double Read Configuration I Figure 2. eTimer_0 eTimer_1 I I ETC[x] ETC[y] = Input Pad Double Read PWM Input Software test implementation ● ETIMER0_SWTEST_REGCRC The eTimer_0 configuration registers are read and a CRC checksum is computed. The checksum is compared with the expected value. ● ETIMER1_SWTEST_REGCRC The eTimer_1 configuration registers are read and a CRC checksum is computed. The checksum is compared with the expected value. ● SIUL_SWTEST_REGCRC The configuration registers of the SIUL are read and a CRC checksum is computed. The checksum is compared with the expected value. Note: Implementation hint: The eDMA and CRC modules should be used to implement these SIFs to avoid overloading the CPU. ● ETIMERI_SWTEST_CMP This software BIST is used to execute the comparison between the double reads performed by a channel on eTimer_0 and another channel on eTimer_1. The comparison must take into account possible approximation because of different capturing of the input asynchronous signals. Implementation details The following hardware elements shall be used for the safety function: ● eTimer_0 channels ● eTimer_1 channels Doc ID 024283 Rev 2 21/76 Functional safety requirements for application software AN4266 Mandatory: The user must select one channel from the eTimer_0 module and another from the eTimer_1. Note: Rationale: To avoid CCF (eTimer_0 and eTimer_1 belonging to different lakes) Mandatory: The pads shall be configured via the appropriate pad configuration registers (SIUL_PCRn). Note: Rationale: To configure pads used by this safety function Table 4. 3.13.3 Software BIST and/or test Software BIST or test Frequency ETIMER0_SWTEST_REGCRC Once after programming ETIMER1_SWTEST_REGCRC Once after programming SIUL_SWTEST_REGCRC Once after programming ETIMERI_SWTEST_CMP Once for every acquisition Read Encoder Inputs For ASIL D applications, encoder inputs used for safety purposes are assumed to be acquired redundantly as described in the following section. Read Encoder Input means any input read related to signal transitions (rise or fall). This may also include signals coming from an encoder. Double Read Encoder Inputs Hardware elements A Double Read Encoder Input is implemented using two channels that can be provided by: ● eTimer_0 ● eTimer_1 ● SIUL When both channels are provided by the timer units, the signals of one encoder must be addressed to eTimer_0 and the signals of the other encoder must be addressed to eTimer_1. Alternatively, one or both channels can be provided by the SIUL, which supports interrupt based reading of encoder signals. This means the SIUL must use general purpose inputs which have edge detection interrupts (See Figure 3 for details). Mandatory: One channel must be addressed by eTimer_0, and the other by eTimer_1. Note: Rationale: Two different eTimers must be used to avoid CCF (eTimer_0 and eTimer_1 belonging to different lakes). For each signal, the SIUL can provide additional channels to support interrupt-based reading. Mandatory: In this configuration, the SIUL must be correctly configured to forward one or two interrupt-based event readings. Note: Rationale: To configure pads used by this safety function Mandatory: The input pads must not be physically adjacent (see Section 7, I/O pin/ball configuration for details). 22/76 Doc ID 024283 Rev 2 AN4266 Note: Functional safety requirements for application software Rationale: To minimize CCF Safety Integrity Functions The safety integrity is achieved by duplicate reads and software comparison by the processing function (See Figure 3). Mandatory: The application software must implement the following tests: Note: ● ETIMER0_SWTEST_REGCRC ● ETIMER1_SWTEST_REGCRC ● SIUL_SWTEST_REGCRC Rationale: To verify that the configuration of the modules used by this safety function compare with what is expected Rationale: To avoid CCF caused by improper configuration of the pads Mandatory: The application software must implement the test ENCI_SWTEST_CMP, which compares signals acquired from each channel. Note: Rationale: To verify that the two sets of data compare Encoder Input Double Read Configuration I = Input Pad Figure 3. eTimer_0 eTimer_1 I I ETC[x] ETC[y] SIUL I EIRQ[x] I EIRQ[y] Double encoder read input Doc ID 024283 Rev 2 23/76 Functional safety requirements for application software AN4266 Software test implementation ● ETIMER0_SWTEST_REGCRC The eTimer_0 configuration registers are read, then a CRC checksum is computed. This computed checksum is compared to the expected value. ● ETIMER1_SWTEST_REGCRC The eTimer_1 configuration registers are read, then a CRC checksum is computed. This computed checksum is compared to the expected value. ● SIUL_SWTEST_REGCRC The configuration registers of the SIUL are read, then a CRC checksum is computed. This computed checksum is compared to the expected value. Note: Implementation hint: The eDMA and CRC modules should be used to implement this SIF to avoid overloading the CPU. ● ENCI_SWTEST_CMP This software test is used to execute the comparison between the double reads performed by one of the following: – one channel on eTimer_0 and one channel on eTimer_1 – one channel on eTimer_1 and one channel on the SIUL – one channel on eTimer_0 and one channel on the SIUL – two channels on the SIUL The comparison must take into account possible approximation because of different captured values of the input asynchronous signals and the execution of interrupt based event reads. Approximation required by different behavior of the encoded inputs must be handled at the application level. Implementation details The following hardware elements shall be used for the safety function: ● eTimer_0 channels ● eTimer_1 channels ● External interrupt via GPIO pins (configured via the SIUL) The user must select one channel from eTimer_0 and one from eTimer_1. The external interrupt pins are optional. Mandatory: The pads shall be configured via the appropriate pad configuration registers (SIUL_PCRn). Note: Rationale: To configure pads used by this safety function Table 5. 24/76 Software BIST and/or test Software BIST or test Frequency ETIMER0_SWTEST_REGCRC Once after programming ETIMER1_SWTEST_REGCRC Once after programming SIUL_SWTEST_REGCRC Once after programming ENCI_SWTEST_CMP Once for every acquisition Doc ID 024283 Rev 2 AN4266 3.13.4 Functional safety requirements for application software Write Digital Outputs For ASIL D applications, digital outputs used for safety purposes are assumed to be written either redundantly or with read back as described in the following section. Note: Application-dependent option: If a sufficient diagnostic coverage can be reached by a plausibility check on a single output channel for a specific application, a plausibility check can replace a redundant write or a direct read back. The element safety function Write Digital Out is implemented as either: ● Single Write Digital Out With Read Back ● Double Write Digital Out Single Write Digital Outputs With Read Back The SIUL hardware element is used to perform a single Write Digital Output With Read Back. Mandatory: The read back must be implemented in one of the two modes shown in Figure 4. Note: Rationale: To verify if written data compares with the expected data Mandatory: The SIUL element must be correctly configured to provide the output write and the pad directions as follows: Note: ● External read back – SIUL is configured to read back the signal from an additional pad, and the loopback is performed outside the device. In this configuration, only half of the available digital outputs are available as safety outputs. ● Internal read back(e) – SIUL is configured to read back the pad value via an internal read path. All pads dedicated to digital input/output are capable of reading the pad digital status using the input logic. Rationale: To verify if written data is coherent with the expected data Mandatory: The application software must implement the software test to check the correct configuration of the pads, SIUL_SWTEST_REGCRC, and to compare the read back with the digital output write. GPOERB_SWTEST_CMP is used for external read back and GPOIRB_SWTEST_CMP is used for internal read back. e. Internal read back does not cover package faults (e.g., wire bond, etc.). Doc ID 024283 Rev 2 25/76 Functional safety requirements for application software Digital Out External Readback Configuration Digital Out Internal Readback Configuration SIUL SIUL I = Input Pad O = Output Pad Pin I O GPI Figure 4. AN4266 Pin GPO O Pin GPO Write Digital Output With Read Back Software test implementation ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read and a CRC checksum is computed. This CRC checksum is compared what is expected. Note: Rationale: To avoid CCF caused by incorrect configuration of the pads Note: Implementation hint: The eDMA and CRC modules should be used to implement this SIF to avoid overloading the CPU. ● GPOERB_SWTEST_CMP This software test is used to execute the comparison between the desired output values and the value read back via external read back configuration. After writing the output value, the test must read the value of the digital input. Note: Rationale: To verify if the read data compares with the written data ● GPOIRB_SWTEST_CMP This software test is used to execute the comparison between the desired output values and the value read back via internal read back configuration. After writing the output value, the test must read the status of the digital input. Note: 26/76 Rationale: To verify if the read data compares with the written data Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Implementation details The SIUL hardware element shall be used for the safety function. Every pad that is not dedicated to a single function can be configured as GPIO. Pads dedicated to ADC are an exception to this rule, as they can be configured as inputs only. The pads shall be configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Table 6. Software BIST and/or test Software BIST or test Frequency SIUL_SWTEST_REGCRC Once after programming GPOERB_SWTEST_CMP Once every write GPOIRB_SWTEST_CMP Once every write Double Write Digital Outputs The SIUL is used to perform a Double Write Digital Output. Mandatory: The SIUL must be configured to correctly define the configuration of the output pads used. The software must perform a double write. Note: Rationale: To configure pads used by this safety function Mandatory: To guarantee the integrity of the two output channels, the application shall test the SIUL configuration implementing the SIUL_SWTEST_REGCRC. Note: Rationale: To avoid a CCF caused by incorrect configuration of the pads Mandatory: The application must implement the double output write as defined by the GPODW_SWAPP_WRITE. Note: Rationale: To write a digital output by exploiting redundancy Doc ID 024283 Rev 2 27/76 Functional safety requirements for application software AN4266 Digital Out Double Configuration SIUL O Figure 5. = Output Pad O O GPO[x] GPO[y] Double Write Digital Output Software test implementation ● SIUL_SWTEST_REGCRC The configuration registers of the SIUL are read and a CRC is computed. This CRC value is compared with what is expected. Note: Implementation hint: The eDMA and CRC modules should be used to implement this SIF to avoid overloading the CPU. ● GPODW_SWAPP_WRITE Mandatory: The output write of a redundant channel must be implemented following this guideline: ● The two outputs are written with a single instruction to the appropriate register. ● The output register is read back. Note: Rationale: To minimize CCF of the SIUL Note: Implementation hint: To write two or more GPIOs with a single instruction, the Masked Parallel GPIO Pad Data Out register (MPGPDOx) register can be used. Application software shall verify that the two GPIOs used are in the same MPGPDOx register. To protect the value of the other GPIOs that belong to the same MPGPDOx, the MASK field of the MPGPDOx register needs to be properly configured. Implementation details The only hardware element that can be used for the safety function is the GPIO. 28/76 Doc ID 024283 Rev 2 AN4266 Note: Functional safety requirements for application software Every pad that is not dedicated to a single function can be configured as GPIO. ADCs are an exception to this rule, as they can be configured as inputs only. The pads shall be configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Table 7. 3.13.5 Software BIST and/or test Software BIST or test Frequency SIUL_SWTEST_REGCRC Once after programming GPODW_SWAPP_WRITE Once every write Write PWM Outputs For ASIL D applications, PWM outputs used for safety purposes are assumed to be written either redundantly or with read back as described in the following section. The element safety function Write PWM Output is implemented as Double Write PWM Outputs or Single Write PWM Outputs With Read Back. Double Write PWM Outputs The hardware elements eTimer_0 and eTimer_1 or FlexPWM_0 and FlexPWM_1 are used to perform a Double Write PWM Output. Mandatory: These units must be configured to implement two PWM channels. The SIUL must be configured to define the configuration of the output pads used. The software must perform a double write. Mandatory: Redundant pads must not be adjacent and pad configuration/data registers must be separate SIUL registers (see Section 7, I/O pin/ball configuration for details). Note: Rationale: To avoid CCF Mandatory: To guarantee the integrity of the two output channels, the application should test the SIUL configuration implementing the SIUL_SWTEST_REGCRC. Note: Rationale: To avoid CCF caused by incorrect configuration of the pads Mandatory: The application software must implement a test for the eTimer_0 and eTimer_1 configuration (ETIMER0_SWTEST_REGCRC, ETIMER1_SWTEST_REGCRC) or for the FlexPWM_0 and FlexPWM_1 configuration (FLEXPWM0_SWTEST_REGCRC, FLEXPWM1_SWTEST_REGCRC) and a software write (PWMDW_SWAPP_WRITE). Note: Rationale: To verify that the configuration of the modules used by this safety function adhere to the expected configuration Doc ID 024283 Rev 2 29/76 Functional safety requirements for application software PWM Out Double Write Configuration (eTimer) PWM Out Double Write Configuration (FlexPWM) eTimer_1 Flex PWM_0 Flex PWM_1 O O O O ETC[x]* ETC[y]* n[z]* n[z]* eTimer_0 O AN4266 = Output Pad Note: n[z] represents any FlexPWM output (for example, A[z], B[z] or X[z]), but each output must be driven by different FlexPWM modules. The same consideration is valid for the eTimer; any eTimer output may be used, but each output must be driven by different eTimer module. Figure 6. Double Write PWM Output configuration Software test implementation ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read and a CRC checksum is computed. The CRC checksum is compared to the expected value. ● ETIMER0_SWTEST_REGCRC The eTimer_0 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● ETIMER1_SWTEST_REGCRC The eTimer_1 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● FLEXPWM0_SWTEST_REGCRC The FlexPWM_0 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● FLEXPWM1_SWTEST_REGCRC The FlexPWM_01 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. Note: Implementation hint: The eDMA and CRC modules should be used to implement this SIF to avoid overloading the CPU. ● 30/76 PWMDW_SWAPP_WRITE Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Mandatory: The output write of a redundant PWM channel must be implemented by writing the new output values to both the PWM channels. The customer can decide whether to use both eTimers (eTimer_0, eTimer_1) or both FlexPWMs (FlexPWM_0, FlexPWM_1), See Figure 6. Note: Rationale: To write a digital output by exploiting redundancy, and modules must belong to different lakes to decrease the probability of CCF Implementation details The following hardware elements shall be used for the safety function: ● eTimer_0 channels ● eTimer_1 channels ● FlexPWM_0 channels ● FlexPWM_1 channels Mandatory: The pads shall be configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Note: Rationale: To configure pads used by this safety function Table 8. Software BIST and/or test Software BIST or test Frequency SIUL_SWTEST_REGCRC Once after programming(1) ETIMER0_SWTEST_REGCRC(2) Once after programming (2) Once after programming ETIMER1_SWTEST_REGCRC FLEXPWM0_SWTEST_REGCRC(3) Once after programming FLEXPWM1_SWTEST_REGCRC(3) Once after programming PWMDW_SWAPP_WRITE Once every write 1. If a change in a single SIUL configuration register is capable of affecting both the output and the read-back paths, then SIUL_SWTEST_REGCRC must be executed every FTTI. In all other cases configuration errors are covered by the software comparison. 2. This software BIST is needed only if the FlexPWM channels are used for the safety function 3. This software BIST is needed only if the eTimer channels are used for the safety function Single Write PWM Outputs With Read Back The hardware elements eTimer_0 and FlexPWM_1 or eTimer_1 and FlexPWM_0 are used to perform a Write PWM Output With Read Back(f). These units must be configured to implement one PWM output channel and (via internal read back) the eTimer_0 input PWM channel. The SIUL must be configured to define the configuration of the output pads used. The software must perform a write operation followed by a read operation. To guarantee the integrity of the two output channels, the application should test the SIUL configuration implementing the SIUL_SWTEST_REGCRC (to avoid a common failure caused by misconfiguration of the pads). f. eTimer_0 and FlexPWM_0 (eTimer_1 and FlexPWM_1) cannot be used in combination due to the same LBIST partition assignment. Doc ID 024283 Rev 2 31/76 Functional safety requirements for application software Note: AN4266 Implementation hint: A single channel of the eTimer is used with a multiplexing of the internal read back of the different output of the FlexPWM. The read back paths are limited to six signals, two for each sub-module of the FlexPWM. Mandatory: The application software must implement software tests for eTimer_0 and eTimer_1 configurations: Note: ● FLEXPWM0_SWTEST_REGCRC ● FLEXPWM1_SWTEST_REGCRC ● ETIMER0_SWTEST_REGCRC ● ETIMER1_SWTEST_REGCRC Rationale: To verify that the configuration of the modules used by this safety function adheres to the expected configuration Mandatory: The application software must write to the output port and then compare the written value via the read back (See item PWMRB_SWTEST_CMP below). Note: Rationale: To verify that written data is what is expected PWM Out Single Write External Readback Configuration I = Input Pad O = Output Pad PWM Out Single Write Internal Readback Configuration eTimer Flex PWM eTimer Flex PWM I O I O ETC[x] n[z]* n[z]* * Note: n[z] represents any FlexPWM output. Figure 7. 32/76 Single Write PWM Output With Read Back configuration Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Software test implementation ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● ETIMER0_SWTEST_REGCRC The eTimer_0 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● ETIMER1_SWTEST_REGCRC The eTimer_1 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● FLEXPWM0_SWTEST_REGCRC The FlexPWM_0 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● FLEXPWM1_SWTEST_REGCRC The FlexPWM_1 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. Note: Implementation hint: The eDMA and CRC modules should be used to implement this SIF to avoid overloading the CPU. ● PWMRB_SWTEST_CMP This procedure output compares the PWM read back provided by a single channel of the eTimer_0 (eTimer_1) with the expected values that have been written to the FlexPWM_1 (FlexPWM_0) output channel. Implementation details The following hardware elements shall be used for the safety function: ● eTimer_0 channels ● eTimer_1 channels ● FlexPWM_0 channels ● FlexPWM_1 channels Mandatory: The pads shall be configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Note: Rationale: To configure pads used by this safety function Doc ID 024283 Rev 2 33/76 Functional safety requirements for application software Table 9. AN4266 Software BIST and/or test Software BIST or test Frequency SIUL_SWTEST_REGCRC Once after programming (1) ETIMER0_SWTEST_REGCRC Once after programming ETIMER1_SWTEST_REGCRC(1) Once after programming FLEXPWM0_SWTEST_REGCRC(2) Once after programming FLEXPWM1_SWTEST_REGCRC(2) Once after programming PWMRB_SWTEST_CMP Once every write 1. This software BIST is needed only if the eTimer channels are used for the safety function. 2. This software BIST is needed only if the FlexPWM channels are used for the safety function. 3.13.6 Other requirements for I/O peripherals Mandatory: Other requirements related to I/O peripherals include the following: ● Note: In the eTimer module, the capture flag (eTimer_n_STS[ICFn]) must be used. Rationale: To detect missing eTimer_n acquisition ● If the eTimer counter is used to decode a primary and secondary external input as quadrature encoded signals, the eTimer watchdog must be used (See “Counting Modes” section of the SPC56xL70xx Reference Manual). Note: Rationale: To detect stalled quadrature counting 3.14 Cross Triggering Unit (CTU) The CTU generates some triggers based on input events (FlexPWMs, eTimers, and/or external pins). The trigger can be caused by: ● A pulse ● An interrupt ● An ADC command (or a stream of consecutive commands) ● All of these Mandatory: The CTU shall be appropriately configured so that the output triggers are generated within the desired time schedule with respect to the input event(s). Note: Rationale: To avoid erratic output trigger generation For each trigger, a set of ADC commands and pulses to be generated can be defined. If the application safety function includes the read of some inputs synchronized with some events (FlexPWMs, eTimers, and/or external pins), the customer can use the CTU module for this purpose. The software needed for targeting the ASIL D is listed in Section 3.14.1, Synchronize Sequential Read Input. For a detailed description on how the CTU works (triggered and sequential mode), its configuration and use, refer to the SPC56xL70xx Reference Manual. 34/76 Doc ID 024283 Rev 2 AN4266 3.14.1 Functional safety requirements for application software Synchronize Sequential Read Input The CTU can be used if the customer needs to synchronize the reading of some inputs with some events (FlexPWMs, eTimers, and/or external pins). Mandatory: If this function is part of the application safety function, the safety integrity is achieved by a mix of hardware mechanisms and software safety integrity functions implemented at the application level: Note: ● CTU_HWSWTEST_TRIGGERNUM ● CTU_SWTEST_TRIGGERTIME ● CTU_HWSWTEST_TRIGGEROVERRUN ● CTU_HWSWTEST_ADCCOMMAND (only if the input is an analog signal) ● CTU_SWTEST_ETIMERCOMMAND ● CTU_HW_CFGINTEGRITY These functions are mandatory only if the CTU is used. Software test implementation ● CTU_HWSWTEST_TRIGGERNUM If the reload signal occurs before all the triggers are generated, an overrun indication is flagged and the application software must handle the error indication. Note: Rationale: Tests if all the triggers configured within a control period have been generated and serviced. Note: Implementation hint: The Cross Triggering Unit Error Flag register (CTUEFR) shows information about the overrun status. ● CTU_SWTEST_TRIGGERTIME Application software must configure one eTimer channel to capture the time at which each trigger event occurs. In triggered mode, the time instant of each trigger within one control period is captured and stored in a FIFO. Application software has to check the FIFO values against the expected ones according to CTU configuration. In sequential mode, one eTimer channel is needed to check the correct time of a single trigger with respect to the corresponding event. Note: Rationale: To verify if triggers are generated at the correct time Note: Implementation hint: Some eTimer inputs are internally connected to the CTU output. eTIMER_2 input/outputs are not connected to pins on LQFP144 package. Use eTIMER_2 channels for implementing this safety function to keep the channels from eTIMER_0 or eTIMER_1 units for functions using port pins (See “Enhanced Motor Control Timer (eTimer)” in the SPC56xL70xx Reference Manual for details). Note: Implementation hint: eTimer capture register implements a two entry FIFO, but in CTU triggered mode up to 8 time values need to be stored. To avoid FIFO overflow condition, Doc ID 024283 Rev 2 35/76 Functional safety requirements for application software AN4266 eTimer can be configured to trigger a eDMA transfer to move the captured value to specific RAM location. ● CTU_HWSWTEST_TRIGGEROVERRUN This hardware mechanism checks if a new trigger occurs that requires an action by a subunit that is currently busy. In this case, an overrun interrupt is generated and the application software must handle the error condition. Over-run detection mechanism shall be enabled by software during CTU configuration. Note: Rationale: Checks if a new trigger occurs that requires an action by a subunit (such as ADC command generator) which is currently busy. Note: Implementation hint: To enable the over-run detection the IEE flag in the Cross Triggering Unit Interrupt/eDMA register (CTUIR) register shall be asserted. This interrupt is shared between several sources of error. The user can discriminate among them by reading the CTUEFR register. ● CTU_HWSWTEST_ADCCOMMAND The CTU stores in its internal FIFOs both the value provided by each ADC conversion and the channel number. Application software must check the ADC channel number sequence against what is expected for each FIFO. Moreover, invalid commands issued by the CTU are flagged and the corresponding error must be handled by the application software. Note: Rationale: To detect if the incorrect channel has been acquired, or if the incorrect ADC result FIFO is selected Note: Implementation hint: To enable invalid command detection, the IEE flag in the CTUIR register must be asserted. This interrupt is shared between several sources of error. The user can discriminate among them by reading the CTUEFR register. This safety integrity function needs to be implemented only when reading analog signals. ● CTU_SWTEST_ETIMERCOMMAND Application software must configure one channel of eTimer_0 or eTimer_1 to count the number of eTimer commands generated within a CTU control period and must check the number against the expected one. Note: Rationale: To verify the correctness of the number of generated commands Note: Implementation hint: Some eTimer inputs are internally connected to the CTU output (See the SPC56xL70xx Reference Manual for details). ● CTU_HW_CFGINTEGRITY This hardware mechanism ensures the consistency of the CTU configuration at the beginning of each CTU control period. The configuration registers are all double-buffered. If the configuration is only partial when the control period starts, the previous configuration is used and an error condition is flagged, which must be handled by the application software. Note: Rationale: Ensures the consistency of the CTU configuration Note: Implementation hint: The CTU uses a safe reload mechanism. The General Reload Enable (GRE) bit in the Cross Triggering Unit Control Register (CTUCR) shall be used to detect partial or incomplete CTU update. 36/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software To enable the interrupt in case of error during reload, the IEE flag in the CTUIR register shall be asserted. This interrupt is shared between several sources of error. The user can discriminate among them by reading the CTUEFR register. Implementation details The following hardware elements shall be used for the safety function: ● CTU ● One eTimer channel Table 10. Software BIST and/or test Software BIST or test Frequency CTU_HWSWTEST_TRIGGERNUM Once for every control period (< FTTI) CTU_SWTEST_TRIGGERTIME Once for every CTU control period (triggered mode) or every trigger (sequential mode) CTU_HWSWTEST_TRIGGEROVERRUN Once for every trigger CTU_HWSWTEST_ADCCOMMAND Once for every ADC command CTU_SWTEST_ETIMERCOMMAND Once for every control period (< FTTI) CTU_HW_CFGINTEGRITY Once for every control period (< FTTI) Other requirements for CTU module usage Mandatory: The only other requirement related to the CTU is that if the CTU is used to read an analog signal through the ADC, the software shall verify the Invalid Command Error flag (CTU_CTUEFR[ICR]) after programming the ADC command lists. Note: Rationale: To check the presence of invalid commands 3.15 ADC If the ADC is used in a safety function, the following sections must be observed if an ADC BIST is to be performed. It is important to note that the ADC is part of the temperature measuring safety integrity function, and it is therefore required that the HWBIST functions be executed once after the boot even if the ADC is not in application use. 3.15.1 Read Analog Inputs The customer has two options for reading analog inputs: ● Single Read Analog Inputs ● Double Read Analog Inputs Doc ID 024283 Rev 2 37/76 Functional safety requirements for application software AN4266 Single Read Analog Inputs Hardware elements The single-read analog input uses a single-analog-input channel either of ADC_0 or ADC_1 to acquire an analog voltage signal (See Figure 8). To support a high diagnostic coverage two known reference supply voltages are utilized by two software tests which are described in the following sections (ADC_SWTEST_TEST1 and ADC_SWTEST_TEST2). The reference supply voltages are the following: ● VDD_HV_ADR0 (ADC_0 high reference voltage) ● VDD_HV_ADR1 (ADC_1 high reference voltage) ● VSS_HV_ADR0 (ADC_0 low reference voltage) ● VSS_HV_ADR1 (ADC_1 low reference voltage) The SIUL unit must be configured properly to correctly enable the input pads. The pads used for analog inputs are only of type INPUTS. Safety Integrity Functions Mandatory: The safety integrity is achieved by dedicated hardware BIST(g): Note: Rationale: Hardware BIST to check the integrity of the ADC, both analog and digital parts: ● SUPPLY SELF-TESTRESISTIVE-CAPACITIVE SELF-TESTCAPACITIVE SELF-TEST Mandatory: By dedicated software test implemented at the application level: ● ADC_SWTEST_TEST1 ● ADC_SWTEST_TEST2 ● ADC_SWTEST_VALCHK ● ADC0_SWTEST_REGCRC ● ADC1_SWTEST_REGCRC ● SIUL_SWTEST_REGCRC ● ADC_SWTEST_ADCOVERSAMPLING g. These hardware BISTs need some software to activate them. This software shall be developed by the customer. 38/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Analog Single Read/Write Internal Readback Configuration ADC_x Reference voltages (Vdd_HV_ADRx and Vss_HV_ADR) I = Input Pad I AN[x] Figure 8. Single Read Analog Input configuration Hardware BIST Three types of self-test algorithms have been implemented in the ADC hardware: ● SUPPLY SELF-TEST ● RESISTIVE-CAPACITIVE SELF-TEST ● CAPACITIVE SELF-TEST Hardware BIST implementationThe hardware BISTs shall be activated by the application in one of the following modes: ● CPU mode ● CTU mode In CPU mode, the application software takes care of the hardware self-test activation and checks the test flow and the timing. In CTU mode, the CTU module takes care of the hardware self-test activation, flow monitoring, and timing. It is important to note that in this operating mode, the CPU does not take part in running the hardware self-test. HW self-tests use analog watchdogs to verify the outcome of self-test conversions. The reference thresholds of these watchdogs are saved in test sector (See “Test flash memory” section and “Test flash information” table in the SPC56xL70xx Reference Manual). Mandatory: Before running the HW self-test, the customer must copy these thresholds from the test sector into the watchdog registers (See “Self test analog watchdog” section of the SPC56xL70xx Reference Manual). Doc ID 024283 Rev 2 39/76 Functional safety requirements for application software AN4266 Note: Rationale: To set the correct threshold for the self-tests Note: Implementation hint: Since user can not directly read the test sector an SSCM feature, called Test Flash Enable, shall be exploited. This action is performed through the following steps: 1. If code is executing in flash memory, it jumps to execute from RAM. 2. Write SSCM_SCTR[TFE] = 1. 3. Test sector is readable at the offset 0x0 of the flash memory address space (See “System Status and Configuration Module (SSCM)” of the Reference Manual). 4. Thresholds are copied from the test sector to the respective register. 5. Write SSCM_SCTR[TFE] = 0. 6. Code can continue execution from the flash memory. BAM implements an access method to read the test sector. Mandatory: Since the BAM is not developed according to the safety standard, a safety application is not allowed to read the test sector through the BAM access method. Additionally, a watchdog timer is implemented to check the sequence of the self-test algorithms. Mandatory: The customer must enable the watchdog timer for CPU mode and CTU mode. The programmable watchdog timeout is the FTTI(h). Note: Rationale: To check the sequence of the self-test algorithms Every hardware BIST is activated via a dedicated command sent to the ADC. Refer to the “Self-testing” section in the “ADC” chapter of the SPC56xL70xx Reference Manual to have all detailed instructions for implementing one of these modes. The supply self-test must be executed without interleaved user conversion. Software tests ● ADC_SWTEST_TEST1 This software BIST exploits the presampling feature of the ADC. Presampling allows to precharge or discharge the ADC internal capacitor before it starts the sampling and conversion phases of the analog input coming from pads. During presampling phase, the ADC samples the internally generated voltage while in the sampling phase the ADC samples analog input coming from pads (See Figure ). Reference voltage which can be used during presampling phase is either VDD_HV_ADR0/1 or VSS_HV_ADR0/1. If there is an open failure in the analog multiplexing circuitry, the signal converted by the ADC is not the analog input coming from the pad, but the presampling reference voltage (VDD_HV_ADR0/1 or VSS_HV_ADR0/1). This BIST must be run for each analog input used by the safety function. Since the pads dedicated to analog inputs are of type INPUT, a missing enable from the SIUL results in an open failure. Note: Rationale: To detect open failures of the channel multiplexing circuitry (See Figure 9) h. This action is not mandatory in case of Double Read Analog Inputs. 40/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Open detection: Presampling phase Conversion phase ADC pins ADC ADC Reference value 1 Figure 9. Note: ADC pins Reference value 1 Software BISTs to test the multiplexing circuitry (ADC_SWTEST_TEST1) Implementation hint: Presampling can be enabled on a per channel basis through the ADC_x_PSR0 register. ADC_x_PSCR[PREVAL0] selects which reference voltage is used to precharge/discharge the ADC internal capacitor. ADC_x_PSCR[PRECONV] register shall be 0 (See “Analog-to-Digital Converter (ADC)” chapter in the SPC56xL70xx Reference Manual for details on the presampling feature). Doc ID 024283 Rev 2 41/76 Functional safety requirements for application software AN4266 I Vdd_HV_ADRx or Vss_HV_ADRx Presample Ch A Sample Ch A Convert Ch A Presample Ch B Sample Ch B Convert Ch B t Note: Either VDD_HV_ADR0/1 or VSS_HV_ADR0/1 can be used as presampling voltage. Figure 10. Implementation of ADC_SW_TEST1 through the ADC presample feature ● ADC_SWTEST_TEST2 To detect short failures two different voltages are acquired by the ADC. If these values are different from the expected ones, a short failure on the multiplexed circuitry has been detected. To implement this test a presampling feature of the ADC can be exploited. The presampling must be configured in such a way that the sampling of the channel is bypassed and the presampling reference supply voltages are converted. During the first step the VDD_HV_ADR0/1 is converted and compared with the its expected value, then the VSS_HV_ADR0/1 is converted and compared with its expected value (See Figure 12). Figure 12 includes the conversion of the 2 different presampling reference voltages (VDD_HV_ADR0/1 and VSS_VH_ADR0/1). Note: Rationale: To detect short failures of the channel multiplexing circuitry (See Figure 11) Short detection: First reference conversion Second reference conversion ADC pins ADC ADC Reference value 1 Figure 11. Note: ADC pins Reference value 2 Software BISTs to test the multiplexing circuitry (ADC_SWTEST_TEST2) Implementation hint: The implementation hints of the ADC_SWTEST_TEST1 applies also to the ADC_SWTEST_TEST2 To bypass the conversion of the input channel and convert the presampled values, ADC_x_PSCR[PRECONV] register shall be set to 1. 42/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Vdd_HV_ADRx Presample Ch x Convert Ch x Vss_HV_ADRx Presample Ch x Convert Ch x t Note: Either VDD_HV_ADR0/1 or VSS_HV_ADR0/1 can be used as presampling voltage. Figure 12. Implementation of ADC_SW_TEST2 through the ADC presample feature ADC_SWTEST_VALCHK The goal of this software test is to verify correct operation of the control and queue logic of the ADC, and also the CTU, if used. This software measures implementation is dependant on the ADC configuration (for example, CTU or CPU mode): When the ADC is used in CPU mode, the acquired value is read by the ADC_CDRn. This register includes ADC_CDRn[VALID] and ADC_CDRn[RESULT] fields as well as channel n converted data (ADC_CDRn[CDATA]). These fields provide status information about the data acquisition. Application software shall read and verify these fields after every acquisition. When the ADC conversion is triggered by the CTU, the acquired digital sample data are stored in a dual queue along with information about the channel that performed the acquisition. Checking the channel information of the acquisition provides sufficient coverage of the control logic and, in part, the queue logic. Note: Implementation hint: If ADC is configured to work in CTU mode, the conversion results are stored in CTU FIFOs (See “Cross-Triggering Unit (CTU)” chapter in SPC56xL70xx Reference Manual). Along with the converted data, the converted channel number and ADC module are stored. CTU includes two sets of registers to read this information (FIFO Right aligned data, CTU_FRx, and FIFO Left aligned data, CTU_FLx). User must read these registers to verify if the sequence of the acquired channel is what is expected. ● ADC_SWTEST_OVERSAMPLING In case of Single Read Analog Inputs the ADC_SWTEST_ADCOVERSAMPLING_CMP must be implemented as counter measure against random fault. ADC_SWTEST_OVERSAMPLING is an acquisition redundant in time. It refers to sampling the signal at rate significantly higher than the Nyquist Frequency related to the input signal. In case of fault the acquired values are not correlated with themselves. This SIF compares the acquired value to verify the correlation. Against random fault, three consecutive analog values are converted for each acquisition to implement the ADC_SWTEST_OVERSAMPLING The second Doc ID 024283 Rev 2 43/76 Functional safety requirements for application software AN4266 acquisition, A2, is faulty because the first converted value is quite different respect the other two (See Figure 13). Faulty Acquisition t A1 A2 A3 Figure 13. Series of acquired analog values ● ADC0_SWTEST_REGCRC If ADC_0 is used, the ADC_0 configuration registers are read and CRC checksum is computed. The checksum is compared to the expected value. ● ADC1_SWTEST_REGCRC If ADC_1 is used, the ADC_1 configuration registers are read and CRC checksum is computed. The checksum is compared to the expected value. ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. Implementation details The following hardware elements shall be used for the safety function: ● Analog input channels AN[0:8] of ADC_0 ● Analog input channels AN[11:14] of ADC_0 and ADC_1 (shared channels) ● Analog input channels AN[0:8] of ADC_1 The user must select one channel from ADC_0 or from ADC_1. Shared channels can be used. Mandatory: The input pads are configured via the appropriate pad configuration registers (PCRn) in the SIUL module. Table 11. 44/76 Software BIST and/or test Software BIST and/or test Frequency SUPPLY SELF-TEST Once in the FTTI RESISTIVE-CAPACITIVE SELF-TEST Once in the FTTI CAPACITIVE SELF-TEST Once in the FTTI ADC_SWTEST_TEST1 Once in the FTTI ADC_SWTEST_TEST2 Once in the FTTI ADC_SWTEST_VALCHK Once for every acquisition ADC_SWTEST_OVERSAMPLING Once for every acquisition Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Table 11. Software BIST and/or test (continued) Software BIST and/or test Frequency ADC0_SWTEST_REGCRC Once in the FTTI ADC1_SWTEST_REGCRC Once in the FTTI SIUL_SWTEST_REGCRC Once in the FTTI Double Read Analog Inputs Hardware elements The Double Read Analog Input uses two analog input channels to acquire a replicated analog input signal. Both ADC units acquire and digitize the two copies of a redundant analog signal connected to the inputs. In this configuration (if applied to all possible analog inputs), only half of the analog inputs are available to the applications (AN[0:8] of ADC_0 for signals, and AN[0:8] of ADC_1 for signal copies). Mandatory: The shared channels (AN[11:14]) suffer from CCF because they share pads between each ADC module. Therefore, they are omitted (considered not safe) for double reads. The comparison of the results is performed by application software (See Figure 14). Note: Rationale: ADC_0 and ADC_1 share a pad for the channels (AN[11:14]). Omitting them from double read eliminates a possible source of CCF. Mandatory: After boot but before executing the safety function the following tests shall be executed to detect latent faults (See Section , Hardware BIST and Section , Hardware BIST implementation): Note: ● SUPPLY SELF-TEST ● RESISTIVE-CAPACITIVE SELF-TEST ● CAPACITIVE SELF-TEST Rationale: To check the integrity of the ADC modules Mandatory: Before running the HW self-test, the customer must copy the threshold values of the analog watchdogs from test sector into the watchdog registers (See “Self test analog watchdog” section of the “Analog-to-Digital Converter (ADC)” chapter in SPC56xL70xx Reference Manual). Note: Rationale: To set the correct threshold for the self-test Safety Integrity Functions Safety integrity is achieved by replicated acquisition with separate analog input channels and software comparison by the processing function (See Figure 14). Mandatory: The following software test must be implemented by the application software: ADC0_SWTEST_REGCRC, ADC1_SWTEST_REGCRC, SIUL_SWTEST_REGCRC Note: Rationale: To verify that the configuration of the module used by this safety function corresponds with what is expected Note: Rationale: To avoid CCF caused by improper configuration of the pads Mandatory: In addition, the software test ADC_SWTEST_CMP must be implemented to compare the channel reads. Doc ID 024283 Rev 2 45/76 Functional safety requirements for application software Note: AN4266 Rationale: To verify that the two sets of read data compare It is important to note that this safety integrity function might be applied in addition to Single Analog Read Inputs, which increases diagnostic coverage. Analog Double Read Configuration I = Input Pad ADC_0 ADC_1 I I AN[0:8] AN[0:8] Figure 14. Double Read Analog Inputs configuration Software test implementation ● ADC0_SWTEST_REGCRC The ADC_0 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● ADC1_SWTEST_REGCRC The ADC_1 configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● SIUL_SWTEST_REGCRC The SIUL configuration registers are read and a CRC checksum is computed. The checksum is compared to the expected value. ● ADC_SWTEST_CMP This software test is used to execute a comparison between the double acquisition performed by one channel of ADC_0 and one channel of ADC_1. The comparison must be approximated because of conversion differences. 46/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software Implementation details The following hardware elements shall be used for the safety function: ● Analog input channels AN[0:8] of ADC_0 ● Analog input channels AN[0:8] of ADC_1 The user must select one channel from ADC_0 and one from ADC_1. The input pads are configured via the appropriate pad configuration registers, SIUL_PCRn. Table 12. 3.15.2 Software BIST and/or test Software BIST or test Frequency SUPPLY SELF-TEST Once after boot RESISTIVE-CAPACITIVE SELF-TEST Once after boot CAPACITIVE SELF-TEST Once after boot ADC0_SWTEST_REGCRC Once after programming ADC1_SWTEST_REGCRC Once after progamming SIUL_SWTEST_REGCRC Once after progamming ADC_SWTEST_CMP Once for every acquisition Other requirements Other requirements related to the ADC modules are: 3.16 ● When an application needs to access the ADC result FIFO, a 32-bit read access shall be performed to verify the channel number on which the conversion has been executed. ● If the ADC analog watchdog function is used for function-safety relevant signal, two analog watchdog channels must monitor the same signal. ● If the Sine Wave Generator (SWG) is used, the ADC (in conjunction with CTU) must be used to check the output signal. Temperature sensors There are two temperature sensors: temperature sensor 0 (TSENS_0) mapped to ADC_0 and temperature sensor 1 (TSENS_1) mapped to ADC_1. Mandatory: During power up, the two temperature sensors need to be read by software (TSENS_0 from ADC_0 channel 15, TSENS_1 from ADC_1 channel 15), which must verify that the read values are similar as a means of assessing the functionality of the sensors. However, nothing prohibits reading the temperature sensors during run time if needed. Note: Rationale: A means of assessing functionality of the temperature sensors Mandatory: In addition, the temperature must be acquired from at least one of the temperature sensors by software every FTTI during run time. In case of a fault, software must move the system to a safe state. Note: Rationale: To detect over-temperature faults Doc ID 024283 Rev 2 47/76 Functional safety requirements for application software AN4266 To set a proper threshold the customer must consider that the maximum operating junction temperature is 150 °C (See the SPC56xL70xx data sheet) and the temperature sensor accuracy is 10° C. Note: Implementation hint: See the SPC56xL70xx Reference Manual for details on TSENS_x implementation in relation to the ADC. It is important to note that the ADC is part of the temperature measuring safety integrity function. Therefore, it is required that the BIST of the ADC be executed once after boot even if the ADC is not used by the application. 3.17 Software Watchdog Timer (SWT) Mandatory: These requirements apply to the SWT for ASIL D applications: ● Note: Both of the following must be true: – The SWT is enabled – Configuration registers hard locked to avoid unwanted modification ● The SWT time window settings must be set to a value less than the FTTI. Detection latency shall be smaller than FTTI. ● Before the safety function is executed, software must verify that the SWT is enabled by reading the SWT control register (SWT_CR[WEN] = 1). Rationale: To detect a defective program sequence Mandatory: Control flow monitoring can be implemented by SWT. However, other control flow monitoring approaches that do not used the SWT may also be used. SPC56xL70xx provides the hardware support (SWT) to implement both control flow and temporal monitoring methods. Refer to the SPC56xL70xx Reference Manual for the SWT functional description. Note: Implementation hint: To enable the SWT, and to hard lock the configuration register, SWT_CR[WEN] and SWT_CR[HLK] must be asserted (= 1). The timeout register (SWT_TO) must contain a 32-bit value that represents a timeout less than the FTTI. If Windowed mode and Keyed Service mode (two pseudorandom key values used to service the watchdog) are enabled, it is possible to reach a high effective temporal flow monitoring. 3.18 Redundancy Control Checking Unit (RCCU) The task of the RCCU unit is to perform a cycle-by-cycle comparison of the outputs of the modules included in the SoR. The SoR is the logical part of the device that contains all the modules that are replicated for functional safety reasons. The RCCU is able to detect any mismatch between the outputs of two replicated modules. The error information is forwarded to the MC_RGM and FCCU. For ASIL D applications, use of the RCCU is indispensable. The use of RCCU’s is automatically managed by the SPC56xL70xx device, users cannot disable the RCCU. Note: 48/76 Rationale: To catch faults in the processing channel Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software The RCCUs are only enabled when the SPC56xL70xx is in LSM. Application software must determine whether LSM mode is activate. Please refer to Section 3.2.2, Checking for further details. 3.19 Cyclic Redundancy Checker Unit (CRC) The CRC module computes CRC checksums, which offloads the CPU. The CRC has the capability of processing two CRC calculations simultaneously. Recommended: The CRC module should be used to detect accidental alteration of data during transmission or storage. The CRC takes as its input a data stream of any length and produces a 32-bit output value. Mandatory: The CRC calculation shall be executed to verify the content of the registers. Note: Rationale: The contents of the configuration registers of the safety-related modules must be checked within the FTTI. Note: Theoretically, the CPU could be used instead of the CRC to verify that the value of the configuration registers have not changed. However, using the CRC is more effective. Note: Implementation hint: The CRC of the configuration registers of the modules involved with the safety function shall be calculated offline. At run time, the same CRC value shall be calculated by the CRC module within the safety process time. To avoid overloading the CPU, the eDMA module can be used to support the data transfer from the registers under check to the CRC module. The result of the runtime computation is then compared to the value of the offline CRC. The application must include detection, or protection measures, against possible faults of the CRC module only if the CRC module is used by any SEF. 3.20 Clock Monitor Unit (CMU) The main task of the Clock Monitor Unit (CMU) is to supervise the integrity of various clock sources. Mandatory: The following supervisor functions shall be used: Note: ● Loss of external crystal oscillator clock ● FMPLL frequency higher than a (programmable) value set as high reference ● FMPLL frequency lower than a (programmable) value set as low reference Rationale: To monitor the integrity of the clock signals This error information is forwarded to the FCCU and to the MC_RGM. SPC56xL70xx includes three CMUs: ● CMU_0 monitors the clock signal of the SoR modules and the clock from the XOSC (XOSC_CLK). ● CMU_1 monitors the clock signal used by the motor control related peripherals (such as eTimer, FlexPWM, CTU and ADC). ● CMU_2 monitors the clock signal for the protocol engine of the FlexRay module. Doc ID 024283 Rev 2 49/76 Functional safety requirements for application software AN4266 Mandatory: For ASIL D applications, use of the CMU is mandatory. If the related modules are used by the application safety function, the user shall verify that the CMUs are enabled and their faults managed by the FCCU. Note: Rationale: To monitor the integrity of the various clock signals Note: Implementation hint: In general, the following two application-dependent configurations must be executed before CMU monitoring will be enabled: ● The first configuration is related to the XOSC_CLK monitor of CMU_0. The software shall configure CMU_0_CSR[RCDIV] to select a divider for the IRCOSC. The divided RCOSC frequency will be compared with the XOSC_CLK. ● The second configuration relates to the other clock signals being monitored. The high frequency reference (CMU_n_HFREFR_A[HFREF_A]) and low frequency reference (CMU_n_LFREFR_A[LFREF_A]) shall be configured depending on the SoR (CMU_0), motor control related peripherals (CMU_1) and FlexRay (CMU_2) clock frequencies. Once the CMUs are configured, the clock monitoring must be enabled by asserting CMU_n_CSR[CME_A] (= 1). 3.21 Frequency-Modulated Phase-Locked Loop (FMPLL) Mandatory: Application software has the responsibility of checking that the system uses the system FMPLL clock as system clock before running any safety element function (PLL_SWCHECK). Note: Rationale: To decrease the risk of a glitch from the crystal or IRCOSC Note: Implementation hint: Application software can verify the current system clock by checking MC_ME_GS[S_SYSCLK] status. MC_ME_GS[S_SYSCLK] = 0x4 indicates system FMPLL clock is used as system clock. Mandatory: Each FMPLL provides a loss of lock error indication which is routed to the MC_RGM and FCCU. The application software must enable the respective fault and configure the FCCU to manage the fault. Note: Rationale: To check the integrity of the FMPLL clock Since the system can be driven by the IRCOSC, if there is a system clock fault, an FMPLL fault is considered a Non-Critical Fault (NCF). If the FMPLL successfully relocks after a clock fault it will typically stay relocked since the locking process includes built in hysteresis between loosing and regaining the lock. Note: Implementation hint: Software must clear FMPLL_n_CR[PLL_FAIL_MASK] so the pll_fail output is not masked. To enable the RGM input related to FMPLL loss of clock, RGM_FERD[D_PLLn] and RGM_FEAR[AR_PLLn] must be configured. To enable FCCU fault paths, registers in the FCCU must be configured (NCF_CFG0, NCFS_CFG0, NCF_TOE0, etc.). Loss of lock signals from FMPLL_0 and FMPLL_1 provide the FCCU NCF[2] and NCF[3] inputs, respectively. The MC_RGM and FCCU configuration includes the reaction in case of FMPLL loss of lock. This reaction is application-dependent. 50/76 Doc ID 024283 Rev 2 AN4266 3.22 Functional safety requirements for application software Internal RC Oscillator (IRCOSC) The frequency meter of CMU_0 must be exploited to verify the availability and frequency of the IRCOSC. This feature allows measuring the IRCOSC frequency using the external oscillator as the clock source. Mandatory: Users must measure the IRCOSC frequency and compare it with what is expected (16MHz(i)). This test must be performed at least once every FTTI (IRC_SW_CHECK_SIF). Note: Rationale: To check the integrity of the IRCOSC Note: If the IRCOSC is not operating due to a fault, the measurement of the IRCOSC frequency will never complete and the CMU_CSR[SFM] flag will remain set. The application shall manage detecting this condition. For example, implementing a software watchdog which monitors the CMU_CSR[SFM] flag status. Safety analysis assumes that this measurement executes at least once every FTTI. Testing frequency can be reduced to once after boot if the customer accepts that most safety mechanisms will be non-functional for the remainder of the operation if the IRCOSC fails. Safety related modules which work with the RC clock are: FCCU, CMU and SWT. These modules stop working if the IRCOSC fails. 3.23 Power Management Unit (PMU) The Power Management Units (PMU) manage the supply voltage of modules on the SPC56xL70xx. The supplies monitored by the PMU and naming conventions are found in Table 13. Table 13. PMU monitored supplies Detector Type Detector Name Voltage Monitored Alternate Name Comments Flash memory LVD LVD_MAIN_3 VDDFLASH LVD_FLASH A redundant LVD is embedded I/O LVD LVD_MAIN_1 VDDIO LVD_GPIO A redundant LVD is embedded VREG LVD LVD_MAIN_2 VDDREG LVD_VREG A redundant LVD is embedded Core main LVD LVD_DIG_MAIN 1.2 V digital — — Core main HVD HVD_DIG_MAIN 1.2 V digital — — Core backup LVD LVD_DIG_BKUP 1.2 V digital — Assists in the self-test of LVD_DIG_MAIN Core backup HVD HVD_DIG_BKUP 1.2 V digital — Assists in the self-test of HVD_DIG_MAIN If one of the monitored voltages falls below or rises above a fixed threshold, a destructive reset is initiated. The Low Voltage Detection (LVD) and High Voltage Detection (HVD) fault indications are forwarded to the MC_RGM. i. Nominal frequency of the IRCOSC is 16 MHz, but a post trim accuracy of ±6% over voltage and temperature must be taken into account. Doc ID 024283 Rev 2 51/76 Functional safety requirements for application software AN4266 Since power is critical to the operation of the SPC56xL70xx there is built-in redundancy to the PMU core LVDs and HVDs. LVD_DIG_MAIN and HVD_DIG_MAIN monitor the digital core voltage and have backups for additional safety protection (LVD_DIG_BKUP and HVD_DIG_BKUP). Internal architecture allows for testing of the functionality of the main and back up LVD_DIG and HVD_DIG, as well as trimming circuitries (See Figure 15). The PMUCTRL module provides software initialized BISTs which test the digital core supply HVD and LVD (both main and backup). reference voltage 2 HVD_DIG_MAIN/ LVD_DIG_MAIN digital supply (1.2V) reference voltage 1 to MC_RGM (destructive reset) self-test circuitry to FCCU to MC_RGM HVD_DIG_BKUP/ LVD_DIG_BKUP Note: This scheme represents only the logical configuration and not the actual silicon implementation structure. Figure 15. Logic scheme of the LVD_DIG and HVD_DIG If the self-test circuitry detects a fault in the main or backup detectors the reaction will be one of the following (See “Built In Self-test (BIST)” subsection of the “Power Management Unit (PMU)” section in the SPC56xL70xx Reference Manual): ● ● Critical Fault (CF[21]) triggered and one or more of the following: – Main Low Voltage Detector Pending – PMUCTRL_IRQS[MLVDP] = 1 – Backup Low Voltage Detector Pending – PMUCTRL_IRQS[BLVDP] = 1 – Main High Voltage Detector Pending – PMUCTRL_IRQS[MHVDP] = 1 – Backup High Voltage Detector Pending – PMUCTRL_IRQS[BHVDP] = 1 Destructive reset triggered If the self-test circuitry detects a fault in the main or backup detectors the FCCU will read a CF. There are dedicated LVD’s in the flash memory, I/O and VREG providing additional redundancy. This solution is different from the 1.2 V digital core supply monitoring, but still provides the same level of safety coverage. The outputs of the first and the second LVD are logically AND’d in such a way that a single LVD can trigger a fault, even if the other LVD is not functioning properly (See Figure 16). 52/76 Doc ID 024283 Rev 2 AN4266 Functional safety requirements for application software reference voltage 2 PMU LVD self-test circuitry 3.3 V supply module LVD to FCCU to MC_RGM (destructive reset) Note: This scheme represents only the logical configuration and not the actual silicon implementation structure. Figure 16. Logic scheme of the LVD_FLASH, LVD_GPIO and LVD_VREG Operation of the LVD_FLASH, LVD_GPIO and LVD_VREG is as follows (software intervention is not needed): ● A single LVD (PMU LVD or module LVF) can trigger a fault even if the other LVD is faulty (this event signals the MC_RGM) ● During each power on cycle self-test circuitry is able to detect failures on one of the two LVD’s (this event signals the FCCU). Mandatory: Core voltage LVD and HVD implement a hardware assisted self-test that needs to be initiated by software once after the boot. Note: Rationale: To check the integrity of the LVD and HVD Note: Implementation hint: The hardware assisted self-tests are initiated by configuring PMUCTRL_CTRL[SILHT[1:0]]. If the self-test passes, an NCF is triggered. If the self-test fails, a PMUCTRL_IRQS flag and CF are asserted. Apart from the self-test, the use of the power management unit for ASIL D applications is transparent to the user, because the operation of the PMU is automatic. The SPC56xL70xx embeds three LVDs which can detect a failure in the 3.3V power supply. Considering the failure mode “Wrong Power Regulation”, a diagnostic coverage of 90% is estimated against both a soft error and DC fault. 3.24 Memory Protection Unit (MPU) The Memory Protection Unit (MPU) provides hardware access control for all memory references generated in a device. Using pre-programmed region descriptors that define memory spaces and their associated access rights, the MPU concurrently monitors all system bus transactions (including those initiated by the eDMA or FlexRay controller) and evaluates the appropriateness of each transfer. Doc ID 024283 Rev 2 53/76 Functional safety requirements for application software AN4266 Memory references that have sufficient access control rights are allowed to complete, while references that are not mapped to any region descriptor or have insufficient rights are terminated with a protection error response. The MPU implements a set of program-visible region descriptors that monitor all system bus addresses. The result is a hardware structure with a two-dimensional connection matrix, where the region descriptors represent one dimension and the individual system bus addresses and attributes represent the second dimension. Recommended: For ASIL D applications, the MPU should be used to ensure that only authorized software routines can configure modules and all other bus masters (eDMA, core, FlexRay) can access only their allocated resources according to their access rights. For the non-replicated master FlexRay, a correct MPU setup is highly recommended. 3.25 Register Protection Module The Register Protection module offers a mechanism to protect defined memory mapped address locations in a module that has been write protected. The address locations that can be protected are module specific. The Register Protection module includes these distinctive features: ● The Register Protection module restricts write accesses for the module under protection to supervisor mode only. This access restriction is in addition to any access restrictions imposed by the protected module. ● A register cannot be written once Soft Lock Protection is set. Soft Lock Protection can be cleared by software or system reset. ● A register cannot be written once Hard Lock Protection is set. Hard Lock Protection can only be cleared by system reset. Mandatory: For ASIL D applications, all configuration registers that aren’t modified during application execution, must be protected with a Hard Lock. Note: Rationale: Hard Lock is the last access protection against unwanted writes to some predefined memory mapped address locations. Mandatory: Access restrictions must be handled at MPU level. Note: Rationale: Access restriction at the MPU level is protection against unwanted read/write accesses to some predefined memory mapped address locations. Recommended: It is recommended that only hardware related software (OS, drivers) run in supervisor mode. Note: Implementation hint: Most of the off-platform peripherals have their own Register Protection module. Register Protection address space is inside the memory space reserved for the peripherals (please, refer to the “SPC56xL70xx registers under protection” section of the SPC56xL70xx Reference Manual). Each peripheral register that can be protected through the Register Protection module has a Set Soft Lock bit reserved in the Register Protection address space. This bit shall be asserted to enable the protection of the related peripheral registers. Moreover, the Hard Lock Bit (REG_PROT_GCR[HLB] = 1) should be set for best write protection. 54/76 Doc ID 024283 Rev 2 AN4266 3.26 Functional safety requirements for application software Error Correction Status Module (ECSM) There is no dedicated ECC module on the SPC56xL70xx. ECC functionality is located in, or near, the different storage modules and may vary slightly depending on the needs (and size) of the storage. The ECSM is used to detect failures of data stored in memory (SRAM only) and addressing failures (See “Error Correction Status Module (ECSM)” in the SPC56xL70xx Reference Manual). The ECSM can detect and correct single-bit errors, detect two bit faults and detect faults affecting more than two bits. For SRAM, addressing information is included in the calculation and evaluation of the ECC to also detect addressing failure of the SRAM arrays. Single-bit addressing failures that are detected are not corrected. Instead, they are treated as a detected multi-bit error. ECC is automatically calculated on memory write accesses and is checked while read accesses are executed on memory. The ECSM corrects read data when a single-bit error is detected. Optionally, the user can raise an interrupt or check the address of last corrected data. In the case of a multi-bit fault, both the FCCU and MC_RGM modules take appropriate actions: ● Activate error out pins ● Reset ● NMI is triggered. The reporting functionality of the ECSM is disabled by default. Mandatory: Before the safety application starts executing, the error reporting shall be enabled. Note: Implementation hint: Error reporting is enabled by configuring the ECC Configuration Register (ECR) of the ECSM module (for example, ECSM_ECR[EPR1BR] = 1b, see section “ECC Configuration Register (ECR)” in the SPC56xL70xx Reference Manual for details). 3.27 Fault Collection and Control Unit (FCCU) The Fault Collection and Control Unit (FCCU) offers a hardware channel to collect faults and to bring the device into a safe state when a failure has occurred. Besides the possible initial configuration, no CPU intervention is necessary for collection and control operation. Doc ID 024283 Rev 2 55/76 Functional safety requirements for application software AN4266 The FCCU offers a systematic approach to fault detection and control. The distinctive features of the module are: ● Collection of redundant hardware checker results (e.g., the RCCU. See Section 3.18, Redundancy Control Checking Unit (RCCU)) ● Collection of error information from modules whose behavior is essential with respect to the safety goal ● Configurable and graded fault control: – Internal reactions No reset reaction IRQ Functional Reset SPC56xL70xx safe mode entered – External reaction (failure is reported to the outside world via output pin) Mandatory: Only functional resets, or a switch to a Safe state, is appropriate as internal reaction for ASIL D applications. Note: Rationale: Maintain the device in the Safe state in case of failure The only exception to this rule is when the CMU monitors a FMPLL that is not used or is used for non-safety critical modules only. In this case, error masking and limited internal reaction can be tolerated. External reaction of the FCCU is always enabled and can not be disabled. Note: Implementation hint: The application shall configure the FCCU to enable all reactions related to faults of peripherals used by the application safety function. Software shall be implemented to avoid cycling between a functional and a fault state. For example, in case of periodic NCFs, the software could clean the respective status and periodically move the device from fault state to normal state. This looping shall be avoided. Mandatory: To prevent permanent cycling between a functional and a fault-state, software needs to keep track of cleaned faults, stop cleaning and stay in safe mode instead in case of inacceptable high frequency of necessary fault cleaning. The limit for the number and frequency of clearances is application dependent. 56/76 Doc ID 024283 Rev 2 AN4266 4 Functions of external devices for ASIL D applications Functions of external devices for ASIL D applications This section describes the external components needed to use the SPC56xL70xx for ASIL D applications. Mandatory: At system level some countermeasures have to be placed in order to bring the safety-critical outputs to their safe state (e.g., by pull-up or pull-down resistors) when an output in high-impedance is not considered safe. It should be noted that the failure rates of external services are not included in FMEDA of the SPC56xL70xx and have to be included in the system FMEDA by the user himself. 4.1 External Watchdog Function (EXWD) Mandatory: An external device, acting as the supervisor of operations, must provide a watchdog to cover CCFs of the SPC56xL70xx for ASIL D applications. The watchdog shall be triggered periodically by safety relevant software running on the SPC56xL70xx or other means demonstrating that the SPC56xL70xx is still working. Note: Rationale: To detect critical CCF as a complete failure of the power supply Some common causes of failure (e.g., failure on power supply) are detected because the software no longer triggers the watchdog. If a failure is detected, the EXWD moves, and maintains, the system (ECU level) to a Safe state condition within the FTTI (such as the EXWD disconnects the SPC56xL70xx device from the power supply). The user can choose how to implement the watchdog communication between the SPC56xL70xx and the external device (for example, communication via serial link, via toggling pin, or via the FCCU error out signals). Note: There must be a signalling path from the safety software to the external system through which the software can confirm correct initialization. This is not automatically guaranteed by the FCCU_F[n] signals which communicate the status of the device independently from software. On the other hand, a different communications interface (such as a serial link) can be used to detect incorrect software initialization. 4.2 Power Supply and Monitor Function (PSM) The SPC56xL70xx includes some internal monitors which continuously check the various voltage supplies (See Section 3.23, Power Management Unit (PMU)). Mandatory: To prevent over voltage conditions causing malfunctions or possibly permanent damage to the SPC56xL70xx, an external device must provide over voltage monitoring for the SPC56xL70xx external 3.3 V supplies (such as I/O and VREG). Under voltage conditions on the 3.3V supply may be detected indirectly by measurements from other functionality like the ADC self-test or ECC/ECD logic. Recommended: To fully monitor all voltage supplies, it is also recommended that an external device provides under voltage monitoring for the SPC56xL70xx external 3.3 V supplies (such as I/O and VREG). Note: Rationale: To monitor the power supply voltage to ensure it is within the acceptable range Doc ID 024283 Rev 2 57/76 Functions of external devices for ASIL D applications AN4266 If the power supply is out of range, the PSM moves and maintains the system (ECU level) to a Safe state condition within the FTTI (for example, the PSM disconnects the SPC56xL70xx device from the power supply). Note: Working outside the specified voltage range may cause permanent damage to the SPC56xL70xx even if the MCU is held in reset (see SPC56xL70xx Data Sheet for correct voltage operating ranges). 4.3 Error Out Monitor Function (ERRM) The FCCU has two external pins: FCCU_F[0], FCCU_F[1]. An external device must be connected to the FCCU via FCCU_F[0] and optionally FCCU_F[1] to continually monitor the error output pins of the FCCU. If a failure is detected, the ERRM moves and maintains the system (ECU level) to a Safe state condition within the FTTI (e.g., the ERRM disconnects the SPC56xL70xx device from the power supply) Mandatory: Depending on user selection, there are two different ways to interface to the FCCU: Note: ● Both FCCU pins connected to the external device ● Only a single FCCU pin connected to the external device Rationale: To monitor the error out signals (FCCU_F[x]) for correct functionality Mandatory: For ASIL D applications, the user can choose between these FCCU configurations, depending on which best fits the hardware and software system. Both FCCU configurations work properly with all the supported error out protocols. Refer to the SPC56xL70xx Reference Manual for a list of supported protocols. Note: The system (for example, ECU) cannot rely on any pins, other than the SPC56xL70xx error output pins (FCCU_F[n]), when those pins indicate an error. 4.3.1 Both FCCU pins connected to external device In this case, both pins FCCU_F[0] and FCCU_F[1] are connected to the external device. Mandatory: The external device must check both signals, taking into account that FCCU_F[0] = FCCU_F[1]. Note: Rationale: To check the integrity of the FCCU In this configuration the external device continuously monitors the output of the FCCU. Thus it can detect if the FCCU does not work properly. The advantage of this configuration with respect to the other one is that it does not need any dedicated software. Note: Implementation hint: Monitoring the error out pins through a combinatorial logic (e.g., XOR port) can generate some glitches. Oversampling these pins reduces the possibility that the glitches occur. 4.3.2 Single FCCU pin connected to external device A single pin, FCCU_F[0] (or FCCU_F[1]), is connected to the external device. 58/76 Doc ID 024283 Rev 2 AN4266 Functions of external devices for ASIL D applications If a fault occurs, the FCCU communicates it to the external device through the FCCU_F[0] (or FCCU_F[1]) pin. The functionality of FCCU_F[0] (or FCCU_F[1]) can be verified in 2 ways: ● FCCU_F[0] (or FCCU_F[1]) output read back (internal connection) ● FCCU_F[0] (or FCCU_F[1]) output connected externally to a normal GPIO. The customer must choose which solution better fits their requirements. Mandatory: After boot, but before executing the safety function, the functionality of FCCU_F[0] (or FCCU_F[1]) pin shall be verified(j). Note: Rationale: To check the integrity of the FCCU error out signals Note: Implementation hint: To verify the functionality of FCCU_F[0] (or FCCU_F[1]) pin, a fault may be injected and the behavior of the pin could be checked by FCCU_F[1] (or FCCU_F[0]), or GPIO. It’s possible to change the polarity of the error out pin by configuring the FCCU_CFG[FCCU_CFG.PS] bit. Other methods for checking the functionality of FCCU_F[0] (or FCCU_F[1]) may be implemented. The advantage of a single FCCU_F[x] signal being used, when compared to using both FCCU_F[x] signals as in the previous section, is that an external device does not need to be used for comparing the FCCU_F[x] signals. 4.4 PWM Output monitored by external ASIC (PWMA) The FlexPWM module integrated in the SPC56xL70xx can insert dead time in the generated PWMs. Mandatory: An ASIL D compliant application shall include an external device which checks the PWM output signals. Note: Rationale: To check the accuracy of the PWM signals The distinctive features that must be managed by the external device are: ● Dead-time must be always positive and greater than the maximum value between TON and TOFF of the inverter switches ● Open pins and short to supply or ground shall be detected in case read back is not performed via input capture functionality on the SPC56xL70xx If a failure is detected, the PWMA moves and maintains the system (ECU level) to a Safe state condition within the FTTI (e.g., the PWMA disconnects the SPC56xL70xx device from the power supply). In general, if the safety application uses I/Os to control actuator with short safety time against wrong control (for example, a motor control application with dead-time requirements to avoid short circuits destroying the motor), those requirements shall be supervised externally if the error reaction delay within the SPC56xL70xx can exceed the safety time of the actuators. j. Since FCCU is a monitor, it is sufficient to verify the FCCU_F[0] (or FCCU_F[1]) signal only at startup in order to avoid latent faults. Doc ID 024283 Rev 2 59/76 Functions of external devices for ASIL D applications Note: 60/76 AN4266 Implementation hint: In case PWM signals drive the switches of a power stage, eTimer can not be used to detect dead-time fault because its failure indication time is normally greater than the time needed to have a physical permanent failure in the power stage. Doc ID 024283 Rev 2 AN4266 5 Scenarios for automotive applications: Motor control Scenarios for automotive applications: Motor control This section shows some examples of safety-related inputs and outputs from some motor control applications. 5.1 Application example 1 ● Application: 3-phase electric motor control ● Motor control algorithm: Field Oriented Control (FOC) ● Position sensor(s): Incremental encoder; 3 Hall sensors ● Current sensor(s): 3 shunts on motor phases or on inverter legs ● Current sensor(s) for diagnostic: 1 shunt on direct-current (DC) link 5.1.1 Functional safety related inputs Table 14. Functional safety inputs for application example 1 Signal description Input signal (alias) Destination Source (module on SPC56xL70xx) Comments FCCU input FCCU_F[1] (if used) FCCU output pin FCCU_F[0] FCCU FCCU output loop-back signal. Phase current 1 AN[0] ASIC or current sensor ADC_0 Precautions for usage are presented in Section , Single Read Analog Inputs. Phase current 2 AN[15] ASIC or current sensor ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. Phase current 3 AN[11] ASIC or current sensor ADC_0 ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. DC voltage for DC ripple compensation AN[1] ASIC ADC_0 Precautions for usage are presented in Section , Single Read Analog Inputs. DC-link current AN[16] ASIC or current sensor ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. Non-maskable interrupt NMI(1) External component (ASIC) WKPU Critical interrupt routine or error/fault signal coming from external device. RESET B External component (ASIC, companion chip) MC_RGM Reset signal Doc ID 024283 Rev 2 Reset signal coming from external device. 61/76 Scenarios for automotive applications: Motor control Table 14. AN4266 Functional safety inputs for application example 1 (continued) Signal description Input signal (alias) Destination Source (module on SPC56xL70xx) Comments Incremental Encoder management ETC[0–1] ETC[0–1] Incremental encoder eTimer_0 eTimer_1 Precautions for usage are presented in Section , Double Read Encoder Inputs. Hall sensors management ETC[2–4] ETC[2–4] Hall sensors SIUL Precautions for usage are presented in Section , Double Read PWM Inputs. DSPI receive signal SIN External component (ASIC) DSPI_0 If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI receive signal SIN External component (ASIC) DSPI_1 If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_0 If FlexCAN_0 is used, an appropriate safety protocol must be utilized. FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_1 If FlexCAN_1 is used, an appropriate safety protocol must be utilized. FlexRay receive signals FR_CA_RX FR_CB_RX External component (ASIC) FlexRay If FlexRay is used, an appropriate safety protocol must be utilized. 1. The NMI input is not intended or certified for use as the sole mechanism to react to the failure of a system component external to the SPC56xL70xx. For ASIL D certification, additional measures at the system level are necessary to handle failures of non-SPC56xL70xx components beyond notification of the SPC56xL70xx device via NMI. 5.1.2 Functional safety related outputs Table 15. Functional safety outputs for application example 1 Source Signal description Output sIgnal (alias) (module on SPC56xL70xx) FCCU output FCCU_F[0] FCCU_F[0] Destination Comments FCCU External component (ASIC) Error out signal that indicates the presence of a failure in the device. FCCU Alternative 1: FCCU_F[1] FCCU output loop-back signal. FCCU_F[1] = FCCU_F[0] FCCU Alternative 2: External component (ASIC) Inverted Error out signal that indicates the presence of a failure in the device. A[0–2], B[0–2] FlexPWM External component (ASIC) Precautions for usage are presented in Section , Single Write PWM Outputs With Read Back. FCCU output PWM output signal 62/76 Doc ID 024283 Rev 2 AN4266 Table 15. Scenarios for automotive applications: Motor control Functional safety outputs for application example 1 (continued) Output sIgnal Signal description (alias) Clockout CLK_OUT Clockout inverted signal CLK_OUT Transceiver enable (for communication peripherals) GPO[–] Source (module on SPC56xL70xx) Destination Comments MC_CGM External component (ASIC) Clockout signal to be used if the external components needs the SPC56xL70xx clock for internal usage or for monitoring. MC_CGM External component (ASIC) Inverted clockout signal to be used if the external components needs the SPC56xL70xx clock for internal usage or for monitoring. SIUL External component (ASIC, transceiver) Precautions for usage are presented in Section , Single Write Digital Outputs With Read Back. Reset signal for the external External component(s) component Precautions for usage are (ASIC, presented in Section , Single Write companion chip) Digital Outputs With Read Back. Reset signal GPO[0] SIUL DSPI transmit signal SOUT DSPI_0 External component (ASIC) If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI transmit signal SOUT DSPI_1 External component (ASIC) If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_0 External component (ASIC) If FlexCAN_0 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_1 External component (ASIC) If FlexCAN_1 is used, an appropriate safety protocol must be utilized. FlexRay transmit signals FR_CA_TX FR_CB_TX FlexRay External component (ASIC) If FlexRay is used, an appropriate safety protocol must be utilized. 5.2 Application example 2 ● Application: 3-phase electric motor control ● Motor control algorithm: Field Oriented Control (FOC) ● Position sensor(s): Resolver; 3 Hall sensors ● Current sensor(s): 3 shunts on motor phases or on inverter legs ● Current sensor(s) for diagnostic: 1 shunt on DC link Doc ID 024283 Rev 2 63/76 Scenarios for automotive applications: Motor control AN4266 5.2.1 Functional safety related inputs Table 16. Functional safety inputs for application example 2 Signal description Input Signal (alias) Destination Source (module on SPC56xL70xx) Comments FCCU input FCCU_F[1] (if used) FCCU output pin FCCU_F[0] FCCU FCCU output loop-back signal. Phase current 1 AN[0] ASIC or current sensor ADC_0 Precautions for usage are presented in Section , Single Read Analog Inputs. Phase current 2 AN[15] ASIC or current sensor ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. Phase current 3 AN[11] ASIC or current sensor ADC_0 ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. DC voltage for DC ripple compensation AN[1] ASIC ADC_0 Precautions for usage are presented in Section , Single Read Analog Inputs. DC-link current AN[16] ASIC or current sensor ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. Non-maskable interrupt NMI(1) External component (ASIC) Wake-up Unit Critical interrupt routine or error/fault signal coming from external device. Reset signal RESET B External component (ASIC, companion chip) MC_RGM Resolver management (sine/cosine) AN[2–3] AN[17–18] Resolver ADC_0 ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. Hall sensors management ETC[0–2] ETC[0–2] Hall sensors eTimer_0 eTimer_1 Precautions for usage are presented in Section , Double Read PWM Inputs. DSPI receive signal SIN External component (ASIC) DSPI_0 If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI receive signal SIN External component (ASIC) DSPI_1 If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_0 If FlexCAN_0 is used, an appropriate safety protocol must be utilized. 64/76 Doc ID 024283 Rev 2 Reset signal coming from external device. AN4266 Table 16. Scenarios for automotive applications: Motor control Functional safety inputs for application example 2 (continued) Signal description Input Signal (alias) Destination Source (module on SPC56xL70xx) FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_1 FlexRay receive signals FR_CA_RX FR_CB_RX External component (ASIC) FlexRay Comments If FlexCAN_1 is used, an appropriate safety protocol must be utilized. If FlexRay is used, an appropriate safety protocol must be utilized. 1. The NMI input is not intended or certified for use as the sole mechanism to react to the failure of a system component external to the SPC56xL70xx device. For ASIL D certification, additional measures at the system level are necessary to handle failures of non-SPC56xL70xx components beyond notification of the SPC56xL70xx device via NMI. 5.2.2 Functional safety related outputs Table 17. Functional safety outputs for application example 2 Source Signal description Output signal (alias) (module on SPC56xL70xx) FCCU output FCCU_F[0] FCCU_F[0] Destination Comments FCCU External component (ASIC) Error out signal, that indicates the presence of a failure in the device. FCCU Alternative 1: FCCU_F[1] FCCU output loop-back signal. FCCU_F[1] = FCCU_F[0] FCCU Alternative 2: External component (ASIC) Inverted Error out signal that indicates the presence of a failure in the device. PWM output signal A[0–2], B[0–2] FlexPWM External component (ASIC) Precautions for usage are presented in Section , Single Write PWM Outputs With Read Back. Resolver excitation DA [0] SWG Resolver Precautions for usage are presented in Section , Single Read Analog Inputs. MC_CGM External component (ASIC) Clockout signal to be used if the external components need the SPC56xL70xx clock for internal usage or for monitoring. MC_CGM External component (ASIC) Inverted clockout signal to be used if the external components need the SPC56xL70xx clock for internal usage or for monitoring. SIUL External component (ASIC, transceiver) Precautions for usage are presented in Section , Single Write Digital Outputs With Read Back. FCCU output Clockout Clockout inverted signal Transceiver enable (for communication peripherals) CLK_OUT CLK_OUT GPO[-] Doc ID 024283 Rev 2 65/76 Scenarios for automotive applications: Motor control Table 17. AN4266 Functional safety outputs for application example 2 (continued) Output signal Signal description (alias) Source (module on SPC56xL70xx) Destination Comments Reset signal for the external External component(s). component Precautions for usage are (ASIC, companion chip) presented in Section , Single Write Digital Outputs With Read Back. Reset signal GPO[0] SIUL DSPI transmit signal SOUT DSPI_0 External component (ASIC) If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI transmit signal SOUT DSPI_1 External component (ASIC) If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_0 External component (ASIC) If FlexCAN_0 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_1 External component (ASIC) If FlexCAN_1 is used, an appropriate safety protocol must be utilized. FlexRay transmit signals FR_CA_TX FR_CB_TX FlexRay External component (ASIC) If FlexRay is used, an appropriate safety protocol must be utilized. 5.3 Application example 3 ● Application: 3-phase electric motor control ● Motor control algorithm: Sinusoidal Control (SC) or 6-step mode ● Position sensor(s): Incremental encoder; 3 Hall sensors ● Current sensor(s) for diagnostic: 1 shunt on DC link 5.3.1 Functional safety related inputs Table 18. Functional safety inputs for application example 3 Signal description Input signal (alias) Destination Source (module on SPC56xL70xx) Comments FCCU input FCCU_F[1] (if used) FCCU output pin FCCU_F[0] FCCU FCCU output loop-back signal. DC voltage for DC ripple compensation AN[0] ASIC ADC_0 Precautions for usage are presented in Section , Single Read Analog Inputs. DC-link current AN[15] ASIC or current sensor ADC_1 Precautions for usage are presented in Section , Single Read Analog Inputs. 66/76 Doc ID 024283 Rev 2 AN4266 Table 18. Scenarios for automotive applications: Motor control Functional safety inputs for application example 3 (continued) Signal description Input signal (alias) Destination Source (module on SPC56xL70xx) Comments NMI(1) External component (ASIC) Wake-up Unit Reset signal RESET B External component (ASIC, companion chip) MC_RGM Reset signal coming from external device. Incremental Encoder management ETC[0–1] ETC[0–1] Incremental encoder eTimer_0 eTimer_1 Precautions for usage are presented in Section , Double Read Encoder Inputs. Hall sensors management ETC[2–4] ETC[2–4] Hall sensors eTimer_0 eTimer_1 Precautions for usage are presented in Section , Double Read PWM Inputs. DSPI receive signal SIN External component (ASIC) DSPI_0 If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI receive signal SIN External component (ASIC) DSPI_1 If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_0 If FlexCAN_0 is used, an appropriate safety protocol must be utilized. FlexCAN receive signal CAN_RX External component (ASIC) FlexCAN_1 If FlexCAN_1 is used, an appropriate safety protocol must be utilized. FlexRay receive signals FR_CA_RX FR_CB_RX External component (ASIC) FlexRay Non-maskable interrupt Critical interrupt routine or error/fault signal coming from external device. If FlexRay is used, an appropriate safety protocol must be utilized. 1. The NMI input is not intended or certified for use as the sole mechanism to react to the failure of a system component external to the SPC56xL70xx device. For ASIL D certification, additional measures at the system level are necessary to handle failures of non-SPC56xL70xx components beyond notification of the SPC56xL70xx device via NMI. 5.3.2 Functional safety related outputs Table 19. Functional safety outputs for application example 3 Source Signal description Output signal (alias) (module on SPC56xL70xx) FCCU output FCCU_F[0] FCCU Destination Comments External component (ASIC) Error out signal, that indicates the presence of a failure in the device. Doc ID 024283 Rev 2 67/76 Scenarios for automotive applications: Motor control Table 19. AN4266 Functional safety outputs for application example 3 (continued) Signal description Output signal Source Clockout Clockout inverted signal Transceiver enable (for communication peripherals) Comments FCCU_F[0] FCCU Alternative 1: FCCU_F[1] FCCU output loop-back signal. FCCU_F[1] = FCCU_F[0] FCCU Alternative 2: External component (ASIC) Inverted Error out signal, that indicates the presence of a failure in the device. A[0–2], B[0–2] FlexPWM External component (ASIC) Precautions for usage are presented in Section , Single Write PWM Outputs With Read Back. MC_CGM External component (ASIC) Clockout signal to be used if the external components need the SPC56xL70xx clock for internal usage or for monitoring. MC_CGM External component (ASIC) Inverted clockout signal to be used if the external components need the SPC56xL70xx clock for internal usage or for monitoring SIUL External component (ASIC, transceiver) Precautions for usage are presented in Section , Single Write Digital Outputs With Read Back. FCCU output PWM output signal Destination (alias) (module on SPC56xL70xx) CLK_OUT CLK_OUT GPO[–] Reset signal for the external External component(s). component Precautions for usage are (ASIC, presented in Section , Single Write companion chip) Digital Outputs With Read Back. Reset signal GPO[0] SIUL DSPI transmit signal SOUT DSPI_0 External component (ASIC) If DSPI_0 is used, an appropriate safety protocol must be utilized. DSPI transmit signal SOUT DSPI_1 External component (ASIC) If DSPI_1 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_0 External component (ASIC) If FlexCAN_0 is used, an appropriate safety protocol must be utilized. FlexCAN transmit signal CAN_TX FlexCAN_1 External component (ASIC) If FlexCAN_1 is used, an appropriate safety protocol must be utilized. FlexRay transmit signals FR_CA_TX FR_CB_TX FlexRay External component (ASIC) If FlexRay is used, an appropriate safety protocol must be utilized. 68/76 Doc ID 024283 Rev 2 AN4266 ECC logic test 6 ECC logic test 6.1 Overview This appendix describes the required information on how to develop the software for such ECC logic test. A flash memory ECC logic test is needed to perform a test to check flash memory ECC logic every FTTI (10 ms). The goal is to ensure high coverage of the faults in ECC logic with minimum performance penalty to customer’s application. Thus, the performance penalty must be less than 2% which means that the test lasts less than 200 µs considering a FTTI of 10 ms. The SPC56xL70xx flash memory has a UTEST (user-test) mode ECC logic check feature which can be utilized for this ECC logic test. A data pattern with walking 0 through data and ECC parity bits can be applied during the ECC logic check procedure to achieve high fault coverage of the ECC logic and fast execution. 6.2 Data pattern - Walking 0 To reach the needed performances the use of the data pattern with walking 0 through data and ECC parity bits must be used. Table 20 shows the data vectors. Table 20. Data pattern used by the ECC logic test(1) Data vector number 8-bit ECC parity bits 64-bit data bits 0 0xFF 0xFFFF_FFFF_FFFF_FFFE 1 0xFF 0xFFFF_FFFF_FFFF_FFFD 2 0xFF 0xFFFF_FFFF_FFFF_FFFB 3 0xFF 0xFFFF_FFFF_FFFF_FFF7 4 0xFF 0xFFFF_FFFF_FFFF_FFEF 5 0xFF 0xFFFF_FFFF_FFFF_FFDF 6 0xFF 0xFFFF_FFFF_FFFF_FFBF 7 0xFF 0xFFFF_FFFF_FFFF_FF7F ... ... ... 62 0xFF 0xBFFF_FFFF_FFFF_FFFF 63 0xFF 0x7FFF_FFFF_FFFF_FFFF 64 0xFE 0xFFFF_FFFF_FFFF_FFFF 65 0xFD 0xFFFF_FFFF_FFFF_FFFF ... ... ... 71 0x7F 0xFFFF_FFFF_FFFF_FFFF 72 0xFF 0xFFFF_FFFF_FFFF_FFFF 1. Each vector is a 72-bit ECC code-word. Doc ID 024283 Rev 2 69/76 ECC logic test AN4266 It is important to note that for double word data = 0xFFFF_FFFF_FFFF_FFFF, the correct ECC check bits should be 0xFF. Therefore, every data vector in the data pattern in Table 20, except the last one, contains a single-bit ECC error and will result in a single-bit correction. 6.3 UTEST mode ECC logic check The procedure to use the UTEST mode ECC logic check is listed as below: 6.4 1. Write 0xF9F9_9999 to UT0 to enable UTEST mode (UT0[UTE] will be set). 2. Write UT0[SBCE] to 1 to enable single-bit error correction visibility. 3. Write UT0[EIE] to 1. 4. Write UT0[DSI], UT1[DAI] and/or UT2[DAI] bits to provide the current data vector including the double-word data and check bit values to be read. The data and check bit values are from the chosen ECC test data pattern, i.e., walking 0 pattern shown above. 5. Write double-word address to receive the data input in step 4 into the ADR register. 6. Reads the address stored in ADR register via BIU using a CPU instruction. The expected data, and corrections or detections should be observed based on data written into the UT0[DSI], UT1[DAI] and/or UT2[DAI] registers. MCR[EER] and MCR[SBC] will be checked to evaluate the status of reads done. 7. Repeat steps 4 to 6 for all the data vectors in the proposed test data pattern. 8. Once completed, clear the UT0[EIE] bit to 0. Fault coverage and execution time The described ECC logic test reaches a 92.7% fault coverage of ECC decode logic. The execution of the test code takes 176 µs at 80 MHz. 70/76 Doc ID 024283 Rev 2 AN4266 7 I/O pin/ball configuration I/O pin/ball configuration Mandatory: The user must avoid configurations that place redundant signals on neighboring pads or pins. Whether two functions on two package pins/balls are adjacent to each other can easily be determined by looking at the mechanical drawings of the packages (see the SPC56xL70xx Data Sheet) together with the pin/spheres (balls) number information of the packages as seen in the SPC56xL70xx Reference Manuals “System Integration Unit Lite (SIUL)” section and the “Pin muxing” table. The internal die pad sequence can be derived from the package pin sequence of the QFP144 pin package shown in the SPC56xL70xx Data Sheet. Figure 17. Example of QFP144 pin/pad adjacency For example, the internal die pads supporting the functionality described in Figure 17 are referred to by “Port Pin” in the first column. From this figure you can see that the port pins are B[9] and B[10]. Since these two port pins are in sequential order on the same port (Port B) the die pads are adjacent to each other. The corresponding two QFP144 package pin numbers are directly adjacent to each other, QFP144 pins 52 and 53. In general, the internal die pads follow the same sequence as the corresponding package pins for QFP144 packages. If pins on the QFP144 pins are adjacent to each other, the corresponding internal die pads are also adjacent. Likewise, if package pins are not adjacent to each other the corresponding die pads are also not adjacent. An example on the BGA package as shown in Figure 18 has two balls belonging to port pins B[9] and B[10], which are balls U7 and R8, respectively. They are not directly adjacent to Doc ID 024283 Rev 2 71/76 I/O pin/ball configuration AN4266 each other on the BGA package. However, their corresponding die pads are adjacent to each other as described above since the same die is used in the QFP144 and BGA packages. Figure 18. BGA balls non-adjacent, die pads adjacent Figure 19. BGA balls adjacent, die pads non-adjacent In another example looking at balls U4 and U5 in Figure 18. Their functionality is implemented by Port Pins E[4] and C[2] (QFP144 pins 42 and 45, respectively, shown in Figure 19). These two spheres are adjacent to each other on the BGA, but not on the QFP144. Therefore, the two corresponding die pads are not adjacent to each other. The above examples are valid for corresponding pins on BGA (257 balls) and QFP144 packages only. For a thorough analysis of pin adjacency related to all signals see . This table can be used to determine whether two pins are adjacent in the internal die for all signals and packages. Two pins, identified by the columns ‘Port Name’, are adjacent on the internal die if the numbers in the ‘Physical Pad Sequence’ column are consecutive (for example, pad number n and pad number n + 1 are adjacent). 72/76 Doc ID 024283 Rev 2 AN4266 Further information 8 Further information 8.1 Conventions and terminology Table 21 shows the list of conventions for this document. Table 21. List of conventions and terminology Convention Description error Discrepancy between a computed, observed, or measured value or condition and the true, specified or theoretically correct value or condition. fault Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function. failure The termination of the ability of a functional unit to perform a required function. 8.2 Acronyms and abbreviations A short list of acronyms and abbreviations used in this document is reported below for completeness. Table 22. Acronyms and abbreviations Terms Meanings ADC Analog to Digital Converter BAM Boot Assist Module CCF Common Cause Failure CF Critical Fault CMU Clock Monitor Unit CRC Cyclic Redundancy Check CTU Cross-Triggering Unit DC Diagnostic Coverage DED Dual Error Detection ECC Error Correcting Code ECSM Error Correction Status Module eDMA Enhanced Direct Memory Access ERRM Error Out Monitor function EXWD External Watchdog function FCCU Fault Collection and Control Unit FMEDA Failure Modes, Effects and Diagnostic Analysis FMPLL Frequency-Modulated Phase-Locked Loop Doc ID 024283 Rev 2 73/76 Further information Table 22. 8.3 Acronyms and abbreviations (continued) Terms Meanings GPIO General Purpose Input/Output LBIST Logic Built-In Self-Test LSM Lock Step Mode MBIST Memory Built-In Self-Test MC_CGM Clock Generation Module MC_ME Mode Entry MCU (Microcontroller Unit) MPU Memory Protection Unit NCF Non-Critical Fault NMI Non-Maskable Interrupt NVM Non-Volatile Memory PMU Power Management Unit PSM Power Supply and Monitor function PWM Pulse Width Modulation RCCU Redundancy Control Checking Unit MC_RGM Reset Generation Module SAG Safety Application Guide SEC Single Error Correction SEF Safety Element Function SFF Safe Failure Fraction SIF Safety Integrity Function SIL Safety Integrity Level SoR Sphere of Replication SWG Sine Wave Generator SWT Software Watchdog Timer Document references ● 74/76 AN4266 Safety application guide for SPC56xL70xx family reference manual addendum (TN0983, Doc ID 024257). Doc ID 024283 Rev 2 AN4266 9 Revision history Revision history Table 23. Document revision history Date Revision Changes 18-Feb-2013 1 Initial release 17-Sep-2013 2 Updated disclaimer. Doc ID 024283 Rev 2 75/76 AN4266 Please Read Carefully: Information in this document is provided solely in connection with ST products. STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any time, without notice. All ST products are sold pursuant to ST’s terms and conditions of sale. Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no liability whatsoever relating to the choice, selection or use of the ST products and services described herein. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such third party products or services or any intellectual property contained therein. UNLESS OTHERWISE SET FORTH IN ST’S TERMS AND CONDITIONS OF SALE ST DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE USE AND/OR SALE OF ST PRODUCTS INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (AND THEIR EQUIVALENTS UNDER THE LAWS OF ANY JURISDICTION), OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. ST PRODUCTS ARE NOT DESIGNED OR AUTHORIZED FOR USE IN: (A) SAFETY CRITICAL APPLICATIONS SUCH AS LIFE SUPPORTING, ACTIVE IMPLANTED DEVICES OR SYSTEMS WITH PRODUCT FUNCTIONAL SAFETY REQUIREMENTS; (B) AERONAUTIC APPLICATIONS; (C) AUTOMOTIVE APPLICATIONS OR ENVIRONMENTS, AND/OR (D) AEROSPACE APPLICATIONS OR ENVIRONMENTS. WHERE ST PRODUCTS ARE NOT DESIGNED FOR SUCH USE, THE PURCHASER SHALL USE PRODUCTS AT PURCHASER’S SOLE RISK, EVEN IF ST HAS BEEN INFORMED IN WRITING OF SUCH USAGE, UNLESS A PRODUCT IS EXPRESSLY DESIGNATED BY ST AS BEING INTENDED FOR “AUTOMOTIVE, AUTOMOTIVE SAFETY OR MEDICAL” INDUSTRY DOMAINS ACCORDING TO ST PRODUCT DESIGN SPECIFICATIONS. PRODUCTS FORMALLY ESCC, QML OR JAN QUALIFIED ARE DEEMED SUITABLE FOR USE IN AEROSPACE BY THE CORRESPONDING GOVERNMENTAL AGENCY. Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any liability of ST. ST and the ST logo are trademarks or registered trademarks of ST in various countries. Information in this document supersedes and replaces all information previously supplied. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners. © 2013 STMicroelectronics - All rights reserved STMicroelectronics group of companies Australia - Belgium - Brazil - Canada - China - Czech Republic - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan Malaysia - Malta - Morocco - Philippines - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States of America www.st.com 82/82 Doc ID 024283 Rev 2