manualshive.com logo in svg

ST SPC582B Series, Application Note, Page: 2 / 35

Share
Download
ST SPC582B Series Application Note Download Page 2

1

Overview

The FCCU is a key element of the functional safety concept of the SPC58 and SPC57 families of SPC5
32-bit automotive MCUs. It is responsible for collecting and reacting to failure notifications coming from different
modules indicated as monitors. Examples of monitors are CMU, MEMU, XBIC and so forth.

Figure 1. 

FCCU monitor to reaction path

FCC

U

Clear

Clear

Error out/in

Reset request

Reset

Fault

Fault

Set 

Set

.

.

.

INTC

Interrupt request

(ALARM)

Interrupt

RGM

NMI

Monitor 1

Monitor N

.

Core_0

FCCU

FOSU

destructive 

reset

Note:

Some monitors might miss the set and clear signals.

The 

Figure 1

 shows how the FCCU is connected to the other blocks. The reader shall consider the above figure,

and all other figures in this document, as a logic schema that not exactly reflects the physical implementation in
the silicon.
In case of a fault, the FCCU can move the device into the safe state (the safety manual defines the safe states)
without any core intervention. Since the FCCU and the whole error reaction path are prone to latent failures, the
safety concept requires the execution of a software test to verify the integrity of the error reaction. The user shall
run this software test at least once per trip time.

Note:

The safety analysis assumes a trip time of 12 hours.

This document goes through the list of the faults reported by the FCCU. For each of them it describes how to
test the reaction path to fulfill the previous requirement. Note that the user cannot test the error reaction path for
certain monitors.
The 

Table 1

 lists and describes all FCCU input fault sources for SPC582Bx MCUs.

Table 1. 

FCCU failure inputs

FCCU input #

Source

Failure description

Error reaction path

0

PMC DIG

Temperature out of range

Not testable

1

PMC DIG

Voltage out of range from LVDs

Not testable

2

PMC DIG

Voltage out of range from HVDs

Not testable

3

PMC DIG

Digital PMC initialization error during DCF data load

Not testable

4

PMC DIG

Digital PMC voltage detector BIST

Testable

5

SSCM/FLASH_0

SSCM transfer error OR Flash memory initialization error

Not testable

6

STCU

BIST result-wrong signature (STCU unrecoverable fault)

Testable

AN5752

Overview

AN5752

 - 

Rev 1

page 2/35

Summary of Contents for SPC582B Series

Page 1: ...utomotive MCUs Before reading this document the reader should have a clear understanding about the usage of FCCU For further details on this module refer to Fault Collection and Control Unit FCCU chap...

Page 2: ...whole error reaction path are prone to latent failures the safety concept requires the execution of a software test to verify the integrity of the error reaction The user shall run this software test...

Page 3: ...8 MEMU Flash ECC uncorrectable error Testable 29 MEMU Flash ECC overflow error Testable 30 IMA IMA activation Testable 32 PLATFORM SMPU SMPU XBAR 1 monitor incorrectly refuses an access Not testable 3...

Page 4: ...CMU_1 CMU_2 CMU_3 CMU_11 CMU_14 5 FHH or FLL event from CMU_6 CMU_12 Before the safety application starts the user shall configure a proper reaction for each FCCU failure input source See FCCU regist...

Page 5: ...SET CLEAR Mon 2 Fault Mon 3 Fault FCCU_RF_Sn register Mon 2 Register FSM The FCCU can trigger a fault event directly in the monitor even if no real failure is occurred through the fake fault interface...

Page 6: ...a fault as HW recoverable fault that is the fault status within the FCCU remains asserted until the monitor keeps the fault indication asserted As soon as the monitor clears the fault indication it al...

Page 7: ...temperature detector detects if the temperature exceeds the defined thresholds and the PMC_DIG forwards this fault to the FCCU There are three thresholds TS0 TS1 and TS2 Temperature detector threshold...

Page 8: ...the Flash memory and pushes it to the various clients inside the microcontroller Note System configuration is mainly saved as DCF records that are located either in the test or UTest sectors of the Fl...

Page 9: ...that is configured as recoverable fault the STCU forwards this fault to the FCCU Note The user shall configure the STCU to trigger either a recoverable or an unrecoverable fault if the BIST fails This...

Page 10: ...a dedicated glue logic forwards this fault to the FCCU The two error signals are put in OR before arriving at the FCCU failure input 9 The user can inject this fault by the FCCU fake fault interface...

Page 11: ...aults RGM Error out Reset request reset EDC after ECC FCCU INTC Interrupt request Interrupt Fault 15 Set Clear TCD RAM Fault 48 Fault 10 Fault 14 3 5 1 DMA_1 gasket monitor fault 10 In case of hardwar...

Page 12: ...ions For further details on Flash and PFLASHC refer to the device SPC582Bx reference manual RM0403 Figure 9 Flash PFLASHC faults RGM Error out Reset request reset Memory Interface FCCU INTC Interrupt...

Page 13: ...user test FLASH_0_UT0 UTE 0x1 6 Disabling the customer programmable EDC after ECC detection FLASH_0_UT0 CPE 0x0 7 Disabling the user test FLASH_0_UT0 UTE 0x0 8 Clear the relevant FLASH error flag FLAS...

Page 14: ...such as software getting trapped in a loop or if a bus transaction fails to terminate When enabled the SWT requires periodic execution of a watchdog servicing operation The servicing operation resets...

Page 15: ...relevant FCCU_RF_S0 RFS21 bit Alternatively the user can use the IMA to inject a correctable error in the system RAM location and cause the detection of this correctable error accessing to this syste...

Page 16: ...on path is verified if the FCCU_RF_S0 RFS26 status bit is set The user must clear the relevant bit MEMU_DEBUG FR_PR_CEO or MEMU_DEBUG FR_PR_UCO or MEMU_DEBUG FR_PR_EBO before clearing the relevant FCC...

Page 17: ...relevant FCCU_RF_S0 RFS30 bit 3 11 SMPU faults The SMPU provides hardware access control for system bus memory references The SMPU concurrently monitors and evaluates system bus transactions using pr...

Page 18: ...ne check condition the Core_2 forwards this fault to the FCCU The user can inject this fault by a SW procedure that accesses to a not existing address The machine check interrupt IVOR1 must be handled...

Page 19: ...CMU faults RGM Error out Reset request reset CMU_0 Fault 51 FCCU INTC Interrupt request Interrupt CMU_14 CMU_2 CMU_11 CMU_3 CMU_1 CMU_12 CMU_6 Fault 53 Fault 54 Fault 52 3 14 1 CMU_0 error fault 51 Th...

Page 20: ...er can inject this fault by a SW procedure that sets a misconfigured value for one of the monitoring thresholds for example the user can set the CMU_y_HFREFR HFREF field with y 6 12 to a value lower t...

Page 21: ...error for example a write error in the RAM controller resulting in corrupted RAM access the PRAM controller detects this fault and it forwards it to the FCCU The user cannot inject this fault 3 16 2...

Page 22: ...ult 3 17 3 Test circuitry group 3 activation fault 80 In case of unwanted activation of the test circuitry in the related diagnostic function test domain the event is detected and forwarded to the FCC...

Page 23: ...ause a corrupted ECC correction The EDC after ECC can detect this fault and forward it to the FCCU The user cannot inject this fault 3 19 MC_RGM fault The MC_RGM centralizes the different reset source...

Page 24: ...O buffers over temperature pressure and voltage Figure 21 Compensation cell fault RGM Error out Reset request reset Compensation Cell FCCU INTC Interrupt request Interrupt Fault 95 Set Clear 3 20 1 Pa...

Page 25: ...of fault Enable output pins For each fault identified as testable the software Verify the FCCU status before injection If it is in normal state proceed otherwise if it is in alarm or fault state stop...

Page 26: ...d lower than the trip time for example 12 hours The methodology for these tests is based on fault injection and verification whether the FCCU correctly receives it and depends on the specific FCCU inp...

Page 27: ...nterrupt request JTAG NPC Joint Test Action Group Nexus debug port LBIST Logic Built in self test LVD Low voltage detector MC_ME Mode entry module MCU Microcontroller Unit NMI Non maskable interrupt N...

Page 28: ...rystal Table 3 Reference documents Document name Document title RM0403 SPC58 2B Line 32 bit Power Architecture automotive MCU z2 core 80 MHz 1 MByte Flash ASIL B ES0413 SPC582Bx devices errata JTAG_ID...

Page 29: ...Revision history Table 4 Document revision history Date Revision Changes 26 Nov 2021 1 Initial release AN5752 AN5752 Rev 1 page 29 35...

Page 30: ...fault 6 9 3 3 2 BIST result wrong signature STCU recoverable fault fault 7 9 3 3 3 MBIST control activation fault 8 9 3 4 Glue logic faults 10 3 4 1 JTAG NPC or debug functionality out of reset or SS...

Page 31: ...erflow error fault 29 16 3 10 IMA fault 16 3 10 1 IMA activation fault 30 17 3 11 SMPU faults 17 3 11 1 SMPU XBAR 1 monitor incorrectly refuses an access fault 32 17 3 11 2 SMPU XBAR 1 monitor correct...

Page 32: ...3 17 3 Test circuitry group 3 activation fault 80 22 3 17 4 Test circuitry group 4 activation fault 81 22 3 18 PBRIDGE faults 22 3 18 1 PBRIDGE_1 e2eEDC error fault 89 23 3 18 2 PBRIDGE_1 e2eEDC error...

Page 33: ...List of tables Table 1 FCCU failure inputs 2 Table 2 Acronyms and abbreviations 27 Table 3 Reference documents 28 Table 4 Document revision history 29 AN5752 List of tables AN5752 Rev 1 page 33 35...

Page 34: ...96 10 Figure 8 DMA faults 11 Figure 9 Flash PFLASHC faults 12 Figure 10 SWT faults 14 Figure 11 MEMU faults 15 Figure 12 IMA fault 17 Figure 13 SMPU faults 17 Figure 14 PLL DIG faults 18 Figure 15 CM...

Page 35: ...ts and ST assumes no liability for application assistance or the design of Purchasers products No license express or implied to any intellectual property right is granted by ST herein Resale of ST pro...

Reviews:

No comments