AN4287 Application note
Safety application guide for SPC564Axx family
September 2013, DocID024464 Rev 2, www.st.com

Introduction

This document contains guidelines on how to configure and use the SPC564A7x/SPC564A80 device for safety-relevant applications.
Contents

1 Preface
2 General information
  2.1 Mission profile
  2.2 Safe state
  2.3 Failure indication time
  2.4 Error handling
3 Functional safety requirements for application software
  3.1 Application software requirements
  3.2 Core
  3.3 System clock and frequency-modulated phase-locked loop (FMPLL)
  3.4 General-purpose static RAM (SRAM)
  3.5 Flash memory
  3.6 Interrupt controller (INTC)
  3.7 Enhanced direct memory access (eDMA)
  3.8 Communication peripherals
  3.9 I/O peripherals
    3.9.1 Read digital inputs
    3.9.2 Read PWM inputs
    3.9.3 Write digital outputs
    3.9.4 Write PWM outputs
  3.10 Enhanced queued analog-to-digital converter (eQADC)
    3.10.1 Double read analog inputs
    3.10.2 Additional mechanisms
  3.11 Temperature sensor
  3.12 Software watchdog timer (SWT)
  3.13 Cyclic redundancy checker unit (CRC)
  3.14 Multi-layer AHB crossbar switch (XBAR)
  3.15 Memory protection unit (MPU)
  3.16 Peripheral bridge (PBRIDGE)
  3.17 Power management controller (PMC)
  3.18 Error correction status module (ECSM)
  3.19 Other modules
4 Functions of external devices for safety applications
  4.1 External watchdog function (EXWD)
  4.2 Power supply monitor function (PSM)
  4.3 PWM output monitor function (PWMM)
5 ECC logic test
  5.1 Overview
  5.2 Data pattern: walking 0
  5.3 UTEST mode ECC logic check
  5.4 Fault coverage and execution time
Appendix A Further information
  Conventions and terminology
  Acronyms and abbreviations
Appendix B Reference documents
Revision history

List of tables

Table 1. Data pattern used by the ECC logic test
Table 2. List of conventions and terminology
Table 3. Acronyms and abbreviations
Table 4. Document revision history

1 Preface

This document contains guidelines on how to configure and use the SPC564A7x/SPC564A80 device for safety-relevant applications. Each guideline is introduced by one of the following bold statements:
- Suggested;
- Implementation hint;
- Rationale.
These guidelines are considered useful approaches for the specific topics under discussion, but they are not mandatory. The user needs to use discretion in deciding whether these measures are appropriate for their application.
This document is valid only under the assumption that the MCU is used in automotive applications, in use cases requiring a fail-silent or fail-indicate MCU, and that the environmental conditions specified in the SPC564A7x/SPC564A80 datasheet are maintained. Together with the standard documentation (reference manual and datasheet), the SPC564A7x/SPC564A80 device errata must also be taken into account during system design and implementation.

2 General information

2.1 Mission profile

The assumed mission profile is:
- lifetime: 20 years;
- total operating hours: 12000 hours;
- trip time (a): 10 hours;
- process safety time (b): 10 ms.

2.2 Safe state

By definition, the safe states of the SPC564A7x/SPC564A80 are:
- completely unpowered;
- reset;
- operating correctly;
- explicitly indicating an internal error.
If the SPC564A7x/SPC564A80 signals an internal failure, the surrounding subsystem shall no longer use the device outputs for safety functions, since these signals are no longer considered reliable. Once an error is indicated, the system must be able to remain in a safe state without any additional action. Depending on its configuration, the system may disable or reset the SPC564A7x/SPC564A80 as a reaction to the error signal.
Suggested: the system must transition itself to a safe state when an error is indicated.

2.3 Failure indication time

The SPC564A7x/SPC564A80 failure indication time must be taken into account when defining the application safety strategy, because it must be shorter than the FTTI.

2.4 Error handling

Error handling can be split into two categories:
- handling of errors during run-time;
- handling of errors during boot-time.
Suggested: run-time failures shall be handled in a time shorter than the FTTI.
Suggested: boot-time failures shall be handled before the safety application starts.

a. Trip time is defined as the maximum MCU operation time without a power-on reset.
b. Process safety time (PST), also named fault tolerance time interval (FTTI), is the maximum time between the first faulty output and a failure indication or reset.

3 Functional safety requirements for application software

This section gives an overview of the suggested measures for the individual modules of the SPC564A7x/SPC564A80. Aspects of the text may be ignored if equivalent measures can be shown to manage the same failures. Modules not explicitly covered by this document are assumed not to be safety relevant and require no software measures.

3.1 Application software requirements

Application software shall be developed according to the safety requirements. The following sections contain suggested assumptions and requirements for using the SPC564A7x/SPC564A80 devices in a safety application.

3.2 Core

Suggested: all exceptions shall be enabled, if not enabled by default, and managed. These specific software countermeasures can run once after the power-on reset (POR), before running the SIF.
Suggested: this safety mechanism consists of two redundant, diverse software implementations in one hardware channel. Using different hardware resources (e.g. different RAM and ROM memory ranges) can increase the diagnostic coverage. For more details see ISO 26262-5, technique D.2.3.4.
Suggested: this safety mechanism checks the sequence of executed program tasks in order to detect a defective program sequence. A defective program sequence exists if the individual tasks of a program (e.g. software modules, functions or statements) are processed in the wrong order. For more details see ISO 26262-5, technique D.2.9.5. These specific software countermeasures can run once per FTTI.
Suggested: this safety mechanism supervises the reliability of program execution with respect to the periodicity and the maximum timing constraints of the periodic tasks (temporal flow monitoring). For more details see ISO 26262-5, technique D.2.9.5. These specific software countermeasures can run once per FTTI.
Suggested: specific software countermeasures shall be implemented to detect core permanent faults. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF and/or once per FTTI.

3.3 System clock and frequency-modulated phase-locked loop (FMPLL)

The external oscillator (XOSC) and the FMPLL output are monitored by the hardware module called clock quality monitor (CQM).
Suggested: the FMPLL shall be configured to use the external oscillator (XOSC) as its source clock, and all safety-relevant modules shall be clocked with the FMPLL-generated clock signal. CQM loss-of-clock detection (XOSC failure, i.e. FMPLL reference failure) and CQM loss-of-lock detection (FMPLL failure) shall be enabled with the relevant interrupt requests. The management of these errors is application-dependent. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.
Rationale: to reduce the impact of glitches stemming from the external quartz crystal or the IRCOSC, and to check the FMPLL clock integrity.
Suggested: before running the SIF, it shall be checked that the device is using the FMPLL clock as system clock and that the CQM module is intact.
Rationale: to check the correctness of the FMPLL configuration and the integrity of the CQM module.
Implementation hint: e.g. a wrong PLL configuration is set deliberately in order to inject a loss-of-lock, and the CQM response is then checked.

3.4 General-purpose static RAM (SRAM)

Suggested: the system SRAM is protected by a single error correction/double error detection (SEC/DED) ECC scheme.
The SEC/DED ECC reporting shall be configured (interrupt request). The SRAM SEC/DED protection covers data, not addresses. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.
Suggested: in order to increase the diagnostic coverage, specific software countermeasures shall be implemented to detect RAM address logic faults. These specific software countermeasures can run once per FTTI.
Rationale: to verify the integrity of the RAM address logic.
Implementation hint: e.g. a known pattern can be written and then read back.
Suggested: in order to increase the diagnostic coverage, specific software countermeasures shall be implemented to detect faults in the RAM ECC logic. The aim is to assure that correct data are not accidentally modified and that bit errors are properly corrected/detected. These specific software countermeasures can run once per FTTI.
Rationale: to verify the integrity of the RAM ECC logic.
Implementation hint: the ECSM module can force the generation of single-bit and/or double-bit data inversions in RAM, allowing the ECC logic to be checked. In particular, the ECSM module can generate errors during data write cycles, such that subsequent reads of the corrupted locations generate ECC events: either single-bit corrections or double-bit non-correctable errors, which are terminated with an error response.
Suggested: in order to increase the diagnostic coverage, one or more industry-standard MBIST algorithms (such as the "march" algorithm, the checkerboard algorithm, the varied pattern background algorithm and the array BIST) shall be implemented to protect the system SRAM against dormant hardware faults. The implemented MBIST algorithms can run once after the power-on reset (POR).
Rationale: to check the integrity of the RAM memory.
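The following is an added example, not code from AN4287 or from ST, of the two software RAM checks suggested in Section 3.4: a known-pattern write/read-back that exposes address-decoder faults, and a March C- pass that exposes stuck-at, transition and coupling faults in the cells. Accesses go through a small read/write interface so the same routines run on a memory-mapped SRAM range (pointer dereferences) or, as here, on a constructed RAM model with injected faults; the model, its size and the fault types are assumptions made for the example, and on the real device the test must run from code, stack and data that lie outside the range under test, since that range is overwritten.

```c
/* Added example (not from AN4287): RAM address-logic and cell tests (Section 3.4).
 * Both destroy the content of the tested range: run them once after POR before
 * the SIF, or save/restore the range if used at run time. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

typedef struct {
    uint32_t (*rd)(void *ctx, size_t idx);            /* read 32-bit word idx   */
    void     (*wr)(void *ctx, size_t idx, uint32_t v);/* write 32-bit word idx  */
    void     *ctx;
} ram_if_t;

/* Per-address pattern: a bijection of the index, so no two words share a value
 * and an aliased address always shows up as a mismatch on read-back. */
static uint32_t addr_pattern(uint32_t idx)
{
    uint32_t x = idx * 0x9E3779B9u;
    return x ^ (x >> 16) ^ 0xA5A5A5A5u;
}

/* Address-logic check: a stuck or shorted address line maps two indices onto one
 * cell, so the later writer's pattern is read back at the earlier address. */
bool ram_address_test(const ram_if_t *m, size_t words)
{
    for (size_t i = 0; i < words; i++) m->wr(m->ctx, i, addr_pattern((uint32_t)i));
    for (size_t i = 0; i < words; i++)
        if (m->rd(m->ctx, i) != addr_pattern((uint32_t)i)) return false;
    return true;
}

/* March C- (6N): each element is (read expected value, write its complement). */
bool ram_march_cm(const ram_if_t *m, size_t words)
{
    const uint32_t Z = 0x00000000u, O = 0xFFFFFFFFu;
    size_t i;
    for (i = 0; i < words; i++) m->wr(m->ctx, i, Z);                                              /* up (w0)      */
    for (i = 0; i < words; i++) { if (m->rd(m->ctx, i) != Z) return false; m->wr(m->ctx, i, O); } /* up (r0,w1)   */
    for (i = 0; i < words; i++) { if (m->rd(m->ctx, i) != O) return false; m->wr(m->ctx, i, Z); } /* up (r1,w0)   */
    for (i = words; i-- > 0;)   { if (m->rd(m->ctx, i) != Z) return false; m->wr(m->ctx, i, O); } /* down (r0,w1) */
    for (i = words; i-- > 0;)   { if (m->rd(m->ctx, i) != O) return false; m->wr(m->ctx, i, Z); } /* down (r1,w0) */
    for (i = 0; i < words; i++) if (m->rd(m->ctx, i) != Z) return false;                          /* up (r0)      */
    return true;
}

/* ---- constructed RAM model with fault injection (assumption for this example) ---- */
#define SIM_WORDS 256u
typedef struct {
    uint32_t cells[SIM_WORDS];
    size_t   stuck_addr_bits;  /* address bits forced to 0 by a decoder fault; 0 = healthy */
    int      stuck1_cell;      /* index of a cell stuck at all-ones; -1 = none             */
} sim_ram_t;

static uint32_t sim_rd(void *ctx, size_t idx)
{
    sim_ram_t *r = ctx;
    idx &= ~r->stuck_addr_bits;
    return (int)idx == r->stuck1_cell ? 0xFFFFFFFFu : r->cells[idx];
}
static void sim_wr(void *ctx, size_t idx, uint32_t v)
{
    sim_ram_t *r = ctx;
    r->cells[idx & ~r->stuck_addr_bits] = v;
}

/* Runs both tests on the model with the given faults.
 * Returns bit 0 = address test passed, bit 1 = March C- passed. */
unsigned sim_selftest(size_t stuck_addr_bits, int stuck1_cell)
{
    sim_ram_t ram = { {0}, stuck_addr_bits, stuck1_cell };
    ram_if_t  m   = { sim_rd, sim_wr, &ram };
    unsigned  res = 0;
    if (ram_address_test(&m, SIM_WORDS)) res |= 1u;
    if (ram_march_cm(&m, SIM_WORDS))     res |= 2u;
    return res;
}

int main(void)
{
    /* healthy RAM passes both; a stuck address line (bit 3) fails the address test;
     * a cell stuck at all-ones fails March C- */
    return (sim_selftest(0, -1) == 3u && !(sim_selftest(8, -1) & 1u)
            && !(sim_selftest(0, 5) & 2u)) ? 0 : 1;
}
```

On the target the interface is two one-line functions dereferencing a `volatile uint32_t *` base; the ECC logic check of the same section is a separate test (ECSM error injection) and is not covered here.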
3.5 Flash memory

Suggested: the flash memory is protected by a single error correction/double error detection (SEC/DED) ECC scheme. The SEC/DED ECC reporting shall be configured (interrupt request). The flash memory SEC/DED protection covers data, not addresses. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.
Suggested: in order to increase the diagnostic coverage, specific software countermeasures shall be implemented to detect flash memory address logic faults. These specific software countermeasures can run once per FTTI.
Rationale: to verify the integrity of the flash memory address logic.
Implementation hint: e.g. a known pattern can be read.
Suggested: in order to increase the diagnostic coverage, specific software countermeasures shall be implemented to detect flash ECC logic faults. The aim is to assure that correct data are not accidentally modified and that single-bit errors are correctly corrected. These specific software countermeasures can run once per FTTI.
Rationale: to verify the integrity of the flash ECC logic.
Implementation hint: see Chapter 5: ECC logic test for further details.
Suggested: in order to increase the diagnostic coverage, an MBIST algorithm shall be implemented to protect the flash memory against dormant hardware faults. The implemented MBIST algorithm can run once after the power-on reset (POR).
Rationale: to check the integrity of the flash memory.
Implementation hint: the hardware-supported test called array integrity self check can be used (refer to the SPC564A7x/SPC564A80 reference manual for details).
Suggested: in order to check the correctness of the writing process, written data shall be read back and compared with the intended values. These specific software countermeasures can run once after every write operation or after a series of write operations.
Rationale: to verify that the written data are consistent with the intended values.

3.6 Interrupt controller (INTC)

Suggested: the integrity of the INTC module shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.
Implementation hint: e.g. the INTC module is configured to generate some interrupt requests and the expected behavior is verified.
Suggested: since no specific hardware protection is implemented against failures in the interrupt controller, or against spurious/missing interrupt requests caused by electromagnetic interference (EMI) or by bit flips in the interrupt registers of the peripherals, applications that are not resilient against such errors shall include software detection or protection countermeasures. These specific software countermeasures can run for each interrupt request.
Rationale: to verify that interrupt requests are serviced correctly.
Implementation hint: e.g. spurious interrupts can be detected by checking the corresponding interrupt status bit in the interrupt status register of the related peripheral before executing the interrupt service routine (ISR) code; missing interrupts, if they are synchronous, can be detected by checking the program flow.

3.7 Enhanced direct memory access (eDMA)

Suggested: since no specific hardware protection is implemented against failures in the eDMA, or against spurious/missing eDMA requests caused by electromagnetic interference (EMI) or by bit flips in the interrupt registers of the peripherals, applications that are not resilient against such errors shall include software detection or protection countermeasures. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.
Rationale: to verify that eDMA requests are serviced correctly.
Implementation hint: specific software countermeasures shall be implemented to detect eDMA permanent faults.
These specific software countermeasures are application-dependent.

3.8 Communication peripherals

The SPC564A7x/SPC564A80 includes the following communication peripherals:
- FlexCAN;
- deserial serial peripheral interface (DSPI);
- FlexRay communication controller (FlexRay);
- enhanced serial communication interface (eSCI).
Suggested: an appropriate safety software protocol should be used (e.g. a fault tolerant communication layer, FTCom) for any communication peripheral employed to meet safety application requirements.

3.9 I/O peripherals

The SPC564A7x/SPC564A80 includes the following I/O peripherals:
- system integration unit lite (SIUL);
- configurable enhanced modular I/O subsystem (eMIOS200);
- enhanced time processing unit (eTPU2).
These modules shall be used to implement the following functions if they are part of the application:
- read digital inputs;
- read PWM inputs;
- write digital outputs;
- write PWM outputs.

3.9.1 Read digital inputs

Suggested: digital inputs shall be acquired redundantly. Each double acquisition can be implemented using two pads configured as GPIs by the SIU. The digital input signal shall be applied to both selected pads and acquired, and the two acquired values shall be compared by software.
Rationale: to verify that the two input values match.
Implementation hint: if, for a specific application, a plausibility check on a single acquisition assures sufficient diagnostic coverage, it can replace the redundant acquisition. This hint is a special case of deviating from the recommended requirements, as described in the preface. The two selected pads shall not be physically adjacent, to minimize common cause failures (CCFs). Each pad not dedicated to a specific function can be configured as GPIO, with the exception of ADC pads, which can only be configured as GPIs. SIU pads can be configured via the relevant pad configuration registers (PCRn).
3.9.2 Read PWM inputs

Suggested: PWM inputs shall be acquired redundantly. Each double acquisition can be implemented using two pads configured as eMIOS200 channels by the SIU and configured with the input capture feature by the eMIOS200 module. The PWM input signal shall be applied to both selected pads and acquired, and the two acquired data sets (duty cycle and period) shall be compared by software.
Rationale: to verify that the two data sets match.
Implementation hint: the comparison must allow for a tolerance, because the two channels capture the asynchronous input signal at slightly different instants. Each pad not dedicated to a specific function can be configured as GPIO, with the exception of ADC pads, which can only be configured as GPIs. SIU pads can be configured via the relevant pad configuration registers (PCRn). The two selected pads shall not be physically adjacent, to minimize CCFs. The PWM input signal can be generated by another correctly configured eMIOS200 channel or by a correctly configured eTPU2 channel; eTPU2 channels can be used instead of eMIOS200 channels.

3.9.3 Write digital outputs

Suggested: digital outputs shall be written either redundantly or with read-back. The write digital output operation can be implemented as a single write with read-back or as a double write.
Rationale: to verify that the two output values match.
Implementation hint: if, for a specific application, a plausibility check on a single write assures sufficient diagnostic coverage, it can replace the redundant write or the write with read-back. This hint is a special case of deviating from the recommended requirements, as described in the preface. Each pad not dedicated to a specific function can be configured as GPIO, with the exception of ADC pads, which can only be configured as GPIs. SIU pads can be configured via the relevant pad configuration registers (PCRn).
Single write digital output with read-back
Implementation hint: SIU pads are used to perform a single write digital output with read-back. The read-back shall be done using either the external or the internal configuration. SIU pads shall be configured as follows:
- External read-back: one SIU pad is configured to allow read-back of the output written on the selected SIU pad, and the loop-back is done with an external connection outside the device. With this configuration only half of the available digital outputs can be used as safety outputs. In case of external read-back, the two selected pads shall not be physically adjacent.
- Internal read-back (c): one SIU pad is configured to allow read-back of the output written on the selected SIU pad via an internal read path. With this configuration all available digital outputs can be used as safety outputs.

Double write digital outputs
Implementation hint: SIU pads are used to perform a double write digital output. SIU pads shall be correctly configured and the output write of the selected channels shall be implemented following these guidelines:
- the two outputs are written with a single instruction to the appropriate register;
- the output register is read back.
The two selected pads shall not be physically adjacent, to minimize CCFs. Each pad not dedicated to a specific function can be configured as GPIO, with the exception of ADC pads, which can only be configured as GPIs. SIU pads can be configured via the relevant pad configuration registers (PCRn). To write two (or more) GPIOs with a single write instruction, the parallel GPIO pad data out (PGPDOx) register can be used. The user has to take care that the two selected GPIOs are controlled by the same PGPDOx register.
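The following is an added example, not code from AN4287 or from ST, of the double write digital output with read-back of Section 3.9.3: both pads of the redundant pair are driven by one masked parallel write, the output latch is read back to confirm that exactly the two selected pads changed, and the pad state is read back to confirm that the pins follow the latch. The SIU registers are a constructed model; the assumed layout of the masked register (16 mask bits in the upper halfword, 16 data bits in the lower halfword, MSB = lowest-numbered pad of the 16-pad group) and the pad numbering must be checked against the SPC564A7x/SPC564A80 reference manual, and the pad state read-back requires the input buffer of the output pads to be enabled in their PCRn.

```c
/* Added example (not from AN4287): double write digital output with read-back
 * (Section 3.9.3) over a constructed SIU register model. */
#include <stdint.h>
#include <stdbool.h>

typedef struct {
    uint16_t pgpdo;       /* output latch of one 16-pad group (PGPDOx slice)          */
    uint16_t pgpdi;       /* pad state read back through the input buffer (PGPDIx)    */
    uint16_t stuck_high;  /* fault injection: pins held high externally (short to Vdd) */
} siu_group_t;

/* bit position of pad k inside its 16-pad group: pad 16n is the MSB (assumed) */
static uint16_t pad_bit(unsigned pad) { return (uint16_t)(1u << (15u - (pad & 15u))); }

/* Model of a write to MPGPDOx: pads whose MASK bit is set take the DATA bit, the
 * others keep their value; the pin follows the latch unless a fault holds it. */
static void siu_mpgpdo_write(siu_group_t *g, uint32_t value)
{
    uint16_t mask = (uint16_t)(value >> 16), data = (uint16_t)value;
    g->pgpdo = (uint16_t)((g->pgpdo & (uint16_t)~mask) | (data & mask));
    g->pgpdi = (uint16_t)(g->pgpdo | g->stuck_high);
}

/* MPGPDOx word driving pads a and b to 'level' while leaving the other 14 pads untouched */
uint32_t mpgpdo_word(unsigned pad_a, unsigned pad_b, bool level)
{
    uint16_t mask = (uint16_t)(pad_bit(pad_a) | pad_bit(pad_b));
    uint16_t data = level ? mask : (uint16_t)0;
    return ((uint32_t)mask << 16) | data;
}

/* Double write with read-back. True only if the pads form a valid redundant pair
 * (same 16-pad group, not adjacent, to limit common-cause faults), the latch shows
 * both pads at 'level' with the other pads unchanged, and the read-back pad state
 * agrees with the command for both pads. */
bool dwo_write_and_verify(siu_group_t *g, unsigned pad_a, unsigned pad_b, bool level)
{
    unsigned dist = pad_a > pad_b ? pad_a - pad_b : pad_b - pad_a;
    if ((pad_a >> 4) != (pad_b >> 4) || dist < 2u) return false;

    uint16_t pair   = (uint16_t)(pad_bit(pad_a) | pad_bit(pad_b));
    uint16_t others = (uint16_t)(g->pgpdo & (uint16_t)~pair);

    siu_mpgpdo_write(g, mpgpdo_word(pad_a, pad_b, level));

    if ((g->pgpdo & (uint16_t)~pair) != others) return false;   /* collateral change in the group */
    if ((g->pgpdo & pair) != (level ? pair : 0)) return false;  /* latch did not take the write   */
    bool a = (g->pgpdi & pad_bit(pad_a)) != 0;
    bool b = (g->pgpdi & pad_bit(pad_b)) != 0;
    return a == level && b == level;                            /* pin state vs. command          */
}

/* Scenario helper: latch starts at 0x0F0F, pads 2 and 5 form the redundant pair */
bool dwo_scenario(uint16_t stuck_high, bool level)
{
    siu_group_t g = { 0x0F0Fu, 0x0F0Fu, stuck_high };
    return dwo_write_and_verify(&g, 2u, 5u, level);
}

int main(void)
{
    bool healthy = dwo_scenario(0u, true) && dwo_scenario(0u, false);
    bool caught  = !dwo_scenario(pad_bit(5u), false);   /* pad 5 shorted high, commanded low */
    return (healthy && caught) ? 0 : 1;
}
```

A pin shorted high is only detectable while the pair is commanded low, so the application must exercise both levels within the FTTI or add the external loop-back of the "single write with read-back" variant; internal read-back also does not cover package faults, as footnote (c) states.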
To protect the value of the other GPIOs that belong to the same PGPDOx register, the masked parallel GPIO pad data out (MPGPDOx) register shall be properly configured before writing the PGPDOx register.

3.9.4 Write PWM outputs

Suggested: safety-relevant PWM outputs shall be written either redundantly or with read-back. The write PWM output operation can be implemented as a single write PWM output with read-back or as a double write PWM output.
Rationale: to verify that the two data sets match.

c. Internal read-back does not cover package faults (e.g. wire bond). Refer to the specific reference manual to verify the availability of the internal read path.

Figure 1. Block scheme of external/internal read-back (a SIUL GPO looped back to a GPI: in the external read-back configuration through an off-chip connection, in the internal read-back configuration through the internal read path)

Single write PWM output with read-back
Implementation hint: two pins are used to implement this function: one pin generates the PWM output and another pin reads back this PWM to check its integrity. Each single write with read-back can be implemented using pads configured as eMIOS200 channels by the SIU and configured as PWM by the eMIOS200 module. The PWM data set (duty cycle and period) shall be applied by software. The read-back shall be done using either the external or the internal configuration. SIU pads shall be configured as follows:
- External read-back: one SIU pad is configured as an eMIOS200 channel by the SIU and configured with the input capture feature by the eMIOS200 module, to allow read-back of the output written on the output pad. The loop-back is done with an external connection outside the device. In case of external read-back, the two selected pads shall not be physically adjacent.
- Internal read-back (d): one SIU pad is configured as an eMIOS200 channel by the SIU and configured with the input capture feature by the eMIOS200 module, to allow read-back of the output written on the selected pad. The loop-back is done via an internal read path.
The two selected pads shall not be physically adjacent, to minimize CCFs. SIU pads can be configured via the relevant pad configuration registers (PCRn). eTPU2 channels can be used instead of eMIOS200 channels.

d. Internal read-back does not cover package faults (e.g. wire bond). Refer to the specific reference manual to verify the availability of the internal read path.

Double write PWM outputs
Implementation hint: each double write can be implemented using two pads configured as eMIOS200 channels by the SIU and configured as PWM by the eMIOS200 module. The PWM data set (duty cycle and period) shall be applied by software. The two selected pads shall not be physically adjacent, to minimize CCFs. SIU pads can be configured via the relevant pad configuration registers (PCRn). eTPU2 channels can be used instead of eMIOS200 channels.

3.10 Enhanced queued analog-to-digital converter (eQADC)

The SPC564A7x/SPC564A80 device is equipped with one eQADC module integrating two analog-to-digital converter macro-cells.
Suggested: some reference voltages shall be acquired. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF and/or once per FTTI.
Rationale: to check the integrity of the eQADC module.
Implementation hint: some eQADC channels are internally connected to reference voltages such as the buffered band gap and the reference voltage of the 1.2 V LVD (refer to the SPC564A7x/SPC564A80 reference manual for details). Moreover, the recommendation is to acquire analog inputs redundantly. This module, if safety relevant, shall be used to implement the following functions:
- double read analog inputs;
- additional mechanisms.
3.10.1 Double read analog inputs

Suggested: safety-relevant analog inputs shall be acquired redundantly using both analog-to-digital converter macro-cells integrated in the eQADC module. The measured values shall be compared by software.
Rationale: to verify that the two measured analog input values match.
Implementation hint: shared channels shall not be used for the double read operation, in order to avoid CCFs due to pad sharing.
Implementation hint: SIU pads can be configured via the relevant pad configuration registers (PCRn).

3.10.2 Additional mechanisms

The two analog-to-digital converter macro-cells share the same digital interface. To increase the diagnostic coverage against failures affecting this common logic, additional countermeasures can be developed, for example:
- oversampling;
- plausibility check.
Suggested: the analog inputs shall be acquired redundantly in time.
Rationale: to increase the diagnostic coverage.
Implementation hint: the sampling rate shall be significantly higher than the Nyquist rate of the input signal, and the acquired values shall be compared by software to verify that they are correlated; in case of a fault, the acquired values are not correlated with each other. To cover random faults, at least three consecutive values shall be acquired for each analog input.

3.11 Temperature sensor

SPC564A7x/SPC564A80 devices are equipped with a temperature sensor to monitor the device temperature. The sensor generates a voltage that increases linearly with temperature and can be read by software using the on-board eQADC module; the read value, together with the band-gap voltage and the constants stored in flash memory during factory test, can be used to calculate the device junction temperature.
Suggested: the temperature sensor output voltage shall be read by software and the corresponding temperature compared with the upper limit of the operating range. If an over-temperature fault is detected, the device shall be moved to a safe state. This check shall run once per FTTI.
Rationale: to detect over-temperature faults.
Implementation hint: to set the proper operating range threshold, the temperature sensor accuracy of 10 °C and the maximum operating junction temperature of 150 °C (see the device datasheet) shall be considered.
Note: an external temperature sensor could be used to check the internal temperature sensor output.

3.12 Software watchdog timer (SWT)

Suggested: the SWT module shall be used to implement the control flow monitoring function. The SWT shall be clocked by the oscillator clock. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF. Other control flow monitoring approaches that do not use the SWT may also be used. SPC564A7x/SPC564A80 devices provide the hardware support (SWT) to implement both control flow monitoring and temporal flow monitoring methods.
Rationale: to detect a defective program sequence.
Implementation hint: the SWT can be enabled by setting the SWT_MCR[WEN] bit, and the configuration registers can be hard-locked by setting the SWT_MCR[HLK] bit. The timeout register (SWT_TO) must contain a 32-bit value that represents a timeout shorter than the FTTI. Before the safety function is executed, software must verify that the SWT is enabled by checking the SWT_MCR[WEN] bit. If windowed mode and keyed service mode (two pseudo-random key values used to service the watchdog) are enabled, highly effective temporal flow monitoring can be achieved.

3.13 Cyclic redundancy checker unit (CRC)

The CRC module shall be used to detect accidental alteration of data during storage or transmission. This shall be done for each storage or transmission operation.
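The following is an added example, not code from AN4287 or from ST, tying together the program sequence and temporal flow monitoring of Section 3.2 with the SWT usage of Section 3.12: every task of the SIF cycle reports a checkpoint into an order-sensitive signature and is timestamped, and the watchdog is serviced only when the cycle completed in the right order and within its deadline, so a skipped, repeated, swapped or late task lets the SWT expire and force the safe state. The checkpoint names, the signature mixing function, the tick time base and the SWT register model (WEN/HLK bit positions, fixed service keys 0xA602/0xB480) are assumptions made for the example and must be checked against the SPC564A7x/SPC564A80 reference manual; the timeout is derived from the 10 ms PST of Section 2.1 with a 40 MHz oscillator assumed.

```c
/* Added example (not from AN4287): control-flow and temporal monitoring of one
 * SIF cycle gating the SWT service (Sections 3.2 and 3.12). */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* checkpoints of the SIF cycle in the required order (assumed task set) */
enum { CP_READ_INPUTS = 1, CP_PLAUSIBILITY, CP_CONTROL_LAW, CP_WRITE_OUTPUTS };
static const uint32_t CP_EXPECTED[] = { CP_READ_INPUTS, CP_PLAUSIBILITY, CP_CONTROL_LAW, CP_WRITE_OUTPUTS };
#define CP_N (sizeof CP_EXPECTED / sizeof CP_EXPECTED[0])
#define CFM_SEED 0x811C9DC5u

typedef struct {
    uint32_t signature;    /* running, order-sensitive signature of reached checkpoints */
    uint32_t cycle_start;  /* tick at cycle start                                      */
    uint32_t max_ticks;    /* cycle must complete within this many ticks (< FTTI)      */
    bool     ok;           /* cleared on any timing violation                          */
} cfm_t;

/* XOR then multiply by an odd constant: swapping two checkpoints changes the result */
static uint32_t cfm_mix(uint32_t sig, uint32_t id) { return (sig ^ id) * 0x01000193u; }

/* in production this constant is computed offline and stored in flash */
uint32_t cfm_expected_signature(void)
{
    uint32_t s = CFM_SEED;
    for (size_t i = 0; i < CP_N; i++) s = cfm_mix(s, CP_EXPECTED[i]);
    return s;
}

void cfm_begin(cfm_t *m, uint32_t now, uint32_t max_ticks)
{
    m->signature = CFM_SEED; m->cycle_start = now; m->max_ticks = max_ticks; m->ok = true;
}

/* called at the end of each task; 'now' is a free-running tick counter */
void cfm_checkpoint(cfm_t *m, uint32_t id, uint32_t now)
{
    m->signature = cfm_mix(m->signature, id);
    if (now - m->cycle_start > m->max_ticks) m->ok = false;   /* task finished too late */
}

/* true only if every checkpoint was passed exactly once, in order, and in time */
bool cfm_end(const cfm_t *m, uint32_t now)
{
    return m->ok && (now - m->cycle_start) <= m->max_ticks
        && m->signature == cfm_expected_signature();
}

/* ---- SWT register model (bit positions and keys are assumptions) ---- */
#define SWT_MCR_WEN (1u << 0)   /* watchdog enable                       */
#define SWT_MCR_HLK (1u << 5)   /* hard lock: MCR/TO frozen until reset  */
typedef struct { uint32_t mcr, to, sr, counter; bool reset_asserted; } swt_t;

/* SWT_TO in oscillator ticks: 80 % of the FTTI leaves time for failure indication */
bool swt_configure(swt_t *w, uint32_t osc_hz, uint32_t ftti_us)
{
    uint64_t ftti_ticks = (uint64_t)osc_hz * ftti_us / 1000000u;
    w->to = (uint32_t)(ftti_ticks * 8u / 10u);
    w->mcr |= SWT_MCR_WEN | SWT_MCR_HLK;
    w->counter = 0;
    /* Section 3.12: verify WEN before the safety function runs */
    return (w->mcr & SWT_MCR_WEN) != 0 && w->to != 0;
}

void swt_tick(swt_t *w, uint32_t ticks)
{
    w->counter += ticks;
    if (w->counter > w->to) w->reset_asserted = true;   /* timeout: device goes to reset (safe state) */
}

static void swt_service(swt_t *w)
{
    w->sr = 0xA602u;   /* fixed service sequence, first key          */
    w->sr = 0xB480u;   /* second key: counter restarts (model below) */
    w->counter = 0;
}

/* One SIF cycle with the given checkpoint trace (ids reached in order, each
 * ticks_per_task apart). Services the SWT only if the monitor agrees.
 * Returns true if the watchdog was serviced. */
bool sif_cycle(swt_t *w, const uint32_t *ids, size_t n, uint32_t ticks_per_task, uint32_t max_ticks)
{
    static uint32_t now = 1000u;   /* free-running tick shared across cycles */
    cfm_t m;
    cfm_begin(&m, now, max_ticks);
    for (size_t i = 0; i < n; i++) {
        now += ticks_per_task;
        swt_tick(w, ticks_per_task);
        cfm_checkpoint(&m, ids[i], now);
    }
    if (!cfm_end(&m, now)) return false;   /* sequence or timing fault: do not service, let the SWT expire */
    swt_service(w);
    return true;
}

int main(void)
{
    static const uint32_t good[]    = { 1, 2, 3, 4 };
    static const uint32_t skipped[] = { 1, 3, 4 };
    swt_t w = { 0, 0, 0, 0, false };
    if (!swt_configure(&w, 40000000u, 10000u)) return 1;   /* 40 MHz XOSC, FTTI 10 ms: TO = 320000 */
    bool ok = sif_cycle(&w, good, 4, 1000u, 5000u) && !sif_cycle(&w, skipped, 3, 1000u, 5000u);
    return ok ? 0 : 1;
}
```

With windowed mode the SWT also rejects a service that arrives too early, which covers the "periodicity" half of the temporal monitoring; the monitor above covers the deadline half, and neither replaces the other.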
Suggested: correct working of the CRC module shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.

Implementation hint: e.g. the CRC signature of a known data pattern shall be calculated and compared to the expected one, i.e. the off-line calculated CRC signature; or the CRC signature of a random data pattern shall be redundantly calculated by software and by the CRC module, and the two CRC signatures are then compared.

Suggested: the CRC module shall be used to check the correctness of the content of the configuration registers of each safety-related module. If the CRC module is used by the SEF, specific software countermeasures shall be implemented to detect or to protect against possible faults of the CRC module. This check shall run once per FTTI.

Implementation hint: e.g. the CRC signature of the content of the configuration registers of each safety-related module shall be calculated off line. At run time, the same CRC signature shall be calculated by the CRC module within the SPT. The run-time calculated CRC signature is then compared to the expected one, i.e. the off-line calculated CRC signature. These operations also allow checking the integrity of the CRC module. Theoretically, the CRC signature could be calculated by software using one or more industry-standard CRC algorithms, but in practice using the CRC module is more effective. To avoid CPU overloading, the eDMA module can be used to support the data transfer from the registers under check to the CRC module.

3.14 Multi-layer AHB crossbar switch (XBAR)

Suggested: the configuration and the integrity of the XBAR shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF and/or once per FTTI.

Implementation hint: e.g. the integrity of the XBAR module can be checked by reading a checking pattern (stored in the flash memory) with the master core and the eDMA, calculating the CRC of the checking pattern and comparing it with the expected one. Different checking patterns (stored in different locations of the flash memory) could be chosen for each FTTI.

3.15 Memory protection unit (MPU)

The MPU provides hardware access control for all device memory locations.

Suggested: the MPU shall be configured to ensure that all bus masters (core, eDMA and FlexRay) can access only their allocated resources according to their access rights. The configuration and the correct working of the MPU shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF and/or once per FTTI.

Rationale: to avoid giving access to the device resources to an unauthorized master, and to avoid denying access to an authorized master.

Implementation hint: e.g. the integrity of the MPU module can be checked by reading data from reserved and non-reserved flash memory locations with the master core and the eDMA and verifying whether the MPU module gives access or not. Different flash memory locations could be chosen for each FTTI.

3.16 Peripheral bridge (PBRIDGE)

Suggested: the PBRIDGE shall be configured to ensure that all bus masters (core, eDMA and FlexRay) can access only their allocated resources according to their access rights. The configuration and the correct working of the PBRIDGE shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF and/or once per FTTI.

Rationale: to avoid giving access to the device resources to an unauthorized master, and to avoid denying access to an authorized master.

Implementation hint: e.g. the integrity of the PBRIDGE module can be checked by calculating the CRC of the configuration register values of 3 IPs and comparing each one with the expected one. Different IPs could be chosen for each FTTI.

3.17 Power management controller (PMC)

SPC564A7x/SPC564A80 devices use three supply voltages, nominally 5 V, 3.3 V and 1.2 V. The 5 V supply voltage must be supplied from outside, while the other supply voltages are supplied by internal regulators. Moreover, SPC564A7x/SPC564A80 devices embed LVI for all supply voltages. The PMC controls the internal regulators and the LVI circuits.

Suggested: the LVI failure reaction for all supply voltages shall be configured (system reset or interrupt request). These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.

Rationale: to check whether the supply voltages are in the correct operating range.

Suggested: the operation of the LVI circuits (for the supply voltages generated by internal regulators, i.e. 3.3 V and 1.2 V) shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.

Implementation hint: the output of each internal regulator can be set to a value lower than the LVI threshold value by configuring the PMC_TRIMR register. Accordingly, by enabling only the interrupt request as the LVI failure reaction, the generation of the LVI interrupt requests confirms the correctness of the LVI circuits' operation. The correct value of the PMC_TRIMR register can then be restored.

Suggested: correct execution of the power-on reset sequence shall be checked. These specific software countermeasures can run once after the power-on reset (POR) before running the SIF.

Implementation hint: e.g. reserved RAM is used to store a key which can be used to determine whether the current reset is a POR or not, together with the POR bit in the ECSM_MRSR register. Moreover, the default reset value of the registers of each IP can be checked.
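The two CRC checks of Section 3.13, which Sections 3.14 and 3.16 reuse (a known-pattern self-test of the CRC engine, then a signature of a configuration-register snapshot compared with an off-line value), as an added example in C. This is not code from AN4287 or from ST: a software CRC-32 stands in for the device's CRC module, the register values are constructed, and on the device they would be read from the memory-mapped registers of each safety-related module (or moved to the CRC module by the eDMA, as the hint suggests).

```c
/* Added example, not code from AN4287 or from ST: a software CRC-32 standing in
 * for the device's CRC module, used for the two checks Section 3.13 describes:
 * a known-answer self-test of the CRC engine, and a comparison of a
 * configuration-register snapshot against a signature computed off line.
 * Register values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* CRC-32 (IEEE 802.3 / ISO-HDLC): reflected polynomial 0xEDB88320, initial value
 * 0xFFFFFFFF, final XOR 0xFFFFFFFF. Bitwise, so it needs no lookup table. */
uint32_t crc32(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Check 1 (3.13, first hint): signature of a known pattern against the off-line
 * value. "123456789" is the standard CRC-32 check string; its CRC is 0xCBF43926. */
bool crc_engine_self_test(void)
{
    static const uint8_t pattern[] = { '1','2','3','4','5','6','7','8','9' };
    return crc32(pattern, sizeof pattern) == 0xCBF43926u;
}

/* Snapshot of the configuration registers under check (constructed count). */
#define CFG_REG_COUNT 4
typedef struct { uint32_t reg[CFG_REG_COUNT]; } cfg_snapshot_t;

/* Serialise big-endian so the signature does not depend on host byte order and
 * matches what an off-line tool would compute from the register list. */
uint32_t cfg_signature(const cfg_snapshot_t *s)
{
    uint8_t bytes[CFG_REG_COUNT * 4];
    for (size_t i = 0; i < CFG_REG_COUNT; i++) {
        bytes[4 * i + 0] = (uint8_t)(s->reg[i] >> 24);
        bytes[4 * i + 1] = (uint8_t)(s->reg[i] >> 16);
        bytes[4 * i + 2] = (uint8_t)(s->reg[i] >> 8);
        bytes[4 * i + 3] = (uint8_t)(s->reg[i]);
    }
    return crc32(bytes, sizeof bytes);
}

/* Check 2 (3.13, second hint): run-time signature versus the expected one.
 * The engine self-test runs first, so a broken CRC engine cannot produce a
 * false "match". */
bool cfg_check(const cfg_snapshot_t *s, uint32_t expected)
{
    if (!crc_engine_self_test()) return false;
    return cfg_signature(s) == expected;
}

/* Constructed "golden" configuration, as captured at commissioning. */
const cfg_snapshot_t cfg_golden = { { 0x80000001u, 0x00000F00u, 0x0000A5A5u, 0x12345678u } };

/* Demonstrates detection: flipping one bit of one register must fail the check
 * against the golden signature. Returns true when the change was detected. */
bool cfg_detects_single_bit_change(void)
{
    uint32_t expected = cfg_signature(&cfg_golden);
    cfg_snapshot_t tampered = cfg_golden;
    tampered.reg[2] ^= 0x1u;
    return cfg_check(&cfg_golden, expected) && !cfg_check(&tampered, expected);
}
```

In a real deployment the expected signature is a constant produced off line from the intended register contents, not computed at run time from the registers themselves; computing it at run time would only prove that the registers have not changed since the last read, not that they hold the intended values.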
3.18 Error correction status module (ECSM)

The ECSM is able to detect data storage failures in memory (flash and SRAM) and to address them. The ECSM can detect and correct single-bit errors, detect double-bit faults and detect faults affecting more than two bits. ECC functionality concerns data, not addresses. ECC is automatically calculated on memory write accesses and checked while read accesses are executed on memory.

Suggested: to enable the ECC reporting logic in the ECSM in order to provide an optional interrupt mechanism for managing failures. In addition to the interrupt generation, the ECSM captures specific information (memory address, attributes and data, bus master number, etc.) which can be useful for subsequent failure analysis.

Rationale: to manage failures and perform failure analysis.

3.19 Other modules

Suggested: all other modules, if safety relevant, shall be protected at application level.

4 Functions of external devices for safety applications

This section gives an overview of the external components suggested for use with the SPC564A7x/SPC564A80 device.

Suggested: at system level some countermeasures have to be placed in order to bring the safety-critical outputs to their safe state (e.g. by pull-up or pull-down resistors).

It should be noted that the failure rates of external devices are not included in the FMEDA of the SPC564A7x/SPC564A80 device and have to be included in the system FMEDA by the user.

4.1 External watchdog function (EXWD)

Suggested: an external low-cost device, acting as system supervisor, shall also provide a watchdog to cover CCFs of the SPC564A7x/SPC564A80 device. It shall be triggered periodically by the SPC564A7x/SPC564A80 device.

Rationale: to detect a CCF such as a complete failure of the power supply.
Some common causes of failure (e.g. a failure of the power supply) are detected because the software no longer triggers the watchdog. If a failure is detected, the EXWD moves, and maintains, the system (ECU level) to a safe state condition within the FTTI (e.g. the EXWD disconnects the SPC564A7x/SPC564A80 device from the power supply). The user can choose how to implement the watchdog communication between the SPC564A7x/SPC564A80 device and the external device (for example, communication via serial link or via a toggling pin).

4.2 Power supply monitor function (PSM)

The SPC564A7x/SPC564A80 device embeds LVI for all internal supplies. Latent failures impacting these LVIs can't be detected.

Suggested: an external low-cost device, acting as system supervisor, shall also provide an over-/under-voltage monitor for the SPC564A7x/SPC564A80 on all supplies available externally.

Rationale: to ensure that the voltage power supply is within the defined operating range. If the voltage power supply is out of the defined operating range, the PSM moves, and maintains, the system (ECU level) to a safe state condition within the FTTI (e.g. the PSM disconnects the SPC564A7x/SPC564A80 device from the power supply). For the voltage power supply operating range, please refer to the SPC564A7x/SPC564A80 device data sheet. It should be noted that an over-voltage outside the specified range may cause permanent damage to the SPC564A7x/SPC564A80 device even if it is kept in reset.

4.3 PWM output monitor function (PWMM)

The eMIOS200 module and the eTPU2 module integrated in the SPC564A7x/SPC564A80 device can generate PWM output signals.
In general, if the safety application uses these PWM output signals to control an actuator with a short safety time against wrong control (such as the inverter of a three-phase motor control application with dead-time requirements to avoid short circuits destroying the inverter and the motor), those requirements shall be supervised externally if the failure reaction delay within the SPC564A7x/SPC564A80 device can exceed the safety time of the actuator. The distinctive features that should be managed by the external device are the correctness of the inserted dead-time and the occurrence of an open circuit and/or a short circuit to supply or ground.

Suggested: an external low-cost device, acting as system supervisor, shall also provide a PWM monitor to check the generated PWM output signals.

Rationale: to check the accuracy of the PWM output signals. If a failure is detected, the PWMM moves, and maintains, the system (ECU level) to a safe state condition within the FTTI (e.g. the PWMM disconnects the SPC564A7x/SPC564A80 device from the power supply).

Implementation hint: in case PWM signals drive the switches of a power stage, eMIOS200 channels or eTPU2 channels cannot be used to detect a dead-time fault, because their failure indication time is normally greater than the time needed to produce a physical permanent failure of the power stage.

5 ECC logic test

5.1 Overview

This section describes the information required to develop the software for the ECC logic test. The goal is to ensure high coverage of ECC logic faults with minimum performance penalty to the customer's application. Thus, the performance penalty must be less than 2% (e.g. the test time should be less than 200 µs considering an FTTI of 10 ms). The SPC564A7x/SPC564A80 flash memory has a UTest (user-test) mode ECC logic check feature which can be utilized for this ECC logic test.
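The walking-0 data pattern that Section 5.2 below tabulates as Table 1 (64 vectors with a single 0 walking through the 64 data bits while the check bits stay 0xFF, 8 vectors with the 0 walking through the 8 check bits, then one error-free all-ones vector), as an added example in C that generates the vectors and checks the property Section 5.2 states: every vector except the last differs from the fault-free reference in exactly one bit and should therefore produce a single-bit correction. This is not code from AN4287 or from ST, and it does not model the UTest-mode register writes of Section 5.3; it produces the data and check-bit values that step 4 of that procedure would load.

```c
/* Added example, not code from AN4287 or from ST: generates the walking-0 pattern
 * of Table 1 and checks that every vector but the last carries exactly one bit
 * error against the fault-free reference (data all ones, check bits 0xFF). The
 * UTest-mode register writes of Section 5.3 are not modelled. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define ECC_DATA_BITS     64u
#define ECC_CHECK_BITS    8u
#define ECC_VECTOR_COUNT  (ECC_DATA_BITS + ECC_CHECK_BITS + 1u)   /* 73 vectors, numbered 0..72 */

#define ECC_REF_DATA   UINT64_MAX   /* 0xFFFF_FFFF_FFFF_FFFF */
#define ECC_REF_CHECK  0xFFu        /* correct check bits for the all-ones double word */

typedef struct {
    uint8_t  check;   /* 8-bit ECC parity bits */
    uint64_t data;    /* 64-bit data bits */
} ecc_vector_t;

/* What the test expects to observe for a vector: a single-bit correction or a
 * clean read. */
typedef enum { ECC_EXPECT_SINGLE_BIT_CORRECTION, ECC_EXPECT_NO_ERROR } ecc_expect_t;

/* Vector n of Table 1: n in 0..63 clears data bit n, n in 64..71 clears check
 * bit n-64, and vector 72 is the error-free reference. Out-of-range n yields
 * the reference vector. */
ecc_vector_t ecc_test_vector(unsigned n)
{
    ecc_vector_t v = { ECC_REF_CHECK, ECC_REF_DATA };
    if (n < ECC_DATA_BITS)
        v.data &= ~((uint64_t)1 << n);
    else if (n < ECC_DATA_BITS + ECC_CHECK_BITS)
        v.check &= (uint8_t)~(1u << (n - ECC_DATA_BITS));
    return v;
}

ecc_expect_t ecc_expected_result(unsigned n)
{
    return n < ECC_DATA_BITS + ECC_CHECK_BITS ? ECC_EXPECT_SINGLE_BIT_CORRECTION
                                              : ECC_EXPECT_NO_ERROR;
}

static unsigned popcount64(uint64_t x)
{
    unsigned c = 0;
    while (x) { x &= x - 1; c++; }
    return c;
}

/* Hamming distance of a vector from the fault-free reference, over all 72 bits. */
unsigned ecc_vector_error_bits(ecc_vector_t v)
{
    return popcount64(v.data ^ ECC_REF_DATA) + popcount64((uint64_t)(v.check ^ ECC_REF_CHECK));
}

/* Validates the whole pattern: exactly one error bit per vector except the last,
 * which must be error-free. */
bool ecc_pattern_is_valid(void)
{
    for (unsigned n = 0; n < ECC_VECTOR_COUNT; n++) {
        unsigned e = ecc_vector_error_bits(ecc_test_vector(n));
        unsigned want = (ecc_expected_result(n) == ECC_EXPECT_SINGLE_BIT_CORRECTION) ? 1u : 0u;
        if (e != want) return false;
    }
    return true;
}

int main(void)
{
    for (unsigned n = 0; n < ECC_VECTOR_COUNT; n++) {
        ecc_vector_t v = ecc_test_vector(n);
        printf("%2u  0x%02X  0x%016llX\n", n, v.check, (unsigned long long)v.data);
    }
    printf("pattern valid: %d\n", ecc_pattern_is_valid());
    return 0;
}
```

Keeping the last vector error-free matters: it is the control case that shows a "no error" read is still possible after 72 corrections, so a stuck reporting flag cannot pass the test.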
A data pattern with a walking 0 through the data and ECC parity bits can be applied during the ECC logic check procedure to achieve high fault coverage of the ECC logic and fast execution.

5.2 Data pattern: walking 0

To reach the needed performance, the data pattern with a walking 0 through the data and ECC parity bits must be used. Table 1 shows the data pattern. It is important to note that for the double word data = 0xFFFF_FFFF_FFFF_FFFF, the correct ECC check bits should be 0xFF. Therefore, every data vector in the data pattern in Table 1, except the last one, contains a single-bit ECC error and will result in a single-bit correction.

Table 1. Data pattern used by the ECC logic test

Data vector number | 8-bit ECC parity bits | 64-bit data bits
0 | 0xFF | 0xFFFF_FFFF_FFFF_FFFE
1 | 0xFF | 0xFFFF_FFFF_FFFF_FFFD
2 | 0xFF | 0xFFFF_FFFF_FFFF_FFFB
3 | 0xFF | 0xFFFF_FFFF_FFFF_FFF7
4 | 0xFF | 0xFFFF_FFFF_FFFF_FFEF
5 | 0xFF | 0xFFFF_FFFF_FFFF_FFDF
6 | 0xFF | 0xFFFF_FFFF_FFFF_FFBF
7 | 0xFF | 0xFFFF_FFFF_FFFF_FF7F
... | ... | ...
62 | 0xFF | 0xBFFF_FFFF_FFFF_FFFF
63 | 0xFF | 0x7FFF_FFFF_FFFF_FFFF
64 | 0xFE | 0xFFFF_FFFF_FFFF_FFFF
65 | 0xFD | 0xFFFF_FFFF_FFFF_FFFF
... | ... | ...
71 | 0x7F | 0xFFFF_FFFF_FFFF_FFFF
72 | 0xFF | 0xFFFF_FFFF_FFFF_FFFF

5.3 UTest mode ECC logic check

The procedure to use the UTest mode ECC logic check is listed below:

- Enable UTest mode (write 0xF9F9_9999 to the UT0 register; UT0[UTE] will be set).
- Write UT0[SBCE] to 1 (to enable single-bit error correction visibility).
- Write UT0[EIE] to 1.
- Write the UT0[DSI], UT1[DAI] and/or UT2[DAI] bits to provide the data and check bit values to be read. Single or double bit detections/corrections can be simulated by properly choosing data and check bit combinations.
- Write the double word address that is to receive the data entered in step 3 into the ADR register.
- Reads can now be done through the BIU in a read-request fashion.
In the event of a BIU read requested from an address that matches the address in the ADR register, the expected data, and corrections or detections, should be observed based on the data written into the UT0[DSI], UT1[DAI] and/or UT2[DAI] registers. MCR[EER] and MCR[SBC] can be checked to evaluate the status of the reads done.
- Repeat steps 4 to 6 for all the data vectors in the proposed test data pattern.
- Once completed, clear the UT0[EIE] bit to 0.

5.4 Fault coverage and execution time

The described ECC logic test reaches a 92.7% fault coverage of the ECC decode logic. The execution of the test code takes about 176 µs at 80 MHz, room temperature and nominal voltages.

Appendix A Further information

5.5 Conventions and terminology

Table 2 shows the list of conventions for this document.

5.6 Acronyms and abbreviations

A short list of acronyms and abbreviations used in this document is reported in Table 3.

Table 2. List of conventions and terminology

Convention | Description
Error | Discrepancy between a computed, observed, or measured value or condition and the true, specified or theoretically correct value or condition.
Fault | Abnormal condition that may cause a reduction in, or loss of, the capability of a functional unit to perform a required function.
Failure | The termination of the ability of a functional unit to perform a required function.

Table 3. Acronyms and abbreviations
Term | Meaning
CCF | Common cause failure
CRC | Cyclic redundancy check
DED | Dual error detection
ECC | Error correcting code
ECSM | Error correction status module
eDMA | Enhanced direct memory access
EXWD | External watchdog function
eQADC | Enhanced queued analog-to-digital converter
FMEDA | Failure modes, effects and diagnostic analysis
FMPLL | Frequency-modulated phase-locked loop
FOM | Failure output monitor function
FTTI | Fault tolerant time interval
GPIO | General purpose input/output
LBIST | Logic built-in self-test
LVI | Low voltage inhibit
MBIST | Memory built-in self-test
MCU | Microcontroller unit
MPU | Memory protection unit
PMC | Power management controller
PSM | Power supply monitor function
PST | Process safety time
PWM | Pulse width modulation
RAM | Random access memory
SEC | Single error correction
SWT | Software watchdog timer

Appendix B Reference documents

1. SPC564A70B4, SPC564A70L7 32-bit MCU family built on the embedded Power Architecture® (RM0068, DocID18132)
2. 32-bit Power Architecture® based MCU for automotive powertrain applications (SPC564A70B4, SPC564A70L7, DocID18078)
3. SPC564A74xx, SPC564A80xx 32-bit MCU family built on the embedded Power Architecture® (RM0029, DocID15177)
4. 32-bit MCU family built on the embedded Power Architecture® (SPC564A74B4, SPC564A74L7, SPC564A80B4, SPC564A80L7, DocID15399)
5. SPC564A70x device errata JTAG_ID = 0x0AE03041 (SPC564A70B4, SPC564A70L7, DocID022776)
6. SPC564A70x device errata JTAG_ID = 0x1AE03041 (SPC564A70B4, SPC564A70L7, DocID022787)
7. SPC564A80 device errata JTAG_ID = 0x0AE02041 (SPC564A80, DocID16797)
8. SPC564A80 device errata JTAG_ID = 0x0AE02041 (SPC564A80, DocID17624)
9. SPC564A80x device errata JTAG_ID = 0x1AE02041 (SPC564A80, DocID18436)

Revision history

Table 4. Document revision history
Date | Revision | Changes
09-Apr-2013 | 1 | Initial release.
24-Sep-2013 | 2 | Updated disclaimer.

Please read carefully:

Information in this document is provided solely in connection with ST products. STMicroelectronics NV and its subsidiaries ("ST") reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any time, without notice.

All ST products are sold pursuant to ST's terms and conditions of sale.

Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no liability whatsoever relating to the choice, selection or use of the ST products and services described herein.

No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such third party products or services or any intellectual property contained therein.

Unless otherwise set forth in ST's terms and conditions of sale ST disclaims any express or implied warranty with respect to the use and/or sale of ST products including without limitation implied warranties of merchantability, fitness for a particular purpose (and their equivalents under the laws of any jurisdiction), or infringement of any patent, copyright or other intellectual property right.
ST products are not designed or authorized for use in: (A) safety critical applications such as life supporting, active implanted devices or systems with product functional safety requirements; (B) aeronautic applications; (C) automotive applications or environments, and/or (D) aerospace applications or environments. Where ST products are not designed for such use, the purchaser shall use products at purchaser's sole risk, even if ST has been informed in writing of such usage, unless a product is expressly designated by ST as being intended for "automotive, automotive safety or medical" industry domains according to ST product design specifications. Products formally ESCC, QML or JAN qualified are deemed suitable for use in aerospace by the corresponding governmental agency.

Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any liability of ST.

ST and the ST logo are trademarks or registered trademarks of ST in various countries. Information in this document supersedes and replaces all information previously supplied. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners.

© 2013 STMicroelectronics - All rights reserved

STMicroelectronics group of companies: Australia - Belgium - Brazil - Canada - China - Czech Republic - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan - Malaysia - Malta - Morocco - Philippines - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States of America

www.st.com