The FCCU (fault collection and control unit) is a programmable unit that monitors the integrity status of the microcontroller and provides flexible safe-state control: it collects errors and, when a failure is present, leads the device in a controlled way to a safe state. No CPU intervention is required for the collection and control operation.
A simplified block diagram of FCCU is shown here.
The FCCU implements a finite state machine that moves from one state to another on the basis of the errors occurring in the system and the actions (or inactions) taken on them. Depending on the fault configuration, the occurrence of a fault may cause a reset, a maskable or non-maskable interrupt, or no reaction at all. Two pins (EOUT0/1) are also provided on the SoC to communicate to the external environment that faults are occurring in the system.
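To make the state machine and its "action or inaction" rule concrete, here is an added C model (example code written for this page, not code from the article or from Freescale). The state names NORMAL/CONFIG/ALARM/FAULT follow the MPC5643L FCCU; the configuration structure, the per-fault bit masks, the tick-based alarm timeout and the clear-handshake are assumptions made for the illustration and are not the device's register map.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model of the FCCU state machine. State names follow the MPC5643L FCCU;
 * the config fields, bit masks and tick-based timeout are assumptions for
 * this illustration, not the real register layout. */

typedef enum { FCCU_NORMAL, FCCU_CONFIG, FCCU_ALARM, FCCU_FAULT } fccu_state_t;

enum {
    REACT_IRQ   = 1u << 0,  /* maskable interrupt */
    REACT_NMI   = 1u << 1,  /* non-maskable interrupt */
    REACT_RESET = 1u << 2,  /* functional reset request */
    REACT_EOUT  = 1u << 3   /* EOUT0/1 error-out pins driven to the fault level */
};

typedef struct {
    uint32_t enable;        /* bit i set: fault source i is collected at all */
    uint32_t irq_en, nmi_en, reset_en, eout_en;
    uint32_t alarm_en;      /* bit i set: fault i goes to ALARM first and only
                               escalates to FAULT if software does not clear it */
    uint32_t alarm_timeout; /* ticks an uncleared ALARM is tolerated */
} fccu_cfg_t;

typedef struct {
    fccu_cfg_t   cfg;
    fccu_state_t state;
    uint32_t     pending;     /* latched fault status, one bit per source */
    uint32_t     alarm_ticks;
    uint32_t     reactions;   /* REACT_* bits asserted since the last clear */
} fccu_t;

void fccu_init(fccu_t *f, const fccu_cfg_t *cfg)
{
    memset(f, 0, sizeof *f);
    f->cfg = *cfg;
    f->state = FCCU_NORMAL;
}

static void fccu_enter_fault(fccu_t *f)
{
    f->state = FCCU_FAULT;
    /* Reset is the strongest reaction and is only issued from FAULT. */
    if (f->pending & f->cfg.reset_en)
        f->reactions |= REACT_RESET;
}

/* Hardware path: a fault input is asserted. Nothing here needs the CPU;
 * the source is latched and the reaction follows the configuration. */
void fccu_fault_in(fccu_t *f, unsigned fault)
{
    uint32_t bit = 1u << fault;
    if (!(f->cfg.enable & bit))
        return;                         /* configured for no reaction */
    f->pending |= bit;
    if (f->cfg.eout_en & bit) f->reactions |= REACT_EOUT;
    if (f->cfg.irq_en  & bit) f->reactions |= REACT_IRQ;
    if (f->cfg.nmi_en  & bit) f->reactions |= REACT_NMI;

    if (f->state == FCCU_FAULT)
        return;                         /* already in the terminal state */
    if (f->cfg.alarm_en & bit) {
        if (f->state != FCCU_ALARM) {   /* give software a window to react */
            f->state = FCCU_ALARM;
            f->alarm_ticks = 0;
        }
    } else {
        fccu_enter_fault(f);
    }
}

/* Time base: inaction in ALARM escalates to FAULT once the timeout expires. */
void fccu_tick(fccu_t *f)
{
    if (f->state == FCCU_ALARM && ++f->alarm_ticks >= f->cfg.alarm_timeout)
        fccu_enter_fault(f);
}

/* Software path: clear a latched fault. The hardware refuses the clear while
 * the source is still asserted, so the caller reports that condition. */
bool fccu_clear(fccu_t *f, unsigned fault, bool source_still_active)
{
    uint32_t bit = 1u << fault;
    if (source_still_active || !(f->pending & bit))
        return false;
    f->pending &= ~bit;
    if (f->pending == 0) {              /* last fault gone: back to NORMAL */
        f->state = FCCU_NORMAL;
        f->alarm_ticks = 0;
        f->reactions = 0;               /* IRQ/EOUT lines return to idle */
    }
    return true;
}
```

The point of the ALARM path is the one the text calls "inaction": a fault routed through ALARM only raises an interrupt at first, and the reset follows solely because software failed to clear it within the timeout, whereas a fault configured without ALARM goes straight to FAULT and its reset reaction.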
Self-test control unit (STCU)
The STCU is a self-diagnostic measure that runs at boot or shutdown time to ensure that no latent (dormant) faults are present in the device that could corrupt its operation during the application run. The self-test is generally run on the digital logic (logic built-in self-test, LBIST) and on the embedded memories (memory built-in self-test, MBIST), with enough coverage to meet the Safety Integrity Level (SIL) required by the system.
Fig. 3. STCU Operation during system boot-up
- After an STCU reset event, the SSCM (system status and configuration module) detects that the device self-test has not been run yet.
- The SSCM reads the self-test parameters from flash nonvolatile memory (NVM).
- The SSCM loads the self-test parameters into the STCU and hands control over to the STCU.
- The STCU runs the MBISTs and updates its internal status.
- The STCU runs the LBISTs and updates its internal status.
- If faults are detected, the STCU reports the test failures to the FCCU.
- Once the self-test is complete, the STCU signals the reset module and the boot sequence proceeds to the next phase. However, if a SIR (stay-in-reset) fault occurs, the STCU keeps the device in reset until a new STCU reset event is applied.
Clock monitor unit (CMU)
The CMU is a module that monitors the system PLL output or the external crystal oscillator frequency and signals a fault, reset, or interrupt if the clock is lost or if the monitored clock leaves a configured lower or upper frequency boundary. The CMUs use the system safe clock (the internal RC oscillator) as the reference against which the monitored clock is measured.
A simplified block diagram of CMU is shown here.
As can be seen in the diagram above, the CMU provides signals to the reset module and to the FCCU if there is an oscillator loss-of-clock event or a frequency-high/frequency-low event on a monitored clock. The configuration of the reset module and the FCCU determines whether the event generates an interrupt or a reset.
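The frequency check itself is a count comparison: the hardware counts monitored-clock cycles over a window of reference-clock cycles and compares the count against a low and a high limit. The added C model below (example code written for this page, not code from the article or from Freescale) shows that comparison plus the one detail that bites in practice: the RC reference has its own tolerance, so the limits have to be derived with the reference at its worst-case corner or a clock that is legitimately at the edge of its band trips a false alarm. The window size, the per-mille tolerance handling, the sample frequencies and the function names are all assumptions for the illustration; the real CMU registers have different widths and encodings.

```c
#include <stdint.h>

/* Model of the CMU frequency check. The counting window, the threshold
 * arithmetic and the reference-tolerance handling are assumptions for this
 * illustration, not the device's register encoding. */

enum { CMU_OK = 0, CMU_OLR = 1, CMU_FLL = 2, CMU_FHH = 4 };  /* event bits */

typedef struct {
    uint32_t ref_hz;            /* nominal safe reference clock (internal RC) */
    uint32_t ref_tol_permille;  /* reference accuracy, e.g. 50 = +/-5 % */
    uint32_t window_ref_cycles; /* measurement window, in reference cycles */
    uint32_t low_hz, high_hz;   /* permitted band for the monitored clock */
} cmu_cfg_t;

typedef struct { uint32_t low_count, high_count; } cmu_thresholds_t;

/* Derive the count limits. A slow reference lengthens the window and inflates
 * the count, a fast one deflates it, so each limit is computed with the
 * reference at the corner that would otherwise cause a false trip. */
cmu_thresholds_t cmu_thresholds(const cmu_cfg_t *c)
{
    cmu_thresholds_t t;
    uint64_t num_low  = (uint64_t)c->low_hz  * c->window_ref_cycles * 1000u;
    uint64_t num_high = (uint64_t)c->high_hz * c->window_ref_cycles * 1000u;
    uint64_t den_fast = (uint64_t)c->ref_hz * (1000u + c->ref_tol_permille);
    uint64_t den_slow = (uint64_t)c->ref_hz * (1000u - c->ref_tol_permille);
    t.low_count  = (uint32_t)(num_low / den_fast);                   /* floor */
    t.high_count = (uint32_t)((num_high + den_slow - 1) / den_slow); /* ceil  */
    return t;
}

/* What the counter reads for a monitored clock at mon_hz while the reference
 * actually runs at actual_ref_hz (nominal or off by its tolerance). */
uint32_t cmu_measure(const cmu_cfg_t *c, uint32_t mon_hz, uint32_t actual_ref_hz)
{
    return (uint32_t)(((uint64_t)mon_hz * c->window_ref_cycles) / actual_ref_hz);
}

/* Classify one window. Loss of clock is reported on its own: with no edges
 * at all there is nothing to compare and the reference is the only clock left. */
uint32_t cmu_check(const cmu_cfg_t *c, uint32_t counted)
{
    cmu_thresholds_t t = cmu_thresholds(c);
    uint32_t ev = CMU_OK;
    if (counted == 0)
        return CMU_OLR;
    if (counted < t.low_count)  ev |= CMU_FLL;
    if (counted > t.high_count) ev |= CMU_FHH;
    return ev;
}
```

With a 16 MHz reference, a 1024-cycle window and a 100 to 130 MHz band (constructed sample values), the nominal limits would be 6400 and 8320 counts; allowing for a 5 % reference tolerance widens them to 6095 and 8758. The widened band is the price of a cheap reference: the tighter the monitoring you want, the more accurate (or trimmed) the safe clock has to be.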
Power monitoring unit
Two types of voltage supervisor are implemented on Freescale safety devices: low-voltage detect (LVD) and high-voltage detect (HVD) monitors. All safety-relevant supply pins are supervised for voltages below the LVD threshold or above the HVD threshold.
Because an out-of-range safety-relevant voltage has the potential to disable the failure indication mechanisms of the MCU themselves (the FCCU, the pads, and so on), its error indication bypasses those mechanisms and directly causes the device to transition to the fail-safe state (reset assertion).
Even though implementing functional safety features requires redundancy in the MCU, and with it more power and die area, the benefits of a robust system (with the device able to provide fail-safe, fail-silent, or fail-indicate states) are immense. Such functional safety features (as shown here for Freescale devices) allow customers to achieve ISO 26262 ASIL x and IEC 61508 SIL x certification for their applications.
Arun Mishra is lead design engineer at Freescale Semiconductor.
This article appeared on the Automotive Designline, which covers automotive electronics design, technology, trends, products, and news.