## AURIX 2G Safety Management Unit (SMU)

Thomas
IFCN ATV SMD GC SAE MC
2018/5/2





#### Content

1. Fault Management System (SMU): Concept
2. SMU Safety Feature: Update







- AURIX supports FTTI ≥ 10 ms
- The worst-case fault detection time is the software diagnostic time interval (application dependent)
- The AURIX hardware safety mechanisms provide a very fast fault detection time, in most cases well below 1 µs at 100 MHz



#### AURIX Fault Reaction Concept

Error management is centralized in the Safety Management Unit



## Failure Reaction Example NMI + Internal Reset





### Failure Reaction Example Recovery Timer





## Failure Reaction Example NMI + FSP and SSC delayed reaction





### Safety Management Unit



- Central hardware module that collects alarms from every hardware safety mechanism as well as error signals related to the architecture (bus error, ...)
- Unified fault management: dedicated alarms can also be triggered by software
- A pre-defined reaction can be configured individually for each alarm:

#### External reaction

Transition of the Fail Safe Protocol on the error pin (P33.8) to "fault state"

#### Internal reaction, to be selected between

- Issue NMI to all CPUs
- Issue interrupt to a configurable set of CPUs
- Issue a system reset (recommended) or application reset
- Force a configurable set of CPUs into IDLE mode

Note: both an external and an internal reaction can be configured for a given alarm, for example FSP fault state activation + NMI



#### Application/System Reset





#### Port Emergency Stop

- Scope: used to quickly and reliably disconnect critical outputs in case of a dangerous situation
- Possible usages: stop all communication on the CAN bus, disconnect PWM signals from an actuator, ...
- All digital I/O ports have emergency stop logic. Whether a pin reacts to the global emergency stop signal is configured per pin in register Pn\_ESR.
- The pin configuration is switched to the default state after reset (input function with internal pull-up, or tristate)





#### Content

1. Fault Management System (SMU): Concept
2. SMU Safety Feature: Update



### Safety Feature Update

- 2.1 Architecture
- 2.2 SMU Changes
- 2.3 SMU More Details

### Safety Management Unit (SMU) Introduction



- The SMU centralizes all alarm signals related to the different hardware- and software-based safety mechanisms
- Each alarm can be individually configured to
  - trigger internal actions and/or
  - notify externally the presence of faults via a fault signaling protocol
- The SMU in combination with the embedded safety mechanisms enables detection and reporting of more than 99% of the critical failure modes of the microcontroller within the fault tolerance time interval

#### SMU Architecture Update: Redundancy & Diversity







### Safety Feature Update

- 2.1 Architecture
- 2.2 SMU Changes
- 2.3 SMU More Details



#### SMU Changes: Motivation

- Independent (power and clock domain) and redundant monitor for Alarms
- Control of Fault Management System latent faults and SEU (Single Event Upset)
- Control of Systematic Faults: alternative implementation to the SMU\_Core
- State of the art on the market
- Consistent and simplified implementation for External Error Signalling (FSP) and monitoring
- Unified/systematic solution for both Power Domains: Core and Standby



#### SMU Changes

#### Software Compatibility

- Many more alarms are handled by the AURIX™ TC3xx SMU than by the TC2xx SMU
- Alarm grouping changed completely because of the increased number of alarms
- "Alarm Executed" mechanism implemented:

If one kind of Alarm-Handling (e.g. RST0 request) was executed, the Alarm Executed Status needs to be cleared before the same Alarm-Handling can be executed again.

#### Safety-related changes

- CPU IDLE requests changed to CPU core reset requests.
- Alarm-Handlings triggered by alarms that arrive at the same time are now executed concurrently (if different reactions are configured; if not, see the Alarm Executed mechanism above).
- Safety FFs added to safety-critical blocks (SSH, PMS, SCU, ...) with alarms and self-test control in the SMU

#### Redundant SMU in Standby Domain: SMU\_Stdby

- Alive Alarm from SMU\_Core to SMU\_Stdby
- Contains the control of MONBIST: enables users to test all alarm paths, alarm configurations and alarm reactions
- Upon SMU\_Stdby alarm detection, the FSP pins can be put into fault state.

#### FSP updates

- Redundant FSP pin: FSP[1] → a new protocol is introduced (Dynamic Dual Rail)
- Glitch filter for EMS input via Error Pin (FSP[0])

#### Safety Flip-Flops updates

- Separate Register Monitor control and status bits per IP with SFFs
- Both SMUs contain SFFs as SMs



#### SMU\_STDBY

#### SMU Standby Memory Map:

Table 872 Register Overview - SMU\_STDBY (ascending Offset Address)

| Short Name    | Long Name                            | Offset Address          | Access Mode Read | Access Mode Write | Reset        |
|---------------|--------------------------------------|-------------------------|------------------|-------------------|--------------|
| AG2i_STDBY    | Alarm Status Register                | 188<sub>H</sub> + i*4   | U,SV             | SV,SE,P           | LVD Reset    |
| MONBISTSTAT   | SMU_stdby BIST Status Register       | 190<sub>H</sub>         | U,SV             | BE                | See page 109 |
| MONBISTCTRL   | SMU_stdby BIST Control Register      | 198<sub>H</sub>         | U,SV             | SV,SE,P           | See page 108 |
| CMD_STDBY     | SMU_stdby Command Register           | 19C<sub>H</sub>         | U,SV             | SV,SE,P           | See page 103 |
| AG2iFSP_STDBY | SMU_stdby FSP Configuration Register | 1A4<sub>H</sub> + i*4   | U,SV             | SV,SE,P           | See page 105 |

#### SMU\_stdby Built-In Self Test

- The SMU\_stdby contains a built-in mechanism that enables users to test all alarm paths, alarm configurations, and alarm reactions.
- The MONBISTCTRL register enables the user to start the BIST of the SMU\_stdby. Results of the BIST are available in the MONBISTSTAT register.







#### SMU Changes: FSP pins

- FSP protocol layer block supports all 3 protocols:
  - Bi-stable (default)
  - Dynamic dual-rail
  - Time-switching protocols
- FSP status is generated/decoded by the FSP Protocol layer in SMU\_CORE domain.
- FSP0EN (FSP[0]) and FSP1EN (FSP[1]) are controlled by the register CMD\_STDBY.





#### SMU Changes: Glitch Filtered Error Pin



#### Glitch Filter (not available in TC39x A-Step)

In systems which use the Error Pin in Open Drain mode, glitches up to 1.2 µs shall have no effect on the current system behavior. Therefore a glitch filter is available inside the SMU which suppresses glitches up to 1.2 µs. There are two relevant paths from the Error Pin in case of Open Drain mode usage:

- Error Pin to STS.FSP[0]
  - For this path the filter can be switched on/off in PCTL.GFSTS\_EN
- Error Pin to SCU for Port Emergency Stop usage
  - For this path the filter can be switched on/off in PCTL.GFSCU\_EN
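As an added example (not Infineon code and not from the slides), a behavioural model of that glitch filter: a pulse on the open-drain Error Pin is passed on only if it lasts longer than 1.2 µs. Only the 1.2 µs limit comes from the slide; the 100 ns sample period, the counting scheme and the function names are assumptions of the model, not the hardware implementation.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added example, not Infineon code: a behavioural model of the glitch filter
 * on the open-drain Error Pin paths (Error Pin -> STS.FSP[0], Error Pin ->
 * SCU for Port Emergency Stop). Pulses up to GLITCH_MAX_NS are suppressed,
 * longer ones pass. Only the 1.2 us limit comes from the slide; the sample
 * period and the counting scheme are assumptions of this model. */
#define GLITCH_MAX_NS  1200u   /* slide: glitches up to 1.2 us have no effect */
#define SAMPLE_NS       100u   /* assumed model sample period */

typedef struct {
    bool     enabled;     /* models PCTL.GFSTS_EN / PCTL.GFSCU_EN */
    bool     out;         /* filtered level; true = line released (high) */
    uint32_t pending_ns;  /* how long the raw level has differed from out */
} glitch_filter_t;

void gf_init(glitch_filter_t *f, bool enabled) {
    f->enabled = enabled;
    f->out = true;        /* open drain: a released line reads high */
    f->pending_ns = 0;
}

/* Feed one raw sample of the pin and return the filtered level. */
bool gf_sample(glitch_filter_t *f, bool in) {
    if (!f->enabled) {
        f->out = in;      /* filter bypassed: raw level passes immediately */
        return f->out;
    }
    if (in == f->out) {
        f->pending_ns = 0;             /* raw agrees with output */
    } else {
        f->pending_ns += SAMPLE_NS;    /* raw differs: measure for how long */
        if (f->pending_ns > GLITCH_MAX_NS) {
            f->out = in;               /* longer than a glitch: accept it */
            f->pending_ns = 0;
        }
    }
    return f->out;
}

/* Drive the line low for low_ns on an otherwise released line and report
 * whether the filtered output ever went low, i.e. whether the pulse was
 * propagated towards STS.FSP[0] / the SCU. */
bool gf_pulse_propagates(bool enabled, uint32_t low_ns) {
    glitch_filter_t f;
    bool seen_low = false;
    uint32_t t;
    gf_init(&f, enabled);
    for (t = 0; t < low_ns; t += SAMPLE_NS) {
        if (!gf_sample(&f, false)) seen_low = true;
    }
    /* release the line and give the filter time to settle again */
    for (t = 0; t < 2u * GLITCH_MAX_NS; t += SAMPLE_NS) {
        if (!gf_sample(&f, true)) seen_low = true;
    }
    return seen_low;
}
```

With the filter disabled every pulse passes, which is the situation on a TC39x A-Step where the filter is not available.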



#### SMU Changes: SFF Register Monitor

#### RMCTL, RMEF and RMSTS: Separated control and status bits per IP with SFFs



| Bit          | Module          |
|--------------|-----------------|
| SMU_RMEF[0]  | MTU             |
| SMU_RMEF[1]  | IOM             |
| SMU_RMEF[2]  | IR              |
| SMU_RMEF[3]  | EMEM            |
| SMU_RMEF[4]  | SCU/SRU         |
| SMU_RMEF[5]  | PMS             |
| SMU_RMEF[6]  | DMA             |
| SMU_RMEF[7]  | SMU_core        |
| SMU_RMEF[8]  | CERBERUS        |
| SMU_RMEF[9]  | SYS_PLL/PER_PLL |
| SMU_RMEF[10] | CCU             |

RMEF Register Monitor Error Flags (0304<sub>H</sub>) Application Reset Value: 0000 0000<sub>H</sub>

| 31 | 30 | 29 | 28 | 27 | 26   | 25  | 24  | 23  | 22  | 21  | 20  | 19  | 18  | 17  | 16  |
|----|----|----|----|----|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| 0  | 0  | 0  | 0  | 0  | 0    | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   | 0   |
| r  | r  | r  | r  | r  | r    | r   | r   | r   | r   | r   | r   | r   | r   | r   | r   |
| 15 | 14 | 13 | 12 | 11 | 10   | 9   | 8   | 7   | 6   | 5   | 4   | 3   | 2   | 1   | 0   |
| 0  | 0  | 0  | 0  | 0  | EF10 | EF9 | EF8 | EF7 | EF6 | EF5 | EF4 | EF3 | EF2 | EF1 | EF0 |
| r  | r  | r  | r  | r  | rwh  | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh |

| Field        | Bits | Type | Description |
|--------------|------|------|-------------|
| EFz (z=0-10) | z    | rwh  | Status flag related to the different instances of the register monitor safety mechanism.<br>It reports a real flip-flop failure in non-test mode as well as an unexpected behavior in test mode.<br>This flag can only be cleared by software, a set by software has no effect.<br>0<sub>B</sub> Error flag z does not report a fault condition<br>1<sub>B</sub> Error flag z reports a fault condition |

RMSTS Register Monitor Self Test Status (0308<sub>H</sub>) Application Reset Value: 0000 0000<sub>H</sub>

| 31 | 30 | 29 | 28 | 27 | 26    | 25   | 24   | 23   | 22   | 21   | 20   | 19   | 18   | 17   | 16   |
|----|----|----|----|----|-------|------|------|------|------|------|------|------|------|------|------|
| 0  | 0  | 0  | 0  | 0  | 0     | 0    | 0    | 0    | 0    | 0    | 0    | 0    | 0    | 0    | 0    |
| r  | r  | r  | r  | r  | r     | r    | r    | r    | r    | r    | r    | r    | r    | r    | r    |
| 15 | 14 | 13 | 12 | 11 | 10    | 9    | 8    | 7    | 6    | 5    | 4    | 3    | 2    | 1    | 0    |
| 0  | 0  | 0  | 0  | 0  | STS10 | STS9 | STS8 | STS7 | STS6 | STS5 | STS4 | STS3 | STS2 | STS1 | STS0 |
| r  | r  | r  | r  | r  | rwh   | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  |

| Field         | Bits | Type | Description |
|---------------|------|------|-------------|
| STSz (z=0-10) | z    | rwh  | Ready flag related to the different instances of the register monitor safety mechanism.<br>A logical '1' of this bit indicates that the register monitor test has been executed. This bit can only be cleared by software, a set by software has no effect.<br>0<sub>B</sub> Self-test has not completed<br>1<sub>B</sub> Self-test has completed |
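As an added example (not Infineon code), a software-side model of RMEF and RMSTS using the bit-to-module mapping from the table above, the rwh write semantics (software can clear a flag, a set by software has no effect) and a verdict function for one register-monitor self-test run. The verdict policy (a reported fault outranks a missing completion) and all function names are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not Infineon code: a model of the SMU_core RMEF (Register
 * Monitor Error Flags) and RMSTS (Register Monitor Self Test Status)
 * registers as laid out on the slide. Bit z belongs to register monitor
 * instance z, bits 11..31 are reserved (read as 0), and the flags are "rwh":
 * hardware sets them, software can only clear them, a set by software has
 * no effect. The verdict policy in rm_check_selftest() is an assumption. */

#define RM_INSTANCES  11u
#define RM_FLAG_MASK  ((1u << RM_INSTANCES) - 1u)   /* EF0..EF10 / STS0..STS10 */

/* Module behind SMU_RMEF[z] / SMU_RMSTS[z], in the order given on the slide. */
static const char *const rm_module[RM_INSTANCES] = {
    "MTU", "IOM", "IR", "EMEM", "SCU/SRU", "PMS", "DMA",
    "SMU_core", "CERBERUS", "SYS_PLL/PER_PLL", "CCU",
};

const char *rm_module_name(unsigned z) {
    return z < RM_INSTANCES ? rm_module[z] : "reserved";
}

/* Model of a software write to an rwh flag register: a 0 written to a flag
 * clears it, a 1 leaves the hardware-owned value unchanged, and the reserved
 * bits stay 0 whatever is written. */
uint32_t rm_sw_write(uint32_t current, uint32_t written) {
    return current & written & RM_FLAG_MASK;
}

/* Clear flag z the way software must: write 0 to that bit and 1 elsewhere. */
uint32_t rm_sw_clear(uint32_t current, unsigned z) {
    return rm_sw_write(current, ~(1u << z));
}

/* Model of hardware raising flag z (the direction software cannot take). */
uint32_t rm_hw_set(uint32_t current, unsigned z) {
    return z < RM_INSTANCES ? (current | (1u << z)) : current;
}

typedef enum {
    RM_SELFTEST_OK,          /* every instance completed, none reports a fault */
    RM_SELFTEST_INCOMPLETE,  /* at least one STSz is still 0 */
    RM_SELFTEST_FAILED       /* at least one EFz is set */
} rm_result_t;

/* Judge one register-monitor self-test run from the two registers.
 * A reported fault outranks a missing completion. If first_bad is not NULL
 * it receives the lowest instance number that decided the verdict, or
 * RM_INSTANCES when the verdict is OK. */
rm_result_t rm_check_selftest(uint32_t rmef, uint32_t rmsts, unsigned *first_bad) {
    uint32_t ef  = rmef  & RM_FLAG_MASK;
    uint32_t sts = rmsts & RM_FLAG_MASK;
    unsigned z;
    if (first_bad) *first_bad = RM_INSTANCES;
    for (z = 0; z < RM_INSTANCES; z++) {
        if (ef & (1u << z)) {
            if (first_bad) *first_bad = z;
            return RM_SELFTEST_FAILED;
        }
    }
    for (z = 0; z < RM_INSTANCES; z++) {
        if (!(sts & (1u << z))) {
            if (first_bad) *first_bad = z;
            return RM_SELFTEST_INCOMPLETE;
        }
    }
    return RM_SELFTEST_OK;
}

/* Convenience wrapper returning only the deciding instance number. */
unsigned rm_first_bad(uint32_t rmef, uint32_t rmsts) {
    unsigned z;
    (void)rm_check_selftest(rmef, rmsts, &z);
    return z;
}
```

After evaluating a run, software acknowledges the STS flags with rm_sw_clear() per instance; a failed instance is named via rm_module_name(rm_first_bad(...)).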



### SMU\_Stdby BIST (MONBIST)

- SMU\_Stdby Built-In Self Test control/status
  - The SMU\_Stdby contains the control of MONBIST that enables users to test all alarm paths, alarm configurations, and alarm reactions.
  - The MONBISTCTRL register enables the user to start the BIST of the SMU\_Stdby. Results of the BIST are available in the MONBISTSTAT register.





### Safety Feature Update

- 2.1 Architecture
- 2.2 SMU Changes
- 2.3 SMU More Details

### Safety Management Unit (SMU) Alarm Groups



### Alarms are grouped into 11 alarm groups:

0. CPU0
1. CPU1
2. CPU2
3. CPU3
4. CPU4
5. CPU5
6. GTM, CAN, E-RAY
7. SRAM, Lockstep
8. CCU, SCU, IR, DMA
9. DTS, EVR, HSM, EMEM, SPU
10. Software
11. SRI (LMU, XBAR, DMU, HSSL, SFI)



Minor safety mechanisms are combined into pre-alarms prior to the alarm grouping

#### Safety Management Unit (SMU) Interfaces





# Safety Management Unit (SMU) Access, Configure and Lock



- In addition to the generic register access protection that is part of the microcontroller architecture, the SMU implements an independent configuration locking mechanism
- SMU registers are protected by
  1. Master protection mechanism
  2. Safety ENDINIT
  3. Lock mechanism for the SMU module registers AGC, RTC, RTACn, AGnCFx, AGnFSP (n=0...11), PCTL, RMCTL, but not for the CMD register
     - SMU\_KEYS.CFGLCK enables configuration of the registers
     - SMU\_KEYS.PERLCK locks the registers until application reset

# Safety Management Unit (SMU) Access, Configure and Lock



#### Code example:

```c
// Pre-condition: SV mode
// clear safety endinit bit
safety_endinit_clear();
// unlock configuration (KEYS.CFGLCK = BCH)
SMU_KEYS = 0x00BC;
// configure SMU registers
// ...
// permanent lock until application reset (KEYS.PERLCK = FFH)
SMU_KEYS = 0xFF00;
// set safety endinit bit
safety_endinit_set();
```

Register Overview - SMU

| Short Name | Description                          | Offset Addr      | Access Mode Read | Access Mode Write | Reset Type        | See        |
|------------|--------------------------------------|------------------|------------------|-------------------|-------------------|------------|
| ID         | Module Identifier                    | 08<sub>H</sub>   | U, SV            | BE                | Application Reset | Page 10-70 |
| CMD        | Command interface                    | 20<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset | Page 10-85 |
| STS        | Status                               | 24<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset | Page 10-86 |
| FSP        | FSP control                          | 28<sub>H</sub>   | U, SV            | SV,P,SE,32        |                   | Page 10-88 |
| AGC        | Alarm Global Configuration           | 2C<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset | Page 10-90 |
| RTC        | Recovery Timer Configuration         | 30<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset |            |
| KEYS       | Register access keys                 | 34<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset |            |
| DBG        | Hardware debug                       | 38<sub>H</sub>   | U, SV            | SV,P,SE,32        | Power-on Reset    |            |
| PCTL       | FSP Port Control Register            | 3C<sub>H</sub>   | U, SV            | SV,P,SE,32        | Power-on Reset    |            |
| AFCNT      | Alarm and Fault Counter Register     | 40<sub>H</sub>   | U, SV            | SV,P,SE,32        | Power-on Reset    |            |
| RTAC0      | Recovery Timer 0 Alarm Configuration | 60<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset |            |
| RTAC1      | Recovery Timer 1 Alarm Configuration | 64<sub>H</sub>   | U, SV            | SV,P,SE,32        | Application Reset |            |
| AG0CF0     | Alarm Configuration                  | 100<sub>H</sub>  | U, SV            | SV,P,SE,32        | Application Reset |            |
                                                           | RTC        |                     | 30 <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-92       |
| PCTL FSP Port Control Register SV,P,SE,32 Power-on Reset Reset RTAC0 Recovery Timer 0 Alarm Configuration RTAC1 Recovery Timer 1 Alarm Configuration AG0CF0 Alarm 100 <sub>H</sub> U, SV SV,P,SE,32 Application Reset RTAC0 Recovery Timer 1 Alarm Configuration RTAC1 Recovery Timer 1 Alarm Configuration RTAC1 Recovery Timer 1 Alarm Configuration RTAC1 Recovery Timer 1 Alarm Configuration Reset RTAC1 Recovery Timer 1 Alarm Configuration Reset R | KEYS       | li -                | 34 <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-93       |
| Register  AFCNT Alarm and Fault Counter Register  RTAC0 Recovery Timer 0 Alarm Configuration  RTAC1 Recovery Timer 1 Alarm Configuration  AG0CF0 Alarm 100 <sub>H</sub> U, SV SV,P,SE,32 Application Reset  Reset  Reset  Reset  Page  Reset  Reset  Page  Reset  Page  Reset  Reset  Page  Reset  Page  Reset  Page  Reset  Page  Reset  Page  Reset  Page  AG0CF0 Alarm  Alarm  Configuration  Page  Reset  Page  Page  AG0CF0 Alarm  Alarm  Configuration  Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | DBG        | Hardware debug      | 38 
<sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-94       |
| Counter Register  RTAC0  Recovery Timer 0 Alarm Configuration  RTAC1  Recovery Timer 1 Alarm Configuration  AG0CF0  Alarm  Configuration  RTAC1  Recovery Timer 1 Alarm Configuration  AG0CF0  Reset  Reset  Application Page  Reset  Reset  Application Page  Reset  Reset  Application Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
                                                           | PCTL       |                     | 3C <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-95       |
| Alarm Configuration  RTAC1 Recovery Timer 1 Alarm Configuration  AG0CF0 Alarm 100 <sub>H</sub> U, SV SV,P,SE,32 Application Reset  Reset Page  Reset Page  Reset Page  Reset Page  Application Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                           | AFCNT      |                     | 40 <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-96       |
| Alarm Configuration Reset  AG0CF0 Alarm 100 <sub>H</sub> U, SV SV,P,SE,32 Application Page                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
                                                           | RTAC0      | Alarm               | 60 <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-97       |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                           | RTAC1      | Alarm               | 64 <sub>H</sub>  | U, SV | SV,P,SE,32 |                      | Page 10-99       |
| Comiguration                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                           | AG0CF0     | Alarm configuration | 100 <sub>H</sub> | U, SV | SV,P,SE,32 | Application<br>Reset | Page 10-10       |

#### Safety Management Unit (SMU) External and internal alarm behavior

- External: the Fault Signaling Protocol (FSP) reaction is enabled per alarm in SMU\_AGnFSP (n=0...11)
- Internal: the 3-bit action code (Table 10-25) of each alarm is spread over the three registers SMU\_AGnCFx (n=0...11, x=0-2), one bit per register

SMU\_AGiFSP (i=0-11) FSP Configuration Register, Reset Value: Table 655

| 31   | 30   | 29   | 28   | 27   | 26   | 25   | 24   | 23   | 22   | 21   | 20   | 19   | 18   | 17   | 16   |
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
| FE31 | FE30 | FE29 | FE28 | FE27 | FE26 | FE25 | FE24 | FE23 | FE22 | FE21 | FE20 | FE19 | FE18 | FE17 | FE16 |
| rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   |
| 15   | 14   | 13   | 12   | 11   | 10   | 9    | 8    | 7    | 6    | 5    | 4    | 3    | 2    | 1    | 0    |
| FE15 | FE14 | FE13 | FE12 | FE11 | FE10 | FE9  | FE8  | FE7  | FE6  | FE5  | FE4  | FE3  | FE2  | FE1  | FE0  |
| rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   |

| Field        | Bits | Type | Description |
|--------------|------|------|-------------|
| FEz (z=0-31) | z    | rw   | FSP enable for alarm z belonging to alarm group i. 0<sub>B</sub>: the external FSP reaction is disabled for this alarm event. 1<sub>B</sub>: the external FSP reaction is enabled for this alarm event. |

| Code | Name        | Behavior                                                                                                                            |
|------|-------------|-------------------------------------------------------------------------------------------------------------------------------------|
| 0x0  | SMU_NA      | No Action. Reset value. Alarm disabled.                                                                                             |
| 0x1  | SMU_RSVD    | Reserved. No Action. Alarm disabled.                                                                                                |
| 0x2  | SMU_IGCS0   | Sends an interrupt request to the interrupt system according to the Interrupt Generation Configuration Set 0 from the AGC register. |
| 0x3  | SMU_IGCS1   | Sends an interrupt request to the interrupt system according to the Interrupt Generation Configuration Set 1 from the AGC register. |
| 0x4  | SMU_IGCS2   | Sends an interrupt request to the interrupt system according to the Interrupt Generation Configuration Set 2 from the AGC register. |
| 0x5  | SMU_NMI     | Sends an NMI request to the SCU                                                                                                     |
| 0x6  | SMU_RESET   | Sends a reset request to the SCU. The SCU shall be configured to generate an application or system reset.                           |
| 0x7  | SMU_CPU_RST | Triggers a CPU reset request using CPU Reset Configuration Set from the AGC register                                                |

SMU\_AGiCFj (i=0-11, j=0-2) Alarm Configuration Register (0100<sub>H</sub> + i\*12 + j\*4), Reset Value: Table 65

| 31   | 30   | 29   | 28   | 27   | 26   | 25   | 24   | 23   | 22   | 21   | 20   | 19   | 18   | 17   | 16   |
|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|------|
| CF31 | CF30 | CF29 | CF28 | CF27 | CF26 | CF25 | CF24 | CF23 | CF22 | CF21 | CF20 | CF19 | CF18 | CF17 | CF16 |
| rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   |
| 15   | 14   | 13   | 12   | 11   | 10   | 9    | 8    | 7    | 6    | 5    | 4    | 3    | 2    | 1    | 0    |
| CF15 | CF14 | CF13 | CF12 | CF11 | CF10 | CF9  | CF8  | CF7  | CF6  | CF5  | CF4  | CF3  | CF2  | CF1  | CF0  |
| rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   | rw   |

| Field        | Bits | Type | Description |
|--------------|------|------|-------------|
| CFz (z=0-31) | z    | rw   | Configuration flag j (j=0-2) for alarm z belonging to alarm group i. The three flags CF0, CF1 and CF2 of the same alarm are used together as bits 0, 1 and 2 of the 3-bit action code that defines the behavior of the SMU_core when a fault state is reported by alarm z of this group (see "Alarm Configuration" on Page 44). 0<sub>B</sub>: configuration flag j is 0. 1<sub>B</sub>: configuration flag j is 1. |

Register naming: SMU\_AGiFSP (i=0-11) and SMU\_AGiCFj (i=0-11; j=0-2) are the SMU\_core FSP and alarm configuration registers of alarm group i.

### Safety Management Unit (SMU) Internal alarm behavior: Alarm actions



- Available internal alarm actions:
  - No action (alarm disabled)
  - Generate an interrupt request (to one or several CPUs, via the SRC\_SMU0..2 service request nodes)
  - Generate an NMI request to all CPUs
  - Reset the microcontroller (application or system reset, as configured in the SCU)
  - Trigger a CPU reset request (CPU set selected by AGC.RCS)

## Safety Management Unit (SMU) Internal alarm behavior: Alarm Global Configuration



- Each bit in the Interrupt Generation Configuration Set SMU\_AGC.IGCSn (n=0-2) enables one SMU Service Request node SRC\_SMUm (m=0-2); the target CPU (TOS) and priority (SRPN) of each node are set in the SRC register itself
- Example: ALM3[12] "EVR 1.3V digital over voltage" alarm should raise a CPU0 interrupt at priority level 5 and a CPU2 interrupt at priority level 7

```
// Configure ALM3[12] to use Interrupt Generation
// Configuration Set 0: code 0x2 = 010B, spread over the
// three registers as CF0 = bit 0, CF1 = bit 1, CF2 = bit 2.
// SMU configuration registers are key-protected (KEYS
// register): unlock before writing them.
SMU_AG3CF0[12] = 0;
SMU_AG3CF1[12] = 1;
SMU_AG3CF2[12] = 0;

// IGCS0 = 011B selects two outputs: SRC_SMU0 and SRC_SMU1
SMU_AGC.IGCS0 = 3;

// Service request node SRC_SMU0: TOS = CPU0, SRPN = 5
SRC_SMU0 = 0 << 11 | 5;

// Service request node SRC_SMU1: TOS = CPU2, SRPN = 7
// (the TOS encoding is device-specific; take it from the
// SRC register description of the target device)
SRC_SMU1 = 2 << 11 | 7;
```

SMU\_AGC Alarm Global Configuration Register (002C<sub>H</sub>), Application Reset Value: 0000 0000<sub>H</sub>

| 15 | 14 | 13 | 12 | 11 | 10    | 9     | 8     | 7  | 6     | 5     | 4     | 3  | 2     | 1     | 0     |
|----|----|----|----|----|-------|-------|-------|----|-------|-------|-------|----|-------|-------|-------|
| 0  | 0  | 0  | 0  | 0  | IGCS2 | IGCS2 | IGCS2 | 0  | IGCS1 | IGCS1 | IGCS1 | 0  | IGCS0 | IGCS0 | IGCS0 |
| r  | r  | r  | r  | r  | rw    | rw    | rw    | r  | rw    | rw    | rw    | r  | rw    | rw    | rw    |

The upper half (bits 31:16) holds RCS in bits 21:16 and, above it, the PES and EFRST fields; their exact bit positions are not legible on the page.

| Field | Bits  | Type | Description                                                                                                                                                                                                                                                                                               |
|-------|-------|------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IGCS0 | 2:0   | rw   | Interrupt Generation Configuration Set 0 Defines the output value of the interrupt request vector when the alarm configuration flag selects the interrupt configuration set 0. Enables to issue an interrupt request to several CPUs: see "Interfaces to the Interrupt Router" on Page 7.                 |
| IGCS1 | 6:4   | rw   | Interrupt Generation Configuration Set 1  Defines the output value of the interrupt request vector when the alarm configuration flag selects the interrupt configuration set 1. Enables to issue an interrupt request to several CPUs: see "Interfaces to the Interrupt Router" on Page 7.                |
| IGCS2 | 10:8  | rw   | Interrupt Generation Configuration Set 2  Defines the output value of the interrupt request vector when the alarm configuration flag selects the interrupt configuration set 2. Enables to issue an interrupt request to several CPUs: see "Interfaces to the Interrupt Router" on Page 7.                |
| RCS   | 21:16 | rw   | CPU Reset Configuration Set  Defines the output value of the CPU reset request vector when the alarm configuration flag selects the CPU Reset Configuration Set. Enables a reset request to be issued to several CPUs if required. More complex reset scenarios can be handled by using software interrupts. |
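The alarm configuration above is easy to get wrong because one 3-bit code is split across three registers. The following C example, added here and not taken from the Infineon slides or the iLLD, works on an in-memory image of one alarm group's SMU_AGiCF0..2 registers (the struct, the offset helper and the self-test are assumptions for illustration; on silicon the registers are key-protected and live at 0x100 + i*12 + j*4). It generalizes the ALM3[12] example: any alarm in a group can be set to any Table 10-25 code, the code can be read back, and the SRC_SMUm value is built in the page's `TOS << 11 | SRPN` layout. The TOS encoding is not taken from the page and must come from the target's SRC register description.

```c
#include <stdint.h>
#include <stdio.h>

/* Internal alarm action codes, Table 10-25 on the page. */
enum smu_alarm_code {
    SMU_NA      = 0x0,   /* no action, alarm disabled (reset value) */
    SMU_RSVD    = 0x1,   /* reserved, no action */
    SMU_IGCS0   = 0x2,   /* interrupt request per AGC.IGCS0 */
    SMU_IGCS1   = 0x3,   /* interrupt request per AGC.IGCS1 */
    SMU_IGCS2   = 0x4,   /* interrupt request per AGC.IGCS2 */
    SMU_NMI     = 0x5,   /* NMI request to the SCU */
    SMU_RESET   = 0x6,   /* reset request to the SCU */
    SMU_CPU_RST = 0x7    /* CPU reset request per AGC.RCS */
};

/* RAM image of one alarm group's SMU_AGiCF0..2 registers (hypothetical
 * shadow copy; on silicon these are key-protected, so the image would be
 * written back after unlocking via the KEYS register). */
struct smu_alarm_group {
    uint32_t cf[3];
};

/* Byte offset of SMU_AGiCFj from the SMU base, as in the register table. */
uint32_t smu_agcf_offset(unsigned i, unsigned j)
{
    return 0x100u + i * 12u + j * 4u;
}

/* Program alarm z (0..31) of the group: bit x of the 3-bit code lands in
 * CFx[z]. Returns -1 for an out-of-range alarm number or code. */
int smu_alarm_set(struct smu_alarm_group *g, unsigned z, unsigned code)
{
    if (z > 31u || code > 7u)
        return -1;
    for (unsigned x = 0; x < 3; x++) {
        uint32_t bit = (code >> x) & 1u;
        g->cf[x] = (g->cf[x] & ~(1u << z)) | (bit << z);
    }
    return 0;
}

/* Reassemble the 3-bit code of alarm z from the three registers. */
unsigned smu_alarm_get(const struct smu_alarm_group *g, unsigned z)
{
    unsigned code = 0;
    for (unsigned x = 0; x < 3; x++)
        code |= ((g->cf[x] >> z) & 1u) << x;
    return code;
}

/* Number of SRC_SMUm nodes (m=0..2) selected by an IGCSn bit mask. */
unsigned smu_igcs_outputs(unsigned igcs)
{
    unsigned n = 0;
    for (unsigned m = 0; m < 3; m++)
        n += (igcs >> m) & 1u;
    return n;
}

/* SRC_SMUm value in the page's "TOS << 11 | SRPN" layout (TOS in bits
 * 13:11, SRPN in bits 7:0). The TOS encoding differs between AURIX
 * generations: take it from the target's SRC register description. */
uint32_t smu_src_value(unsigned tos, unsigned srpn)
{
    return ((tos & 0x7u) << 11) | (srpn & 0xFFu);
}

/* Reproduces the page's ALM3[12] example plus a second alarm in the same
 * group and checks the resulting register images; returns 1 on success. */
int smu_selftest(void)
{
    struct smu_alarm_group ag3 = { {0u, 0u, 0u} };
    if (smu_alarm_set(&ag3, 12, SMU_IGCS0) != 0) return 0;   /* 010B */
    if (smu_alarm_set(&ag3, 5, SMU_RESET) != 0)  return 0;   /* 110B */
    if (ag3.cf[0] != 0x0u)    return 0;   /* bit 0 of both codes is 0 */
    if (ag3.cf[1] != 0x1020u) return 0;   /* bit 1 set for alarms 12 and 5 */
    if (ag3.cf[2] != 0x0020u) return 0;   /* bit 2 set only for alarm 5 */
    if (smu_alarm_get(&ag3, 12) != SMU_IGCS0) return 0;
    if (smu_alarm_get(&ag3, 5) != SMU_RESET)  return 0;
    if (smu_alarm_get(&ag3, 0) != SMU_NA)     return 0;   /* untouched alarm */
    if (smu_alarm_set(&ag3, 32, SMU_NMI) != -1) return 0; /* range check */
    return 1;
}

int main(void)
{
    printf("selftest %s\n", smu_selftest() ? "ok" : "FAILED");
    printf("SMU_AG3CF1 offset 0x%03x\n", smu_agcf_offset(3, 1));
    printf("IGCS0=3 drives %u SRC nodes\n", smu_igcs_outputs(3));
    printf("SRC_SMU0=0x%04x SRC_SMU1=0x%04x\n",
           smu_src_value(0, 5), smu_src_value(2, 7));
    return 0;
}
```

Keeping the three CFj words as one image and writing them back together matters on real hardware: between the first and the third register write the alarm briefly carries an intermediate code, so configuration should be done before the alarm source is armed.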

#### Safety Management Unit (SMU) External alarm behavior: Alarm actions



- Alarms can also trigger external alarm actions:
  - Assert fault state using fault signaling protocol (error pin)
  - Assert the port emergency stop
    - Enabled port pins switch from output mode to input mode (optionally with internal pull-up)

## Safety Management Unit (SMU) External alarm behavior: Fault Signaling protocol (Error pin)

- The error pin is push-pull active-low
  - low: error detected, system must be in a safe state
  - high: no error, system is free to work
- During a power on reset the error pin has high impedance
- After a power on reset the error pin is low, until set to high by SW
- SW sets the SetErrorPin flag to zero/one and the error pin goes to low/high
- A status flag represents the current logic level of the pin

## Safety Management Unit (SMU) SMU state machine (SSM): transition conditions and actions

Requirement: any reset triggered by SW shall have no effect on the SSM



# Safety Management Unit (SMU) External alarm behavior: Fault Signaling Protocol (FSP)

- The Fault Signaling Protocol enables the microcontroller to report a critical situation to an external safety controller device in order to control the safe state of the safety system.
- Three different protocol modes can be configured
  - Bi-stable protocol (default)
  - Dynamic dual-rail protocol\*
  - Time-switching protocol
- Two prescalers define the tick frequencies
  - Fault State Tick (PRE1): f<sub>SMU\_FS</sub>
  - Fault Free Tick (PRE2): f<sub>SMU\_FFS</sub>
- Min/Max of the fault state duration are defined by TFSP\_LOW/TFSP\_HIGH

SMU\_FSP Fault Signaling Protocol Register (28<sub>H</sub>), Reset Value: 003F FF00<sub>H</sub>

| 31        | 30        | 29        | 28        | 27        | 26        | 25        | 24        | 23        | 22        | 21       | 20       | 19       | 18       | 17       | 16       |
|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|-----------|----------|----------|----------|----------|----------|----------|
| TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_HIGH | TFSP_LOW | TFSP_LOW | TFSP_LOW | TFSP_LOW | TFSP_LOW | TFSP_LOW |
| rw        | rw        | rw        | rw        | rw        | rw        | rw        | rw        | rw        | rw        | r        | r        | r        | r        | r        | r        |
| 15        | 14        | 13        | 12        | 11        | 10        | 9         | 8         | 7         | 6         | 5        | 4        | 3        | 2        | 1        | 0        |
| TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | TFSP_LOW  | PES       | MODE      | MODE     | PRE2     | PRE2     | PRE1     | PRE1     | PRE1     |
| r         | r         | r         | r         | r         | r         | r         | r         | rw        | rw        | rw       | rw       | rw       | rw       | rw       | rw       |

| Field     | Bits    | Type | Description                                                                                                                                                                                                                                                                |
|-----------|---------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| PRE1      | [2:0]   | rw   | Prescaler1                                                                                                                                                                                                                                                                 |
| PRE2      | [4:3]   | rw   | Prescaler2                                                                                                                                                                                                                                                                 |
| MODE      | [6:5]   | rw   | Fault Signaling Protocol configuration  0 <sub>H</sub> Bi-stable protocol  1 <sub>H</sub> Dual Rail code  2 <sub>H</sub> Time switching protocol  3 <sub>H</sub> Reserved                                                                                                  |
| PES       | 7       | rw   | Port Emergency Stop (PES)                                                                                                                                                                                                                                                  |
| TFSP_LOW  | [21:8]  | r    | Lower part of the FSP fault state duration: T<sub>FSP_FS</sub> = {TFSP_HIGH, TFSP_LOW} (TFSP_HIGH concatenated above TFSP_LOW), expressed as a number of f<sub>SMU_FS</sub> ticks. TFSP_LOW is fixed by hardware so that the minimum fault state duration is greater than 250 us; it can not be changed by software. |
| TFSP_HIGH | [31:22] | rw   | Upper part of the FSP fault state duration: T<sub>FSP_FS</sub> = {TFSP_HIGH, TFSP_LOW}, expressed as a number of f<sub>SMU_FS</sub> ticks. TFSP_HIGH and PRE1 shall allow a fault state duration of 500 ms to be configured. |

<sup>\*</sup> not connected in AURIX™ Family
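The FSP register mixes read-only and read-write fields, and the fault state duration is a 24-bit count split across two of them. The C example below is added here and is not from the Infineon slides or the iLLD; the field masks are taken from the register description on the page, while the struct, the helper names and the `FSP_INVALID` sentinel are assumptions for illustration. It decodes a register value, computes T_FSP_FS in f_SMU_FS ticks, and builds a new register image that keeps the hardware-fixed TFSP_LOW bits and refuses the reserved protocol mode. The relation between PRE1 and the actual f_SMU_FS frequency is not given on the page, so the seconds helper takes the tick frequency as an argument.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* SMU_FSP (offset 28H) bit fields as listed in the register description. */
#define FSP_PRE1_MASK    0x7u        /* [2:0]   rw  fault state tick prescaler */
#define FSP_PRE2_SHIFT   3u          /* [4:3]   rw  fault free tick prescaler */
#define FSP_PRE2_MASK    0x3u
#define FSP_MODE_SHIFT   5u          /* [6:5]   rw  protocol mode */
#define FSP_MODE_MASK    0x3u
#define FSP_PES_BIT      (1u << 7)   /* 7       rw  port emergency stop */
#define FSP_TLOW_SHIFT   8u          /* [21:8]  r   TFSP_LOW, fixed by hardware */
#define FSP_TLOW_MASK    0x3FFFu
#define FSP_THIGH_SHIFT  22u         /* [31:22] rw  TFSP_HIGH */
#define FSP_THIGH_MASK   0x3FFu
#define FSP_RESET_VALUE  0x003FFF00u /* reset value given on the page */
/* Sentinel for a rejected configuration: this pattern can never be a valid
 * image because its MODE field would be 3 (reserved). */
#define FSP_INVALID      0xFFFFFFFFu

enum fsp_mode {
    FSP_BISTABLE       = 0,
    FSP_DUAL_RAIL      = 1,   /* not connected in the AURIX family */
    FSP_TIME_SWITCHING = 2,
    FSP_MODE_RESERVED  = 3
};

struct fsp_cfg {
    unsigned pre1, pre2, mode;
    bool     pes;
    unsigned tfsp_low, tfsp_high;
};

/* Split a raw register value into its fields. */
struct fsp_cfg fsp_decode(uint32_t reg)
{
    struct fsp_cfg c;
    c.pre1      = reg & FSP_PRE1_MASK;
    c.pre2      = (reg >> FSP_PRE2_SHIFT) & FSP_PRE2_MASK;
    c.mode      = (reg >> FSP_MODE_SHIFT) & FSP_MODE_MASK;
    c.pes       = (reg & FSP_PES_BIT) != 0;
    c.tfsp_low  = (reg >> FSP_TLOW_SHIFT) & FSP_TLOW_MASK;
    c.tfsp_high = (reg >> FSP_THIGH_SHIFT) & FSP_THIGH_MASK;
    return c;
}

/* T_FSP_FS in f_SMU_FS ticks: TFSP_HIGH is the upper 10 bits and TFSP_LOW
 * the lower 14 bits of one 24-bit count. */
uint32_t fsp_fault_state_ticks(uint32_t reg)
{
    struct fsp_cfg c = fsp_decode(reg);
    return ((uint32_t)c.tfsp_high << 14) | c.tfsp_low;
}

/* Build a new register image: rw fields from the arguments, the read-only
 * TFSP_LOW carried over from the current value. Rejects the reserved mode
 * and out-of-range field values with FSP_INVALID. */
uint32_t fsp_reconfigure(uint32_t current, unsigned mode, unsigned pre1,
                         unsigned pre2, bool pes, unsigned tfsp_high)
{
    if (mode >= FSP_MODE_RESERVED || pre1 > FSP_PRE1_MASK ||
        pre2 > FSP_PRE2_MASK || tfsp_high > FSP_THIGH_MASK)
        return FSP_INVALID;
    uint32_t reg = current & (FSP_TLOW_MASK << FSP_TLOW_SHIFT);
    reg |= pre1;
    reg |= pre2 << FSP_PRE2_SHIFT;
    reg |= mode << FSP_MODE_SHIFT;
    if (pes)
        reg |= FSP_PES_BIT;
    reg |= (uint32_t)tfsp_high << FSP_THIGH_SHIFT;
    return reg;
}

/* Fault state duration in seconds for a caller-supplied f_SMU_FS (the
 * prescaler-to-frequency relation is not given on the page). */
double fsp_fault_state_seconds(uint32_t reg, double f_smu_fs_hz)
{
    return (double)fsp_fault_state_ticks(reg) / f_smu_fs_hz;
}

int main(void)
{
    struct fsp_cfg c = fsp_decode(FSP_RESET_VALUE);
    printf("reset: mode=%u pre1=%u pre2=%u pes=%d tfsp_low=0x%x tfsp_high=%u"
           " -> %u ticks\n", c.mode, c.pre1, c.pre2, c.pes, c.tfsp_low,
           c.tfsp_high, fsp_fault_state_ticks(FSP_RESET_VALUE));
    uint32_t ts = fsp_reconfigure(FSP_RESET_VALUE, FSP_TIME_SWITCHING, 5, 0, false, 3);
    printf("time-switching image 0x%08x -> %u ticks\n", ts, fsp_fault_state_ticks(ts));
    printf("reserved mode -> %s\n",
           fsp_reconfigure(FSP_RESET_VALUE, FSP_MODE_RESERVED, 0, 0, false, 0) == FSP_INVALID
               ? "rejected" : "accepted");
    return 0;
}
```

Reading the current value before composing the new one is what keeps TFSP_LOW intact; a blind write of a precomputed constant would silently drop the hardware-fixed minimum duration in the software's idea of the configuration, even though the bits themselves are read-only.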



#### FSP pins

- The FSP protocol layer block supports all 3 protocols:
  - Bi-stable (default)
  - Dynamic dual-rail
  - Time-switching protocols
- FSP status is generated/decoded by the FSP Protocol layer in SMU\_CORE domain.
- FSP0EN (FSP[0]) and FSP1EN (FSP[1]) are controlled by the register CMD\_STDBY.



### Safety Management Unit (SMU) Fault Signaling Protocol (FSP): Bi-stable fault





## Safety Management Unit (SMU) Fault Signaling Protocol (FSP): Dynamic dual-rail fault





# Safety Management Unit (SMU) Fault Signaling Protocol (FSP): Time switching protocol



Infineon



#### Recovery Timer

- Recovery timers allow time to react to alarms and attempt a recovery before a time-out occurs
  - If enabled, an alarm starts the recovery timer
  - At the same time, the alarm triggers an NMI or interrupt to start an error handler
  - The error handler software can attempt recovery, and if successful, stop the recovery timer
  - If the recovery timer is not stopped, it results in a recovery timer time-out alarm
    - The user can configure the action for this time-out alarm (for example, trigger a reset)
- The SCU implements two recovery timers
  - Each recovery timer can be started by up to four alarms



#### Recovery Timer and Watchdog Alarms

- Recovery timer 0 is used to support watchdog functionality
  - A watchdog time-out alarm triggers an NMI pre-warning to the CPUs
  - At the same time, recovery timer 0 is started
  - The recovery timer time-out triggers a reset
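A C model of the recovery timer sequence described in the two sections above (alarm starts the timer and raises an NMI, the handler stops it on success, an unstopped timer ends in the configured reset), added here as an illustration and not taken from the slides or from Infineon's own drivers; the time-out value, the tick unit and the try_recover callback are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* States and reactions of one recovery timer; time-out value and tick unit
 * are assumed configuration, not register values from the slides. */
enum rt_state { RT_IDLE, RT_RUNNING, RT_STOPPED, RT_TIMEOUT };
enum reaction { REACT_NONE, REACT_NMI, REACT_RESET };

struct recovery_timer {
    enum rt_state state; uint32_t elapsed;            /* ticks since start */
    uint32_t timeout_ticks; enum reaction on_timeout; /* assumed configuration */
};

/* An enabled alarm starts the timer and at the same time raises the NMI. */
enum reaction rt_on_alarm(struct recovery_timer *rt) {
    if (rt->state == RT_IDLE) { rt->state = RT_RUNNING; rt->elapsed = 0; }
    return REACT_NMI;
}

/* The error handler stops the timer after a successful recovery. */
bool rt_stop(struct recovery_timer *rt) {
    if (rt->state != RT_RUNNING) return false;
    rt->state = RT_STOPPED;
    return true;
}

/* Advance the timer; an expired timer raises the time-out alarm's reaction. */
enum reaction rt_tick(struct recovery_timer *rt, uint32_t ticks) {
    if (rt->state != RT_RUNNING) return REACT_NONE;
    rt->elapsed += ticks;
    if (rt->elapsed < rt->timeout_ticks) return REACT_NONE;
    rt->state = RT_TIMEOUT;
    return rt->on_timeout;
}

/* Watchdog path from the slides: the watchdog time-out alarm pre-warns the
 * CPUs with an NMI and starts recovery timer 0; the handler (try_recover is
 * a hypothetical callback) runs for handler_ticks. A recovery that finishes
 * only after the time-out still ends in the configured reset. */
enum reaction watchdog_prewarning(struct recovery_timer *rt0,
                                  bool (*try_recover)(void), uint32_t handler_ticks) {
    rt_on_alarm(rt0);
    bool recovered = try_recover();
    enum reaction r = rt_tick(rt0, handler_ticks);
    if (r == REACT_NONE && recovered) rt_stop(rt0);
    return r;
}

/* Constructed stand-ins for the handler's recovery attempt. */
bool recover_ok(void)   { return true; }
bool recover_fail(void) { return false; }
```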





#### SFF Register Monitor

#### RMCTL, RMEF and RMSTS: Separated control and status bits per IP with SFFs

RMCTL, Register Monitor Control (0300<sub>H</sub>), Application Reset Value: 0000 0000<sub>H</sub>

| Bits   | 31-11 | 10   | 9   | 8   | 7   | 6   | 5   | 4   | 3   | 2   | 1   | 0   |
|--------|-------|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Field  | 0     | TE10 | TE9 | TE8 | TE7 | TE6 | TE5 | TE4 | TE3 | TE2 | TE1 | TE0 |
| Access | r     | rw   | rw  | rw  | rw  | rw  | rw  | rw  | rw  | rw  | rw  | rw  |

| Field        | Bits | Type | Description |
|--------------|------|------|-------------|
| TEz (z=0-10) | z    | rw   | Test Enable. This bit controls the timing of the test mode of the register monitor safety mechanism.<br>0<sub>B</sub> Test mode disabled<br>1<sub>B</sub> Test mode enabled |

| Error flag   | Monitored IP    |
|--------------|-----------------|
| SMU_RMEF[0]  | MTU             |
| SMU_RMEF[1]  | IOM             |
| SMU_RMEF[2]  | IR              |
| SMU_RMEF[3]  | EMEM            |
| SMU_RMEF[4]  | SCU/SRU         |
| SMU_RMEF[5]  | PMS             |
| SMU_RMEF[6]  | DMA             |
| SMU_RMEF[7]  | SMU_core        |
| SMU_RMEF[8]  | CERBERUS        |
| SMU_RMEF[9]  | SYS_PLL/PER_PLL |
| SMU_RMEF[10] | CCU             |
| ...          | ...             |

RMEF, Register Monitor Error Flags (0304<sub>H</sub>), Application Reset Value: 0000 0000<sub>H</sub>

| Bits   | 31-11 | 10   | 9   | 8   | 7   | 6   | 5   | 4   | 3   | 2   | 1   | 0   |
|--------|-------|------|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Field  | 0     | EF10 | EF9 | EF8 | EF7 | EF6 | EF5 | EF4 | EF3 | EF2 | EF1 | EF0 |
| Access | r     | rwh  | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh | rwh |

| Field        | Bits | Type | Description |
|--------------|------|------|-------------|
| EFz (z=0-10) | z    | rwh  | Status flag related to the different instances of the register monitor safety mechanism. It reports a real flip flop failure in non-test mode as well as an unexpected behavior in test mode. This flag can only be cleared by software, a set by software has no effect.<br>0<sub>B</sub> Error flag z does not report a fault condition<br>1<sub>B</sub> Error flag z reports a fault condition |

RMSTS, Register Monitor Self Test Status (0308<sub>H</sub>), Application Reset Value: 0000 0000<sub>H</sub>

| Bits   | 31-11 | 10    | 9    | 8    | 7    | 6    | 5    | 4    | 3    | 2    | 1    | 0    |
|--------|-------|-------|------|------|------|------|------|------|------|------|------|------|
| Field  | 0     | STS10 | STS9 | STS8 | STS7 | STS6 | STS5 | STS4 | STS3 | STS2 | STS1 | STS0 |
| Access | r     | rwh   | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  | rwh  |

| Field         | Bits | Type | Description |
|---------------|------|------|-------------|
| STSz (z=0-10) | z    | rwh  | Ready flag related to the different instances of the register monitor safety mechanism. A logical '1' of this bit indicates that the register monitor test has been executed. This bit can only be cleared by software, a set by software has no effect.<br>0<sub>B</sub> Self-test has not completed<br>1<sub>B</sub> Self-test has completed |
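
Added example (not from the slides or from Infineon): a C check of the register monitor self-test outcome using the RMCTL/RMEF/RMSTS bit layout and the SMU_RMEF-to-IP mapping above; treating the rwh flags as write-0-to-clear is this example's interpretation of "can only be cleared by software, a set by software has no effect".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Register monitor instances in the page's SMU_RMEF[z] mapping, z = 0..10. */
static const char *const RM_INSTANCE[11] = {
    "MTU", "IOM", "IR", "EMEM", "SCU/SRU", "PMS", "DMA",
    "SMU_core", "CERBERUS", "SYS_PLL/PER_PLL", "CCU" };
#define RM_INSTANCES 11u
#define RM_MASK      0x7FFu   /* TEz / EFz / STSz occupy bits 0..10 */

/* RMCTL value that enables test mode for the instances selected in `instances`. */
uint32_t rmctl_test_enable(uint32_t instances) { return instances & RM_MASK; }

/* Verdict after the self-test: instance z is bad if STSz is still 0 (test
 * not completed) or EFz is 1 (flip-flop failure, or unexpected behaviour in
 * test mode). Returns the bitmask of bad instances; 0 means all passed. */
uint32_t rm_bad_instances(uint32_t rmsts, uint32_t rmef) {
    uint32_t not_done = ~rmsts & RM_MASK;
    return not_done | (rmef & RM_MASK);
}

/* Fill `names` with the monitored IPs flagged in `mask`; returns the count. */
size_t rm_names(uint32_t mask, const char **names, size_t max) {
    size_t n = 0;
    for (unsigned z = 0; z < RM_INSTANCES && n < max; z++)
        if (mask & (1u << z)) names[n++] = RM_INSTANCE[z];
    return n;
}

/* Model of a software write to an rwh flag register (EFz / STSz): a 0 written
 * by software clears the flag, a 1 leaves the hardware value untouched, so
 * software can never set a flag (assumed write-0-to-clear semantics). */
uint32_t rm_flags_after_write(uint32_t hw, uint32_t sw) { return hw & sw & RM_MASK; }

/* Clear only the flags in `to_clear`, keeping every other flag as reported. */
uint32_t rm_clear_flags(uint32_t hw, uint32_t to_clear) {
    return rm_flags_after_write(hw, ~to_clear);
}
```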




