AN3324
Application note
Implementing power-on self tests for SPC56EL60 in locked step
Introduction
SPC56EL60 is a 32-bit system-on-chip (SoC) automotive microcontroller designed for safety applications, with a focus on minimizing software measures within the CPU core subsystem.
In order to reach this state, several software measures are required during the MCU power-on start-up procedure. This application note describes the software measures that the user must perform after boot in order to detect and manage latent faults.
This document is valid only under the assumption that the MCU is used in locked step for automotive applications with fail-silent or fail-indicate micros.
This application note is based on AN3077 rev. 2 (see B.1: Reference documents).
All the topics covered in this document also refer to RM0032 rev. 5, SPC56EL60L3, SPC56EL60L5 datasheet rev. 5 and AN3121 rev. 1 (see B.1: Reference documents in Appendix B).
This application note applies to SPC56EL60 devices according to Table 1.
Table 1. Device summary

Part number | Package
SPC56EL60L3 | LQFP100 (3.3 V)
SPC56EL60L5 | LQFP144 (3.3 V)
January 2011, Doc ID 18311 Rev 1, www.st.com
Contents
1 Document hierarchy
2 How to implement power-on self test features
  2.1 MCU initialization
    2.1.1 Safety initialization
  2.2 Safety verification and faults checking
3 Module software requirements for non applicative peripherals
  3.1 System Status and Configuration Module (SSCM)
  3.2 Self Test Control Unit (STCU)
  3.3 Redundancy Control Checker Unit (RCCU)
  3.4 Reset Generation Module (MC_RGM)
  3.5 Fault Collection and Control Unit (FCCU)
  3.6 Clock configuration
  3.7 Clock Monitor Unit (CMU)
  3.8 Frequency-Modulated Phase-Locked Loop (FMPLL)
  3.9 Internal RC Oscillator (IRCOSC)
  3.10 Flash memory
    3.10.1 Array integrity self check procedure
  3.11 Temperature sensors
  3.12 Software Watchdog Timer (SWT)
  3.13 Power Management Unit (PMU)
4 Module software requirements for applicative peripherals
  4.1 Analog to Digital Converter (ADC)
    4.1.1 Self test algorithms
    4.1.2 Analog watchdog
5 Summary
Appendix A CPU core initialization
  A.1 CPU register initialization
  A.2 Example of SPC56EL60 boot file for Flash
Appendix B Additional information
  B.1 Reference documents
  B.2 Acronyms
Revision history

List of tables
Table 1. Device summary
Table 2. Fault assertion conditions
Table 3. SPC56EL60 registers to initialize
Table 4. Acronyms
Table 5. Document revision history

List of figures
Figure 1. Initialization flow
Figure 2. Safety initialization flow
Figure 3. Faults check flow
Figure 4. FCCU configuration flow
Figure 5. SPC56EL60 system clock generation
Figure 6. Clock configuration flow
Figure 7. Built-in self test flow
Figure 8. PMU power-on self test flow
Figure 9. ADC self test in CPU mode using one shot sequence
Figure 10. SPC56EL60: checking flow

1 Document hierarchy
The Safety Application Guide (SAG) (please refer to AN3077, see B.1: Reference documents in Appendix B) is the reference document to use.
This application note focuses on describing the individual software measures.
The SAG describes which measure to apply according to the application and peripheral usage.
The hints described in this document should be considered as proposals for implementing the requirements described in the SPC56EL60 SAG. Based on their applications and the SAG, users can decide to use different implementations.
2 How to implement power-on self test features
The goal of this application note is to show how users can properly implement the safety initialization and the self tests in order to detect latent faults (a) and to manage them.

2.1 MCU initialization
At power-on, after register initialization (see Section 3.3: Redundancy Control Checker Unit (RCCU)) and other basic initializations (MMU configuration, stack initialization, etc.) (see Appendix A: CPU core initialization), user software has to verify whether the MCU is in alarm state or in safe mode (coming from a Reset Condition) (see Section B.1: Reference documents in Appendix B) and, in that case, must manage the fault causes.
If the current mode in the Mode Entry module is the default run mode (DRUN), software can proceed with the default safety MCU initialization with self test features (see Figure 1: Initialization flow).
Note: The user can verify the alarm state by reading Non Critical Fault on the FCCU, and can verify safe mode by reading the Current Mode field (GS register) on the Mode Entry module.
a. Latent fault: multiple point fault whose presence is not detected by a safety mechanism nor perceived by the driver within the multiple point fault detection interval.
[Figure 1. Initialization flow. Blocks: Reset; CPU Core Initialization; Read Non Critical Faults; decision "FCCU in Safe State or Alarm State" (Yes/No); MCU Initialization; Check Faults; Fault Manager; User Code.]

2.1.1 Safety initialization
Figure 2 shows an example of how to implement a safety initialization (see Section 3: Module software requirements for non applicative peripherals).
The user should take care that:
1. Execution order is not mandatory but it is strongly recommended (see Figure 2: Safety initialization flow).
2. SWT (Software Watchdog Timer) is enabled.
3. RGM (Reset Generation Module) and FCCU (Fault Collection and Control Unit) must be configured before all monitors or detectors are initialized.
[Figure 2. Safety initialization flow. Blocks in order: Begin; Disable SWT; Enable All Peripherals; Init FCCU; Init RGM; Init Magic Carpet (ME-Clocks-FMPLL-Wait States); Inhibit BAM Execution; Configure CMU; Init Peripheral Bridge; Init and Enable IRQ Management; End.]

2.2 Safety verification and faults checking
At the end of safety initialization, user software has to verify some basic safety requirements and check whether any fault is present (see Section 3: Module software requirements for non applicative peripherals). Figure 3 shows an example of how to implement the faults check flow.
[Figure 3. Faults check flow. Blocks: Begin; decisions (each with YES/NO outcomes) MCU in Lock Step, Flash Array Integrity Check, STCU Check, PMU Check, IRC Check, Temperature Check; Configure SWT; decision SWT Check; Fault Manager; End.]

3 Module software requirements for non applicative peripherals
This chapter describes the requirements of the software modules that should check the system peripherals and the Flash. The checks are required for any application.
The peripherals treated in this chapter are regarded as non applicative peripherals because they are not directly involved in any application Safety Integrity Function (SIF); please refer to AN3077 (see B.1: Reference documents in Appendix B).

3.1 System Status and Configuration Module (SSCM)
Before executing safety functions, the user must perform two actions:
1. Configure the SSCM to inhibit unintentional execution of the BAM code.
Note: This requirement is satisfied by asserting the flag PAE in the ERROR register of the SSCM. Each access to the BAM memory area produces a Prefetch or Abort exception.
2. Verify that the device operates in Lock-Step Mode (LSM).
Note: Software needs to check this condition by reading the LSM flag in the System Status Register (SSCM_STATUS) and verifying that the device is operated in the intended mode of operation.

3.2 Self Test Control Unit (STCU)
After boot, user software must check the STCU to ensure its reliability. The software must perform several operations based on the STCU status conditions after the power-on self test. Even if no errors are reported, user software should confirm that the expected and actual values within the CRC (Cyclic Redundancy Check) and LBIST MISR registers do not indicate an error.
This software confirmation prevents a fault within the STCU itself incorrectly indicating that the self test passed.
In the case of no reported errors, user software should confirm that:
1. The internal CRC computation result matches the expected value.
Note: Read the CRCE and CRCR registers to check the coherency with the STCU_ERR[CRCS] flag.
2. The signature registers of each of the LBIST results match their corresponding expected values.
Note: For each LBIST, read the STCU_LBMISREL/H and STCU_LBIST_NMISRRL/H registers to check the coherency with the STCU_LBS bits.
3. Read the registers used for Reported Errors and verify that their values are as expected. Refer to the “Integrity SW operations” section in RM0032 (see B.1: Reference documents in Appendix B).
Note: Verify that STCU_LBS, STCU_LBE, STCU_MBSL, STCU_MBEL flag registers values are as expected. (LBIST and MBIST finished with success).
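
The confirmation in steps 1 and 2 above, as an added example in C that is not code from AN3324 or from ST: software recomputes each expected/actual comparison and cross-checks it against the flag the STCU reported, so that a flag contradicting the values points at the STCU itself. The struct layout, the type and function names, the flag polarity, the reading of CRCE as the expected and CRCR as the computed value, and the sample values are assumptions of this example; register addresses and bit meanings must come from RM0032.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Values the caller copied out of the STCU. Field layout and flag polarity
 * are assumptions of this example; take the real ones from RM0032. */
typedef struct {
    uint32_t misr_exp_lo, misr_exp_hi;   /* expected LBIST signature */
    uint32_t misr_read_lo, misr_read_hi; /* signature the LBIST produced */
    bool     flagged_pass;               /* decoded from its STCU_LBS bit */
} lbist_result_t;
typedef struct {
    uint32_t crc_expected;      /* CRCE, assumed to hold the expected CRC */
    uint32_t crc_read;          /* CRCR, assumed to hold the computed CRC */
    bool     crc_flagged_error; /* decoded from STCU_ERR[CRCS] */
    const lbist_result_t *lbist;
    size_t   lbist_count;
} stcu_snapshot_t;
typedef enum {
    STCU_OK = 0,       /* values match and the flags agree */
    STCU_TEST_FAILED,  /* mismatch that the STCU also reported */
    STCU_INCOHERENT    /* flags contradict the values: suspect the STCU */
} stcu_verdict_t;
/* Recompute every comparison in software and cross-check it with the flag. */
stcu_verdict_t stcu_confirm(const stcu_snapshot_t *s)
{
    stcu_verdict_t verdict = STCU_OK;
    bool crc_match = (s->crc_expected == s->crc_read);
    if (crc_match == s->crc_flagged_error)
        return STCU_INCOHERENT;
    if (!crc_match)
        verdict = STCU_TEST_FAILED;
    for (size_t i = 0; i < s->lbist_count; i++) {
        const lbist_result_t *l = &s->lbist[i];
        bool match = l->misr_exp_lo == l->misr_read_lo &&
                     l->misr_exp_hi == l->misr_read_hi;
        if (match != l->flagged_pass)
            return STCU_INCOHERENT;
        if (!match)
            verdict = STCU_TEST_FAILED;
    }
    return verdict;
}
/* Constructed sample: CRC fine, one LBIST whose read-back and flag vary. */
stcu_verdict_t sample_case(uint32_t misr_read_lo, bool flagged_pass)
{
    lbist_result_t l = { 0x1234ABCDu, 0u, misr_read_lo, 0u, flagged_pass };
    stcu_snapshot_t s = { 0xCAFEF00Du, 0xCAFEF00Du, false, &l, 1 };
    return stcu_confirm(&s);
}
```

Both STCU_TEST_FAILED and STCU_INCOHERENT would be routed to the fault manager; keeping them distinct records whether the tested logic or the STCU reporting path is the suspect.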