ST SPC582B Series Installation and operating instructions

Introduction

This application note describes the FCCU failure input sources. Furthermore, for each of them, it describes how to verify the

integrity of the error reaction path and the recommended methods to inject a fault.

The device mentioned in this document is the SPC582Bx (40 nm–Body–ASIL B). Most of the concepts, however, are also valid

for the other devices belonging to the 40 nm and 55 nm families of SPC5 32-bit automotive MCUs.

Before reading this document, the reader should have a clear understanding about the usage of FCCU. For further details on

this module, refer to “Fault Collection and Control Unit (FCCU)” chapter of the SPC582Bx microcontroller reference manual

RM0403. For description of the functional and electrical problems of the SPC582Bx devices, the reader should also refer to the

SPC582Bx errata sheet ES0413.

A reference code is available.

SPC582Bx FCCU fault sources and reaction

AN5752

Application note

AN5752 - Rev 1 - November 2021

For further information contact your local STMicroelectronics sales office.

www.st.com

1Overview

The FCCU is a key element of the functional safety concept of the SPC58 and SPC57 families of SPC5

32-bit automotive MCUs. It is responsible for collecting and reacting to failure notifications coming from different

modules indicated as monitors. Examples of monitors are CMU, MEMU, XBIC and so forth.

Figure 1. FCCU monitor to reaction path

FCC

Clear

Error out/in

Reset request Reset

Fault

Set

INTC

Interrupt request

(ALARM)

Interrupt

RGM

NMI

Monitor 1

Monitor N

Core_0

FCCU

FOSU

destructive

reset

Note: Some monitors might miss the set and clear signals.

The Figure 1 shows how the FCCU is connected to the other blocks. The reader shall consider the above figure,

and all other figures in this document, as a logic schema that not exactly reflects the physical implementation in

the silicon.

In case of a fault, the FCCU can move the device into the safe state (the safety manual defines the safe states)

without any core intervention. Since the FCCU and the whole error reaction path are prone to latent failures, the

safety concept requires the execution of a software test to verify the integrity of the error reaction. The user shall

run this software test at least once per trip time.

Note: The safety analysis assumes a trip time of 12 hours.

This document goes through the list of the faults reported by the FCCU. For each of them it describes how to

test the reaction path to fulfill the previous requirement. Note that the user cannot test the error reaction path for

certain monitors.

The Table 1 lists and describes all FCCU input fault sources for SPC582Bx MCUs.

Table 1. FCCU failure inputs

FCCU input # Source Failure description Error reaction path

0 PMC DIG Temperature out of range Not testable

1 PMC DIG Voltage out of range from LVDs Not testable

2 PMC DIG Voltage out of range from HVDs Not testable

3 PMC DIG Digital PMC initialization error during DCF data load Not testable

4 PMC DIG Digital PMC voltage detector BIST Testable

5 SSCM/FLASH_0 SSCM transfer error OR Flash memory initialization error Not testable

6 STCU BIST result-wrong signature (STCU unrecoverable fault) Testable

AN5752

Overview

AN5752 - Rev 1 page 2/35

FCCU input # Source Failure description Error reaction path

7 STCU BIST result-wrong signature (STCU recoverable fault) Testable

8 STCU MBIST control activation Testable

9 GLUE LOGIC JTAG, NPC or debug functionality moved out of reset or

SSCM activation Testable

10 PLATFORM/DMA DMA_1 gasket monitor error Not testable

11 PLATFORM/DSMC DSMC ECC error Not testable

12 PLATFORM/CORE Core_2 I-bus ECC error Not testable

13 PLATFORM/CORE Core_2 D-bus ECC error Not testable

14 PLATFORM/DMA DMA_1 ECC error Not testable

15 PLATFORM/DMA DMA_1 TCD EDC after ECC Not testable

16 FLASH_0/1 Flash reset error Not testable

18 PLATFORM/SWT SWT_2 reset request Testable

21 MEMU System RAM ECC correctable error Testable

22 MEMU System RAM ECC uncorrectable error Testable

23 MEMU System RAM ECC overflow error(1) Testable

24 MEMU Peripheral RAM ECC correctable error Testable

25 MEMU Peripheral RAM ECC uncorrectable error Testable

26 MEMU Peripheral RAM ECC overflow error(2) Testable

27 MEMU Flash ECC correctable error Testable

28 MEMU Flash ECC uncorrectable error Testable

29 MEMU Flash ECC overflow error Testable

30 IMA IMA activation Testable

32 PLATFORM/SMPU SMPU XBAR 1 monitor incorrectly refuses an access Not testable

34 PLATFORM/SMPU SMPU XBAR 1 monitor correctly refuses an access Testable

48 PLATFORM/DMA DMA_1 TCD RAM feedback error Testable

49 PLL DIG PLL0 loss of lock error Testable

50 PLL DIG PLL1 Loss of Lock error Testable

51 CMU CMU_0 error (XOSC less than IRC, XTAL pin floating,

EXTAL pin floating) Not testable

52 CMU Frequency out of range(3) Testable

53 CMU Frequency out of range(4) Testable

54 CMU Frequency out of range(5) Testable

56 PLATFORM/XBAR 1 XBIC error detected Testable

63 FLASH_0 Flash read reference error Testable

64 PLATFORM/FLASH_1 EDC after ECC error for Flash array Testable

65 PLATFORM/FLASH_1 EDC after ECC error for Flash controller Not testable

66 PLATFORM/FLASH_1 Flash encoding error Testable

67 PLATFORM/FLASH_1 PFLASH address feedback error Testable

74 PLATFORM/PRAM 2 Corrupted system RAM access or late-write buffer mismatch Not testable

75 PLATFORM/PRAM 2 EDC after ECC for system RAM Not testable

78 TCU Test circuitry group 1 activation Not testable

AN5752

Overview

AN5752 - Rev 1 page 3/35

FCCU input # Source Failure description Error reaction path

79 TCU Test circuitry group 2 activation Not testable

80 TCU Test circuitry group 3 activation Not testable

81 TCU Test circuitry group 4 activation Not testable

84 PLATFORM/CORE Safety Core_2 exception (machine check exception) Testable

89 PLATFORM/PBRIDGE PBRIDGE_1 e2eEDC error Not testable

91 PLATFORM/PBRIDGE PBRIDGE_2 e2eEDC error Not testable

94 MC_RGM Safe mode entry indication Not testable

95 COMPENSATION CELLS Pad compensation deactivation Not testable

96 GLUE LOGIC Error input pin (from the external world) Testable

1. Aggregate of RAM correctable error overflow flag, RAM uncorrectable error overflow flag, RAM error buffer overflow flag.

2. Aggregate of peripheral RAM correctable error overflow flag, peripheral RAM uncorrectable error overflow flag, peripheral

RAM error buffer overflow flag.

3. FHH or FLL event for CMU_0.

4. FHH or FLL event from CMU_1, CMU_2, CMU_3, CMU_11, CMU_14.

5. FHH or FLL event from CMU_6, CMU_12.

Before the safety application starts, the user shall configure a proper reaction for each FCCU failure input

source. See “FCCU registers reset values” paragraph in SPC582Bx Reference Manual for the device default

configuration.

Possible reactions to a failure are:

• Internal reactions:

Note: The user can configure separately the internal reaction for each FCCU input.

– No reset reaction

– IRQ

– Short functional reset

– Long functional reset

– NMI

• External reaction:

– Error out (EOUT) signaling.

The FCCU controls EOUT pins that signal the status of the MCU without any core intervention.

A dedicated module called FOSU monitors the integrity of the FCCU. The FOSU triggers a destructive reset if its

internal counter reaches a timeout before the FCCU takes a reaction to an incoming – and enabled – fault.

Note: There is a 'do nothing' FOSU input coming from the FCCU that indicates that the FCCU is programmed for no

reaction.

The FOSU does not require any configuration done by the user. A functional reset has no impact on the FCCU.

AN5752

Overview

AN5752 - Rev 1 page 4/35

2FCCU fault injection, clearing and fake fault interface

The application can use the fault injection to diagnose physical defects affecting the connections between the

hardware monitors and the FCCU. The procedure to inject a fault depends on the specific monitor.

Three different sets of fault inputs can be distinguished:

• faults injectable by using the FCCU fake fault interface (“Mon 1” in Figure 2);

• faults injectable by using a SW procedure to stimulate the fault (“Mon 2” in Figure 2);

• faults not injectable (“Mon 3” in Figure 2).

Figure 2. FCCU inner diagram

FCCU_RFF

RGM

Error out

Reset request

Mon 1

Fault

CLEAR

INTC

Interrupt request

SET

CLEAR

Mon 2

Fault

Mon 3

Fault

FCCU_RF_Sn

Mon 2 Register

FSM

The FCCU can trigger a fault event directly in the monitor (even if no real failure is occurred) through the fake fault

interface.

To generate this fault event, an additional (and optional) signal is available (set signal in Figure 2, yellow arrow).

Note: Not all monitors embed this interface. When available, fake fault injection method is suggested in the following

sections.

The fake fault injection is executed by a write operation into the FCCU_RFF register and the corresponding

reaction is not maskable. Some monitors miss the set signal. In this case (set signal in Figure 2, blue arrow) the

write operation into the FCCU_RFF register does not affect the monitor but only the FCCU reaction.

AN5752

FCCU fault injection, clearing and fake fault interface

AN5752 - Rev 1 page 5/35

To clear a fault directly in the monitor, an additional (and optional) signal is available (clear signal in Figure 2,

yellow arrow). The de-assertion of the FCCU_RF_Sn status bit indicates that the software has properly cleared

the fault. Some monitors miss the clear signal. In this case (clear signal in Figure 2, blue arrow) the fault can be

cleared by a write operation into a specific register of the monitor.

Depending on the monitor, the fault indication is a pulse, that is, fault edge triggered, or a constant value, fault

level triggered.

The fault management shall consider that the user can configure a fault as:

• HW recoverable fault, that is, the fault status within the FCCU remains asserted until the monitor keeps the

fault indication asserted. As soon as the monitor clears the fault indication, it also clears the fault status

within the FCCU.

• SW recoverable fault, that is, the fault status within the FCCU remains asserted until the software clears it

even if the monitor de-asserts the fault indication.

The generic recommendation is to configure all faults as SW recoverable. In such a way, the FCCU clears the

respective status flag only after an explicit request from the software. In case of HW recoverable, the status flag

automatically clears, and the application may not react properly to the incoming fault.

AN5752

FCCU fault injection, clearing and fake fault interface

AN5752 - Rev 1 page 6/35

3Faults description

The following sections describe all the faults collected by FCCU for SPC582Bx device and how, if possible, to

inject them for checking the integrity of the relevant reaction path.

The following convention is adopted in the following figures:

1. a green arrow marks the faults injectable by the FCCU fake fault interface;

2. a blue arrow marks the faults injectable by using a SW procedure to stimulate the fault;

3. a red arrow marks the faults that the user cannot inject.

3.1 PMC_DIG faults

PMC_DIG is the source of five different FCCU input faults.

For further details on PMC_DIG, refer to the device SPC582Bx microcontroller reference manual RM0403.

Figure 3. PMC_DIG faults

RGM

Error out

Reset request

reset

TSENS

FCCU

INTC

Interrupt request

Interrupt

LVDs

HVDs

DCF

BIST

PMC_Dig

Fault #2

Fault #0

Fault #1

Fault #3

Fault #4

Set

Clear

3.1.1 Temperature detector out of range (fault #0)

The temperature detector detects if the temperature exceeds the defined thresholds and the PMC_DIG forwards

this fault to the FCCU. There are three thresholds: TS0, TS1, and TS2. Temperature detector thresholds are

trimmed at testing phase and cannot be configured by the user.

The user cannot inject this fault.

3.1.2 Voltage out of range from LVDs (fault #1)

Each LVD detects a voltage that drops below the defined threshold and the PMC_DIG forwards this fault to the

FCCU. The MCU embeds some LVDs (for further details on LVDs, refer to SPC582Bx reference manual RM0403)

and their output signals are put in OR before arriving at the FCCU failure input #1.

The user cannot inject this fault.

3.1.3 Voltage out of range from HVDs (fault #2)

Each HVD detects a voltage that raises above the defined threshold and the PMC_DIG forwards this fault to

the FCCU. The MCU embeds some HVDs (for further details on LVDs, refer to SPC582Bx reference manual

RM0403) and their output signals are put in OR before arriving at the FCCU failure input #2.

The user cannot inject this fault.

AN5752

Faults description

AN5752 - Rev 1 page 7/35

3.1.4 Digital PMC initialization error during DCF data load (fault #3)

DCF records are used to configure certain registers in the device during system boot. If an error occurs while the

SSCM loads the values into the PMC registers, the PMC_DIG forwards this fault to the FCCU.

The user cannot inject this fault.

3.1.5 Digital PMC voltage detector BIST (fault #4)

The voltage detector BIST verifies the integrity of all the voltage monitors. In case the BIST fails, the PMC_DIG

forwards this fault to the FCCU.

The user can inject this fault by the FCCU fake fault interface.

The user must set the PMC_DIG_BIST_CTRL[NCFEN] bit to enable a user BIST not critical fault indication to the

FCCU and inject a fake fault by setting the FCCU_RFF[FRFC] field to the value 0x04. The FCCU error reaction

path is verified if both the FCCU_RF_S0[RFS4] and the BIST_CTRL[NCFST] status bits are set.

The BIST_CTRL[NCFST] status bit indicates a BIST fail on completion of BIST sequence, and it is cleared by HW

on clearing the relevant FCCU_RF_S0[RFS4] bit.

3.2 SSCM/Flash_0 fault

The SSCM reads the system configuration from the Flash memory and pushes it to the various clients inside the

microcontroller.

Note: System configuration is mainly saved as DCF records that are located either in the test or UTest sectors of the

Flash memory.

For further details on SSCM, refer to the device SPC582Bx reference manual RM0403.

Figure 4. SSCM/Flash faults

RGM

Error out

Reset request reset

SSCM

FCCU

INTC

Interrupt request

Interrupt

FLASH

Fault #5

3.2.1 SSCM transfer error OR Flash memory initialization error (fault #5)

A fault can occur while the SSCM loads the STCU configuration and the SSCM forwards this fault to the FCCU.

Moreover, an unexpected condition, for example, ECC double-bit detections on the reset reads, can occur within

the Flash memory during its initial configuration and the Flash memory forwards this fault to the FCCU.

The two error signals are put in OR before arriving to the FCCU failure input #5.

The user cannot inject this fault.

3.3 STCU faults

The STCU is a comprehensive programmable hardware module that controls the execution of the self-test during

both the off-line and/or on-line procedure. The STCU is the source of three different FCCU input faults. For further

details on STCU, refer to the device SPC582Bx microcontroller reference manual RM0403.

AN5752

SSCM/Flash_0 fault

AN5752 - Rev 1 page 8/35

Figure 5. STCU2 faults

RGM

Error out

Reset request reset

STCU2 FCCU

INTC

Interrupt request

Interrupt

Fault #7

Fault #6

Fault #8

Set

Clear

3.3.1 BIST result-wrong signature (STCU unrecoverable fault) (fault #6)

If the BIST detects a fault that is configured as unrecoverable fault, the STCU forwards this fault to the FCCU.

Note: The user shall configure the STCU to trigger either a recoverable or an unrecoverable fault if the BIST fails. This

configuration is done by programming the proper DCF records.

Although BIST is able to detect permanent faults, this fault can be also triggered in case of transient faults. The

STCU can trigger this fault only during BIST execution.

The user can inject this fault by the FCCU fake fault interface.

The user can inject a fake fault by setting the FCCU_RFF[FRFC] field to the value 0x06. The FCCU error reaction

path is verified if both the FCCU_RF_S0[RFS6] and the STCU2_ERR_STAT[UFSF] status bits are set.

The STCU2_ERR_STAT[UFSF] status bit indicates errors that trigger the unrecoverable fault condition, and it is

cleared by HW on clearing the relevant FCCU_RF_S0[RFS6] bit.

3.3.2 BIST result-wrong signature (STCU recoverable fault) (fault #7)

If the BIST detects a fault that is configured as recoverable fault, the STCU forwards this fault to the FCCU.

Note: The user shall configure the STCU to trigger either a recoverable or an unrecoverable fault if the BIST fails. This

configuration is done by programming the proper DCF records.

Although BIST is able to detect permanent faults, this fault can be also triggered in case of transient faults. The

STCU can trigger this fault only during BIST execution.

The user can inject this fault by the FCCU fake fault interface.

The user can inject a fake fault by setting the FCCU_RFF[FRFC] field to the value 0x07. The FCCU error reaction

path is verified if both the FCCU_RF_S0[RFS7] and the STCU2_ERR_STAT[RFSF] status bits are set.

The STCU2_ERR_STAT[RFSF] status bit indicates errors that trigger the recoverable faults condition, and it is

cleared by HW on clearing the relevant FCCU_RF_S0[RFS7] bit.

3.3.3 MBIST control activation (fault #8)

Unexpected activation of MBIST control signals may move the system RAM array into the BIST mode during the

execution of the application. The STCU detects this activation control and forwards this fault to the FCCU.

The user can inject this fault by the FCCU fake fault interface.

The user can inject a fake fault by setting the FCCU_RFF[FRFC] field to the value 0x08. The FCCU error reaction

path is verified if the FCCU_RF_S0[RFS8] status bit is set.

AN5752

STCU faults

AN5752 - Rev 1 page 9/35

3.4 Glue logic faults

Figure 6. Glue logic fault #9

RGM

Error out

Reset request reset

JTAG/

NPC

FCCU

INTC

Interrupt request

Interrupt

SSCM

Fault #9

Set

Clear

Figure 7. Glue logic fault #96

RGM

Error out

Reset request

reset

FCCU

INTC

Interrupt request

Interrupt

Fault #96

EOUT/EIN

SIUL PAD

3.4.1 JTAG-NPC or debug functionality out of reset or SSCM activation (fault #9)

Unexpected activation of JTAG, NPC or debug functionality during the execution of the application can interfere

with the application. If this event occurs, a dedicated glue logic forwards this fault to the FCCU. The hardware

also monitors the unwanted activation of the SSCM and, if this event occurs, a dedicated glue logic forwards this

fault to the FCCU. The two error signals are put in OR before arriving at the FCCU failure input #9.

The user can inject this fault by the FCCU fake fault interface.

The user can inject a fake fault by setting the FCCU_RFF[FRFC] field to the value 0x09. The FCCU error reaction

path is verified if the FCCU_RF_S0[RFS9] status bit is set.

3.4.2 Error input pin (from the external world) (fault #96)

If an external device pulls down the EIN (error input) pin, the MCU receives a notification of a faulty condition

detected by this external device. A dedicated glue logic forwards this fault to the FCCU.

The EOUT pin driven to FAULTY state (logic ‘0’) asserts back via the pad the EIN signal. This results in a loop

where FCCU is in FAULT state and driving EOUT which in turn keeps driving EIN.

AN5752

Glue logic faults

AN5752 - Rev 1 page 10/35

Table of contents

Popular Microcontroller manuals by other brands

Novatek

Novatek NT6861 manual

Espressif Systems

Espressif Systems ESP8266 SDK AT Instruction Set

Nuvoton

Nuvoton ISD61S00 ChipCorder Design guide

STMicrolectronics

STMicrolectronics ST7 Assembler Linker user manual

Texas Instruments

Texas Instruments Chipcon CC2420DK user manual

Lantronix

Lantronix Intrinsyc Open-Q 865XR SOM user guide

NEC

NEC 78GK0S/K 1+ Series Application note

Mikroe

Mikroe SEMITECH N-PLC Click Application note

Intel

Intel Agilex user guide

Cypress

Cypress CY4607 HX2VL quick start guide

DIGITAL-LOGIC

DIGITAL-LOGIC MICROSPACE manual

Texas Instruments

Texas Instruments TMS320F2837 D Series Workshop Guide and Lab Manual

CYPRES

CYPRES CY14NVSRAMKIT-001 user guide

Espressif Systems

Espressif Systems ESP8266EX Programming guide

Abov

Abov AC33M8128L user manual

Laird

Laird BL654PA user guide

Silicon Laboratories

Silicon Laboratories C8051F800 user guide

Energy micro

Energy micro EFM32 Giant Gecko Starter Kit user manual