EE Times-Asia

Functional safety features in modern MCUs

Posted: 04 Apr 2012

Keywords: functional safety, automotive SoCs, enhanced direct memory access

1. After an STCU reset event, the SSCM (self-checking computer module) detects that the device self-test has not been run yet.

2. The SSCM reads the self-test parameters from flash nonvolatile memory (NVM).

3. The SSCM loads the self-test parameters into the STCU and passes control over to the STCU.

4. The STCU manages the MBISTs and updates its internal status.

5. The STCU manages the LBISTs and updates its internal status.

6. If faults are detected, the STCU reports the test failures to the FCCU.

7. Once the self-test has completed, the STCU signals the Reset Module and the boot sequence proceeds to the next phase. However, if a SIR (stay-in-reset) fault occurs, the STCU keeps the device in reset until an STCU reset event is applied.

Clock monitor unit
The CMU monitors the system PLL output or the external crystal oscillator frequency and signals a fault, reset, or interrupt if the clock is lost or if the monitored clock leaves its lower or upper frequency boundary. The CMU uses the system safe clock (the internal RC oscillator clock) as the reference against which the monitored clock is measured.

A simplified block diagram of the CMU is shown in figure 4.

As the diagram shows, the CMU provides signals to the reset and FCCU modules if there is an oscillator loss-of-clock event or a frequency-high/frequency-low event on the monitored clocks. The configuration of the reset and FCCU modules determines whether such an event generates an interrupt or a reset.
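As an added illustration (not code from the article or from Freescale), the following C model shows how a CMU-style monitor decides between OK, loss-of-clock, frequency-low and frequency-high by counting monitored-clock edges over a window of reference-clock cycles, and how the configured reaction (interrupt or reset) is then selected. The type and field names, the 16 MHz reference and the 100..130 MHz band are assumptions, not values from any datasheet.

```c
#include <stdint.h>

/* Events a CMU can raise for a monitored clock, as described in the text. */
typedef enum { CMU_OK = 0, CMU_LOSS_OF_CLOCK, CMU_FREQ_LOW, CMU_FREQ_HIGH } cmu_event_t;

/* Reaction selected by the reset/FCCU configuration (hypothetical names). */
typedef enum { CMU_REACT_NONE = 0, CMU_REACT_INTERRUPT, CMU_REACT_RESET } cmu_reaction_t;

typedef struct {
    uint32_t ref_hz;            /* internal RC oscillator used as the reference */
    uint32_t window_ref_cycles; /* measurement window, in reference-clock cycles */
    uint32_t lo_hz;             /* lower boundary of the monitored clock */
    uint32_t hi_hz;             /* upper boundary of the monitored clock */
    cmu_reaction_t on_loss_of_clock;     /* what reset/FCCU are set up to do */
    cmu_reaction_t on_freq_out_of_range;
} cmu_config_t;

/* Constructed configuration (assumed values): 16 MHz RC reference, a
 * 1600-cycle window (100 us), a 120 MHz PLL output expected, and a
 * tolerated band of 100..130 MHz. Loss of clock forces a reset, a
 * frequency excursion raises an interrupt. */
static const cmu_config_t cmu_demo_cfg = {
    16000000u, 1600u, 100000000u, 130000000u, CMU_REACT_RESET, CMU_REACT_INTERRUPT
};

/* Edges of a clock running at `hz` expected inside one window.
 * 64-bit arithmetic keeps hz * window from overflowing for MHz clocks. */
static uint64_t cmu_expected_edges(const cmu_config_t *c, uint64_t hz) {
    return (hz * c->window_ref_cycles) / c->ref_hz;
}

/* Classify the number of monitored-clock edges counted during one window. */
cmu_event_t cmu_classify(const cmu_config_t *c, uint32_t edges) {
    if (edges == 0) return CMU_LOSS_OF_CLOCK;               /* no activity at all */
    if (edges < cmu_expected_edges(c, c->lo_hz)) return CMU_FREQ_LOW;
    if (edges > cmu_expected_edges(c, c->hi_hz)) return CMU_FREQ_HIGH;
    return CMU_OK;
}

/* Map an event to the reaction chosen by the reset/FCCU configuration. */
cmu_reaction_t cmu_react(const cmu_config_t *c, cmu_event_t ev) {
    switch (ev) {
    case CMU_OK:            return CMU_REACT_NONE;
    case CMU_LOSS_OF_CLOCK: return c->on_loss_of_clock;
    default:                return c->on_freq_out_of_range;
    }
}
```

With the assumed configuration, a window that counts 10000 to 13000 edges is in range; 0 edges is a loss of clock and is escalated to reset rather than interrupt.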

Power monitoring unit
Two types of voltage supervisor are implemented on Freescale safety devices: low-voltage detect (LVD) and high-voltage detect (HVD) monitors. All safety-relevant voltage pins are supervised for voltages that fall outside the LVD/HVD range.

Because a fault on a safety-relevant voltage can disable the MCU's own failure-indication mechanisms (the FCCU, the pads, and so on), an LVD/HVD error indication directly forces the device into the fail-safe state (reset assertion).

Even though implementing functional safety features requires redundancy in the MCU, with the added power and die size that implies, the benefits of a robust system (the device being able to provide fail-safe, fail-silent, or fail-indicate states) are immense. Such functional safety features (as shown here for Freescale devices) allow customers to achieve ISO 26262 ASILx and IEC 61508 SILx certification for their applications.

About the author
Arun Mishra is lead design engineer at Freescale Semiconductor.
