AN4266 Datasheet, PDF (36/76 Pages) STMicroelectronics – Safety application guide for SPC56xL70xx family
Functional safety requirements for application software
AN4266
eTimer can be configured to trigger an eDMA transfer to move the captured value to a specific
RAM location.
● CTU_HWSWTEST_TRIGGEROVERRUN
This hardware mechanism checks if a new trigger occurs that requires an action by a
subunit that is currently busy. In this case, an overrun interrupt is generated and the
application software must handle the error condition.
The overrun detection mechanism shall be enabled by software during CTU configuration.
Rationale: Checks if a new trigger occurs that requires an action by a subunit (such as ADC
command generator) which is currently busy.
Implementation hint: To enable overrun detection, the IEE flag in the Cross Triggering
Unit Interrupt/eDMA register (CTUIR) shall be asserted. This interrupt is shared
between several sources of error. The user can discriminate among them by reading the
CTUEFR register.
● CTU_HWSWTEST_ADCCOMMAND
The CTU stores in its internal FIFOs both the value provided by each ADC conversion
and the channel number. Application software must check the ADC channel number
sequence against what is expected for each FIFO. Moreover, invalid commands issued
by the CTU are flagged and the corresponding error must be handled by the
application software.
Rationale: To detect if the incorrect channel has been acquired, or if the incorrect ADC
result FIFO is selected.
Implementation hint: To enable invalid command detection, the IEE flag in the CTUIR
register must be asserted.
This interrupt is shared between several sources of error. The user can discriminate among
them by reading the CTUEFR register.
This safety integrity function needs to be implemented only when reading analog
signals.
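The channel-sequence check described for CTU_HWSWTEST_ADCCOMMAND, as an added example (not code from AN4266 or from ST). The FIFO entry bit layout, the name ctu_check_fifo_sequence and the sample entries are assumptions made for illustration; take the real field positions from the SPC56xL70xx Reference Manual.

```c
#include <stddef.h>
#include <stdint.h>

/* ASSUMED FIFO entry layout for this example only: ADC channel number in
 * bits 20:16, conversion result in bits 11:0. Take the real field positions
 * from the SPC56xL70xx Reference Manual. */
#define FIFO_CHANNEL(e) ((uint8_t)(((e) >> 16) & 0x1Fu))
#define FIFO_RESULT(e)  ((uint16_t)((e) & 0x0FFFu))

typedef enum {
    CTU_SEQ_OK = 0,
    CTU_SEQ_COUNT_MISMATCH,   /* fewer or more entries than expected */
    CTU_SEQ_CHANNEL_MISMATCH  /* wrong channel at some position */
} ctu_seq_status_t;

/* Compare the channel numbers read from one result FIFO during one control
 * period against the expected sequence for that FIFO. Results are copied to
 * `results` only if the whole sequence matches, so a bad acquisition never
 * reaches the control algorithm. On a channel mismatch *bad_index is set to
 * the first offending position. */
ctu_seq_status_t ctu_check_fifo_sequence(const uint32_t *entries, size_t n_entries,
                                         const uint8_t *expected, size_t n_expected,
                                         uint16_t *results, size_t *bad_index)
{
    size_t i;

    if (n_entries != n_expected) {
        return CTU_SEQ_COUNT_MISMATCH;
    }
    for (i = 0; i < n_entries; i++) {
        if (FIFO_CHANNEL(entries[i]) != expected[i]) {
            *bad_index = i;
            return CTU_SEQ_CHANNEL_MISMATCH;
        }
    }
    for (i = 0; i < n_entries; i++) {
        results[i] = FIFO_RESULT(entries[i]);
    }
    return CTU_SEQ_OK;
}

/* Constructed sample data: entries as they might be drained from one FIFO. */
const uint8_t  sample_expected[3] = { 2u, 5u, 9u };
const uint32_t sample_good[3]     = { 0x00020123u, 0x00050456u, 0x00090789u };
const uint32_t sample_swapped[3]  = { 0x00020123u, 0x00090789u, 0x00050456u };
```

A non-OK status is the condition the application software would treat as the error to be handled for that control period.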
● CTU_SWTEST_ETIMERCOMMAND
Application software must configure one channel of eTimer_0 or eTimer_1 to count the
number of eTimer commands generated within a CTU control period and must check
the number against the expected one.
Rationale: To verify the correctness of the number of generated commands.
Implementation hint: Some eTimer inputs are internally connected to the CTU output (see
the SPC56xL70xx Reference Manual for details).
● CTU_HW_CFGINTEGRITY
This hardware mechanism ensures the consistency of the CTU configuration at the
beginning of each CTU control period.
The configuration registers are all double-buffered. If the configuration is only partial
when the control period starts, the previous configuration is used and an error condition
is flagged, which must be handled by the application software.
Rationale: Ensures the consistency of the CTU configuration.
Implementation hint: The CTU uses a safe reload mechanism. The General Reload
Enable (GRE) bit in the Cross Triggering Unit Control Register (CTUCR) shall be used to
detect a partial or incomplete CTU update.
Doc ID 024283 Rev 2