AN3077 Datasheet, PDF(57/82 Page) STMicroelectronics

English

English German Russian Spanish Italian Polish Chinese Japanese Korean French Portuguese	Language :

AN3077 Datasheet, PDF (57/82 Pages) STMicroelectronics – Safety application guide

◁

AN3077

Functions of external devices for ASIL D applications

Note:

If the power supply is out of range, the PSM moves and maintains the system (ECU level) to

a Safe state condition within the FTTI (for example, the PSM disconnects the

Device_Number device from the power supply).

Working outside the specified voltage range may cause permanent damage to the

Device_Number even if the MCU is held in reset (see Device_Number Data Sheet for

correct voltage operating ranges).

4.3

Note:

4.3.1

Note:

4.3.2

Error Out Monitor Function (ERRM)

The FCCU has two external pins: FCCU_F[0], FCCU_F[1].

An external device must be connected to the FCCU via FCCU_F[0] and optionally

FCCU_F[1] to continually monitor the error output pins of the FCCU.

If a failure is detected, the ERRM moves and maintains the system (ECU level) to a Safe

state condition within the FTTI (e.g., the ERRM disconnects the Device_Number device

from the power supply)

Mandatory: Depending on user selection, there are two different ways to interface to the

FCCU:

â Both FCCU pins connected to the external device

â Only a single FCCU pin connected to the external device

Rationale: To monitor the error out signals (FCCU_F[x]) for correct functionality

Mandatory: For ASIL D applications, the user can choose between these FCCU

configurations, depending on which best fits the hardware and software system.

Both FCCU configurations work properly with all the supported error out protocols. Refer to

the Device_Number Reference Manual for a list of supported protocols.

The system (for example, ECU) cannot rely on any pins, other than the Device_Number

error output pins (FCCU_F[n]), when those pins indicate an error.

Both FCCU pins connected to external device

In this case, both pins FCCU_F[0] and FCCU_F[1] are connected to the external device.

Mandatory: The external device must check both signals, taking into account that

FCCU_F[0] = FCCU_F[1].

Rationale: To check the integrity of the FCCU

In this configuration the external device continuously monitors the output of the FCCU. Thus

it can detect if the FCCU does not work properly.

The advantage of this configuration with respect to the other one is that it does not need any

dedicated software.

Implementation hint: Monitoring the error out pins through a combinatorial logic (e.g., XOR

port) can generate some glitches. Oversampling these pins reduces the possibility that the

glitches occur.

Single FCCU pin connected to external device

A single pin, FCCU_F[0] (or FCCU_F[1]), is connected to the external device.

DocID16384 Rev 10

57/82

▷