AN4266 Datasheet, PDF (58/76 Pages) STMicroelectronics – Safety application guide for SPC56xL70xx family
Functions of external devices for ASIL D applications
Note:
If the power supply is out of range, the PSM moves and maintains the system (ECU level) to
a Safe state condition within the FTTI (for example, the PSM disconnects the SPC56xL70xx
device from the power supply).
Working outside the specified voltage range may cause permanent damage to the
SPC56xL70xx even if the MCU is held in reset (see SPC56xL70xx Data Sheet for correct
voltage operating ranges).
4.3 Error Out Monitor Function (ERRM)
The FCCU has two external pins: FCCU_F[0], FCCU_F[1].
An external device must be connected to the FCCU via FCCU_F[0] and optionally
FCCU_F[1] to continually monitor the error output pins of the FCCU.
If a failure is detected, the ERRM moves and maintains the system (ECU level) to a Safe
state condition within the FTTI (e.g., the ERRM disconnects the SPC56xL70xx device from
the power supply).
Mandatory: Depending on user selection, there are two different ways to interface to the
FCCU:
● Both FCCU pins connected to the external device
● Only a single FCCU pin connected to the external device
Rationale: To monitor the error out signals (FCCU_F[x]) for correct functionality.
Mandatory: For ASIL D applications, the user can choose between these FCCU
configurations, depending on which best fits the hardware and software system.
Both FCCU configurations work properly with all the supported error out protocols. Refer to
the SPC56xL70xx Reference Manual for a list of supported protocols.
The system (for example, ECU) cannot rely on any pins, other than the SPC56xL70xx error
output pins (FCCU_F[n]), when those pins indicate an error.
4.3.1 Both FCCU pins connected to external device
In this case, both pins FCCU_F[0] and FCCU_F[1] are connected to the external device.
Mandatory: The external device must check both signals, taking into account that
FCCU_F[0] = FCCU_F[1].
Rationale: To check the integrity of the FCCU.
In this configuration the external device continuously monitors the output of the FCCU. Thus
it can detect if the FCCU does not work properly.
The advantage of this configuration with respect to the other one is that it does not need any
dedicated software.
Implementation hint: Monitoring the error out pins through combinatorial logic (e.g., an XOR
gate) can generate glitches. Oversampling these pins reduces the possibility that the
glitches occur.
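The sketch below is an added example, not code from AN4266 or from any ST library. It shows one way an external monitor could apply the oversampling hint: compare the two pins on every sample and declare a failure only when the violation persists for several consecutive samples. All type and function names are hypothetical, and the expected pin relation is a parameter to be set according to the configured error out protocol (the text above states FCCU_F[0] = FCCU_F[1]).

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names throughout; not taken from AN4266 or any ST library. */
typedef enum { ERRM_PINS_EQUAL, ERRM_PINS_COMPLEMENTARY } errm_relation_t;

typedef struct {
    errm_relation_t expected; /* relation the pins hold while the FCCU is healthy */
    uint8_t threshold;        /* consecutive bad samples that count as a failure */
    uint8_t bad_count;        /* current run of consecutive bad samples */
    bool fault_latched;       /* set once, cleared only by errm_init() */
} errm_monitor_t;

void errm_init(errm_monitor_t *m, errm_relation_t expected, uint8_t threshold)
{
    m->expected = expected;
    /* threshold * sampling period is the detection delay and must fit in the
     * FTTI together with the reaction time; 0 would disable detection. */
    m->threshold = threshold ? threshold : 1;
    m->bad_count = 0;
    m->fault_latched = false;
}

/* Feed one oversampled reading of FCCU_F[0] and FCCU_F[1].
 * Returns true once a failure is latched (system must go to the Safe state). */
bool errm_sample(errm_monitor_t *m, bool f0, bool f1)
{
    bool differ = (f0 != f1); /* what an XOR gate on the two pins would output */
    bool bad = (m->expected == ERRM_PINS_EQUAL) ? differ : !differ;

    if (m->fault_latched)
        return true;
    if (!bad) {
        m->bad_count = 0;     /* a run shorter than threshold was a glitch */
        return false;
    }
    if (++m->bad_count >= m->threshold)
        m->fault_latched = true; /* violation persisted across the window */
    return m->fault_latched;
}

/* Run a recorded trace; returns the sample index where the failure latched,
 * or -1 if the trace never violated the relation for long enough. */
int errm_first_fault(errm_monitor_t *m, const bool *f0, const bool *f1, int n)
{
    for (int i = 0; i < n; i++)
        if (errm_sample(m, f0[i], f1[i]))
            return i;
    return -1;
}
```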
4.3.2 Single FCCU pin connected to external device
A single pin, FCCU_F[0] (or FCCU_F[1]), is connected to the external device.
Doc ID 024283 Rev 2