
Introduction to the FCCU module of NXP S32K3 functional safety

1. Overview

The S32K3 series MCU from NXP is a high-performance automotive-grade MCU. The series supports functional safety up to ASIL-D, the highest level, and is widely used in automotive applications such as BMS, chassis controllers, and body controllers. This article introduces the FCCU module of the S32K3, one of the key modules for achieving functional safety. The FCCU is responsible for collecting hardware errors from the chip and controlling the chip's response to them. The following sections describe its functions.

2. Main features of the FCCU module

The FCCU (Fault Collection and Control Unit) is the chip's error collection and control module: when an error occurs in another module, the error signal is transmitted to the FCCU, which manages all such errors centrally.

The FCCU module of S32K3 has the following main features:

  • Manage non-critical failures
  • Hardware and software failure recovery management
  • Error collection of security-related modules on the chip
  • Error injection
  • Collect test results
  • Configuration can be locked
  • Configurable error control
  • The internal chip response of each non-critical fault can be configured (including functional reset, NMI interrupt, IRQ, and no action)

3. Functions of the FCCU module

The internal block diagram of the FCCU module is shown below:

Figure 3.1 FCCU module block diagram

The FCCU has the following four working states:

(1) CONFIG state

The default state after the S32K3 starts is CONFIG. In this state the FCCU's registers can be configured; once configuration is complete, software switches the FCCU to NORMAL mode manually. If the CONFIG timeout expires, the FCCU enters NORMAL mode automatically; until it is configured, the FCCU runs with its default configuration.

(2) NORMAL state

When the FCCU detects an error on any NCF channel, it automatically switches from NORMAL to ALARM or FAULT (depending on whether the ALARM interrupt of that NCF channel is enabled).

(3) ALARM state

If the ALARM interrupt is enabled for the NCF channel and an error occurs, the FCCU switches from NORMAL to ALARM and raises an ALARM interrupt. The user can handle the error in the interrupt; if the error disappears after handling, the FCCU switches back to NORMAL. The FCCU also has an ALARM timer: if the error does not disappear within the configured time, the FCCU enters the FAULT state.

(4) FAULT state

If the ALARM interrupt is not enabled for the NCF channel, the FCCU switches directly from NORMAL to FAULT when an error occurs. On entering FAULT, the configured reaction is either a functional reset or an NMI interrupt. If all errors are eliminated by the functional reset or by the NMI handler, the FCCU switches from FAULT back to NORMAL. If the error is not eliminated, functional resets are triggered repeatedly (configurable, up to 15 times); if the error still persists after those consecutive functional resets, a destructive reset is triggered (also configurable, up to 15 times). If the error cannot be eliminated after the configured number of consecutive destructive resets, the chip remains stuck in the reset state.

The following describes several typical timings of FCCU working-state switching. The figure below shows a typical timing of non-critical fault management. When an error event occurs, the FCCU state switches from NORMAL to ALARM, an ALARM interrupt is generated at the same time, and the NCF timer starts counting. When the fault is recovered, the state returns to NORMAL and the NCF timer goes back to IDLE.

Figure 3.2 Timing of recovery from the ALARM state for non-critical faults
 
The figure below shows a typical timing diagram of recovery after switching from the ALARM state to the FAULT state. When a non-critical fault occurs, the FCCU state switches from NORMAL to ALARM, an ALARM interrupt request is generated at the same time, and the NCF timer starts counting. When the timer expires and the fault has not been recovered, the FCCU switches from ALARM to FAULT, an NMI interrupt is generated at the same time, and the EOUT pin outputs the error-state level. After a certain period of time the system switches from the operating state to the safe state, and the NCF timer returns to IDLE. When the fault is recovered, the FCCU returns from FAULT to NORMAL, the ALARM interrupt request and the NMI interrupt request both stop, and the EOUT error signal stops as well.
Figure 3.3 Timing of recovery of non-critical faults from the ALARM to the FAULT state
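The four states above and the two timing sequences (Figures 3.2 and 3.3) describe a small state machine with a reset escalation policy. The following is an added example model written for this article to make those transitions concrete; it is not NXP's FCCU driver and uses no real FCCU register, bit or API name. The channel count, the function names, the choice of NMI as the modelled FAULT reaction, and the reset counters are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Educational model of the FCCU state machine described in the article.
 * Assumptions (not from the reference manual): 4 NCF channels, NMI as the
 * reaction on entering FAULT, and per-reset-kind counters for escalation. */
#define NCF_CHANNELS 4

typedef enum { FCCU_CONFIG, FCCU_NORMAL, FCCU_ALARM, FCCU_FAULT, FCCU_STUCK_IN_RESET } fccu_state_t;
typedef enum { RESET_NONE, RESET_FUNCTIONAL, RESET_DESTRUCTIVE, RESET_STUCK } reset_kind_t;

typedef struct {
    fccu_state_t state;
    bool alarm_enabled[NCF_CHANNELS];   /* ALARM interrupt enabled per NCF channel */
    bool fault_active[NCF_CHANNELS];    /* error currently reported on the channel */
    bool alarm_irq, nmi, eout_error, ncf_timer_running;
    int func_reset_max, dest_reset_max; /* configurable limits, up to 15 each */
    int func_resets, dest_resets;       /* consecutive resets already tried */
} fccu_model_t;

static bool any_fault(const fccu_model_t *m) {
    for (int i = 0; i < NCF_CHANNELS; i++)
        if (m->fault_active[i]) return true;
    return false;
}

/* After start-up the FCCU is in CONFIG; this is where registers are written. */
void fccu_init(fccu_model_t *m, int func_reset_max, int dest_reset_max) {
    memset(m, 0, sizeof *m);
    m->state = FCCU_CONFIG;
    m->func_reset_max = func_reset_max > 15 ? 15 : func_reset_max;
    m->dest_reset_max = dest_reset_max > 15 ? 15 : dest_reset_max;
}

/* Configuration is only accepted in CONFIG (the configuration is locked otherwise). */
bool fccu_set_alarm_enable(fccu_model_t *m, int ch, bool enable) {
    if (m->state != FCCU_CONFIG || ch < 0 || ch >= NCF_CHANNELS) return false;
    m->alarm_enabled[ch] = enable;
    return true;
}

/* Manual switch to NORMAL, or the CONFIG timeout expiring. */
void fccu_config_done(fccu_model_t *m) { if (m->state == FCCU_CONFIG) m->state = FCCU_NORMAL; }

static void enter_fault(fccu_model_t *m) {
    m->state = FCCU_FAULT;
    m->nmi = true;          /* modelled reaction; a functional reset is the alternative */
    m->eout_error = true;   /* EOUT drives the error level */
    m->ncf_timer_running = false;
}

/* An NCF channel reports an error: ALARM if its alarm interrupt is enabled, else FAULT. */
void fccu_raise_fault(fccu_model_t *m, int ch) {
    if (ch < 0 || ch >= NCF_CHANNELS) return;
    m->fault_active[ch] = true;
    if (m->state == FCCU_NORMAL && m->alarm_enabled[ch]) {
        m->state = FCCU_ALARM;
        m->alarm_irq = true;
        m->ncf_timer_running = true;
    } else if (m->state == FCCU_NORMAL || (m->state == FCCU_ALARM && !m->alarm_enabled[ch])) {
        enter_fault(m);
    }
}

/* NCF (alarm) timer expired while the fault is still present. */
void fccu_ncf_timer_expired(fccu_model_t *m) {
    if (m->state == FCCU_ALARM && any_fault(m)) enter_fault(m);
}

/* The error on a channel is cleared; with nothing pending the FCCU returns to NORMAL
 * and the ALARM/NMI requests and the EOUT error level stop. */
void fccu_clear_fault(fccu_model_t *m, int ch) {
    if (ch < 0 || ch >= NCF_CHANNELS) return;
    m->fault_active[ch] = false;
    if (!any_fault(m) && (m->state == FCCU_ALARM || m->state == FCCU_FAULT)) {
        m->state = FCCU_NORMAL;
        m->alarm_irq = m->nmi = m->eout_error = m->ncf_timer_running = false;
        m->func_resets = m->dest_resets = 0;
    }
}

/* Escalation while the error persists in FAULT: functional resets up to
 * func_reset_max, then destructive resets up to dest_reset_max, then stuck in reset. */
reset_kind_t fccu_escalate(fccu_model_t *m) {
    if (m->state != FCCU_FAULT) return RESET_NONE;
    if (m->func_resets < m->func_reset_max) { m->func_resets++; return RESET_FUNCTIONAL; }
    if (m->dest_resets < m->dest_reset_max) { m->dest_resets++; return RESET_DESTRUCTIVE; }
    m->state = FCCU_STUCK_IN_RESET;
    return RESET_STUCK;
}

/* Figure 3.2: alarm-enabled channel faults, then recovers before the timer expires. */
bool scenario_alarm_recovery(void) {
    fccu_model_t m;
    fccu_init(&m, 15, 15);
    bool ok = fccu_set_alarm_enable(&m, 0, true);
    fccu_config_done(&m);
    ok = ok && m.state == FCCU_NORMAL;
    fccu_raise_fault(&m, 0);
    ok = ok && m.state == FCCU_ALARM && m.alarm_irq && m.ncf_timer_running && !m.nmi;
    fccu_clear_fault(&m, 0);
    return ok && m.state == FCCU_NORMAL && !m.alarm_irq && !m.ncf_timer_running;
}

/* Figure 3.3: the fault outlives the NCF timer, so ALARM escalates to FAULT, then recovers. */
bool scenario_alarm_to_fault(void) {
    fccu_model_t m;
    fccu_init(&m, 15, 15);
    bool ok = fccu_set_alarm_enable(&m, 0, true);
    fccu_config_done(&m);
    fccu_raise_fault(&m, 0);
    fccu_ncf_timer_expired(&m);
    ok = ok && m.state == FCCU_FAULT && m.nmi && m.eout_error && !m.ncf_timer_running;
    fccu_clear_fault(&m, 0);
    return ok && m.state == FCCU_NORMAL && !m.nmi && !m.eout_error && !m.alarm_irq;
}

/* Persistent fault on a channel without ALARM: returns the reset sequence as a string of
 * F (functional), D (destructive) and S (stuck in reset). */
const char *scenario_escalation(int func_max, int dest_max) {
    static char seq[40];
    fccu_model_t m;
    fccu_init(&m, func_max, dest_max);
    fccu_config_done(&m);
    fccu_raise_fault(&m, 1);             /* channel 1: alarm not enabled, straight to FAULT */
    size_t n = 0;
    for (;;) {
        reset_kind_t k = fccu_escalate(&m);
        seq[n++] = k == RESET_FUNCTIONAL ? 'F' : k == RESET_DESTRUCTIVE ? 'D' : 'S';
        if (k == RESET_STUCK || n >= sizeof seq - 1) break;
    }
    seq[n] = '\0';
    return seq;
}

int main(void) {
    printf("alarm recovery (fig 3.2): %s\n", scenario_alarm_recovery() ? "ok" : "FAIL");
    printf("alarm to fault (fig 3.3): %s\n", scenario_alarm_to_fault() ? "ok" : "FAIL");
    printf("escalation with 2 functional + 2 destructive resets: %s\n", scenario_escalation(2, 2));
    return 0;
}
```

The escalation scenario is the part worth studying from a safety point of view: with the limits set to 2 and 2 the model produces the sequence FFDDS, i.e. the chip only ends up stuck in reset after every configured functional and destructive reset has failed to clear the fault, which is the behaviour the FAULT-state description above calls for.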
 
4. Reference materials

1. "S32K3XXRM.pdf", Rev. 9, 2024.07
