Confidential
TriCore™ AURIX™ Family
32-bit
Startup Software Safety Considerations
AP32320
Application Note
About this document
Scope and purpose
This document summarizes the AURIX microcontroller startup software (SSW) safety analysis: the possible malfunctions and the workarounds to be considered at system level.
Intended audience
Architects, System and Software engineers using the AURIX microcontroller in a safety-related application.
Table of Contents
About this document ........................................................................ 1
Table of Contents ........................................................................... 1
1 Wrong installation of CCUCONx registers ................................................ 2
2 Wrong/missing SRAM repair ................................................................ 3
3 Wrong installation of SCU_EVROSCCTRL and SCU_EVRRSTCON ............................. 4
4 Wrong installation of P21_LPCR1, Pn_PDR0, Pn_PDR1 and Pn_PDISC ..................... 5
5 Wrong installation of SCU_CHIPID register ............................................. 6
6 Unintentional SRAM initialization after Warm Power-On reset ......................... 7
7 Wrong handling of ESR0 pin ............................................................... 8
8 Wrong installation of DSADC_GLOBCFG ................................................... 9
9 Wrong installation of SCU_DTSCON ....................................................... 10
10 Wrong installation of FLASH0_FCON ..................................................... 11
NDA required
1
v1.0, 2015-10
Downloaded by IFXDMZ\par-blackert 05/03/2020 13:35:33
1 Wrong installation of CCUCONx registers
Potential Causes / Mechanism of Failure
Soft error model during writing to SFR
Description
CCUCONx reset value(s) may be wrongly installed during the SSW execution.
Safety impact
Due to an error in CCUCON, the clock cannot be faster than the clock source (FBACK) during SSW
execution.
→ This cannot lead to any safety-relevant impact (too high frequency).
Customer worst-case scenario: due to wrong CCUCON settings, after the switch to the PLL source, some
dividers may generate a too high frequency for some clock users (e.g. SPB > 100 MHz).
Workaround
User shall program all clock-related registers according to the requirements of the application.

2 Wrong/missing SRAM repair
Potential Causes / Mechanism of Failure
Soft error model during data transfer from PFLASH to FPI SFR
Description
Due to a failure during SSW execution, defective RAM location(s) may not be replaced (i.e. repaired) by the
redundancy mechanism.
Safety impact
Reading from defective, unrepaired RAM location(s) will permanently trigger ECC errors, so the location(s)
may not be usable (in the case of uncorrectable errors).
Workaround
Use only SRI SRAMs before the SMU and MTU are active, because an ECC error there raises a trap and is
thereby identified.
If other RAM(s) are used before the SMU and MTU are active, the error status bits (MCx_ECCD.UERR/CERR)
shall be checked to identify whether an ECC error has happened.
Note: HSM is locked after boot and HSM RAMs cannot be checked.

3 Wrong installation of SCU_EVROSCCTRL and SCU_EVRRSTCON
Potential Causes / Mechanism of Failure
Soft error model during data transfer from DFLASH to FPI SFR
Description
A failure during SSW execution may lead to a wrong installation of SCU_EVROSCCTRL and SCU_EVRRSTCON
reset values.
Safety impact
The primary bandgap trimming or power monitoring may be wrong.
Workaround
User shall verify the configuration of the SCU_EVROSCCTRL (offset from SCU base address: 1D8H) and
SCU_EVRRSTCON registers.
EVR hard reset control values: User shall read 4 B from offset 110H in UCB4 and check or reconfigure
SCU_EVRRSTCON.
EVR oscillator control values: User shall read 4 B from offset 14CH in UCB4 and check or reconfigure
SCU_EVROSCCTRL.
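As an added illustration (not code from this application note or from Infineon), the following C function performs the check described above: it reads the 4-byte reference values at offsets 110H and 14CH of UCB4, compares them with the live SCU_EVRRSTCON and SCU_EVROSCCTRL contents, and optionally writes the reference value back into a mismatching register. The SCU and UCB4 base addresses, the little-endian assembly of the UCB4 words, the host-side variables standing in for the SFRs and the sample values are assumptions. On the real device the SCU register writes additionally require the protected-register unlock sequence (ENDINIT/Safety ENDINIT), which is not shown here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Offsets stated in the application note. */
#define UCB4_EVRRSTCON_OFFSET   0x110u   /* EVR hard reset control values, 4 bytes in UCB4 */
#define UCB4_EVROSCCTRL_OFFSET  0x14Cu   /* EVR oscillator control values, 4 bytes in UCB4 */
#define SCU_EVROSCCTRL_OFFSET   0x1D8u   /* offset of SCU_EVROSCCTRL from the SCU base address */

/* Mismatch flags returned by evr_check_reconfigure(). */
#define EVR_MISMATCH_RSTCON   (1u << 0)
#define EVR_MISMATCH_OSCCTRL  (1u << 1)

/* Read a 32-bit value stored at a byte offset inside UCB4.
 * Assumption: little-endian storage; byte-wise assembly avoids alignment issues. */
static uint32_t ucb4_read32(const uint8_t *ucb4, uint32_t offset)
{
    return (uint32_t)ucb4[offset]
         | ((uint32_t)ucb4[offset + 1] << 8)
         | ((uint32_t)ucb4[offset + 2] << 16)
         | ((uint32_t)ucb4[offset + 3] << 24);
}

/* Compare the live SCU_EVRRSTCON / SCU_EVROSCCTRL contents with the reference values
 * stored in UCB4. Returns a bitmask of mismatches. When `repair` is set, the reference
 * value is written back into each mismatching register (protected-register unlock omitted).
 * `evrrstcon` and `evroscctrl` point at the SFRs on the target; on the host they point at
 * ordinary variables standing in for them. */
uint32_t evr_check_reconfigure(const uint8_t *ucb4,
                               volatile uint32_t *evrrstcon,
                               volatile uint32_t *evroscctrl,
                               bool repair)
{
    uint32_t mismatches  = 0;
    uint32_t ref_rstcon  = ucb4_read32(ucb4, UCB4_EVRRSTCON_OFFSET);
    uint32_t ref_oscctrl = ucb4_read32(ucb4, UCB4_EVROSCCTRL_OFFSET);

    if (*evrrstcon != ref_rstcon) {
        mismatches |= EVR_MISMATCH_RSTCON;
        if (repair) *evrrstcon = ref_rstcon;
    }
    if (*evroscctrl != ref_oscctrl) {
        mismatches |= EVR_MISMATCH_OSCCTRL;
        if (repair) *evroscctrl = ref_oscctrl;
    }
    return mismatches;
}

/* Host-side demonstration: a constructed UCB4 image and two variables standing in for
 * the SFRs. On the real device the register pointers would be derived from the SCU base
 * address (not given in the note), e.g. SCU base + SCU_EVROSCCTRL_OFFSET. */
#define UCB4_IMAGE_SIZE 0x200u

static uint8_t  demo_ucb4[UCB4_IMAGE_SIZE];
static uint32_t demo_evrrstcon;
static uint32_t demo_evroscctrl;

static void demo_store32(uint8_t *ucb4, uint32_t offset, uint32_t value)
{
    ucb4[offset]     = (uint8_t)(value & 0xFFu);
    ucb4[offset + 1] = (uint8_t)((value >> 8) & 0xFFu);
    ucb4[offset + 2] = (uint8_t)((value >> 16) & 0xFFu);
    ucb4[offset + 3] = (uint8_t)((value >> 24) & 0xFFu);
}

/* Scenario: the SSW installed SCU_EVRRSTCON correctly, but SCU_EVROSCCTRL suffered a
 * single-bit upset. Returns the mismatch mask seen before repair; afterwards both
 * registers match the UCB4 reference again. Sample values are constructed. */
uint32_t evr_demo(void)
{
    memset(demo_ucb4, 0, sizeof demo_ucb4);
    demo_store32(demo_ucb4, UCB4_EVRRSTCON_OFFSET,  0x00A50001u);
    demo_store32(demo_ucb4, UCB4_EVROSCCTRL_OFFSET, 0x00003C42u);

    demo_evrrstcon  = 0x00A50001u;                /* correct */
    demo_evroscctrl = 0x00003C42u ^ 0x00000400u;  /* one flipped bit */

    return evr_check_reconfigure(demo_ucb4, &demo_evrrstcon, &demo_evroscctrl, true);
}
```

Running the check with `repair` set to false turns it into a pure verification step that the application can report to its safety mechanism instead of silently correcting the register.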

4 Wrong installation of P21_LPCR1, Pn_PDR0, Pn_PDR1 and Pn_PDISC
Potential Causes / Mechanism of Failure
Soft error model during data transfer from DFLASH to FPI SFR.
Soft error model during data read from config sector.
Soft error model during data transfer from PFLASH to FPI SFR.
Description
A failure during SSW execution may lead to a wrong installation of P21_LPCR1, Pn_PDR0, Pn_PDR1 and
Pn_PDISC reset values.
Safety impact
Only the error pin has a safety impact, as the other ports are application-dependent and should be protected
by application-level safety mechanisms.
→ The error pin is assumed to be tested during application startup.
Workaround
User shall implement application-level safety mechanisms, or
User shall check or re-configure the P21_LPCR1, Pn_PDR0, Pn_PDR1 and Pn_PDISC registers according to
the requirements of the application (e.g. pin availability, driver mode etc.).

5 Wrong installation of SCU_CHIPID register
Potential Causes / Mechanism of Failure
Soft error model during data transfer from PFLASH to FPI SFR.
Description
A failure during SSW execution may lead to a wrong installation of SCU_CHIPID.
Safety impact
No reference to SCU_CHIPID in safety manual. No direct impact on AURIX Safety Concept.
However, it might have an impact on software that is designed to execute only on specific devices and
checks SCU_CHIPID.
Workaround
User shall implement a plausibility check, e.g.:
Try accessing registers of modules that are not supposed to be implemented, to distinguish different
devices.
To differentiate dvp steps of a device, check the module ID register of a module that changed from one
dvp step to another.
User shall program the value of SCU_CHIPID to flash.

6 Unintentional SRAM initialization after Warm Power-On reset
Potential Causes / Mechanism of Failure
Soft error model during reading from SFR.
Description
A failure during SSW execution may cause unintentional SRAM initialization after Warm Power-On reset. This
is applicable for CPUx and LMU SRAMs.
Safety impact
User software might rely on safety-related data stored in these SRAMs.
Workaround
User SW shall verify that SRAM data were not unintentionally initialized by the SSW, e.g. by storing a simple
pattern in these SRAMs and checking whether it is still there after a Warm PORST.
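An added example, not from this application note, of the pattern check suggested above, written in C: a marker word and its bitwise complement (plus one item of protected data with its complement) live in a region of the CPUx/LMU SRAM that the application's own startup code does not clear; after a warm PORST the check fails if the SSW initialized the SRAM, since an all-zero or all-one fill defeats both the pattern and the complement test. The noinit section placement, the struct layout, the simulated SSW fill and the sample boot count are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Fixed pattern written at cold start. Constructed value. */
#define SRAM_MARKER_MAGIC 0x5A3C0F96u

typedef struct {
    uint32_t magic;           /* fixed pattern */
    uint32_t magic_inv;       /* bitwise complement of the pattern */
    uint32_t boot_count;      /* example of data that must survive a warm PORST */
    uint32_t boot_count_inv;  /* its complement, so a fill value cannot pass */
} sram_marker_t;

/* On target this object must be placed in a "noinit" section of the CPUx/LMU SRAM of
 * interest so the application's own C startup does not clear it, e.g. (assumed, tool-chain
 * specific):  __attribute__((section(".noinit"))) static sram_marker_t marker;
 * For the host-side run an ordinary static suffices. */
static sram_marker_t marker;

/* Arm the marker at cold start, or whenever the check below reports a loss. */
void sram_marker_arm(sram_marker_t *m, uint32_t boot_count)
{
    m->magic          = SRAM_MARKER_MAGIC;
    m->magic_inv      = ~SRAM_MARKER_MAGIC;
    m->boot_count     = boot_count;
    m->boot_count_inv = ~boot_count;
}

/* Called first thing in user startup after a warm PORST. Returns true only if the pattern
 * and the protected data are intact, i.e. the SSW did not initialize this SRAM. */
bool sram_marker_intact(const sram_marker_t *m)
{
    if (m->magic != SRAM_MARKER_MAGIC)                        return false;
    if (m->magic_inv != ~SRAM_MARKER_MAGIC)                   return false;
    if ((m->boot_count ^ m->boot_count_inv) != 0xFFFFFFFFu)   return false;
    return true;
}

/* Simulates the effect of the SSW (unintentionally) initializing the SRAM with a fill byte. */
void simulate_ssw_sram_init(sram_marker_t *m, uint8_t fill)
{
    memset(m, fill, sizeof *m);
}

/* Startup decision as the application would take it: returns the boot count to continue
 * with and reports via *data_lost whether the stored data had to be discarded and re-armed. */
uint32_t startup_check(sram_marker_t *m, bool *data_lost)
{
    if (sram_marker_intact(m)) {
        *data_lost = false;
        m->boot_count++;
        m->boot_count_inv = ~m->boot_count;
        return m->boot_count;
    }
    *data_lost = true;
    sram_marker_arm(m, 1);
    return 1;
}

/* Host-side scenario: arm, survive a warm reset, lose the data to a zero fill, re-arm,
 * then lose it again to an all-ones fill. Returns the number of steps that behaved as
 * expected (4 when the mechanism works). */
int sram_demo(void)
{
    int  ok = 0;
    bool lost;

    sram_marker_arm(&marker, 7);
    if (startup_check(&marker, &lost) == 8 && !lost) ok++;  /* data survived */
    simulate_ssw_sram_init(&marker, 0x00);                  /* SSW cleared the SRAM */
    if (!sram_marker_intact(&marker)) ok++;
    if (startup_check(&marker, &lost) == 1 && lost) ok++;   /* loss detected and re-armed */
    simulate_ssw_sram_init(&marker, 0xFF);                  /* all-ones fill also detected */
    if (!sram_marker_intact(&marker)) ok++;
    return ok;
}
```

The complement words are what make the check robust against an initializing fill: a plain magic word alone would still be defeated by an SSW that happened to write the same constant, whereas no single fill byte can produce both a value and its complement.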

7 Wrong handling of ESR0 pin
Potential Causes / Mechanism of Failure
Soft error model during reading from SFR
Description
A failure caused by a wrong read from
the SCU Reset Control Unit ESR Input Register SCU_IN or
the DFlash Protection Configuration FLASH0_PROCOND, or
a wrong installation of SCU_ESROCFG during SSW access,
may lead to wrong handling of the ESR0 pin.
Safety impact
As a consequence, the user code start is not synchronized with ESR0:
User code never starts.
→ No issue (safe), because covered by the external WDG.
SSW starts the user code earlier/later than indicated by the external release of the ESR0 pin, which may
cause system-related startup failures.
Workaround
User shall consider timing-related or stuck-at failures related to the ESR0 signal handling.
→ Proposal: a system-level application monitors the release of ESR0.