FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Inputs integrity check for Digital Input/ ADC/PWM

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Inputs integrity check for Digital Input/ ADC/PWM

a week ago
181 Views
AshokSubramani
Contributor III

I am working on a safety-critical ECU design using the MPC5746C microcontroller, where I need to ensure the integrity of functional safety-relevant inputs (digital inputs, ADC, PWM ) for my ASILB ECU.

As per the MPC5746C Safety Manual (Rev. 2), sections 5.2.31 (SIUL2) and assumptions [SM_232], [SM_233], and [SM_237], it is recommended to use redundant I/O modules or replicated sensors to achieve the required safety integrity.

However, due to hardware constraints in my current system, I have only single hardware inputs available — no redundant pins or duplicated sensors. Hence, I cannot implement hardware-level redundancy.

I would like to request your guidance on:

  1. What software or MCU-level mechanisms (e.g., diagnostics, self-tests, or plausibility checks) are recommended or supported to ensure input data integrity in such a non-redundant configuration?

  2. Are there any registers, internal cross-checks, or peripheral features within SIUL2, ADC, or other modules that can be leveraged to detect faults (stuck-at, short to VDD/GND, etc.) at runtime?

  3. Does NXP provide any reference implementation or example for single-channel input integrity monitoring as an alternative to hardware redundancy?

Tags (1)
0 Kudos
Reply
3 Replies

a week ago
167 Views
petervlna
NXP TechSupport
NXP TechSupport

Hello,

What software or MCU-level mechanisms (e.g., diagnostics, self-tests, or plausibility checks) are recommended or supported to ensure input data integrity in such a non-redundant configuration?

Ok, you will hardly replace redundant reads on HW level with SW countermeasures. I am not sure what exactly ASIL-B asks in standard regarding the ADC read redundancy, but you can do multiple reads on the same channel (like a burst), and then see if all data are within desired thresholds.

But in case the input is disturbed by the EMC, this wont help much.

Therefore physical read on 2 channels spread on pinout is required.

Are there any registers, internal cross-checks, or peripheral features within SIUL2, ADC, or other modules that can be leveraged to detect faults (stuck-at, short to VDD/GND, etc.) at runtime?

I would no worry about peripheral integrity as it is tested on every destructive reset by STCU2 logic BIST. This device do not have build in ADC self test like ASIL-D devices.

Does NXP provide any reference implementation or example for single-channel input integrity monitoring as an alternative to hardware redundancy?

No, we support this in HW by multiple channels. And I do not see how any SW example will help eliminate the EMC on analog pins.

I expect this ASIL-B requirement is all about eliminating wrong reads on channel caused by EMC, thus you will do redundant reads, on pins which are spread across the uC.

Best regards,

Peter

0 Kudos
Reply

a week ago
157 Views
AshokSubramani
Contributor III

As you mentioned, performing multiple reads on the same ADC channel (burst sampling) can improve diagnostic coverage but cannot detect all types of faults. This approach is therefore not fully effective for ensuring input integrity under EMC conditions.

what about connecting the single ADC inputs to different ADC channels internally and validating the output of the both the channels..? - Does the statement is valid..?

Could you please clarify how similar integrity checks or fault detection mechanisms can be implemented for digital inputs and PWM inputs?

AshokSubramani_0-1760001920479.png

From my understanding, peripheral integrity is already verified by the STCU during each destructive reset, while ADC input integrity can only be fully ensured through redundant input channels. Please confirm if this interpretation is correct.

 

Tags (1)
0 Kudos
Reply

a week ago
133 Views
petervlna
NXP TechSupport
NXP TechSupport

Hello,

what about connecting the single ADC inputs to different ADC channels internally and validating the output of the both the channels..? - Does the statement is valid..?

That con eliminate fault at internal ADC modules. But such can be also eliminated by doing a ADC test measurement in intervals to ensure that ADC is converting correctly signal from pin.

Some UC has also ADC HW self test for this purpose. But not this one.

If there is EMC disturbance on the pin (induction) then this EMC will be also propagated from the pin to the all routed ADC channels.

In other words, if you measure incorrect voltage on the pin (due to induction) you can only eliminate such by dual sensing trough 2 input pins whose are not close to each other.

I do not see any workaround here.

Maybe if you know the range of expected voltages to be measured, then you can write a comapre+test algo to be at least in the expected range and if not, you will go to safe state (reset/remeasure etc....). But this wont catch corner case scenarios.

Could you please clarify how similar integrity checks or fault detection mechanisms can be implemented for digital inputs and PWM inputs?

Here are some general tips:

1. Digital Inputs – Integrity Monitoring Techniques

 Stuck-at Fault Detection

Pull-up/Pull-down Resistor Toggling:

  • Configure the input pin with an internal pull-up, then switch to pull-down.
  • If the input value doesn’t change accordingly, it may be stuck-at or shorted.

Input Excitation (if possible)

  • If the input is connected to a controllable external signal (e.g., via MCU output or test mode), toggle the signal and verify the input response.

Plausibility Checks

  • Temporal behavior: Ensure the input toggles within expected time intervals.
  • Cross-check with system state: For example, if a switch is expected to be off during a certain operation, flag unexpected ON states.

2. PWM Inputs – Integrity Monitoring Techniques

Capture and Measure Duty Cycle

  • Use eMIOS in input capture mode to:
    • Measure frequency, duty cycle, and pulse width.
    • Compare against expected ranges or patterns.

Plausibility Checks

  • Range checks: Ensure duty cycle and frequency are within valid bounds.
  • Rate-of-change: Detect sudden jumps or frozen signals.
  • Timeout detection: If no edge is detected within a time window, flag a fault.

Cross-check with ADC or System State

  • If PWM input controls a physical actuator (e.g., fan), compare measured PWM with ADC feedback (e.g., RPM sensor).

 

From my understanding, peripheral integrity is already verified by the STCU during each destructive reset, while ADC input integrity can only be fully ensured through redundant input channels. Please confirm if this interpretation is correct.

Yes, in case the STCU BIST for ADC is selected and enabled. I do not see other way how to ensure the measured signal correct other then redundant measurement. As EMC usually do not strike all pins. It is just induction from neighbor pins. 

Best regards,

Peter

0 Kudos
Reply