FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Is using one FCCU pin enough for ASIL D?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Is using one FCCU pin enough for ASIL D?

Jump to solution
‎05-05-2026 02:51 AM
585 Views
haythemLtifi
Contributor II

hello , 

I was wondering if using one FCCU pin is enough for the ASIL D or i have to use both?

I found this table in one of the presentation so i belive one pin is enough.

haythemLtifi_0-1777974700032.png

Also in case of the S32K3 MCU , does it support one FCCU pin or it has to be in pair bi stable ?

i found this in the application note AN14068 page 25 but its not clear to me :

FCCU monitoring by pair (bi-stable protocol)

When connected to the S32K3 MCU FCCU_ERR0 and FCCU_ERR1 pins, the FCCU1 and FCCU2 input

pins must be configured by pair to work in bi-stable protocol by default. This configuration cannot be changed

because the S32K3 only supports this protocol. The FCCU pins' polarity and the SBC reaction upon a fault can

be changed nonetheless.

The default settings for FCCU pins are configured as below:

• FCCU1 = 0 or FCCU2 = 1 is considered as a fault (can be reversed using FCCU12_FLT_POL bits)

• When a fault occurs, the impact can be configured on RSTB, FS0B, and LIMP0 (using FCCU12_[RSTB/

FS0B/LIMP0]_IMPACT)

 

thank you

 

 

0 Kudos
Reply
1 Solution

Jump to solution
‎05-05-2026 11:18 PM
520 Views
danielmartynek
NXP TechSupport
NXP TechSupport

Hello @haythemLtifi,

S32K3xx is a SEooC, therefore ASIL‑D applies to the complete system, not just the MCU.
ASIL‑D is possible with a single FCCU EOUT signal; however, this introduces a latent fault scenario on the safety path (e.g. the pin stuck at “no fault” due to a short to GND or VDD, depending on polarity).
Referring to the FMEDA (SM3.FCCU_MON), the justification assumes a high diagnostic coverage (~99%). This requires external monitoring, typically implemented by the SBC (e.g. FS26). When both FCCU EOUT signals are used and monitored in a bi‑stable (or fault‑toggle) configuration, the SBC can achieve the required diagnostic coverage. as it detects stuck‑at and line faults structurally. In contrast, when using a single FCCU signal, additional independent mechanisms are required to reach the same level of coverage.

Regards,

Daniel

 

 

View solution in original post

0 Kudos
Reply
1 Reply

Jump to solution
‎05-05-2026 11:18 PM
521 Views
danielmartynek
NXP TechSupport
NXP TechSupport

Hello @haythemLtifi,

S32K3xx is a SEooC, therefore ASIL‑D applies to the complete system, not just the MCU.
ASIL‑D is possible with a single FCCU EOUT signal; however, this introduces a latent fault scenario on the safety path (e.g. the pin stuck at “no fault” due to a short to GND or VDD, depending on polarity).
Referring to the FMEDA (SM3.FCCU_MON), the justification assumes a high diagnostic coverage (~99%). This requires external monitoring, typically implemented by the SBC (e.g. FS26). When both FCCU EOUT signals are used and monitored in a bi‑stable (or fault‑toggle) configuration, the SBC can achieve the required diagnostic coverage. as it detects stuck‑at and line faults structurally. In contrast, when using a single FCCU signal, additional independent mechanisms are required to reach the same level of coverage.

Regards,

Daniel

 

 

0 Kudos
Reply