Is using one FCCU pin enough for ASIL D?

haythemLtifi
Contributor II

Hello,

I was wondering if using one FCCU pin is enough for ASIL D, or do I have to use both?

I found this table in one of the presentations, so I believe one pin is enough.

haythemLtifi_0-1777974700032.png

Also, in the case of the S32K3 MCU, does it support one FCCU pin, or does it have to be in a bi-stable pair?

I found this in the application note AN14068, page 25, but it's not clear to me:

FCCU monitoring by pair (bi-stable protocol)

When connected to the S32K3 MCU FCCU_ERR0 and FCCU_ERR1 pins, the FCCU1 and FCCU2 input pins must be configured by pair to work in bi-stable protocol by default. This configuration cannot be changed because the S32K3 only supports this protocol. The FCCU pins' polarity and the SBC reaction upon a fault can be changed nonetheless.

The default settings for FCCU pins are configured as below:

• FCCU1 = 0 or FCCU2 = 1 is considered as a fault (can be reversed using FCCU12_FLT_POL bits)

• When a fault occurs, the impact can be configured on RSTB, FS0B, and LIMP0 (using FCCU12_[RSTB/FS0B/LIMP0]_IMPACT)

 

Thank you

 

 

danielmartynek
NXP TechSupport

Hello @haythemLtifi,

S32K3xx is a SEooC, therefore ASIL‑D applies to the complete system, not just the MCU.
ASIL‑D is possible with a single FCCU EOUT signal; however, this introduces a latent fault scenario on the safety path (e.g. the pin stuck at “no fault” due to a short to GND or VDD, depending on polarity).
Referring to the FMEDA (SM3.FCCU_MON), the justification assumes a high diagnostic coverage (~99%). This requires external monitoring, typically implemented by the SBC (e.g. FS26). When both FCCU EOUT signals are used and monitored in a bi‑stable (or fault‑toggle) configuration, the SBC can achieve the required diagnostic coverage, as it detects stuck‑at and line faults structurally. In contrast, when using a single FCCU signal, additional independent mechanisms are required to reach the same level of coverage.

Regards,

Daniel
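
Added illustration (not part of the original posts and not NXP code): a small C model of the stuck-at argument in the answer above, using the default pair rule quoted from AN14068. It assumes the MCU drives FCCU1 = 1 / FCCU2 = 0 when healthy and the complementary levels on a fault, models only single stuck-at line faults, and the single-pin monitor is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Fault on the wire between an MCU FCCU output and the monitor input. */
typedef enum { LINE_OK = 0, STUCK_LOW = 1, STUCK_HIGH = 2 } line_fault_t;

/* Level the monitor actually sees for a driven level under a line fault. */
static bool observe(bool driven, line_fault_t f) {
    if (f == STUCK_LOW)  return false;
    if (f == STUCK_HIGH) return true;
    return driven;
}

/* Default pair rule quoted from AN14068: FCCU1 = 0 or FCCU2 = 1 is a fault. */
bool pair_monitor_fault(bool fccu1, bool fccu2) { return !fccu1 || fccu2; }

/* Hypothetical monitor watching FCCU1 only (0 = fault). */
bool single_monitor_fault(bool fccu1) { return !fccu1; }

/* The MCU signals a fault (assumed levels: FCCU1 = 0, FCCU2 = 1) while one
 * line is stuck. Count the stuck-at cases in which the monitor sees nothing. */
int missed_faults_pair(void) {
    int missed = 0;
    for (int line = 0; line < 2; line++)
        for (int f = STUCK_LOW; f <= STUCK_HIGH; f++) {
            bool p1 = observe(false, line == 0 ? (line_fault_t)f : LINE_OK);
            bool p2 = observe(true,  line == 1 ? (line_fault_t)f : LINE_OK);
            if (!pair_monitor_fault(p1, p2)) missed++;
        }
    return missed;
}

int missed_faults_single(void) {
    int missed = 0;
    for (int f = STUCK_LOW; f <= STUCK_HIGH; f++)
        if (!single_monitor_fault(observe(false, (line_fault_t)f))) missed++;
    return missed;
}

int main(void) {
    printf("pair:   %d of 4 stuck-at cases hide the MCU fault\n",
           missed_faults_pair());
    printf("single: %d of 2 stuck-at cases hide the MCU fault\n",
           missed_faults_single());
    return 0;
}
```

The one missed case for the single pin is the line stuck at its "no fault" level, which is the latent fault the answer describes.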

 

 
