We are not using FCCU Eout Pin. Instead of Eout Pin, we plan to use NMI and trigger reset in the interrupt vector.
Our understanding of Eout Pin is to give the chance to recover the fault. In our use case, it could have more reset.
In order to ensure we would like to predict the probability of the reset due to the fault notification from FCCU. We would like to compare between Eout Pin use case and No Eout Pin use case how often more reset could occur.
Is there any way that we can quantitively estimate it?
Solved! Go to Solution.
Hello,
Per the latest response (and previous responses) on the topic of FCCU Eout Pin, we are considering this topic closed. Thank You.
Dear Dave Fantl,
Please share the following :
- The failure modes covered by SM3.FCCU_MON [PMIC and FCCU Eout]
- The cut-set [2nd/3th] mitigated by SM3.FCCU_MON [PMIC and FCCU Eout]
Also, what is the relation with reaching to ASIL D by using SM3.FCCU_MON [PMIC and FCCU Eout]
Many thanks,
Hello Heebeom,
1. PMIC is responsible for monitoring the EOUT and other signals to generate a system state indication signal.
2. The system uses the system state indication signal (or signals) to ensure a reliable transition into a system safe state. The system waits for a grace period before performing that transition to allow the chip to apply a recovery measure without being disturbed.
3. SM3.FCCU_MON is the monitoring of the FCCU output pins by the PMIC. EOUTs indicate the error sate of MCU to the PMIC. As such it is an integral part of the safe state handling (see Chapter 5 of the Safety Manual) and an intrinsic element of the fault reaction and fault recovery flow assumed by all safety mechanism (see sections 2.7 and 2.8 within the Safety Concept chapter of the Safety Manual) and the overall Safety Concept
4. Any fault occurrence has to be serviced within FTTI and in case of fault reaction timeout EOUT is asserted so the external system monitoring the EOUT signal knows that system safe state has to be achieved within FTTI.
5. Chip functional reset(R3 reaction) is the recommended reaction in case of critical fault such as Core lockups, uncorrectable SRAM/FLASH errors etc. R3 reaction is the assertion of chip functional reset along EOUT assertion.
6. Now in your scenario
7. NXP recommends an R3 reaction for faults considered in point 5(See the fault map in Reference Manual). This avoids the complications mentioned for your approach.
8. The dependent failure analysis (and hence the cut sets) is performed for the chip’s architecture with respect to the assumed safety concept. NXP’S safety concept already recommends the reaction for faults associated with the fault recovery concept are not repeated as part of the dependent failure analysis performed for this device. Instead related dependencies are listed in the AoU(s) associated with this concept (e.g. master safety core) and are not considered for the dependent failure analysis. Deviating from this concept does invalidate this assumptions and would require a corresponding analysis as is already highlighted
9. In other words the above discussed common cause failures are relevant for your context alone and it's related fault handling. You need to determine the related cut-sets yourself and justify the mitigation measures to cover them.
10. For all the reasons mentioned above EOUT monitoring cannot be avoided irrespective of the the Target ASIL.
Hoping this finally clears it.
Thanks!
-Yashwant
Dear Yashwant,
thank you very much for your answer. However the answer is not corresponding to the original question we asked about the failure modes and cutsets covered by SM3.FCCU_MON.
Due to the fact that NXP performs the safety anlaysis for the internal component of the MCU, NXP only knows the cutsets. VNE cannot know the internal cutsets of NXP MCU. We kindly ask to provide the information we requested.
Also in response to the comment from #8 like " related dependencies are listed in the AoU(s) associated with this concept (e.g. master safety core) ", can you specify which AoU requirements? Can you provide the identification number of the corresponding AoU(es)?
Many thanks,
Hello,
Per the latest response (and previous responses) on the topic of FCCU Eout Pin, we are considering this topic closed. Thank You.
We are going to use NMI instead of Eout Pin for ASIL D. However, in terms of the dependent failure can you be more specific about the dependent failure? If we use NMI instead of Eout Pin, why it cannot be used for ASIL D? Can you show up the architecture and the failure and so on in more detail?
Hello,
The failure of CGM to correctly generate the core_clock can be the common cause failure for both the AXBS and the Core M7 cores themselves. Another example would be the failure of CGM to correctly generate the AIPS_PLAT clock which will render the various on chip register interfaces unusable for the application cores.
In the event of such faults the application core would not be able to trigger a reset as either the interconnect or the register interfaces are not clocked correctly. Therefore the application will not be able to assert a functional reset by reacting to the NMI sent by the FCCU as a fault reaction.
Although there are measures in place such as independent clock monitoring to take care of such dependent failures but as mentioned in my previous response it is not possible to “quantify” such dependent failures to accurately estimate the probability of reset assertion.
It is recommended to assert EOUT pins because if the internal functional reset generation within the chip is not successful, then PMIC will assert destructive reset to the SoC via RESET_B pin when the watchdog timer window in the PMIC expires. This certainly ups the probability of reset assertion as it avoids dependent failures if we compare the EOUT vs Non EOUT case. This is why we recommend EOUT assertion (irrespective of ASIL target actually) owing to the said higher probability.
Hoping this helps!
Thanks!
-Yashwant
Posting on behalf of Michael
Hope this clarifies the question.
Thanks!
-Yashwant
In response to the common cause failures can you provide the following?
- The cutsets [at least 2/3 orders] , which can be covered/mitigated by using Eout Pin that PMIC triggers reset
Hello Yashwant,
Thanks for the explaination.
For your information, NXP PMIC is not used in the module, another System Base chip is used with NXP MCU. Could you let us know what effect will have if the EOUT pin is not used for S32K388 MCU? Thanks.
Thank you for your answer.
However in S32K388-289pins_2022_R2.1.xlsx , the relevant SM "SM3.FCCU_MON" is not stated for the portion of what you explained to mitigate the common cause failure. The SM is only used for PADs.
Also it shall be specified in safety manual?
Many thanks,
Heebeom,
Hello,
Hoping this helps!
Thanks!
-Yashwant
Dear Yashwant,
thank you for your kind answer. The following are the your answers that are prefixed with [Answer from Yashwant_Nr]. I have commented below with the prefix[Question from HB_Nr]
[Question from HB_1] In this case, the external watchdog as indirect detection measures for the
following modes in FMEDA could cover? Also if FCCU Eout Pin is not used, the following portion of FMEDA can be "Not applicable"?
Hello,
The probability of reset assertion (or failure to assert the reset) via the SW route can be estimated using the failure rate of the respective modules being utilized in the reset trigger path. The failure rates of FCCU, CORE, NVIC, Interconnects and RGM can be derived from the FMEDA to mathematically compute the probability of a successful reset assertion.
However by configuring the FCCU to assert functional resets for your faults under consideration would bypass the core, interconnects etc. and so has a higher probability of enabling system safe-state.
Regarding the EOUT vs non EOUT it must also be noted that apart from the random hardware failures there is also the case of Dependent failures such as common clock or power for the modules in the reset assertion path and currently there is now way to quantify the dependent failure analysis.
We would strongly recommend to make use of FCCU EOUT pins if the MCU is targeted for ASIL-D application to avoid dependent failures. If the MCU is targeted for ASIL-B application, then maybe you can be more flexible and decide not to use FCCU EOUT.
Thanks!
-Yashwant
Dear Yashwant,
for ASIL D, it was strongly recommended that FCCU Eout Pin shall be used.
Can you explain why the ASIL D requires this in terms of the diagnostic coverage and which failure modes?
Many thanks,
Hello Heebeom,
In the initial post of this thread the question was more around FCCU and the device was not mentioned (which was ascertained later in this thread and in other parallel ones to be K3xx) so my initial response was more general in nature.
The intention behind "We would strongly recommend making use of FCCU EOUT pins if the MCU is targeted for ASIL-D application to avoid dependent failures. If the MCU is targeted for ASIL-B application, then maybe you can be more flexible and decide not to use FCCU EOUT" was to cover both the K1xx (targeting ASIL B) and K3x (targeting ASIL D) where the latter has the FCCU/EOUT indication available and the former doesn't.
The K1xx relies upon the external system monitoring the MCUs error flags/status registers for error indication.
Hoping this clears it up.
Thanks!
-Yashwant
Dear Yashwant,
thank you very much. We are going to use S32K3xx. In case ASIL B, then the more flexibility instead of using the EoutPin of FCCU? However for ASIL D, then the Eout Pin must be used?
Many thanks,
Hello Heebeom,
In S32K3xx EOUT monitoring is applicable for both ASIL B and ASIL D use cases. This is because the overall chip architecture and susceptibility to dependent failures remains the same.
The major difference between ASIL B and D is the use of M7 cores in split lock and lockstep respectively.
Thanks!
-Yashwant
thank you very much.
Can you explain it with graphical view? So in case lockstep is used, the FCCU is some mitigation measures? For the detail, for which failure modes, the FCCU is needed to reach to ASIL D?
With the provided the FMDEA, FCCU Eout Pin mechanism [SM3.FCCU_MON] are used for FCCU Pins and PAD. It is not used for the core. In order to understand the usage of PMIC with FCCU Eout Pin, we need more information.