SM1.FCCU.UNINTENDED_DEBUG_MON necessary?

RandyKrakora · ‎07-19-2024

Customer is Aurora.

s32g2

They are having trouble with a method to trigger a debug without needing to perform a reset first. So they are wondering if they even need to consider SM1.FCCU.UNINTENDED_DEBUG_MON?

It seems to me a debugger can be "attached" to a running system, so being able to detect this and force a fault to trigger a chip reset would be vital to safety? But they are indicating the test for this fault requires a chip reset, so it wouldn't be the same as a debugger "attach".

-Randy Krakora

antoinedubois

Hi Randy, I don't have access to their private community. Some customer have figured out a way to do it.

What I would do:
- The simpler method is that you assert the fault manually in FCCU NCF to self-test the SW can at least recover if this fault is trigger. Then I can ask design of a diagram to show that NXP has a redundant HW connections to this Debug Fault (we have a lot of low level fault signals ORed together to this fault). I can ask design to provide an overview. There cannot be tested.

What do you think?

Best regards,

Antoine

antoinedubois · ‎08-23-2024

Hi Randy,

I created a ticket. I doubt we would be able to change it for S32G however we will try to improve our future product.

RandyKrakora

Antoine,

So what can customers do about this for now?

Here is a link to the discussion I had with Leah how to test it, just for reference:

https://community.nxp.com/t5/S32G-Internal-Community/Trigger-debug-fault/m-p/1912046#M22284

-Randy Krakora

antoinedubois

Hi Randy, I don't have access to their private community. Some customer have figured out a way to do it.
What I would do:
- The simpler method is that you assert the fault manually in FCCU NCF to self-test the SW can at least recover if this fault is trigger. Then I can ask design of a diagram to show that NXP has a redundant HW connections to this Debug Fault (we have a lot of low level fault signals ORed together to this fault). I can ask design to provide an overview. There cannot be tested.

antoinedubois · ‎07-25-2024

Hi Randy,

Yes this is a key assumptions of the Safety concept to have this fault activated. The reason is for the freedom from interference. All the Debug logic in the SoC is really complex and really intrusive. Therefore it is developed QM (you can see the number of errata due to debug...). If any part of the debug logic is activated due to a random HW failure (not when a debugger is attached) the core will likely violate its safety goals, as it is a dependent failure between its functions and safety mechanisms (lockstep may not work correctly, watchdog may be impacted, configuration of safety related IP may changed).

That's why in the design all the low level debug signals are ORed together and connected to FCCU, if for any reason debug is activated, the assumptions is to go to safe state.

The Use Case that the application is running safety related application while the Debug is attached was not considered. It is usually done for prototyping therefore has a different Safety standard than ISO26262 (I forgot the name of this standard for Safety for testing on public road...).

Now it seems Aurora is also searching for a method to trigger the debug (for latent fault test I imagine). I agree this is a tricky one that we have been discussing at NXP. My current argument is that we do not need fault injection to prove the SM is working as there are multiple redundant path that would trigger it within the design. What I say may be contradicting the AoU in the Safety Manual, but it is currently in debate within the safety community and a conservative approach was taken.

RandyKrakora · ‎08-13-2024

Antoine,

Can we update any documentation stating the customers do not need to test for this fault?

I think that may be what Aurora is looking for here.

-Randy Krakora