AN4124 Application note
Using SPC56EL60x Fault Collection and Control Unit (FCCU)
September 2013, Doc ID 023294 Rev 2, 1/32

Introduction

This application note describes in detail how to use the main features of the SPC56EL60x Fault Collection and Control Unit module (FCCU).

The Fault Collection and Control Unit offers a redundant hardware channel to collect errors and, as soon as a failure is detected, to lead the device to a safety state in a controlled way. No CPU intervention is required for collection and control operation.

The FCCU circuitry is checked at start-up (after boot) by the self-checking procedure. The FCCU is operative with a default configuration (without CPU intervention) immediately after the completion of the self-checking procedure.

Two classes of faults are identified based on their criticality and the related reactions. Internal (that is, short or long functional reset, interrupt request) and external (EOUT signaling) reactions are statically defined or programmable based on the fault criticality. The default configuration can be modified only in a specific FCCU state for application/test/debugging purposes.

www.st.com
Contents

1 FCCU main features .... 6
2 HW/SW recoverability fault .... 7
3 Fault dual path: FCCU and RGM .... 8
3.1 RGM module .... 8
4 Fault: CF and NCF .... 9
4.1 Critical fault (CF) .... 9
4.2 Non-critical fault (NCF) .... 11
5 FCCU settings .... 13
5.1 Example 1: FCCU critical fault injection (no NMI assertion) .... 13
5.1.1 FCCU init .... 14
5.2 Example 2: FCCU critical fault injection (NMI assertion) .... 15
5.2.1 FCCU init .... 16
5.3 Example 3: FCCU - non-critical fault injection .... 16
5.4 Lock FCCU configuration .... 18
5.5 Hardware: XPC56XL minimodule .... 18
Appendix A Redundancy and functions .... 19
A.1 Path redundancy on critical error reaction .... 19
A.2 General purpose function .... 21
A.2.1 Config state .... 21
A.2.2 Normal state .... 21
A.2.3 Lock FCCU .... 21
A.2.4 Read status register .... 21
A.2.5 Clear fault .... 22
A.2.6 Clear all critical faults .... 23
A.2.7 Clear all non-critical faults .... 23
A.2.8 Read FCCU - state machine .... 24
A.2.9 Non-critical fault - enable .... 24
A.2.10 NCF - normal to alarm - read state .... 25
A.2.11 NCF - normal to alarm - clear state .... 25
A.2.12 IRQ status .... 25
A.3 General purpose functions .... 26
A.3.1 Example n1: fake NCF by external IRQ .... 26
A.3.2 Example n2: fake CF by external IRQ .... 28
Appendix B Further information .... 30
B.1 Acronyms .... 30
Revision history .... 31
List of tables

Table 1. RGM_FES register .... 8
Table 2. Critical fault .... 9
Table 3. Non-critical fault .... 11
Table 4. Acronyms .... 30
Table 5. Document revision history .... 31
List of figures

Figure 1. FCCU state machine .... 6
Figure 2. XPC56EL minimodule .... 18
Figure 3. Dual path faults .... 19
Figure 4. RGM/FCCU - no dual path faults .... 19
Figure 5. RGM/FCCU - dual path faults (critical faults) .... 20
Figure 6. RGM/FCCU - dual path faults (non-critical faults) .... 20
Figure 7. XPC56XXMB mother board .... 26
Figure 8. NCF injection flow .... 27
Figure 9. CF injection flow .... 29
1 FCCU main features

The FCCU features are:
- The Fault Control and Collection Unit (FCCU) is a hardware IP providing a central capability to control and collect faults reported by individual modules of the SoC.
- Faults are reported to the outside world via output pin(s) if no recovery is provided by the SoC; no internal actions (such as IRQ, reset) can be taken.
- The operation of the fault collection unit is independent of the CPU, so the FCCU provides a fault reporting mechanism even if the CPU is malfunctioning.
- The Fault Control and Collection Unit is developed specifically to increase the level of safety of the system and ECU.
- The FCCU allows a redundant path to the RGM to enter failsafe mode in case of error.

Figure 1 shows the FCCU state machine (FCCU-SM):

[Figure 1. FCCU state machine. States: CONFIG, NORMAL, ALARM, FAULT. Transition labels legible in the figure: "non-critical fault unmasked AND timeout enabled"; "non-critical fault recovered"; "fault recovered"; "non-critical fault unmasked AND timeout disabled OR critical fault"; "non-critical fault unrecovered"; "non-critical fault not recovered on time OR critical fault OR non-critical fault unmasked AND time disabled"; "configuration entry AND NOT configuration locked"; "configuration exit OR timeout"; "Reset"; "non-critical fault masked".]
2 HW/SW recoverability fault

In general, the following definitions are applicable to fault management:
- HW recoverable fault: the fault indication is a level-sensitive signal that is asserted until the cause of the fault is removed. Typically the fault signal is latched in a module external to the FCCU. The FCCU state transitions are consequently executed on the state changes of the input fault signal (FCCU_CF[] or FCCU_NCF[]). No SW intervention in the FCCU is required to recover the fault condition.
- SW recoverable fault: the fault indication is a signal asserted without a defined time duration. The fault signal is resynchronized and latched in the FCCU. The fault recovery is executed following a SW recovery procedure (status/flag register clearing).

The following types of reset are applicable:
- Destructive reset: any type of reset related to a power failure condition that implies a complete system reinitialization.
- Long functional reset: implies flash and digital circuitry (with some exceptions, including FCCU, STCU) initialization.
- Short functional reset: implies digital circuitry (with some exceptions, including FCCU, STCU) initialization.
3 Fault dual path: FCCU and RGM

Due to the dual path, many faults (critical and not) reach both the RGM and the FCCU. The NMI can be mapped in RAM; for this reason the NMI is cleared after a reset condition.

In general, when a fault occurs, if it is mapped on both RGM and FCCU, the RGM generates a reset independently of the FCCU settings. After the reset (generated by the fault) the system is in safe state. By looking in the FCCU CFSx status register (by procedure), it can recognize the fault and react to it. After fault recovery the system transition can be: safe => run.

If the fault is mapped only on the FCCU (as CF[20]), when it occurs the system resets or generates an NMI assertion, depending on the FCCU settings. In the reset case, the FCCU generates a reset through the RGM; since the system stays in safe state, it does nothing. After the system transitions from safe to run (and the fault is set), the system unmasks the NMI. From the NMI ISR it is possible to clear the fault state registers.

3.1 RGM module

The reset generation module (MC_RGM) centralizes the different reset sources and manages the reset sequence of the device. Table 1 shows the RGM_FES (functional event status) register bitmap.

Table 1. RGM_FES register (16 bits; every field is readable and write-1-to-clear (w1c); reset value 0x0000)

  Bit  Field
  0    F_EXR
  1    F_FCCU_HARD
  2    F_FCCU_SOFT
  3    F_ST_DONE
  4    F_CMU12_FHL
  5    FL_ECC_RCC
  6    F_PLL1
  7    F_SWT
  8    F_FCCU_SAFE
  9    F_CMU0_FHL
  10   F_CMU0_CLR
  11   F_PLL0
  12   F_CWD
  13   F_SOFT
  14   F_CORE
  15   F_JTAG
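A worked decoder for the Table 1 layout, added here as an example; it is not code from AN4124 or from ST. It assumes, as the `rgm.fes.r & 0x0080` test in the fccu_clear_critical_fault() routine of Appendix A implies, that Table 1 numbers bits from the most significant bit, so F_FCCU_SAFE (bit 8) is mask 0x0080; the function names and the sample value are this example's own. It also models the w1c behaviour: a write clears exactly the flags whose bit is 1 in the written value, and writing 0xFFFF, as Appendix A does, clears them all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not AN4124 code: decoding the RGM_FES register of Table 1.
 * Assumption: bit 0 of the table is the most significant bit, which is what
 * makes F_FCCU_SAFE (bit 8) the 0x0080 mask tested in Appendix A.2.6. */

static const char *const rgm_fes_names[16] = {
    "F_EXR",       "F_FCCU_HARD", "F_FCCU_SOFT", "F_ST_DONE",
    "F_CMU12_FHL", "FL_ECC_RCC",  "F_PLL1",      "F_SWT",
    "F_FCCU_SAFE", "F_CMU0_FHL",  "F_CMU0_CLR",  "F_PLL0",
    "F_CWD",       "F_SOFT",      "F_CORE",      "F_JTAG"
};

/* Register mask of a flag given its Table 1 bit number (0 = MSB); 0 if out of range. */
uint16_t rgm_fes_mask(unsigned bit_number)
{
    if (bit_number > 15)
        return 0;
    return (uint16_t)(1u << (15u - bit_number));
}

/* Table 1 bit number of a field name, or -1 if the name is unknown. */
int rgm_fes_bit(const char *name)
{
    for (int i = 0; i < 16; i++)
        if (strcmp(rgm_fes_names[i], name) == 0)
            return i;
    return -1;
}

/* Non-zero if the last reset was the FCCU "safe" reaction (F_FCCU_SAFE set). */
int rgm_fes_fccu_safe_pending(uint16_t fes)
{
    return (fes & rgm_fes_mask(8)) != 0;
}

/* Every RGM_FES field is w1c: the write clears exactly the flags whose bit is
 * 1 in the written value and leaves the others untouched. */
uint16_t rgm_fes_after_w1c(uint16_t fes, uint16_t written)
{
    return (uint16_t)(fes & (uint16_t)~written);
}

/* Print the name of every flag set in a sampled value; returns how many were set. */
int rgm_fes_dump(uint16_t fes)
{
    int count = 0;
    for (unsigned bit = 0; bit < 16; bit++) {
        if (fes & rgm_fes_mask(bit)) {
            printf("  bit %2u  %s\n", bit, rgm_fes_names[bit]);
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample: F_FCCU_HARD (bit 1) and F_FCCU_SAFE (bit 8) flagged. */
    uint16_t fes = (uint16_t)(rgm_fes_mask(1) | rgm_fes_mask(8));
    printf("RGM_FES = 0x%04X\n", fes);
    rgm_fes_dump(fes);
    if (rgm_fes_fccu_safe_pending(fes))
        printf("device came back from an FCCU safe-mode reset\n");
    fes = rgm_fes_after_w1c(fes, rgm_fes_mask(8)); /* acknowledge only F_FCCU_SAFE */
    printf("after w1c of bit 8: 0x%04X\n", fes);
    return 0;
}
```

The point of keeping the mask computation in one function is that the MSB-first numbering is the one place where this register is easy to get wrong: a reader who writes `1 << 8` for F_FCCU_SAFE tests F_SWT instead.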
4 Fault: CF and NCF

The fault state has a higher priority than the alarm state in the case of concurrent fault events (critical and non-critical) that occur in the normal state. In case of concurrent critical faults, the fault reaction corresponds to the worst case (for example, a long functional reset is asserted if it has been programmed).

The alarm to fault state transition occurs if a fault (unmasked and with time-out disabled) is asserted in the alarm state. Any critical fault (programmed to react with a hard or soft reaction) that occurs when the FCCU is already in the fault state causes an immediate hard or soft reaction (long or short functional reset).

The alarm to normal state transition occurs only if all the non-critical faults (including the faults collected after entry to the alarm state) have been cleared (SW or HW recovery). Otherwise the FCCU remains in the alarm state.

The fault to normal state transition occurs only if all the critical and non-critical faults (including the faults collected after entry to the fault/alarm state) have been cleared (SW or HW recovery). Otherwise the FCCU remains in the fault state (if any critical fault is still pending) or returns to the alarm state (if any non-critical fault is still pending and the time-out has not elapsed).

4.1 Critical fault (CF)

Below is the CF table:

Table 2. Critical fault
Columns: Critical fault | Source | Signal | Default func. reset (short/long/none) | Set/clear injection

  CF[0]   RCCU0[0]        RCC_OUT                                                          long   x
  CF[1]   RCCU1[0]        RCC_OUT                                                          long   x
  CF[2]   RCCU0[1]        RCC_OUT                                                          long   x
  CF[3]   RCCU1[1]        RCC_OUT                                                          long   x
  CF[4]   RCCU0[2]        RCC_OUT                                                          long   x
  CF[5]   RCCU1[2]        RCC_OUT                                                          long   x
  CF[6]   RCCU0[3]        RCC_OUT                                                          long   x
  CF[7]   RCCU1[3]        RCC_OUT                                                          long   x
  CF[8]   RCCU0[4]        RCC_OUT                                                          long   x
  CF[9]   RCCU1[4]        RCC_OUT                                                          long   x
  CF[10]  RCCU0[5]        RCC_OUT                                                          long   x
  CF[11]  RCCU1[5]        RCC_OUT                                                          long   x
  CF[12]  RCCU0[6]        RCC_OUT                                                          long   x
  CF[13]  RCCU1[6]        RCC_OUT                                                          long   x
  CF[14]  SWT_0           software watchdog timer                                          long   ?
  CF[15]  SWT_1           software watchdog timer                                          long   ?
  CF[16]  MCM_NCE_0       ECC not correctable error                                        long   ?
  CF[17]  MCM_NCE_1       ECC not correctable error                                        long   ?
  CF[18]  ADC_CF_0        internal self test (critical fault)                              ?      x (by ADC itself)
  CF[19]  ADC_CF_1        internal self test (critical fault)                              ?      x (by ADC itself)
  CF[20]  STCU_CF         BIST results (critical faults)                                   ?      x
  CF[21]  LVD_HVD_1.2V    LVD/HVD BIST failure result in test mode                         ?      x
  CF[22]  SSCM_XFER_ERR   SSCM transfer error (during the STCU config loading)             ?      ?
  CF[23]  LSM_DPM_ERR0    LSM <-> DPM runtime switch                                       long   x
  CF[24]  LSM_DPM_ERR1    LSM <-> DPM runtime switch                                       long   x
  CF[25]  ?               ?                                                                ?      ?
  CF[26]  ?               ?                                                                ?      ?
  CF[27]  STCU            STCU fault condition (run in application mode)                   long   ?
  CF[28]  DFT0            combination of safety critical signals from test control unit (TCU)  long   ?
  CF[29]  DFT1            combination of safety critical signals from test control unit (TCU)  long   ?
  CF[30]  DFT2            combination of safety critical signals from test control unit (TCU)  long   ?
  CF[31]  DFT3            combination of safety critical signals from test control unit (TCU)  long   ?
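The transition rules of this section, together with the labels of Figure 1, as a host-side state-machine model in C. This is an added example, not code from the application note: the fields of `fccu_inputs_t` (`cf_pending`, `ncf_to_pending` and so on) are this example's abstraction of what the FCCU currently sees, not device registers, and every function name is its own. The model also carries the "worst case wins" rule for concurrent critical fault reactions and runs one constructed scenario through NORMAL, ALARM and FAULT.

```c
#include <stdio.h>

/* Added example, not AN4124 code: a host-side model of the FCCU state
 * machine as Section 4 and Figure 1 describe it.  The fields of
 * fccu_inputs_t are this example's abstraction of what the FCCU currently
 * sees; they are not device registers. */

typedef enum { FCCU_CONFIG, FCCU_NORMAL, FCCU_ALARM, FCCU_FAULT } fccu_state_t;

typedef struct {
    int cf_pending;          /* an unmasked critical fault is latched */
    int ncf_to_pending;      /* an unmasked NCF with time-out enabled is latched */
    int ncf_noto_pending;    /* an unmasked NCF with time-out disabled is latched */
    int ncf_timeout_elapsed; /* NCF time-out expired with the NCF not yet recovered */
    int config_requested;    /* OP1 issued (configuration entry) */
    int config_locked;       /* configuration lock set (Section 5.4) */
    int config_exit;         /* OP2 issued, or the config time-out elapsed */
} fccu_inputs_t;

/* Masked NCFs never reach the inputs: Figure 1 leaves the FCCU in NORMAL for them. */
fccu_state_t fccu_next_state(fccu_state_t s, const fccu_inputs_t *in)
{
    int fault_now = in->cf_pending || in->ncf_noto_pending; /* FAULT from any run state */
    switch (s) {
    case FCCU_CONFIG:
        return in->config_exit ? FCCU_NORMAL : FCCU_CONFIG;
    case FCCU_NORMAL:
        if (fault_now) return FCCU_FAULT;                 /* FAULT wins over ALARM */
        if (in->ncf_to_pending) return FCCU_ALARM;
        if (in->config_requested && !in->config_locked) return FCCU_CONFIG;
        return FCCU_NORMAL;
    case FCCU_ALARM:
        if (fault_now || in->ncf_timeout_elapsed) return FCCU_FAULT;
        return in->ncf_to_pending ? FCCU_ALARM : FCCU_NORMAL; /* all NCFs cleared */
    case FCCU_FAULT:
        if (fault_now) return FCCU_FAULT;                 /* a CF still pending */
        if (in->ncf_to_pending) return in->ncf_timeout_elapsed ? FCCU_FAULT : FCCU_ALARM;
        return FCCU_NORMAL;                                /* everything cleared */
    }
    return s;
}

/* Convenience wrappers so one call expresses one snapshot of inputs. */
fccu_state_t fccu_step(fccu_state_t s, int cf, int ncf_to, int ncf_noto, int elapsed)
{
    fccu_inputs_t in = {0};
    in.cf_pending = cf; in.ncf_to_pending = ncf_to;
    in.ncf_noto_pending = ncf_noto; in.ncf_timeout_elapsed = elapsed;
    return fccu_next_state(s, &in);
}

fccu_state_t fccu_config_step(fccu_state_t s, int requested, int locked, int exit_cfg)
{
    fccu_inputs_t in = {0};
    in.config_requested = requested; in.config_locked = locked; in.config_exit = exit_cfg;
    return fccu_next_state(s, &in);
}

/* Section 4: concurrent critical faults get the worst-case reaction. */
typedef enum { REACT_NONE = 0, REACT_SHORT = 1, REACT_LONG = 2 } fccu_reaction_t;

fccu_reaction_t fccu_worst_reaction(const fccu_reaction_t *r, int n)
{
    fccu_reaction_t worst = REACT_NONE;
    for (int i = 0; i < n; i++)
        if (r[i] > worst) worst = r[i];
    return worst;
}

/* Constructed scenario: NCF with time-out -> ALARM; recovered -> NORMAL;
 * CF and NCF together -> FAULT; CF cleared, NCF pending, time-out not
 * elapsed -> ALARM; all recovered -> NORMAL.  Returns how many steps
 * produced the expected state (5 when the model follows Section 4). */
int fccu_scenario_matches(void)
{
    static const int script[5][4] = {   /* cf, ncf_to, ncf_noto, elapsed */
        {0, 1, 0, 0}, {0, 0, 0, 0}, {1, 1, 0, 0}, {0, 1, 0, 0}, {0, 0, 0, 0} };
    static const fccu_state_t expected[5] = {
        FCCU_ALARM, FCCU_NORMAL, FCCU_FAULT, FCCU_ALARM, FCCU_NORMAL };
    static const char *const names[] = { "CONFIG", "NORMAL", "ALARM", "FAULT" };
    fccu_state_t s = FCCU_NORMAL;      /* state after reset (Section 5.1) */
    int matches = 0;
    for (int i = 0; i < 5; i++) {
        s = fccu_step(s, script[i][0], script[i][1], script[i][2], script[i][3]);
        printf("step %d -> %s\n", i, names[s]);
        matches += (s == expected[i]);
    }
    return matches;
}

int main(void)
{
    return fccu_scenario_matches() == 5 ? 0 : 1;
}
```

The model is deliberately input-driven rather than event-driven: each call sees the complete set of latched faults, which is how the text phrases the exit conditions ("only if all the ... faults have been cleared").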
4.2 Non-critical fault (NCF)

Table 3 is the NCF table:

Table 3. Non-critical fault
Columns: Non-critical fault | Source | Signal | Default func. reset (short/long/none) | Fault management | Polarity | Set/clear injection

  NCF[0]   CORE_0       watchdog p_wrs[0]                                 long   latched   high   ?
  NCF[1]   CORE_0       watchdog p_wrs[1]                                 long   latched   high   ?
  NCF[2]   FM_PLL_0     loss of lock                                      long   latched   high   ?
  NCF[3]   FM_PLL_1     loss of lock                                      long   latched   high   ?
  NCF[4]   CMU_0        loss of XOSC clock                                long   latched   high   ?
  NCF[5]   CMU_0        SYSCLK frequency out of range                     long   latched   high   ?
  NCF[6]   CMU_1        MOTC_CLK frequency out of range                   long   latched   high   ?
  NCF[7]   CMU_2        FRPE_CLK frequency out of range                   long   latched   high   ?
  NCF[8]   MCM_ECN_0    ECC 1-bit error correction notification           ?      latched   high   ?
  NCF[9]   MCM_ECN_1    ECC 1-bit error correction notification           ?      latched   high   ?
  NCF[10]  ADC_NCF_0    internal self test (non-critical fault)           ?      latched   high   x (by ADC itself)
  NCF[11]  ADC_NCF_1    internal self test (non-critical fault)           ?      latched   high   x (by ADC itself)
  NCF[12]  STCU_NCF     BIST results (non-critical faults)                ?      latched   high   x
  NCF[13]  LVD_1.2V     LVD BIST OK in test mode / LVD NOK in user mode   ?      latched   high   x
  NCF[14]  HVD_1.2V     HVD BIST OK in test mode / HVD NOK in user mode   ?      latched   high   x
  NCF[15]  LVD VREG     LVD VREG fault detected by self-checking          ?      latched   high   x
  NCF[16]  LVD FLASH    LVD FLASH fault detected by self-checking         ?      latched   high   x
  NCF[17]  LVD IO       LVD IO fault detected by self-checking            ?      latched   high   x
  NCF[18]  PMU          comparator fault detected by self-checking        ?      latched   high   ?
  NCF[19]  FLEXR_ECN    ECC 1-bit error correction notification           ?      latched   high   ?
  NCF[20]  FLEXR_NCE    ECC not correctable error                         ?      latched   high   ?
  NCF[21]  MC_ME        software device reset                             ?      latched   high   ?
  NCF[22]  BP_BALLAST0  bypass ballast0                                   ?      latched   high   ?
  NCF[23]  BP_BALLAST1  bypass ballast1                                   ?      latched   high   ?
  NCF[24]  BP_BALLAST2  bypass ballast2                                   ?      latched   high   ?
  NCF[25]  ?            ?                                                 ?      ?         ?      ?
  NCF[26]  ?            ?                                                 ?      ?         ?      ?
  NCF[27]  ?            ?                                                 ?      ?         ?      ?
  NCF[28]  ?            ?                                                 ?      ?         ?      ?
  NCF[29]  ?            ?                                                 ?      ?         ?      ?
  NCF[30]  ?            ?                                                 ?      ?         ?      ?
  NCF[31]  ?            ?                                                 ?      ?         ?      ?
5 FCCU settings

Normally the FCCU is configured at start-up. In any case, some registers can only be managed in the config state (according to the IP specification block guide).

5.1 Example 1: FCCU critical fault injection (no NMI assertion)

We show the FCCU functionality by means of an example which uses fault injection (with fake functionality), in order to show the FCCU reaction. The example is without NMI assertion. The fault is checked and cleared by looking in the CFSx registers.

Example description
- Put the FCCU in config state: set registers.
- Return to normal state by means of a procedure or by allowing the time-out to elapse.
- Inject (fake) faults.
- After reset (by RGM), verify, in safe state (without NMI), which fault was detected (FCCU_CFS0 register).
- Clear the FCCU_CFS0 register (by suitable procedure).

Example procedure
- After reset the FCCU automatically enters normal state.
- Configure the FCCU in config state with dual-rail encoding protocol:
  - Write the key to the FCCU_CTRLK register [OP1].
  - Write the FCCU_CTRL register (operation OP1).
- Emulate all (fake) SW/HW faults:
  - FCCU_CFG (configuration register):
    - SM = 1 (EOUT protocol (dual-rail, time-switching) fast switching mode)
    - PS = 1 (FCC_EOUT[1] active low, FCC_EOUT[0] active low)
    - FOM = 000 (fault output mode selection = dual-rail (default state) [FCCU_EOUT[1:0] = outputs])
    - FOP = 0 (fault output prescaler = input clock frequency (ipg_clk_safe clock) is divided by 2048)
- Enter normal state:
  - Write the key into the FCCU_CTRLK register [OP2].
  - Write the FCCU_CTRL register (operation OP2).
- Set the fault by the FCCU_CFF registers (reset assertion by RGM).
- Read and verify FCCU_CFS0..3 by means of procedure (NMI was masked).
- Clear HW/SW faults from FCCU_CFS0..3 by means of procedure.
Code

After the core initialization, in the main function the code is (NMI masked):

    if (me.gs.b.s_current_mode == 2){ /* safe mode */
        if((fccu_clear_critical_fault()) == pass){
            /* test pass */
        }else{
            while(1); /* test fail */
        }
    }else{ /* drun mode */
        /* ----------------- test init --------------------- */
        if((tc0_init()) == pass){
            /* ----------------- fake fault --------------------- */
            fccu.cff.r = 0; /* first fault injection */
        }else{
            while(1); /* test fail */
        }
        /* ----------------- end test init --------------------- */
    }

Description

At the beginning the microcontroller is in DRUN mode, so the "else" branch is taken and the tc0_init procedure runs. In tc0_init the FCCU is configured. When the injected fault is asserted (fccu.cff.r = 0), the system resets. After start-up, in the main function the system is in safe mode (the NMI is masked). Then the "if" branch is taken, and all faults are cleared.

5.1.1 FCCU init

    uint16_t tc0_init(void){
        /* ----------------- config state --------------------- */
        fccu_config_state(); /* config state */
        fccu.cfg.b.sm = 1; /* eout protocol (dual-rail, time-switching) fast switching mode */
        fccu.cfg.b.ps = 1; /* fcc_eout[1] active low, fcc_eout[0] active low */
        fccu_cfg_fom_config(cfg_fom0); /* cfg_fom0 = dual-rail (default state) [fccu_eout[1:0] = outputs] */
        fccu_cfg_fop_config(0); /* fault output prescaler = input clock frequency (ipg_clk_safe clock) is divided by 2 x 1024 */
        /* ----------------- normal state --------------------- */
        fccu_normal_state(); /* normal state */
        return(pass);
    }
5.2 Example 2: FCCU critical fault injection (NMI assertion)

In this example we show fault injection (with fake functionality), in order to show an FCCU reaction. The example is with NMI assertion. The fault is checked and cleared inside the NMI subroutine by looking in the CFSx registers.

Example description
- Put the FCCU in config state: set registers.
- Return to normal state: by means of procedure or by allowing the time-out to elapse.
- Inject (fake) faults.
- Verify, in safe state (NMI management), that the fault is detected (FCCU_CFS0 register).
- Clear the FCCU_CFS0 register (by suitable procedure).

Example procedure
- After the reset the FCCU automatically enters normal state.
- Configure the FCCU in config state with dual-rail encoding protocol:
  - Write the key to the FCCU_CTRLK register [OP1].
  - Write the FCCU_CTRL register (operation OP1).
- Emulate all (fake) SW/HW faults:
  - FCCU_CFG_TO = 0x7 (set time-out)
  - FCCU_CFG (configuration register):
    - SM = 1 (EOUT protocol (dual-rail, time-switching) fast switching mode)
    - PS = 1 (FCC_EOUT[1] active low, FCC_EOUT[0] active low)
    - FOM = 000 (fault output mode selection = dual-rail (default state) [FCCU_EOUT[1:0] = outputs])
    - FOP = 0 (fault output prescaler = input clock frequency (ipg_clk_safe clock) is divided by 2048)
  - FCCU_CFS_CFG0 = 0 (no reset reaction)
- Enter normal state:
  - Write the key to the FCCU_CTRLK register [OP2].
  - Write the FCCU_CTRL register (operation OP2).
- Set the fault by the FCCU_CFF registers (no reset assertion).
- NMI assertion: nmi_isr managing.
- Read and verify FCCU_CFS0..3 by means of procedure.
- Clear HW/SW faults from FCCU_CFS0..3 by means of procedure.

Code

After the core initialization, in the main function the code is:

    if((tc0_init()) == pass){
        /* ----------------- fake fault --------------------- */
        fccu.cff.r = 20; /* n. 20 fault injection */
        delay(10000); /* delay */
    }else{
        /* tc0_init - failure */
    }
Description

First the microcontroller is in DRUN mode; the "if" branch is taken once the tc0_init procedure succeeds. The FCCU is configured in tc0_init. Next CF 20 is injected (in order to generate an NMI, without reset). When the injected fault is asserted (fccu.cff.r = 20), the system asserts the NMI. In the NMI ISR the fault is cleared and the system enters RUN mode.

5.2.1 FCCU init

    uint16_t tc0_init(void){
        /* ----------------- config state --------------------- */
        fccu.cfg_to.r = 0x7; /* set the config state time-out to 8.192 ms */
        fccu_config_state(); /* config state */
        fccu.cfg.b.sm = 1; /* eout protocol (dual-rail, time-switching) fast switching mode */
        fccu.cfg.b.ps = 1; /* fcc_eout[1] active low, fcc_eout[0] active low */
        fccu_cfg_fom_config(cfg_fom0); /* cfg_fom0 = dual-rail (default state) [fccu_eout[1:0] = outputs] */
        fccu_cfg_fop_config(0); /* fault output prescaler = input clock frequency (ipg_clk_safe clock) is divided by 2 x 1024 */
        /* set the critical fault reaction */
        fccu.cfs_cfg0.r = 0; /* no reset reaction */
        /* ----------------- normal state --------------------- */
        fccu_normal_state(); /* normal state */
        return(pass);
    }

5.3 Example 3: FCCU - non-critical fault injection

In this example we show fault injection (with fake functionality), in order to show an FCCU reaction. The example is with fault_isr assertion. The fault is checked and cleared in the fault_isr subroutine by looking in the CFSx registers.

Example description
- Put the FCCU in config state: set registers.
- Return to normal state: by means of procedure or by allowing the time-out to elapse.
- Inject (fake) faults (NCF n. 12).
- Verify, in run state (fault_isr management), that the fault is detected (FCCU_NCFS0 register).
- Clear the FCCU_NCFS0 register (by suitable procedure).
Example procedure
- After the reset the FCCU automatically enters normal state.
- Configure the FCCU in config state with dual-rail encoding protocol:
  - Write the key to the FCCU_CTRLK register [OP1].
  - Write the FCCU_CTRL register (operation OP1).
- Emulate all (fake) SW/HW faults:
  - FCCU_CFG_TO = 0x7 (set time-out)
  - FCCU_CFG (configuration register):
    - SM = 1 (EOUT protocol (dual-rail, time-switching) fast switching mode)
    - PS = 1 (FCC_EOUT[1] active low, FCC_EOUT[0] active low)
    - FOM = 000 (fault output mode selection = dual-rail (default state) [FCCU_EOUT[1:0] = outputs])
    - FOP = 0 (fault output prescaler = input clock frequency (ipg_clk_safe clock) is divided by 2 x 1024)
  - FCCU_NCFS_CFG0 = 0 (no reset reaction)
  - FCCU_NCFE0 = 0xffffffff (enable the FCCU to move to alarm or fault state)
  - FCCU_NCF_TOE0 = 0xffffffff (the FCCU moves into the alarm state if the respective fault is enabled (NCFEx is set))
  - FCCU_NCF_TO = 0xffffffff (non-critical fault time-out)
- Enter normal state:
  - Write the key to the FCCU_CTRLK register [OP2].
  - Write the FCCU_CTRL register (operation OP2).
- Set the fault by the FCCU_NCFF registers (NCF n. 12).
- ISR assertion: fault_isr managing (ISR n. 250).
- Read and verify FCCU_NCFS0..3 by means of procedure.
- Clear HW/SW faults from FCCU_NCFS0..3 by means of procedure.

Code

After the core initialization, in the main function the code is:

    if((tc1_init()) == pass){
        /* ----------------- fake ncf fault --------------------- */
        fccu.ncff.r = 12; /* n. 12 ncf fault injection */
        delay(10000); /* delay */
    }else{
        /* tc1_init - failure */
    }

Description

At the beginning the microcontroller is in DRUN mode. The FCCU is configured in tc1_init. Next NCF 12 is set. When the injected fault is asserted (fccu.ncff.r = 12), the system asserts the fault ISR. In the fault ISR the fault is cleared and the system enters RUN mode.
5.4 Lock FCCU configuration

The configuration state is used only to modify the default configuration of the FCCU. A subset of the FCCU registers, dedicated to defining the FCCU configuration (global configuration, reactions to fault, time-out, non-critical fault masking), can be accessed in write mode in the config state only. The config state is accessible from the normal state only, and only if the configuration is not locked. The configuration lock can be disabled only by a global reset of the FCCU. To lock the FCCU see the function in Section A.2.3.

5.5 Hardware: XPC56XL minimodule

The examples are executed on the XPC56EL minimodule, using the motherboard. The motherboard provides common functionality used in most applications, such as serial communication interface, CAN transceivers, SPI bus, I/O pins, power supply, buttons and LEDs. The minimodule provides a minimum setup for the microprocessor, for example socket for the processor, crystal oscillator and debug interface. Figure 2 displays the XPC56XL minimodule layout.

[Figure 2. XPC56EL minimodule]
Appendix A Redundancy and functions

A.1 Path redundancy on critical error reaction

All faults detected are reported to the central Fault Collection and Control Unit (FCCU) and RGM. Depending on the particular fault, the FCCU puts the device into the appropriate configured fail-safe state. This prevents propagation of faults to system level. Critical errors detected are normally forwarded independently by each channel to RGM and FCCU. The state of the RGM is forwarded to the FCCU. The FCCU forwards an additional reset request to the RGM. This strategy is used as it drastically decreases the common mode failure on the reset path.

[Figure 3. Dual path faults. Labels legible in the figure: CPU A, CPU B, checker, checker, RGM, FCCU, external device.]

For some faults:
- The fault is triggered to the FCCU.
- The FCCU reacts independently of the RGM.
- The fault reaction depends on the FCCU settings.

[Figure 4. RGM/FCCU - no dual path faults. Labels legible in the figure: MCM fault, NCF, FCCU, RGM.]
For some faults (critical faults):
- RGM and FCCU react to the fault independently.
- RGM resets the device (LR).
  - The FCCU is not reset by the RGM reset.
- The FCCU takes some action depending on the configuration.
  - The FCCU signals the fault externally.
  - After the reset the device enters safe mode.
  - NMI.

[Figure 5. RGM/FCCU - dual path faults (critical faults). Labels legible in the figure: RCCU fault, CF, FCCU, RGM.]

For some faults (non-critical faults):
- RGM and FCCU react to the fault independently.
- The RGM reaction is configurable.
  - IRQ.
- The FCCU takes some action depending on the configuration.
  - The FCCU waits for the NCF time-out.
  - The FCCU signals the fault externally.
  - The device enters safe mode.
  - NMI.

[Figure 6. RGM/FCCU - dual path faults (non-critical faults). Labels legible in the figure: CMU fault, NCF, FCCU, RGM.]
A.2 General purpose function

Below are some general purpose functions, setting and clearing registers.

A.2.1 Config state

    uint32_t fccu_config_state(void){
        /* ----------------- config state --------------------- */
        fccu.ctrlk.r = ctrlk_op1; /* key for the operation op1 */
        fccu.ctrl.r = ctrl_opr1; /* set the fccu into the config state [op1] */
        while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
        return 1;
    }

A.2.2 Normal state

    uint32_t fccu_normal_state(void){
        /* ----------------- normal state --------------------- */
        fccu.ctrlk.r = ctrlk_op2; /* key for the operation op2 */
        fccu.ctrl.r = ctrl_opr2; /* set the fccu into the normal state [op2] */
        while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
        return 1;
    }

A.2.3 Lock FCCU

    uint32_t fccu_lock(void){
        /* ----------------- lock configuration --------------------- */
        fccu.ctrlk.r = ctrlk_op16; /* key for the operation op16 */
        fccu.ctrl.r = ctrl_opr16; /* lock the fccu configuration [op16]: the operation code must match the op16 key written just above */
        while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
        return 1;
    }

A.2.4 Read status register

    uint32_t fccu_cfs_read(uint32_t cfs_number, uint32_t* cfs_value){
        uint32_t exit_value = 0; /* returned value = error */
        uint32_t reg_selection = 0; /* register selection [0..3] */
        if (cfs_number <= 127){
            fccu.ctrl.b.opr = ctrl_opr9; /* set the op9 */
            while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
            reg_selection = (cfs_number/32); /* int(cfs_number/32) */
            switch (reg_selection){
                case 0 :
                    *cfs_value = (fccu.cfs0.r >> (cfs_number%32)) & 1; /* read the critical fault latched state */
                    break;
                case 1 :
                    *cfs_value = (fccu.cfs1.r >> (cfs_number%32)) & 1; /* read the critical fault latched state */
                    break;
                case 2 :
                    *cfs_value = (fccu.cfs2.r >> (cfs_number%32)) & 1; /* read the critical fault latched state */
                    break;
                case 3 :
                    *cfs_value = (fccu.cfs3.r >> (cfs_number%32)) & 1; /* read the critical fault latched state */
                    break;
                default:
                    *cfs_value = (fccu.cfs3.r >> (cfs_number%32)) & 1; /* read the critical fault latched state */
                    break;
            }
            exit_value = 1; /* returned value = success */
        } else {
            /* error */
        }
        return(exit_value);
    }

A.2.5 Clear fault

    uint32_t fccu_cfs_clear(uint32_t cfs_number){
        uint32_t exit_value = 0; /* returned value = error */
        uint32_t reg_selection = 0; /* register selection [0..3] */
        uint32_t support = 0; /* support variable */
        uint32_t cfs_value = 0;
        if (cfs_number <= 127){
            reg_selection = (cfs_number/32); /* int(cfs_number/32) */
            switch (reg_selection){
                case 0 : support = fccu.cf_cfg0.r; break;
                case 1 : support = fccu.cf_cfg1.r; break;
                case 2 : support = fccu.cf_cfg2.r; break;
                case 3 : support = fccu.cf_cfg3.r; break;
                default: support = fccu.cf_cfg3.r; break;
            }
            support = (support >> (cfs_number%32)) & 0x1;
            if (support == cfg_sw){ /* sw recoverable fault */
                do{
                    switch (reg_selection){
                        case 0 :
                            fccu.cfk.r = cfk_key; /* set the critical fault key */
                            fccu.cfs0.r = (uint32_t) (1u << (cfs_number%32)); /* reset the critical fault state */
                            break;
                        case 1 :
                            fccu.cfk.r = cfk_key; /* set the critical fault key */
                            fccu.cfs1.r = (uint32_t) (1u << (cfs_number%32)); /* reset the critical fault state */
                            break;
                        case 2 :
                            fccu.cfk.r = cfk_key; /* set the critical fault key */
                            fccu.cfs2.r = (uint32_t) (1u << (cfs_number%32)); /* reset the critical fault state */
                            break;
                        case 3 :
                            fccu.cfk.r = cfk_key; /* set the critical fault key */
                            fccu.cfs3.r = (uint32_t) (1u << (cfs_number%32)); /* reset the critical fault state */
                            break;
                        default:
                            fccu.cfk.r = cfk_key; /* set the critical fault key */
                            fccu.cfs3.r = (uint32_t) (1u << (cfs_number%32)); /* reset the critical fault state */
                            break;
                    }
                    while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
                    if (fccu_cfs_read(cfs_number, &cfs_value)){
                        if (cfs_value == 0){
                            exit_value = 1; /* returned value = success */
                        }
                    }
                }while(cfs_value == 1);
            } else {
                /* hw recoverable fault */
            }
        }
        return(exit_value);
    }

A.2.6 Clear all critical faults

    uint16_t fccu_clear_critical_fault(void){
        uint32_t cfs_value;
        uint32_t num_fault; /* fault index */
        uint8_t tc0_error = 0; /* error counter */
        for(num_fault = 0; num_fault <= 24; num_fault++){ /* num_fault <= 24 */
            /* ----------------- read state --------------------- */
            if(fccu_cfs_read(num_fault, &cfs_value)){
                if (cfs_value == 1){ /* the fault was latched correctly */
                    if((rgm.fes.r & 0x0080) == 0x0080){ /* return from fccu safe mode reset */
                        fccu_cfs_clear(num_fault); /* clear the fault by procedure */
                        rgm.fes.r = 0xffff; /* clear the fes register */
                        me.mctl.r = (drun_mode << 28 | 0x00005af0); /* mode & key */
                        me.mctl.r = (drun_mode << 28 | 0x0000a50f); /* mode & key */
                        /* wait for mode entry to complete */
                        while(me.gs.b.s_mtrans == 1);
                        /* check drun mode has been entered */
                        while(me.gs.b.s_current_mode != drun_mode);
                        tc0_error = 0; /* error counter */
                    }
                }else{
                    /* no fault was latched */
                }
            }else{
                /* read state error */
            }
        }
        if(tc0_error == 0) return(pass);
        return(fail);
    }

A.2.7 Clear all non-critical faults

    uint16_t fccu_clear_non_critical_fault(void){
        uint32_t ncfs_value;
        uint32_t num_fault; /* fault index */
        uint8_t tc1_error = 0; /* error counter */
        for(num_fault = 0; num_fault <= 24; num_fault++){
            /* ----------------- read state --------------------- */
            if(fccu_ncfs_read(num_fault, &ncfs_value)){
                if (ncfs_value == 1){ /* the fault was latched correctly */
                    /* return from fccu safe mode reset */
                    fccu_ncfs_clear(num_fault); /* clear the fault */
                    rgm.fes.r = 0xffff; /* clear the fes register */
                    me.mctl.r = (drun_mode << 28 | 0x00005af0); /* mode & key */
                    me.mctl.r = (drun_mode << 28 | 0x0000a50f); /* mode & key */
                    /* wait for mode entry to complete */
                    while(me.gs.b.s_mtrans == 1);
                    /* check drun mode has been entered */
                    while(me.gs.b.s_current_mode != drun_mode);
                    tc1_error = 0; /* error counter */
                }else{
                    /* no non-critical fault was latched */
                }
            }else{
                /* read state error */
            }
        }
        if(tc1_error == 0) return(pass);
        return(fail);
    }

A.2.8 Read FCCU - state machine

    uint32_t fccu_status_read(uint32_t* status_value){
        uint32_t exit_value = 0; /* returned value = error */
        fccu.ctrl.b.opr = ctrl_opr3; /* set the op3 */
        while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */
        *status_value = fccu.stat.r; /* read the status register */
        exit_value = 1; /* returned value = success */
        return(exit_value);
    }

A.2.9 Non-critical fault - enable

    uint32_t fccu_ncf_enable(uint32_t ncfe_number, uint32_t ncfe_value){
        uint32_t exit_value = 0; /* returned value = error */
        uint32_t reg_selection = 0; /* register selection [0..3] */
        if (ncfe_number <= 127){
            reg_selection = (ncfe_number/32); /* int(ncfe_number/32) */
            if (ncfe_value == ncfe_en){
                switch (reg_selection){
                    case 0 :
                        fccu.ncfe0.r |= (uint32_t) (ncfe_en << (ncfe_number%32)); /* enable the non-critical fault */
                        break;
                    case 1 :
                        fccu.ncfe1.r |= (uint32_t) (ncfe_en << (ncfe_number%32)); /* enable the non-critical fault */
                        break;
                    case 2 :
                        fccu.ncfe2.r |= (uint32_t) (ncfe_en << (ncfe_number%32)); /* enable the non-critical fault */
                        break;
                    case 3 :
                        fccu.ncfe3.r |= (uint32_t) (ncfe_en << (ncfe_number%32)); /* enable the non-critical fault */
                        break;
                    default:
                        fccu.ncfe3.r |= (uint32_t) (ncfe_en << (ncfe_number%32)); /* enable the non-critical fault */
                        break;
                }
            }else{
AN4124 redundancy and functions doc id 023294 rev 2 25/32 switch (reg_selection){ case 0 : fccu.ncfe0.r &= (uint32_t) ~(ncfe_en << (ncfe_number%32)); /* disable the non-critical fault */ break; case 1 : fccu.ncfe1.r &= (uint32_t) ~(ncfe_en << (ncfe_number%32)); /* disable the non-critical fault */ break; case 2 : fccu.ncfe2.r &= (uint32_t) ~(ncfe_en << (ncfe_number%32)); /* disable the non-critical fault */ break; case 3 : fccu.ncfe3.r &= (uint32_t) ~(ncfe_en << (ncfe_number%32)); /* disable the non-critical fault */ break; default: fccu.ncfe3.r &= (uint32_t) ~(ncfe_en << (ncfe_number%32)); /* disable the non-critical fault */ break; } } }; return(exit_value); } a.2.10 ncf - normal to alarm - read state uint32_t fccu_nafs_read(uint32_t* nafs_value){ uint32_t exit_value= 0; /* returned value = error */ fccu.ctrl.b.opr = ctrl_opr4; /* set the op4 */ while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */ *nafs_value = fccu.nafs.r; /* read the nafs latched state */ exit_value = 1; /* returned value = success */ return(exit_value); } a.2.11 ncf - normal to alarm - clear state uint32_t fccu_nafs_clear(void){ uint32_t exit_value= 0; /* returned value = error */ fccu.ctrl.b.opr = ctrl_opr13; /* set the op13 */ while(fccu.ctrl.b.ops != ctrl_ops3); /* wait for the completion of the operation */ exit_value = 1; /* returned value = success */ return(exit_value); } a.2.12 irq status uint32_t fccu_irq_status(uint32_t cfg_to_stat, uint32_t* alrm_stat, uint32_t* nmi_stat){ uint32_t exit_value= 0; /* returned value = error */ if (cfg_to_stat == 1){ fccu.irq_stat.b.cfg_to_stat |= 1;/* clear the configuration time out error */ }else{ fccu.irq_stat.b.cfg_to_stat &= ~(1);/* no effect on bit */ } *alrm_stat = fccu.irq_stat.b.alrm_stat;/* read alarm interrupt status */ *nmi_stat = fccu.irq_stat.b.nmi_stat;/* read nmi interrupt status */
redundancy and functions AN4124 26/32 doc id 023294 rev 2 exit_value= 1; return(exit_value); } a.3 general purpose functions two examples have been developed to show the features of fccu. the examples have been implemented on the xpc56xxmb. the xpc56xxmb was plugged to xpc56el mini- module with spc56elx 144 pins. figure 7. xpc56xxmb mother board a.3.1 example n1: fake ncf by external irq in this example we show the ncf fault injection (by external irq funtionality), in order to show an fccu reaction. the ex ample includes alarm and nmi isr assertion. the fault is checked and cleared with a subroutine by looking in the ncfsx registers. two external buttons have been used to inject and clear the ncf (key 1 and key 2) and led1 on the motherboard has been used to view the fault status. to connect the two buttons to input pins (interrupt), we need to connect j8 pin 1b to jp9 pin 1, and j8 pin 2b to jp9 pin 2. gapgcft00699
The flow is:

    Press KEY1: inject an asynchronous external IRQ (ISR)
    External IRQ (ISR) -> blinking LED1 -> fake NCF -> FCCU state = ALARM -> ALARM IRQ (ISR)
    ALARM IRQ (ISR) -> wait for the alarm time-out (5 s) or check the external push button (KEY2)
    If alarm time-out -> FCCU state = FAULT -> NMI IRQ (without reset) -> device state = SAFE -> LED1 off -> clear the FCCU fault and return to main
    If KEY2 pressed -> LED1 off -> clear the FCCU fault and return to main

Figure 8. NCF injection flow
[Flow chart: Reset -> FCCU Init -> main (GENERAL SETTING, code) -> RUN; KEY1 -> External IRQ ISR (FAKE NOT CRITICAL FAULT) -> NCF (not RESET reaction) -> ALARM -> ALARM ISR; ALARM Time-Out? Y/N; KEY2 Pressed? Y/N -> Clear FCCU Status flag -> RUN; NMI ISR -> SAFE -> Clear FCCU Status flag -> RUN]
A.3.2 Example n2: fake CF by external IRQ

In this example we show CF fault injection (by the external IRQ functionality), in order to show an FCCU reaction. The example includes NMI ISR assertion. The fault is checked and cleared with a subroutine by looking in the CFSx registers. This example employs the CF external button (KEY 1) to inject and clear, and LED1 on the motherboard to view the fault. To connect the button to an input pin (interrupt), we need to connect J8 pin 1b to JP9 pin 1.

The flow is:

    Blink LED1
    Press KEY1: inject an asynchronous external IRQ (ISR)
    External IRQ (ISR) -> fake CF -> LED1 off -> FCCU state = FAULT -> device state = SAFE -> reset -> NMI IRQ (ISR)
    After reset: unmask NMI
    NMI IRQ (ISR) -> clear the FCCU fault and return to main
Figure 9. CF injection flow
[Flow chart: Reset -> FCCU Init -> main (GENERAL SETTING, code) -> RUN; KEY1 -> External IRQ ISR (FAKE CRITICAL FAULT) -> SAFE -> Reset -> main (GENERAL SETTING, UNMASK NMI) -> NMI IRQ -> NMI ISR (Clear FCCU Status flag) -> RUN]
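Both examples clear the latched fault with the read and clear procedure of A.2.4 and A.2.5. The following host-side C model is an added illustration, not code from the application note: it generalises that procedure by mapping the fault index to register (index / 32) and bit (index % 32) over an array instead of a switch, honours a CFSx write-1-to-clear only after the key write, and refuses to clear a hardware-recoverable fault. The register layout, the key value CFK_KEY_SIM and the CF_CFG polarity (1 = software-recoverable) are constructed assumptions, not ST's header definitions.

```c
/* Added example (not from AN4124): host-side model of the FCCU critical
 * fault status registers CFS0..CFS3 and of the read/clear procedure.
 * Register layout, key value and CF_CFG polarity are constructed. */
#include <stdint.h>

#define FCCU_MAX_FAULT 127u         /* fault indices 0..127, 32 per register */
#define FCCU_CFS_COUNT 4u
#define CFK_KEY_SIM    0x618B7A50u  /* constructed key, not ST's CFK value */
#define CFG_SW         1u           /* assumed: CF_CFG bit = 1 -> sw recoverable */

typedef struct {
    uint32_t cf_cfg[FCCU_CFS_COUNT]; /* per-fault recoverability configuration */
    uint32_t cfs[FCCU_CFS_COUNT];    /* latched critical fault state (w1c) */
    uint32_t cfk;                    /* key register preceding a CFS write */
} fccu_sim_t;

/* Simulated write-1-to-clear on CFS[reg]: honoured only if the key was
 * written first; the key is consumed by the access either way. */
static void sim_cfs_write(fccu_sim_t *f, unsigned reg, uint32_t mask) {
    if (f->cfk == CFK_KEY_SIM)
        f->cfs[reg] &= ~mask;
    f->cfk = 0;
}

/* Read the latched state of fault n. Returns 1 on success, 0 if n is out of range. */
int sim_cfs_read(const fccu_sim_t *f, uint32_t n, uint32_t *value) {
    if (n > FCCU_MAX_FAULT)
        return 0;
    *value = (f->cfs[n / 32u] >> (n % 32u)) & 1u;
    return 1;
}

/* Clear fault n and verify it is gone. Returns 1 once the bit reads back 0;
 * 0 if n is out of range or the fault is hardware-recoverable (software
 * must not try to clear it, as in the A.2.5 "hw recoverable" branch). */
int sim_cfs_clear(fccu_sim_t *f, uint32_t n) {
    uint32_t v = 1;
    if (n > FCCU_MAX_FAULT)
        return 0;
    unsigned reg = n / 32u, bit = n % 32u;
    if (((f->cf_cfg[reg] >> bit) & 1u) != CFG_SW)
        return 0;
    f->cfk = CFK_KEY_SIM;              /* key first, then the w1c write */
    sim_cfs_write(f, reg, 1u << bit);
    return sim_cfs_read(f, n, &v) && v == 0;
}
```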
Appendix B Further information

B.1 Acronyms

Table 4. Acronyms

    Acronym   Name
    CRC       Cyclic redundancy check
    DMA       Direct memory access
    FCCU      Fault control and collection unit
    INTC      Interrupt controller
    MCU       Microcontroller unit
    PIT       Periodic interrupt timer
    TCD       Transfer control descriptor
Revision history

Table 5. Document revision history

    Date          Revision   Changes
    02-Aug-2012   1          Initial release.
    17-Sep-2013   2          Updated disclaimer.
Please read carefully:

Information in this document is provided solely in connection with ST products. STMicroelectronics NV and its subsidiaries ("ST") reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any time, without notice.

All ST products are sold pursuant to ST's terms and conditions of sale.

Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no liability whatsoever relating to the choice, selection or use of the ST products and services described herein.

No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such third party products or services or any intellectual property contained therein.

Unless otherwise set forth in ST's terms and conditions of sale ST disclaims any express or implied warranty with respect to the use and/or sale of ST products including without limitation implied warranties of merchantability, fitness for a particular purpose (and their equivalents under the laws of any jurisdiction), or infringement of any patent, copyright or other intellectual property right.

ST products are not designed or authorized for use in: (A) safety critical applications such as life supporting, active implanted devices or systems with product functional safety requirements; (B) aeronautic applications; (C) automotive applications or environments, and/or (D) aerospace applications or environments. Where ST products are not designed for such use, the purchaser shall use products at purchaser's sole risk, even if ST has been informed in writing of such usage, unless a product is expressly designated by ST as being intended for "automotive, automotive safety or medical" industry domains according to ST product design specifications. Products formally ESCC, QML or JAN qualified are deemed suitable for use in aerospace by the corresponding governmental agency.

Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any liability of ST.

ST and the ST logo are trademarks or registered trademarks of ST in various countries. Information in this document supersedes and replaces all information previously supplied. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners.

© 2013 STMicroelectronics - All rights reserved

STMicroelectronics group of companies
Australia - Belgium - Brazil - Canada - China - Czech Republic - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan - Malaysia - Malta - Morocco - Philippines - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States of America
www.st.com