
AN13118

S32G VR5510 Safety Concept


Rev. 3 — 19 August 2022 Application note

Document information
Keywords: VR5510, PF5300, S32G2, S32G3, S32G, Safety, Monitoring, Fault management
Abstract: This document describes the safety concept of the S32G processor and the VR5510 PMIC.
NXP Semiconductors
AN13118
S32G VR5510 Safety Concept

Revision history
Rev Date Description
v.3 20220819 • Inserted mandatory revision history into the document to conform with NXP document
content guidelines.
• Section 2.3, Figure 1, updated the image.
• Section 4.5.2, Figure 12, updated the image.
• Section 4.5.5, Figure 14, updated the image.
v.2 20220304 • Global changes:
– Performed minor grammatical and/or typographic corrections throughout.
– Revised the keywords in the Document information table.
– Removed the Revision history.
– Revised "S32G" to "S32G2" throughout.
– Included information for S32G3.
• Section 1, inserted second paragraph starting with "This application note.…"
• Section 2.1, revised the bullet "Automotive safety integrity level...."
• Section 2.3, Figure 1, updated the image.
• Section 2.3.1, inserted "This statement is valid for S32G2 and S32G3 applications" to
the end of the second paragraph.
• Section 3, inserted "and PF5300" in the section title.
• Section 3.3, inserted new section.
• Section 4, revised "S32G-VNP-RDB2" to "S32G-VNP-RDB3" in the first sentence.
• Section 4.1, inserted "for VF5510 and S32G2" in the section title, and revised the first
two paragraphs.
• Section 4.2, inserted new section.
• Section 4.3.1, Figure 6, revised the image.
• Section 4.5.1, revised the first paragraph, inserted a new paragraph after Table 1,
inserted Table 2, and inserted a note after the table.
• Section 4.5.2, inserted "for S32G2 applications" in the section title, revised "S32G" to
"S32G2" in the first paragraph, inserted three paragraphs to the end of the section.
• Section 4.5.3, inserted new section.
• Section 4.5.4, inserted "for S32G2 applications" in the section title, revised the
second paragraph, inserted two recommendations after the second paragraph, and
revised the image in Figure 13.
• Section 4.5.5, inserted new section.
• Section 4.5.10, inserted "(not S32G3)" in the section title, and inserted new paragraph
at the section end starting with "For the S32G3 solution.…"
• Section 7.2, inserted new paragraph starting with "In the VR5510, PF5300 and
S32G3 applications...."
• Section 7.3, inserted new sentence to the paragraph below Figure 21 that starts with
"In the S32G3 solution.…"
v.1 20210303 Initial version

AN13118 All information provided in this document is subject to legal disclaimers. © 2022 NXP B.V. All rights reserved.

Application note Rev. 3 — 19 August 2022


2 / 33

1 Introduction
This application note describes the safety concepts related to the S32G processor and
the VR5510 PMIC. The document covers the S32G and VR5510 safety functions and
how they interact to ensure system-level coverage of the ASIL D safety integrity level.
This application note also covers the VR5510 and PF5300 PMIC solution for S32G3
applications. All the specific modifications and updates are described in Section 4.2.

2 S32G Overview

2.1 S32G application processor


The versatile S32G processor enables the next generation of vehicle gateways and
architectures by combining different features such as:
• Hardware security.
• Automotive safety integrity level (ASIL) D safety in combination with the PMIC VR5510
and the PMIC PF5300.
• High-performance real-time and application processing.
• Network acceleration for service-oriented gateways, domain controllers, and safety co-processors.
• Power saving techniques, such as low power standby mode, in combination with the
VR5510 PMIC.

2.2 S32G safety concept


The S32G family safety concept is a system solution developed to ensure that the
platform on which the application is running is protected against random hardware
failures as well as common cause failures.
The safety concept solution relies on S32G on-chip safety functions and an interface to
the safety functions of an external device, in this case the PMIC VR5510.
The PMIC VR5510 provides off-chip safety mechanisms which can manage the transition
to a system safe-state when the S32G is no longer functioning correctly. The VR5510
also monitors its own functions and transitions the system to a safe-state when an
internal failure occurs.

2.3 S32G/VR5510 safety interface overview


The following section provides an overview of the interface between the S32G and the
VR5510 safety functions. For more details on the VR5510 safety functions, see Section 4
"S32G and VR5510 Safety Functions".


[Figure 1 (image): block diagram of the S32G and VR5510 safety functions interface. VR5510 (plus PF5300) side: voltage generation, voltage supervision, state detection, alive supervision, reset control and supervision, error supervision. S32G2/3 side: core supply and other chip supplies with Supply Presence Detectors (SPD) and PMIC_Sense, safety core software execution, comms interface, MC_RGM (reset), FCCU (error indication), system state indication 1 and 2.]

Chip    VR5510   PF5300
S32G2   Yes      No
S32G3   Yes      Yes (core supply only)

Figure 1. S32G and VR5510 safety functions interface

2.3.1 Chip supplies and voltage supervision


There are no precision voltage monitors on the S32G. The simple Supply Presence
Detectors (SPD) are intended to detect when a supply has become disconnected from
the S32G and can only detect an undervoltage condition when that is the case.
The VR5510 monitors all S32G supply voltages for undervoltage and overvoltage
conditions with configurable thresholds. When a supply is outside the configured range,
the VR5510 can be configured to put the S32G and the system into a safe-state. This
statement is valid for S32G2 and S32G3 applications.

2.3.2 Communication interface and alive supervision


The communication interface is bi-directional and is used by:
• a safety core to configure the VR5510 during a boot of the system
• a safety core to indicate to the VR5510 that the S32G is alive and operating correctly
• the VR5510 to provide status information at the request of the S32G
S32G alive indication involves the activation of a watchdog service on the VR5510. The
type of watchdog (Simple or Challenger) and the service time window are configurable.
See Section 4.4 "Watchdog" for watchdog details.

2.3.3 Reset control and supervision


The reset interface is bi-directional and is used by:
• the reset generation module of the S32G (MC_RGM) to indicate to the VR5510 that the
S32G is in reset


• the VR5510 to force the S32G into a safe-state in the presence of a fault that could
lead to the violation of a safety goal
Whenever the VR5510 forces the S32G into a safe-state, it simultaneously indicates a
system safe-state that is independent of the S32G state indication.

2.3.4 S32G error supervision


The fault collection and control unit (FCCU) on the S32G is a hardware module that can
be configured to indicate on the error-out pins when a non-recoverable fault has occurred
in the S32G.
The VR5510 monitors the FCCU error-out pins and ensures that a system safe-state is
entered when a non-recoverable fault in the S32G occurs.


3 VR5510 and PF5300 Power Management IC

3.1 VR5510 description


The VR5510 is the proposed Power Management Integrated Circuit (PMIC) for the S32G
application processor. It is an automotive multi-output PMIC, with focus on Gateway,
ADAS, V2X, and Infotainment applications. Its main features are shown on the block
diagram below:

Figure 2. VR5510 functional block diagram

The VR5510 is divided into two domains:


• the Main domain, which includes multiple high-efficiency switch mode and linear
voltage regulators.
• the Safety domain, which includes enhanced safety features with fail-safe output, and
the capability to fully implement a safety-oriented system partitioning in compliance with
ASIL D.


These domains are electrically independent and physically isolated. The Fail-safe
domain is supplied by its own reference voltages and current, has its own oscillator, has
duplicated analog paths to minimize the common cause failures, and has LBIST/ABIST
to cover latent faults.

3.2 VR5510 safety overview


The main safety functions of the VR5510 are:
• Seven independent voltage monitors to detect overvoltage / undervoltage on the
regulators
• Windowed watchdog: two types are available (Simple or Challenger)
• FCCU monitoring
• Three safety outputs (PGOOD, RSTB, FS0B)
• Fault recovery strategy in combination with S32G
• Latent failure detection (ABIST, LBIST)
More information can be found in the VR5510 Safety Manual.

3.3 PF5300 description


The PF5300 is the proposed PMIC to complement the VR5510 in the S32G3 application
processor. The PF53 integrates a high-performance 12 A buck converter to power high-end
automotive processors. This current capability enables the supply of the S32G3 core.
Clock synchronization and spread-spectrum features reduce EMC issues at system level.
Built-in functional safety features help with robust product design and fast time to market.
Figure 3 shows the functional block diagram of the PF53 device.

[Figure 3 (image): PF53 functional block diagram. 12 A integrated-FET core supply with AVP; input voltage 3.0 V to 5.5 V; output voltage 0.5 V to 1.2 V; low Rdson high- and low-side MOSFETs; ±1% DC accuracy; high-bandwidth loop with AVP; watchdog timer; temperature protection; current limit protection; OTP memory; analog built-in self test (ABIST); programmable OV/UV monitoring; clock synchronization; spread spectrum.]

Figure 3. PF5300 functional block diagram

The application with the S32G3 processor includes the PF5300 PMIC in QM version. The
safety features are managed by the VR5510 PMIC. See Section 4.2 "Safety hardware
connections for VR5510, PF5300 and S32G3 solution" for more details about the
hardware connections.


4 S32G and VR5510 Safety Functions


The S32G-VNP-RDB3 board is the reference design board used as an example to show
the voltage monitor connections and settings in this section.

4.1 Safety hardware connections for VR5510 and S32G2


The VR5510 is used to supply the S32G and multiple peripherals (LPDDR4, CAN PHYs,
etc.).
Figure 4 represents an overview of the blocks and connections for a typical application of
the devices VR5510 and S32G2 with the high-level safety connections.

Figure 4. VR5510 and S32G2 solution

• RSTB: Used to reset the application processor when needed. Reset can be requested
by the S32G or applied by the VR5510 when a fault occurs.


• PGOOD: Connected to the PORB pin of the S32G. Used to indicate that all power
outputs are correct.
• FS0B: Safety pin used to transition the system into a safe-state (can be connected to a
CAN PHY, for example).
• FCCU1/2: In charge of monitoring the S32G hardware error outputs. Bi-stable protocol
is used.
• Watchdog: Monitors software failures on the S32G.
• Standby connections
– STBY: This pin is internally connected to both domains (Main and Safety) on the
VR5510. The Safety domain manages the standby entry.

4.2 Safety hardware connections for VR5510, PF5300 and S32G3 solution

The FB pin of the PF5300 BUCK should be connected to the PMIC_SENSE of the
S32G3 to avoid the voltage drop error and optimize the voltage accuracy.
The VMON1 of the VR5510 should monitor the PF5300 output. The VR5510 monitors the
discharge of the PF5300 output in the standby entry. The external discharge monitoring
should be enabled by setting the bit EXT_STBY_DISCH_OTP to 1.
VCOREMON should be connected to the VR5510 BUCK1 output.
The HVLDO is configured in switch mode, in order to track the PF5300 BUCK output
voltage. A minimum voltage drop is mandatory between the VDD_CORE and the
VDD_CORE_STBY domains. The HVLDOMON should be disabled setting the bit
HVLDO_VMON_EN_OTP to 0.
The PF5300_PGOOD should be connected to the PSYNC pin of the VR5510 to allow
the HVLDO transition to switch mode. This function should be enabled by setting the
PSYNC_PGOOD_EXT_OTP to 1 and PSYNC_EN_OTP to 0.
Figure 5 shows the safety connections for the VR5510, PF5300 and S32G3 solution.


[Figure 5 (image): VR5510, PF5300 and S32G3 power supply solution. VR5510 main (power management) domain: HV BUCK 3.3 V (VBAT 3.3 V to 5.4 V), BUCK1 1.8 V, BUCK2 1.1 V and BUCK3 1.1 V (each 0.4 V to 1.8 V), LDO1 1.8 V (1 V to 5 V), LDO2 1.8 V (1.5 V to 5 V), BOOST 5 V, LDO3 3.28 V, two load switches, HV LDO 0.8 V, main logic and control with I2C, MCU interface and regulator control. PF5300 power management domain: BUCK1 0.8 V (0.5 V to 1.2 V) with BUCK1 FB to PMIC_SENSE, PWRON and PGOOD to the VR5510 PSYNC pin. VR5510 low power domain: STBY_EXIT, STBY, STBY_PGOOD, STBY_TIMING_WINDOW_COUNTER. VR5510 safety domain (safety logic and control, I2C, monitoring unit, STBY_ENTRY_TIMING_COUNTER): RSTB to RESET_B, FS0B to a GPIO (system safe state transition), PGOOD to POR_B, FCCU to FCCU. S32G3 rails shown: VDD_IO_B, VDD_IO_STBY, VDD_CORE, VDD_IO_DDR0, VDD_V1P8_ANA, VDD_IO_QSPI, VDD_IO_USB, VDD_IO_A, VDD_CORE_STBY, plus the LPDDR4 supply.]

Figure 5. VR5510, PF5300 and S32G3 power supply solution

4.3 FCCU monitoring


The FCCU input pins are used to inform the PMIC of a hardware failure in the S32G. The
VR5510 monitors the FCCU pins as soon as INIT_FS is closed. The FCCU pins are
configured as a pair for this application, therefore FCCU_CFG[1:0] = 01.
When an FCCU fault is detected, the Fail-safe reaction on RSTB and/or FS0B is
configurable with the FCCU12_FS_IMPACT bit during the INIT_FS phase.

4.3.1 FCCU monitoring by pair


When FCCU12 are used by pair, the bi-stable protocol is supported as shown in Figure 6:


[Figure 6 (image): timing diagram of the FCCU1 and FCCU2 levels through the reset phase, config phase, normal phase and error phase.]

Figure 6. FCCU bistable protocol

The polarity of the FCCU fault signals is configurable with FCCU12_FLT_POL bit during
the INIT_FS phase. By default FCCU12_FLT_POL=0 (FCCU1=0 or FCCU2=1 level is
fault).
When a FCCU fault is detected, there is a fail-safe reaction on RSTB and/or FS0B
according to the configuration. The configuration must be done by FCCU12_FS_IMPACT
bit during the INIT_FS phase.
The S32G-VNP-RDB2 hardware connections are shown in Figure 7.

[Figure 7 (image): S32G-VNP-RDB2 schematic excerpt showing the VR5510 pins BUCK2_FB, FCCU1/WD1 (net VR5510_FCCU0), FCCU2 (net VR5510_FCCU1) and PSYNC; resistors R291 (5.1 kΩ), R285 (22 kΩ), R659 and R663; the VDDIO and GND nets; and the S32G pins FCCU_ERR0 (U13) and FCCU_ERR1 (AA14).]

Figure 7. S32G-VNP-RDB2 hardware connections

During the INIT_FS state, the S32G must properly configure the FCCU pin levels to avoid
a fault when the INIT_FS state is exited.

4.4 Watchdog
The VR5510 features a watchdog that must be refreshed periodically by the processor.
This requires a watchdog service routine from the S32G. The VR5510 can detect a
software failure on the S32G if the watchdog is not correctly refreshed.
The watchdog is a windowed watchdog for the Simple and the Challenger watchdog.
A good watchdog refresh is a correct watchdog response during the OPEN window. A
bad watchdog refresh is an incorrect watchdog response during the OPEN window, no
watchdog refresh during the OPEN window, or a correct watchdog response during the
CLOSED window.


After a good or a bad watchdog refresh, a new window period starts immediately so that
the MCU stays synchronized with the windowed watchdog.
Figure 8 shows the watchdog window error possibilities.

Watchdog answer (from MCU)   Closed window   Opened window
Bad data                     WD_failure      WD_failure
Good data                    WD_failure      WD_OK
None                         No issue        WD_failure
(WD window period with configurable duty cycle)

Figure 8. Watchdog window error

The duration of the watchdog window and the duty cycle are configurable.
In the VR5510, the watchdog can only be disabled during the initialization phase
INIT_FS. A good watchdog refresh is needed to close INIT_FS even if the watchdog
has been disabled during this phase. If the watchdog has been disabled during the
INIT_FS phase, the watchdog disable takes effect once INIT_FS closes. If the watchdog
is enabled, the MCU must refresh the watchdog periodically.
Refer to the VR5510 datasheet for more details on INIT_FS and the watchdog.

4.4.1 Simple Watchdog


The Simple watchdog uses a unique seed. The MCU can send its own seed to the
WD_SEED bitfield (FS_WD_SEED register) or it can use the default value 0x5AB2.
This seed must be written in the WD_ANSWER bitfield (FS_WD_ANSWER register)
during the OPEN watchdog window. When the result is correct, the watchdog window
is restarted. When the result is incorrect, the WD error counter is incremented and the
watchdog window is restarted.
In the Simple watchdog configuration, the values 0xFFFF and 0x0000 cannot be written to
WD_SEED. If a 0x0000 or 0xFFFF write is attempted, a communication error is reported.

4.4.2 Challenger Watchdog


The Challenger watchdog is based on a question/answer process with the MCU. During
the initialization phase (INIT_FS), the MCU sends the seed for the LFSR or uses the
default LFSR value generated by the VR5510 (0x5AB2), available in the WD_SEED
register. Using this LFSR, the MCU performs a calculation based on the below formula
and writes the results in the WD_ANSWER register.

WD_ANSWER[23:8] = ((((WD_SEED[23:8] × 4) + 6) − 4) NOT) / 4

Figure 9. Challenger watchdog formula


The result is sent through I2C during the OPEN watchdog window and verified by the
VR5510. When the result is correct, the watchdog window is restarted and a new LFSR
is generated. When the result is incorrect, the WD error counter is incremented, the
watchdog window is restarted, and the LFSR value is not changed.
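As an added example (not code from the application note or from an NXP driver), the C below computes the answer for both watchdog types and classifies a refresh against the window matrix of Figure 8; the function names, and the 32-bit intermediate width assumed for the Challenger formula, are not given by the note.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Default seed named in Sections 4.4.1 and 4.4.2. */
#define VR5510_WD_SEED_DEFAULT 0x5AB2u

/* Simple watchdog: WD_SEED 0x0000 and 0xFFFF are rejected by the device with a
 * communication error, so reject them before attempting the I2C write. */
bool vr5510_simple_seed_valid(uint16_t seed)
{
    return seed != 0x0000u && seed != 0xFFFFu;
}

/* Simple watchdog: the value written to WD_ANSWER is the seed itself. */
uint16_t vr5510_simple_answer(uint16_t seed)
{
    return seed;
}

/* Challenger watchdog: WD_ANSWER = ((((WD_SEED x 4) + 6) - 4) NOT) / 4, as
 * drawn in Figure 9. Assumption (not stated in the note): the intermediate
 * arithmetic is 32 bits wide and the 16-bit answer is the low half. */
uint16_t vr5510_challenger_answer(uint16_t lfsr)
{
    uint32_t v = lfsr;
    v *= 4u;   /* x 4 */
    v += 6u;   /* + 6 */
    v -= 4u;   /* - 4 */
    v = ~v;    /* NOT */
    v /= 4u;   /* / 4 */
    return (uint16_t)v;
}

/* Outcome of one watchdog window, as tabulated in Figure 8. */
typedef enum {
    VR5510_WD_OK,        /* correct answer in the OPEN window: window restarts, no error      */
    VR5510_WD_FAILURE,   /* wrong answer, any answer in the CLOSED window, or no answer in OPEN */
    VR5510_WD_NO_ISSUE   /* no answer yet while the window is still CLOSED                    */
} vr5510_wd_outcome_t;

/* Evaluate at the moment an answer arrives, or at the end of the window when
 * none did. open_window tells which part of the window is running then. */
vr5510_wd_outcome_t vr5510_wd_evaluate(uint16_t expected, bool answered,
                                       uint16_t answer, bool open_window)
{
    if (!answered) {
        return open_window ? VR5510_WD_FAILURE : VR5510_WD_NO_ISSUE;
    }
    if (!open_window) {
        return VR5510_WD_FAILURE;   /* a correct answer in the CLOSED window is still bad */
    }
    return (answer == expected) ? VR5510_WD_OK : VR5510_WD_FAILURE;
}

int main(void)
{
    uint16_t seed = VR5510_WD_SEED_DEFAULT;
    uint16_t answer = vr5510_challenger_answer(seed);
    printf("Simple    : seed 0x%04X -> answer 0x%04X\n", seed, vr5510_simple_answer(seed));
    printf("Challenger: seed 0x%04X -> answer 0x%04X\n", seed, answer);
    printf("Correct answer in CLOSED window -> outcome %d (1 = WD_FAILURE)\n",
           vr5510_wd_evaluate(answer, true, answer, false));
    return 0;
}
```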


4.4.3 Watchdog error counter


The VR5510 features two different counters: the watchdog error counter and the
watchdog refresh counter. The watchdog counter strategy is available for the Challenger
watchdog and the Simple watchdog.

[Figure 10 (image): state diagrams of the watchdog error counter (states 0 to 7, WD_ERR_LIMIT = 00) and the watchdog refresh counter (states 0 to 6, WD_RFR_LIMIT = 00), with transitions labelled WD refresh OK, WD refresh NOT OK and WD OFF.]

Figure 10. Watchdog error counter and refresh counter

The watchdog error counter is implemented in the device to filter an incorrect watchdog
refresh. Each time a watchdog failure occurs, the device increments this counter by two.
The watchdog error counter is decremented by one each time the watchdog is properly
refreshed. This principle ensures that a cyclic ’OK/NOK’ behavior converges on a failure
detection.
To allow flexibility in the application, the maximum value of this counter is configurable
with the WD_ERR_LIMIT[1:0] register during the INIT_FS phase.
The watchdog error counter can be read by the MCU for diagnostic purposes from the
WD_ERR_CNT[3:0] bitfield.
The watchdog refresh counter is used to decrement the fault error counter. Each time
the watchdog is properly refreshed, the watchdog refresh counter is incremented by
one. Each time the watchdog refresh counter reaches its maximum value (6 by default)
and if the next WD refresh is also good, the fault error counter is decremented by one.
Regardless of the position the watchdog refresh counter is in, each time there is a wrong
watchdog refresh, the watchdog refresh counter is reset to zero.


To allow flexibility in the application, the maximum value of this watchdog refresh counter
is configurable with the WD_RFR_LIMIT[1:0] register during the INIT_FS phase.
The watchdog refresh counter value can be read by the MCU for diagnostic purposes
with the WD_RFR_CNT[2:0] bits.
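An added example, not from the application note: a C model of the two counters described in this section, which shows why a cyclic OK/NOK refresh pattern still converges on a failure detection. The refresh counter wrapping to 0 after it decrements the error counter, and the WD_ERR_LIMIT value of 8 used in the demonstration, are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counter widths follow the bitfields named in Section 4.4.3. */
#define VR5510_WD_ERR_CNT_MAX 15u   /* WD_ERR_CNT[3:0] */
#define VR5510_WD_RFR_CNT_MAX  7u   /* WD_RFR_CNT[2:0] */

typedef struct {
    uint8_t err_cnt;    /* WD_ERR_CNT: +2 per bad refresh, -1 through the refresh counter */
    uint8_t rfr_cnt;    /* WD_RFR_CNT: +1 per good refresh, back to 0 after a bad one    */
    uint8_t err_limit;  /* WD_ERR_LIMIT: error count at which the watchdog is declared failed */
    uint8_t rfr_limit;  /* WD_RFR_LIMIT: 6 by default                                      */
} vr5510_wd_counters_t;

void vr5510_wd_counters_init(vr5510_wd_counters_t *c, uint8_t err_limit, uint8_t rfr_limit)
{
    c->err_cnt = 0u;
    c->rfr_cnt = 0u;
    c->err_limit = err_limit;
    c->rfr_limit = rfr_limit > VR5510_WD_RFR_CNT_MAX ? VR5510_WD_RFR_CNT_MAX : rfr_limit;
}

/* Apply one refresh result. Returns true once the error counter has reached
 * its limit; the device's reaction at that point is outside this section and
 * is not modelled. */
bool vr5510_wd_counters_refresh(vr5510_wd_counters_t *c, bool good)
{
    if (!good) {
        unsigned next = c->err_cnt + 2u;
        c->err_cnt = (uint8_t)(next > VR5510_WD_ERR_CNT_MAX ? VR5510_WD_ERR_CNT_MAX : next);
        c->rfr_cnt = 0u;    /* a wrong refresh always restarts the refresh count */
    } else if (c->rfr_cnt >= c->rfr_limit) {
        /* refresh counter already at its maximum and this refresh is also good */
        if (c->err_cnt > 0u) {
            c->err_cnt--;
        }
        c->rfr_cnt = 0u;    /* assumption: wraps to 0 here, as Figure 10 draws it */
    } else {
        c->rfr_cnt++;
    }
    return c->err_cnt >= c->err_limit;
}

/* Feed a repeating pattern of refresh results ('G' good, 'B' bad) and return
 * the number of refreshes until the error counter reaches its limit, or 0 if
 * it never does within max_steps. */
unsigned vr5510_wd_steps_to_failure(const char *pattern, unsigned max_steps,
                                    uint8_t err_limit, uint8_t rfr_limit)
{
    vr5510_wd_counters_t c;
    size_t len = strlen(pattern);
    vr5510_wd_counters_init(&c, err_limit, rfr_limit);
    for (unsigned i = 0; i < max_steps && len > 0; i++) {
        if (vr5510_wd_counters_refresh(&c, pattern[i % len] == 'G')) {
            return i + 1u;
        }
    }
    return 0u;
}

/* Error counter value after running a pattern exactly once. */
uint8_t vr5510_wd_err_cnt_after(const char *pattern, uint8_t err_limit, uint8_t rfr_limit)
{
    vr5510_wd_counters_t c;
    vr5510_wd_counters_init(&c, err_limit, rfr_limit);
    for (const char *p = pattern; *p != '\0'; p++) {
        (void)vr5510_wd_counters_refresh(&c, *p == 'G');
    }
    return c.err_cnt;
}

int main(void)
{
    /* WD_ERR_LIMIT = 8 is chosen for the demonstration only; the note does not
     * give the encoding of WD_ERR_LIMIT[1:0]. WD_RFR_LIMIT uses the default 6. */
    const uint8_t err_limit = 8u, rfr_limit = 6u;
    printf("alternating bad/good   : failure after %u refreshes\n",
           vr5510_wd_steps_to_failure("BG", 1000u, err_limit, rfr_limit));
    printf("one bad in eight       : failure after %u refreshes\n",
           vr5510_wd_steps_to_failure("BGGGGGGG", 1000u, err_limit, rfr_limit));
    printf("one bad then seven good: WD_ERR_CNT = %u\n",
           vr5510_wd_err_cnt_after("BGGGGGGG", err_limit, rfr_limit));
    return 0;
}
```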

4.4.4 MCU fault recovery strategy


This function extends the watchdog window to allow the MCU to perform a fault recovery
strategy. The goal is to prevent the MCU from being reset while it is trying to recover the
application after a failure event.
When a fault is triggered by the MCU via its FCCU pins, the device asserts the FS0B
pin and the watchdog window automatically becomes a fully open window (no
more duty cycle). This open window duration is configurable up to a maximum of
1024 ms with the WDW_RECOVERY[3:0] bit field during the INIT_FS phase.
The transition from WD_WINDOW to WDW_RECOVERY happens when the FCCU pin
indicates an error and FS0B is asserted.
If the MCU sends a good watchdog refresh before the end of the WDW_RECOVERY
duration, the device switches back to the WD_WINDOW duration and the
associated duty cycle if the FCCU pins no longer indicate an error. Otherwise, a new
WDW_RECOVERY period is started.
If the MCU does not send a good watchdog refresh before the end of the
WDW_RECOVERY duration, a reset pulse is generated and the Fail-safe state machine
moves back to INIT_FS.

[Figure 11 (image): timing diagram with FCCU (normal phase, error phase with FCCU error and FLT_ERR_CNT +1), FS0B, the watchdog window (WD_WINDOW: WDW_PERIOD, then WDW_RECOVERY on an FCCU error, back to WDW_PERIOD after a good WD, and INIT_FS after a bad WD or window timeout) and RSTB.]

Figure 11. Fault recovery strategy


4.5 Voltage monitoring

4.5.1 Voltage monitor connections


Table 1 shows all the settings/connections on the voltage monitors used on the S32G-
VNP-RDB2 for the S32G2 and VR5510 solution.

Table 1. S32G-VNP-RDB2 voltage monitor setting/connections for the S32G2 and VR5510 solution
Monitor     Regulator   Voltage   UV OTP setting   OV OTP setting
VCOREMON    BUCK12      0.8 V     −4.5%            6.0%
VMON1       LDO2        1.8 V     −5.0%            5.0%
VMON2       BUCK3       1.1 V     −2.5%            4.5%
VMON3       VPRE        3.3 V     −4.5%            6.0%
VMON4       LDO1        1.8 V     −5.0%            5.0%
VDDIOMON    LDO3        3.3 V     −5.0%            5.0%
HVLDOMON    HVLDO       0.8 V     −7.0%            7.0%

Table 2 shows all the settings/connections on the voltage monitors used on the S32G-
VNP-RDB3 for the S32G3, VR5510 and PF5300 solution.

Table 2. S32G-VNP-RDB2 voltage monitor setting/connections
Monitor     Regulator   Voltage    UV OTP setting   OV OTP setting
VCOREMON    BUCK1       1.8 V      −4.5%            4.5%
VMON1       PF53 BUCK   0.8 V      −4.5%            6.0%
VMON2       BUCK3       1.1 V      −2.5%            4.5%
VMON3       VPRE        3.3 V      −4.5%            6.0%
VMON4       LDO1        1.8 V      −5.0%            5.0%
VDDIOMON    LDO3        3.3 V      −5.0%            5.0%
HVLDOMON    HVLDO       Disabled   —                —

Note: See Section 4.2 for details about the monitoring connections for this solution.
For all the voltage monitors, the OV/UV safety reaction can be programmed via I2C
on the dedicated OV/UV_FS_IMPACT registers. Refer to Section 6 "Fault impact
configuration" for more details on safety reactions.
By default, the fault reaction is:
• UV: Only the FS0B pin is asserted,
• OV: FS0B and RSTB are asserted, regulator is switched OFF.

4.5.2 VCOREMON connection and settings for S32G2 applications


VCOREMON is used to monitor the BUCK1/2 output voltage connected to the S32G2
VDD_CORE rail. The OV/UV settings above are compatible with the SVS voltage.
The recommended connections are shown in Figure 12.


[Figure 12 (image): VR5510 pins BUCK1_SW, BUCK2_SW, VCOREMON, BUCK2_FB, BUCK1_FB, LV_HVLDO_IN and HVLDO connected to the S32G2 VDD rail (through R1), PMIC_SENSE and VDD_CORE_STBY.]

Figure 12. VCOREMON recommended connections

The recommended setting for the OV OTP threshold is 6%.
The recommended setting for the UV OTP threshold is –4.5%.
These settings support the SVS use case.
VCOREMON is used to monitor the BUCK1 output voltage connected to the LPDDR4
input supply.
The recommended setting for the OV OTP threshold is 4.5%.
The recommended setting for the UV OTP threshold is –4.5%.

4.5.3 VCOREMON connection and settings for S32G3 applications


VCOREMON is used to monitor the BUCK1 output voltage connected to the LPDDR4
input supply.
The recommended setting for the OV OTP threshold is 4.5%.
The recommended setting for the UV OTP threshold is –4.5%.

4.5.4 VMON1 connections and settings for S32G2 applications


VMON1 is used to monitor the LDO2 regulator. The output voltage of these regulators is
set to 1.8 V.
The VMON1 of the VR5510 should monitor the PF5300 output. The VR5510 monitors the
discharge of the PF5300 output in the standby entry. The external discharge monitoring
should be enabled by setting the bit EXT_STBY_DISCH_OTP to 1.
The recommended setting for the OV OTP threshold is 6%.
The recommended setting for the UV OTP threshold is –4.5%.


[Figure 13 (image): LDO2_1V8 (1.8 V) through R626 (27.4 kΩ) to net LDO2_MON1, with R295 (22 kΩ) from LDO2_MON1 to GND.]

Figure 13. VMON1 connections

LDO2_MON1 is connected to the VMON1 input of the VR5510. A resistor divider is used to
set the monitor input voltage to 0.8 V.
Recommended setting for the OV OTP threshold is 5%.
Recommended setting for the UV OTP threshold is –5%.
Note: The resistors should be the 0.1% type.

4.5.5 VMON1 connections and settings for S32G3 applications


The VMON1 of the VR5510 should monitor the PF5300 output.
The recommended connections are shown in Figure 14.


[Figure 14 (image): PF5300 BUCK_SW to the S32G3 VDD rail, BUCK_FB to PMIC_SENSE, PGOOD to the VR5510 SYNC pin; VR5510 BUCK1_SW (1.8 V), BUCK1_FB, VCOREMON, LV_HVLDO_IN, HVLDO and VMON1.]

Figure 14. VMON1 connections for S32G3 applications

The VR5510 monitors the discharge of the PF5300 output in the standby
entry. The external discharge monitoring should be enabled by setting the bit
EXT_STBY_DISCH_OTP to 1.
The recommended setting for the OV OTP threshold is 6%.
The recommended setting for the UV OTP threshold is –4.5%.

4.5.6 VMON2 connections and settings


VMON2 is used to monitor the BUCK3 regulator. The output voltage of this regulator is
set to 1.1 V and is used to power the LPDDR4.


[Figure 15 (image): BUCK3_1V1 (1.1 V) through R627 (8.25 kΩ) to net BUCK3_VMON2, with R296 (22 kΩ) from BUCK3_VMON2 to GND.]

Figure 15. VMON2 connections

Recommended setting for the OV OTP threshold is 4.5%.
Recommended setting for the UV OTP threshold is –2.5%.
Note: The resistors should be 0.1% type.

4.5.7 VMON3 connections and settings


VMON3 is used to monitor the VPRE regulator. The output voltage of this regulator is
set to 3.3 V.

[Figure 16 (image): VPRE_3V3 (3.3 V) through R628 (68.1 kΩ) to net VPRE_MON3, with R297 (22 kΩ) from VPRE_MON3 to GND.]

Figure 16. VMON3 connections

Recommended setting for the OV OTP threshold is 6%.
Recommended setting for the UV OTP threshold is –4.5%.
Note: The resistors should be 0.1% type.

4.5.8 VMON4 connections and settings


VMON4 is used to monitor the LDO1 regulator. The output voltage of this regulator is
set to 1.8 V.

[Figure 17 (image): LDO1_1V8 (1.8 V) through R621 (27.4 kΩ) to net LDO1_MON4, with R287 (22 kΩ) from LDO1_MON4 to GND.]

Figure 17. VMON4 connections

Recommended setting for the OV OTP threshold is 5%.
Recommended setting for the UV OTP threshold is –5%.
Note: The resistors should be 0.1% type.
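Added example (not from the application note): the C below takes the divider values of Figures 13, 15, 16 and 17 and the OTP thresholds of Table 1 and computes where each of VMON1 to VMON4 actually trips, referred to the regulator output, when the resistors sit at their tolerance limits. It assumes the OTP percentages are applied to the 0.8 V monitor reference; the struct and function names are the example's own.

```c
#include <stdio.h>

/* Monitor input target set by the dividers (Section 4.5.4). This example
 * assumes the OV/UV OTP percentages are applied to this 0.8 V reference. */
#define VMON_REF_V 0.8

typedef struct {
    const char *name;
    const char *regulator;
    double v_nom;    /* regulator nominal output, V */
    double r_top;    /* resistor from regulator output to VMONx, ohm */
    double r_bot;    /* resistor from VMONx to GND, ohm */
    double uv_pct;   /* UV OTP threshold, percent (negative) */
    double ov_pct;   /* OV OTP threshold, percent */
} vmon_t;

/* Divider values from Figures 13, 15, 16 and 17; thresholds from Table 1. */
const vmon_t rdb_monitors[] = {
    { "VMON1", "LDO2",  1.8, 27400.0, 22000.0, -5.0, 5.0 },
    { "VMON2", "BUCK3", 1.1,  8250.0, 22000.0, -2.5, 4.5 },
    { "VMON3", "VPRE",  3.3, 68100.0, 22000.0, -4.5, 6.0 },
    { "VMON4", "LDO1",  1.8, 27400.0, 22000.0, -5.0, 5.0 },
};
#define RDB_MONITOR_COUNT (sizeof rdb_monitors / sizeof rdb_monitors[0])

/* Fraction of the regulator voltage reaching the monitor pin when the two
 * resistors deviate by dev_top and dev_bot (fractions, e.g. 0.001 = +0.1 %). */
static double divider_ratio(const vmon_t *m, double dev_top, double dev_bot)
{
    double rt = m->r_top * (1.0 + dev_top);
    double rb = m->r_bot * (1.0 + dev_bot);
    return rb / (rt + rb);
}

/* Regulator voltage, as percent deviation from nominal, at which a threshold
 * of thr_pct on the 0.8 V reference trips for the given divider ratio. */
static double trip_pct(const vmon_t *m, double thr_pct, double ratio)
{
    double v_trip = VMON_REF_V * (1.0 + thr_pct / 100.0) / ratio;
    return (v_trip / m->v_nom - 1.0) * 100.0;
}

typedef struct {
    double earliest_pct; /* trip closest to nominal: narrows the working band   */
    double latest_pct;   /* trip furthest from nominal: delays fault detection  */
} trip_band_t;

/* UV trip band over resistor tolerance tol (fraction). A low ratio makes the
 * monitor see less voltage, so UV trips earliest with r_top high and r_bot
 * low; the opposite corner trips latest. */
trip_band_t uv_trip_band(const vmon_t *m, double tol)
{
    trip_band_t b;
    b.earliest_pct = trip_pct(m, m->uv_pct, divider_ratio(m, +tol, -tol));
    b.latest_pct   = trip_pct(m, m->uv_pct, divider_ratio(m, -tol, +tol));
    return b;
}

/* OV trip band: a high ratio makes the monitor see more voltage, so OV trips
 * earliest with r_top low and r_bot high. */
trip_band_t ov_trip_band(const vmon_t *m, double tol)
{
    trip_band_t b;
    b.earliest_pct = trip_pct(m, m->ov_pct, divider_ratio(m, -tol, +tol));
    b.latest_pct   = trip_pct(m, m->ov_pct, divider_ratio(m, +tol, -tol));
    return b;
}

int main(void)
{
    const double tols[] = { 0.0, 0.001, 0.01 };  /* ideal, 0.1 % and 1 % resistors */
    for (size_t i = 0; i < RDB_MONITOR_COUNT; i++) {
        const vmon_t *m = &rdb_monitors[i];
        printf("%s on %s %.1f V, OTP UV %+.1f%% / OV %+.1f%%\n",
               m->name, m->regulator, m->v_nom, m->uv_pct, m->ov_pct);
        for (size_t t = 0; t < sizeof tols / sizeof tols[0]; t++) {
            trip_band_t uv = uv_trip_band(m, tols[t]);
            trip_band_t ov = ov_trip_band(m, tols[t]);
            printf("  %4.1f%% resistors: UV trips at %+.2f%% .. %+.2f%%, "
                   "OV trips at %+.2f%% .. %+.2f%%\n", tols[t] * 100.0,
                   uv.earliest_pct, uv.latest_pct, ov.earliest_pct, ov.latest_pct);
        }
    }
    return 0;
}
```

With 1% resistors the VMON2 UV trip moves from −2.5% to about −1.96% in the worst corner, which is why the note asks for 0.1% parts on the dividers.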


4.5.9 VDDIOMON connection and settings


VDDIOMON is used to monitor the LDO3 regulator. The output voltage of this regulator
is set to 3.3 V.
There is no external resistor divider needed for this monitor. The voltage is set internally
by OTP.
Recommended setting for the OV OTP threshold is 5%.
Recommended setting for the UV OTP threshold is –5%.
Note: The resistors should be 0.1% type.

4.5.10 HVLDOMON connection and settings (not S32G3)


HVLDOMON is used to monitor the HVLDO regulator. The output voltage of this regulator
is 0.8 V.
There is no external resistor divider needed for this monitor. The voltage is set internally
by OTP.
In normal cases, this monitor checks that the HVLDO is working (ON/OFF in switch
mode). It does not monitor the voltage precisely because the voltage is already being
monitored by VCOREMON.
Recommended setting for the OV OTP threshold is 7%.
Recommended setting for the UV OTP threshold is 7%.
For the S32G3 solution, the HVLDOMON is disabled by OTP.

5 Modes of Operation

5.1 S32G and VR5510 startup sequence


When leaving an unpowered state, it is assumed that the S32G is held in the power
on reset (POR) state by the VR5510 until the safety related power supply rails have
stabilized in the normal operating range of the S32G. The correct monitoring ranges must
be configured by OTP.
Unpowered state here also refers to standby mode, where only the standby domain
remains powered. Exiting from standby mode is similar to exiting a completely
unpowered state in that the S32G must remain in POR state until all of the chip's main
operating power supplies have stabilized.


5.1.1 Startup flow diagram


Figure 18. Startup flow diagram (flowchart image not reproduced; the steps below are transcribed from the figure text)
VR5510 side: supplies stable, RSTB and POR_b released (OFF Mode FS, RSTB release) -> LBIST_OK == 1? (an LBIST failure prevents the release of the FS0B pin) -> ABIST1_OK == 1? (an ABIST1 failure prevents the release of the FS0B pin) -> INIT_FS window (possibility to go back to OFF Mode FS by I2C and restart the device): write all INIT_FS registers with the Reg/Reg_NOT procedure, assign Vregx to ABIST2, configure SVS if needed; close INIT_FS with 1x good WD refresh -> ABIST2_OK == 1? (ABIST2 is optional; an ABIST2 failure prevents the release of the FS0B pin; possibility to go back to INIT_FS by I2C and remove the failing regulator from the ABIST2 list) -> decrease FLT_ERR_CNT to '0' with WD_ERR_LIMIT good WD refresh -> release FS0B with FS_RELEASE_FS0B[23.8] = NOT_WD_SEED[8.23] -> RUNTIME: Normal Operation, WD refresh required; FCCU fault handler with transparent recovery or local recovery (FCCU alarm state, R1).
S32G side: HSE BOOT (upload image to the HSE core from off-chip Flash; LBIST, MBIST on POR only, if configured; application SW start) -> BOOT to Safety (configure/recover safety mechanisms, test safety configuration/mechanisms, select operating mode, enable safety function): i) configure VR5510 FS, ii) configure FCCU error out to OK, iii) end INIT_FS (refresh WDG), iv) reduce watchdog fault error count to 0, v) release FS0B, vi) safety function start -> start full application/safety function.
aaa-040950

The VR5510 and S32G are held in reset until the supply voltages are stable and within
the safe operating range of the S32G.

5.1.2 VR5510 LBIST and ABIST


The VR5510's Fail-safe state machine includes a Logical Built-in Self-Test (LBIST) to
verify the correct functionality of the safety monitoring logic. The LBIST is performed after
each POR, or after each wake up from Standby. If the LBIST fails, RSTB and PGOOD
are released but FS0B remains stuck low and cannot be released.
The flag LBIST_PASS (FS_DIAG_SAFETY register) is available through I2C for MCU
diagnostics.
The VR5510's Fail-safe state machine includes two Analog Built-in Self-Tests (ABIST)
to verify the correct functionality of the safety analog monitoring. ABIST1 is executed
automatically after each POR, or after each wake up from Standby. Which regulator gets
checked during ABIST1 is determined by OTP. ABIST2 is executed by an I2C request
after the INIT_FS phase. If one or both ABISTs fail, RSTB and PGOOD are released but
FS0B remains stuck low and cannot be released.
The flags ABIST1_OK and ABIST2_OK (both in the FS_DIAG_SAFETY register) are
available through I2C for MCU diagnostics.


5.1.3 S32G LBIST and MBIST


Following a POR sequence, LBIST and MBIST are available on the S32G as part of the
initial BOOT sequence. The tests are optional and must be configured if required. MBIST
and LBIST are implemented in multiple partitions and run in parallel. Only validated
sequences of MBIST and LBIST tests can be run. See the S32G RM self-test control unit
section, which details the validated sequences.
Following the completion of the configured test sequences, a destructive reset is carried
out. Indication of the fault status of the LBIST and MBIST following the reset execution
is also configurable. Possible reactions include a further reset or fault indication on the
ERROUT pins. No indication of faults is a valid configuration, which assumes that the
handling of any faults detected by the test sequences is carried out by software.

5.1.4 RSTB release, S32G startup


It is assumed that the RESET_B input of the S32G is held low by the VR5510 until the
power supplies have stabilized. This prevents a glitch on the pin (RESET_B is also an
output) from indicating to the rest of the system that the chip is out of reset when it is not.

5.1.5 INIT_FS in VR5510


When the ABIST1 of the VR5510 is completed, the device reaches the initialization stage
(INIT_FS). The RSTB and PGOOD pins are released and the initialization phase of the
device is opened. The initialization duration is a programmable window based on the
WD_INIT_TIMEOUT_OTP[1:0] bit field (CFG_2_OTP register).
During the initialization, the S32G can modify some default functions of the VR5510,
such as Watchdog, OV/UV impacts, ABIST2, FCCU monitoring, SVS, and Fail-safe State
Machine settings.

5.1.6 Entry to runtime normal operation


Once the software is started in the Boot to Safety phase, the S32G configures the safety
features on both the MCU and the VR5510.
Before entering normal operation, the S32G must carry out the following steps in the
order shown:
1. Configure the FCCU error out state to ‘no fault’
2. End the INIT_FS state by a first good watchdog refresh. This refresh must be sent
before the initialization duration expires.
3. Request the release of the FS0B output
Refer to VR5510 datasheet for more details on FS0B release.
When all these actions have been completed, the system can enter normal operation
phase and execute the application safety function.
The first good watchdog refresh closes the INIT_FS. This refresh must be sent before the
initialization duration expires.

5.1.7 Disabling watchdog and FCCU on INIT_FS


On the VR5510, the watchdog can only be disabled during the INIT_FS via I2C.


To disable the watchdog, modify the watchdog window period configuration bits of the
FS_WD_WINDOW register. WD_WINDOW[3:0] must be set to 0x00 and the opposite
data must be written in the NOT_WD_WINDOW[3:0] bits of the FS_NOT_WD_WINDOW
register. Write the following commands:
FS_WD_WINDOW=0x020B // Disable watchdog
FS_NOT_WD_WINDOW=0xFDF4
When the device exits the INIT_FS state, FCCU monitoring starts. To avoid a fault
coming from the S32G, the FCCU pins must be put in the correct state, or FCCU monitoring
must be disabled. FCCU monitoring can be disabled with the FCCU_CFG[1:0] bits of the
FS_I_SAFE_INPUTS register. Write the following commands:
FS_I_SAFE_INPUTS=0x01CA // Disable FCCU monitoring
FS_I_NOT_SAFE_INPUTS=0xFE35
A good watchdog refresh is needed to exit the INIT_FS state. The good answer must be
written in the WD_ANSWER[15:0] bit field of the FS_WD_ANSWER register. Write one of the
following commands:
FS_WD_ANSWER=0xA54D // Challenger watchdog refresh
FS_WD_ANSWER=0x5AB2 // Simple watchdog refresh
The complete list of commands is:
FS_WD_WINDOW=0x020B // Disable watchdog
FS_NOT_WD_WINDOW=0xFDF4
FS_I_SAFE_INPUTS=0x01CA
FS_I_NOT_SAFE_INPUTS=0xFE35
FS_WD_ANSWER=0xA54D or FS_WD_ANSWER=0x5AB2 // Good watchdog refresh to exit INIT_FS
The watchdog refresh that exits the INIT_FS state must be written before
WD_INIT_TIMEOUT expires. The value of this timer is configurable by OTP with the
WD_INIT_TIMEOUT_OTP[1:0] bits of the CFG_2_OTP register. For the S32G OTP, this
timer is 1024 ms.
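The Reg/Reg_NOT procedure used for the INIT_FS writes above (a fail-safe register and its NOT_ companion carry a 16-bit value and its exact bitwise complement) is easy to get wrong by hand, and a wrong pair silently leaves a safety setting unchanged. The following is an added example, not NXP code and not a VR5510 driver: it builds the command sequence listed in this section with the complements computed rather than typed, re-validates a sequence before it would be sent, and checks the closing watchdog refresh against the 1024 ms INIT_FS window. The register values are the ones given in this note; the register pairing table, the function names and the `check_sequence` validation rules are this example's own assumptions. No I2C traffic is generated; the result is the ordered list of (register, value) writes a driver would issue.

```python
"""Reg/Reg_NOT write sequence for closing the VR5510 INIT_FS phase.

Added example, not NXP code. Register values come from the application
note; the pairing table, helper names and validation rules are assumptions
of this example.
"""

MASK16 = 0xFFFF
WD_INIT_TIMEOUT_MS = 1024  # INIT_FS window for the S32G OTP, as stated in the note

# Fail-safe registers written with the Reg/Reg_NOT procedure (pairs named in the note).
NOT_REGISTER = {
    "FS_WD_WINDOW": "FS_NOT_WD_WINDOW",
    "FS_I_SAFE_INPUTS": "FS_I_NOT_SAFE_INPUTS",
}

# Good watchdog answers quoted in the note for closing INIT_FS.
WD_ANSWER_CHALLENGER = 0xA54D
WD_ANSWER_SIMPLE = 0x5AB2


def complement16(value):
    """Bitwise complement of a 16-bit register value."""
    if not 0 <= value <= MASK16:
        raise ValueError("register values are 16-bit: 0x%X" % value)
    return value ^ MASK16


def reg_pair(register, value):
    """The two writes for one Reg/Reg_NOT register: REG=value, NOT_REG=~value."""
    return [(register, value), (NOT_REGISTER[register], complement16(value))]


def pair_consistent(value, not_value):
    """True when NOT_REG holds the exact complement of REG."""
    return (value ^ not_value) & MASK16 == MASK16


def init_fs_disable_sequence(challenger=True):
    """Writes from this note: disable the watchdog window, disable FCCU
    monitoring, then one good watchdog answer that closes INIT_FS."""
    seq = []
    seq += reg_pair("FS_WD_WINDOW", 0x020B)      # WD_WINDOW[3:0] = 0 disables the watchdog
    seq += reg_pair("FS_I_SAFE_INPUTS", 0x01CA)  # FCCU_CFG[1:0] disables FCCU monitoring
    seq.append(("FS_WD_ANSWER",
                WD_ANSWER_CHALLENGER if challenger else WD_ANSWER_SIMPLE))
    return seq


def check_sequence(seq):
    """Re-validate a sequence before sending it (this example's own rules):
    every paired register must be immediately followed by its NOT_ register
    holding the complement, and the sequence must end with a watchdog answer.
    Returns a list of problem descriptions; empty means the sequence is sound."""
    problems = []
    i = 0
    while i < len(seq):
        reg, val = seq[i]
        if reg in NOT_REGISTER:
            nxt = seq[i + 1] if i + 1 < len(seq) else None
            if nxt is None or nxt[0] != NOT_REGISTER[reg]:
                problems.append("%s not followed by %s" % (reg, NOT_REGISTER[reg]))
            elif not pair_consistent(val, nxt[1]):
                problems.append("%s/%s are not complements: 0x%04X/0x%04X"
                                % (reg, nxt[0], val, nxt[1]))
            i += 2
        else:
            i += 1
    if not seq or seq[-1][0] != "FS_WD_ANSWER":
        problems.append("sequence does not end with a watchdog answer")
    return problems


def init_fs_deadline_ok(elapsed_ms, timeout_ms=WD_INIT_TIMEOUT_MS):
    """The closing watchdog refresh must be sent before WD_INIT_TIMEOUT expires."""
    return elapsed_ms < timeout_ms


if __name__ == "__main__":
    for reg, val in init_fs_disable_sequence():
        print("%-22s = 0x%04X" % (reg, val))
    print("problems:", check_sequence(init_fs_disable_sequence()))
```

Running the block prints the five writes from this section, with 0xFDF4 and 0xFE35 produced by `complement16` rather than copied. Feeding `check_sequence` a sequence whose NOT_ value is off by one bit reports the mismatch, which is the kind of check worth running on any hand-maintained register table before it reaches the PMIC.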

5.2 Runtime mode: WD refresh, FCCU monitoring safety output


In runtime, the safety context of the S32G for the safety function—the safety mechanisms
identified as necessary in the FMEDA—has been configured and tested, and the safety
function is being executed.
A key part of the safety context is the configuration of the fault collection and control unit
for each indicated fault from the configured safety mechanisms. Reactions can be:
• Alarm state software recovery – faults that do not lead to the violation of a safety goal
immediately can be handled by an interrupt service routine that allows the application
to attempt to fix the issue without resetting the S32G and returning it to normal
operation within a configured time. In this case, the fault is typically not indicated to the
VR5510.
• Fault state software recovery – allows application software to determine the source
of the fault and save the information before requesting a reset to recover the safety
context in an NMI handler. In this case, the fault is usually indicated to the VR5510 prior
to the reset.
• Fault state hardware recovery – faults that lead to an immediate hardware reset without
any software execution. The fault is indicated to the VR5510.
In runtime, the watchdog refresh is normally carried out by the master safety core
(Cortex-M7 core 0) over the I2C interface. This is done to ensure that the master safety
core is operating correctly and is able to react to faults reliably.

5.3 Safe state, safety reaction


The S32G is in a safe-state when it is unpowered, is indicating a fault externally, and/or is
in reset.
While the S32G is indicating a fault on its error out or reset pins, the VR5510 must be
configured to provide a safe-state transition signal to ensure the system is in a safe-state
in the presence of a fault in the S32G.
Where the reaction to a fault is a reset, the safe state is transitional and the safety
function restarts as a result of the reset.

5.3.1 Fault error counter


The VR5510 integrates a configurable Fault Error Counter that counts the number of
faults related to the device itself and the faults caused by external events.
The fault error counter starts at level 1 after a POR or after resuming from Standby.
The final value of the fault error counter is used to transition into Deep Fail-safe mode.
The maximum value of this counter is configurable between two and twelve with the
FLT_ERR_CNT_LIMIT[1:0] bits during the INIT_FS phase.
The fault error counter has two output values: Intermediate and Final. The intermediate
value can be used to force the FS0B activation or generate a RSTB pulse in addition to
the FS0B activation according to the FLT_ERR_IMPACT[1:0] register configuration.

5.3.2 VR5510 Deep Fail-safe state


The Deep Fail-safe state is part of the Main state machine.
If a VPRE_FB_OV or a Temperature Shutdown detection occurs on an enabled regulator
or if the Fail-safe state machine issues a Deep Fail-safe request (DFS = 1), the device
halts operation and goes directly to DEEP-FS mode without initiating the power-down
sequence.
The device exits Deep Fail-safe mode toward the state 'Wake from DEEP_FS' when the
PWRON1 pin is set to zero. The VR5510 also exits Deep Fail-safe when the auto-retry is
enabled.
The default configuration for the S32G enables the auto-retry timeout feature. The device
exits Deep Fail-safe mode after four seconds and the number of auto-retries is unlimited.
This configuration can be modified by OTP. The auto-retry can be disabled with the
AUTORETRY_EN_OTP bit in the CFG_SM_2_OTP register. The timeout can be configured
as either 4 seconds or 100 ms with the AUTORETRY_TIMEOUT_OTP bit in the
CFG_CLOCK_3_OTP register. The number of auto-retries can be set to 15 or unlimited with
the AUTORETRY_INFINITE_OTP bit in the CFG_SM_2_OTP register.
The device restarts when VSUP > VSUP_UVH and PWRON1 > PWRON1VIH.

5.4 Shutdown/standby
The system shutdown or standby entry may include hardware mechanism self test
routines on the S32G chip under software control (typically using error injection). Those
tests should be carried out in a safe-state, which requires the S32G to indicate a fault on
the error out pins of the FCCU.

5.4.1 Shutdown flow diagram

Figure 19. Shutdown flow diagram (flowchart image not reproduced; the steps below are transcribed from the figure text)
VR5510 side: OFF Mode FS, RSTB release -> LBIST_OK == 1? (an LBIST failure prevents the release of the FS0B pin) -> ABIST1_OK == 1? (an ABIST1 failure prevents the release of the FS0B pin) -> INIT_FS window (possibility to go back to OFF Mode FS by I2C and restart the device; default max. 1024 ms in INIT_FS): write all INIT_FS registers with the Reg/Reg_NOT procedure, assign Vregx to ABIST2, configure SVS if needed; close INIT_FS with 1x good WD refresh -> ABIST2_OK == 1? (ABIST2 is optional; an ABIST2 failure prevents the release of the FS0B pin; possibility to go back to INIT_FS by I2C and remove the failing regulator from the ABIST2 list) -> decrease FLT_ERR_CNT to '0' with WD_ERR_LIMIT good WD refresh -> release FS0B with FS_RELEASE_FS0B[23.8] = NOT_WD_SEED[8.23] -> RUNTIME: Normal Operation, WD refresh required; FCCU fault handler with transparent recovery or local recovery (FCCU alarm state, R1).
S32G side: RUNTIME, start full application/safety function -> i) request VR5510 INIT_FS entry -> ii) elective shutdown/standby entry request -> Shutdown (Standby): FCCU error out to 'not fault-free', shutdown check, results to NVM -> iii) request shutdown/standby.
aaa-040946

Prior to initiating shutdown tests on the S32G, a request must be sent to the VR5510 to
enter its INIT_FS state. This prevents the VR5510 from reacting to an error out indication
from the S32G and subsequently forcing the S32G into a reset.
Once the VR5510 is in its INIT_FS state, the default time threshold to be in that state
is 1024 ms and all tests must be complete before that time. At the end of that time, the
VR5510 forces a system reset.
Once tests are complete, the S32G requests the VR5510 to shutdown or enter standby
mode. For more details on standby mode entry, see Section 7 "Standby mode".


6 Fault impact configuration


In normal operation, FS0B and RSTB are released. The impact of each fault on the
PGOOD, RSTB, and FS0B pins can be configured. Faults that are configured to assert
RSTB and FS0B increment the fault error counter.
If RSTB and FS0B are not asserted by a fault, the fault counter is not incremented. In
that case, only the flags are available for MCU diagnostics.
If a fault is present for a longer time (RSTB always asserted), the 8-second timer initiates.
Once the 8-second timer expires, the VR5510 transitions into Deep Fail-safe state.
Table 3. Fail-safe fault list and reaction [1]

Apps related Fail-safe faults | FLT_ERR_CNT increment | FS0B assertion | RSTB assertion | PGOOD assertion
VCOREMON_OV | +1 | VCOREMON_OV_FS_IMPACT | VCOREMON_OV_FS_IMPACT | OTP config
VDDIO_OV | +1 | VDDIO_OV_FS_IMPACT | VDDIO_OV_FS_IMPACT | OTP config
HVLDO_OV | +1 | HVLDO_VMON_OV_FS_IMPACT | HVLDO_VMON_OV_FS_IMPACT | OTP config
VMONx_OV | +1 | VMONX_OV_FS_IMPACT | VMONX_OV_FS_IMPACT | OTP config
VCOREMON_UV | +1 | VCOREMON_UV_FS_IMPACT | VCOREMON_UV_FS_IMPACT | OTP config
VDDIO_UV | +1 | VDDIO_UV_FS_IMPACT | VDDIO_UV_FS_IMPACT | OTP config
HVLDO_UV | +1 | HVLDO_VMON_UV_FS_IMPACT | HVLDO_VMON_UV_FS_IMPACT | OTP config
VMONx_UV | +1 | VMONX_UV_FS_IMPACT | VMONX_UV_FS_IMPACT | OTP config
FCCU12 (pair) | +1 | FCCU12_FS_IMPACT | FCCU12_FS_IMPACT | No
FCCU1 (single) | +1 | FCCU1_FS_IMPACT | FCCU1_FS_IMPACT | No
FCCU2 (single) | +1 | FCCU2_FS_IMPACT | FCCU2_FS_IMPACT | No
WD error counter = max value | +1 | WD_FS_IMPACT | WD_FS_IMPACT | No
Fault Error Counter impact at intermediate value | No | FLT_ERR_IMPACT | FLT_ERR_IMPACT | No
Wrong WD refresh in INIT_FS | +1 | Yes | Yes | No
No WD refresh in INIT_FS | +1 | Yes | Yes | No
External RESET (out of extended RSTB) | +1 | No | Yes (low externally) | No
RSTB pulse request by MCU | No | No | Yes | No
RSTB Short to high | +1 | Yes | No (high externally) | No
FS0B Short to high | +1 | No (high externally) | BACKUP_SAFETY_PATH | No
FS0B request by the MCU | No | Yes | No | No
Standby Timer Window error | +1 | No | Yes | No
REG_CORRUPT = 1 | +1 | Yes | No | No
OTP_CORRUPT = 1 | +1 | Yes | No | No
GOTO_INITFS request by MCU | No | Yes | No | No

[1] Orange cells in the original table indicate that the reaction is not configurable; in the text version above these are the Yes/No entries. Green cells indicate that the reaction is configurable, by OTP for PGOOD and by I2C for RSTB/FS0B during INIT_FS; above these are the entries naming the configuring bit field or marked "OTP config".


If RSTB2PGOOD_OTP = 0, RSTB and PGOOD pins work independently according to
the table above. If RSTB2PGOOD_OTP = 1 (default configuration for S32G), RSTB and
PGOOD pins work concurrently and all the faults asserting RSTB also assert PGOOD
except when an external RSTB or an external RESET is detected.
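The rules of this section and of Section 5.3.1 (which faults increment FLT_ERR_CNT, which reactions are fixed versus configurable, how RSTB2PGOOD_OTP couples PGOOD to RSTB, and when the counter limit sends the VR5510 to Deep Fail-safe) are the kind of thing a safety reviewer wants to check mechanically against a proposed OTP/INIT_FS configuration. The following is an added example, not NXP code: it encodes a subset of Table 3 as data, resolves the pin reaction and counter increment for a fault under a given configuration, and tracks the fault error counter from its power-on value of 1 to the configured limit. Assumptions of this example: each *_FS_IMPACT setting is represented as an (assert FS0B, assert RSTB) pair, a simplification of the real bit-field encoding; the fault names are keys chosen here; and the "FS0B Short to high" row is left out because its BACKUP_SAFETY_PATH behaviour is not described in this note.

```python
"""Resolve VR5510 fault reactions from Table 3 and track the fault error counter.

Added example, not NXP code. Table rows and the RSTB2PGOOD_OTP rule come from
the application note; the (fs0b, rstb) representation of *_FS_IMPACT settings
and the fault names are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reaction:
    fs0b: bool
    rstb: bool
    pgood: bool
    flt_err_cnt_increment: int


# Table 3 rows: (FS0B, RSTB, PGOOD, FLT_ERR_CNT increment). A string names the
# configurable impact field; "OTP" means PGOOD is selected by OTP; True/False is fixed.
TABLE3 = {
    "VCOREMON_OV": ("VCOREMON_OV_FS_IMPACT", "VCOREMON_OV_FS_IMPACT", "OTP", 1),
    "VCOREMON_UV": ("VCOREMON_UV_FS_IMPACT", "VCOREMON_UV_FS_IMPACT", "OTP", 1),
    "VDDIO_UV": ("VDDIO_UV_FS_IMPACT", "VDDIO_UV_FS_IMPACT", "OTP", 1),
    "VMONx_UV": ("VMONX_UV_FS_IMPACT", "VMONX_UV_FS_IMPACT", "OTP", 1),
    "FCCU12": ("FCCU12_FS_IMPACT", "FCCU12_FS_IMPACT", False, 1),
    "WD_ERR_CNT_MAX": ("WD_FS_IMPACT", "WD_FS_IMPACT", False, 1),
    "FLT_ERR_CNT_INTERMEDIATE": ("FLT_ERR_IMPACT", "FLT_ERR_IMPACT", False, 0),
    "WRONG_WD_REFRESH_INIT_FS": (True, True, False, 1),
    "NO_WD_REFRESH_INIT_FS": (True, True, False, 1),
    "EXTERNAL_RESET": (False, True, False, 1),       # RSTB driven low externally
    "RSTB_PULSE_BY_MCU": (False, True, False, 0),
    "RSTB_SHORT_TO_HIGH": (True, False, False, 1),   # RSTB held high externally
    "FS0B_REQUEST_BY_MCU": (True, False, False, 0),
    "STANDBY_TIMER_WINDOW_ERROR": (False, True, False, 1),
    "REG_CORRUPT": (True, False, False, 1),
    "OTP_CORRUPT": (True, False, False, 1),
    "GOTO_INITFS_BY_MCU": (True, False, False, 0),
}

# Faults exempt from the RSTB -> PGOOD coupling (external RSTB / external RESET).
EXTERNALLY_DRIVEN_RSTB = {"EXTERNAL_RESET", "RSTB_SHORT_TO_HIGH"}


def resolve(fault, impact_cfg, pgood_otp, rstb2pgood_otp=True):
    """Pin reactions and counter increment for one fault under a configuration.

    impact_cfg: {impact_field: (assert_fs0b, assert_rstb)} chosen during INIT_FS
    pgood_otp:  {fault: bool} PGOOD reaction chosen by OTP for the 'OTP config' rows
    """
    fs0b_spec, rstb_spec, pgood_spec, inc = TABLE3[fault]
    fs0b = impact_cfg[fs0b_spec][0] if isinstance(fs0b_spec, str) else fs0b_spec
    rstb = impact_cfg[rstb_spec][1] if isinstance(rstb_spec, str) else rstb_spec
    pgood = pgood_otp.get(fault, False) if pgood_spec == "OTP" else pgood_spec
    # RSTB2PGOOD_OTP = 1 (S32G default): RSTB also asserts PGOOD, except external RSTB/RESET.
    if rstb2pgood_otp and rstb and fault not in EXTERNALLY_DRIVEN_RSTB:
        pgood = True
    # A fault whose configured reaction asserts neither RSTB nor FS0B is not counted.
    increment = inc if (fs0b or rstb) else 0
    return Reaction(fs0b, rstb, pgood, increment)


class FaultErrorCounter:
    """FLT_ERR_CNT as described in Section 5.3.1: level 1 after POR or standby
    exit; the limit (FLT_ERR_CNT_LIMIT, 2..12, set during INIT_FS) is the final
    value that requests Deep Fail-safe."""

    def __init__(self, limit):
        if not 2 <= limit <= 12:
            raise ValueError("FLT_ERR_CNT_LIMIT must be between 2 and 12")
        self.limit = limit
        self.value = 1

    def apply(self, reaction):
        """Count a resolved fault; saturates at the limit."""
        self.value = min(self.limit, self.value + reaction.flt_err_cnt_increment)
        return self.value

    @property
    def deep_fail_safe(self):
        return self.value >= self.limit


if __name__ == "__main__":
    cfg = {"VCOREMON_OV_FS_IMPACT": (True, True)}
    counter = FaultErrorCounter(limit=3)
    for fault in ("VCOREMON_OV", "RSTB_PULSE_BY_MCU", "REG_CORRUPT"):
        r = resolve(fault, cfg, {}, rstb2pgood_otp=True)
        print(fault, r, "FLT_ERR_CNT ->", counter.apply(r))
    print("Deep Fail-safe requested:", counter.deep_fail_safe)
```

Two things the run makes visible: an MCU-requested RSTB pulse asserts PGOOD under the S32G default RSTB2PGOOD_OTP = 1 but does not count toward the limit, whereas an external RESET asserts RSTB without PGOOD and does count; and a monitor fault configured to assert neither pin contributes nothing to the counter, so a configuration review should look at every *_FS_IMPACT value, not just the table row.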

7 Standby mode

7.1 Standby description


In Standby mode, only a portion of the S32G is powered, and so, only some rails must be
supplied. PMIC regulators that are not necessary are disabled in Standby mode.
To enable standby requests, the PMIC_STBY_MODE_B pin of the S32G is connected
to the STBY pin of the VR5510. To communicate when Standby mode is entered and
exited, the PMIC_VDD_OK pin of the S32G must be connected to the STBY_PGOOD
pin of the VR5510.

7.2 Standby entry


Transition to the Standby mode from Run mode starts with the S32G.
Internal to the S32G, standby RAM is configured and a request is made for all activities
to cease. When all activities have ceased, the clocks running during shutdown are
configured and only then is standby mode entered. The S32G then requests the
transition of the PMIC to standby mode.
During the transition from Run mode to Standby mode, application software uses the I2C
module to communicate to the VR5510 that the transition of the device to Standby mode
is in progress. This communication is achieved by writing to the standby time window
register.
The PMIC only transitions to Standby mode with a valid STBY request coming from the
S32G. To enable this request, the PMIC_STBY_MODE_B pin of the S32G is connected
to the STBY pin of the VR5510.
The VR5510 and S32G applications provide a safe transition to Standby mode (OTP
enabled). The safe transition requires an I2C request followed by a STBY pin transition
before the TIMING_WINDOW_STBY timer expires.
If the TIMING_WINDOW_STBY expires, the RSTB pin is asserted.
Figure 20 shows the standby transition of the VR5510.


Figure 20. Standby entry

When the Safety Logic receives the VALID_STBY request, it sends the standby transition
request to the Main Logic and then turns off.
The Main Logic starts the STBY_TIMER. This timer prevents the device from getting
stuck in Standby mode. If the timer expires, the register STBY_TIMER_G reports a timer
expiration and the device goes into Off mode.
The Main Logic transitions to Standby mode by powering down the disabled regulators.
There is no power down sequencing for the disabled regulators when transitioning to
Standby mode.
In the VR5510, PF5300 and S32G3 applications, the PF5300 is powered off during
standby mode. Refer to AN12880, VR5510 low-power Standby mode for more details
about the standby mode.
The STBY_PGOOD function verifies that all the disabled regulators have an output
voltage below the programmed threshold. The STBY_PGOOD function indicates the
correct entry to Standby mode asserting STBY_PGOOD to its low level. The VR5510
uses dedicated pull-down resistors to discharge the regulators as quickly as possible.
PGOOD and RSTB are kept high during standby mode to avoid a reset of the S32G.
Both devices are now in Standby mode. The VR5510 waits for a wake up request from
the S32G.

7.3 Standby exit


Standby exit is requested from the S32G. In this case, only a STBY pin transition is
needed, and the PMIC transitions first from Standby mode to Normal mode.
Figure 21 shows the exit transition of VR5510.


Figure 21. Standby exit

When a valid standby exit request comes from the MCU, the STBY Timer is stopped
and the device is powered on. The power-on sequence is done by slots in the order
configured by OTP. In the S32G3 solution, the PF5300 will be powered on as configured
in the power-on sequence.
When the device reaches Normal mode and all the voltage regulators are correct, a
STBY_PGOOD pin transition to high level indicates that the standby exit transition has
been done correctly. The S32G then exits Standby mode.

7.4 Standby fault reaction


The VR5510 can detect two faults in Standby mode: Standby timer expiration or a POR
trigger.
In Standby mode, an active standby timer in the main logic prevents the system from
getting stuck in Standby mode. If the STBY timer expires, the device goes to Off mode
and the STBY_TIMER_G bit in the M_FLAG register is set to logic 1. The VR5510 powers
down completely, causing the S32G to also turn off. The following power-on sequence is
done by slots, as configured by OTP, so both devices undergo a complete reset.


In Normal and in Standby mode, the device monitors VSUP, VPRE, and VBOS.
If loss of VSUP (VSUP < VSUP_POR) or VPRE (VPRE < VPRE_POR) or VBOS
(VBOS < VBOS_POR) occurs, the system stops operation and goes directly to Off mode.
Refer to AN12880 for more examples and details on Standby mode.
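The standby handshake of Sections 7.2 to 7.4 has an ordering constraint and two timers, and it helps to see them as one state machine when reviewing the S32G-side sequence. The following is an added example, not NXP code and not a model supplied by NXP: it replays the rules stated in this note, namely that the PMIC enters Standby only on a valid request (an I2C standby-window write followed by the STBY pin transition before TIMING_WINDOW_STBY expires, otherwise RSTB is asserted), that the STBY timer in the main logic sends the device to Off mode and sets STBY_TIMER_G if it expires, and that a STBY pin transition from the S32G exits Standby with STBY_PGOOD returning high. The timer durations are parameters with placeholder defaults, since the note gives no values, and the event and state names are this example's own.

```python
"""Model of the VR5510 standby entry/exit handshake described in Section 7.

Added example, not NXP code. The ordering rules and flag names come from the
application note; the timer durations are placeholders and the state/event
names are assumptions of this example.
"""


class VR5510StandbyModel:
    NORMAL, WINDOW, STANDBY, OFF = "Normal", "StandbyWindow", "Standby", "Off"

    def __init__(self, timing_window_stby_ms=100, stby_timer_ms=60000):
        # Placeholder durations; the note does not state these values.
        self.timing_window_stby_ms = timing_window_stby_ms
        self.stby_timer_ms = stby_timer_ms
        self.state = self.NORMAL
        self.window_deadline = None   # TIMING_WINDOW_STBY expiry, when armed
        self.stby_deadline = None     # STBY_TIMER expiry, when armed
        self.rstb_asserted = False
        self.stby_pgood = True        # high in Normal mode
        self.stby_timer_g = 0         # STBY_TIMER_G bit of M_FLAG

    def advance_to(self, t_ms):
        """Expire any armed timer whose deadline is at or before t_ms."""
        if self.state == self.WINDOW and t_ms >= self.window_deadline:
            # STBY pin transition did not arrive inside the window: RSTB asserted.
            self.rstb_asserted = True
            self.state = self.NORMAL
            self.window_deadline = None
        if self.state == self.STANDBY and t_ms >= self.stby_deadline:
            # Stuck in Standby: STBY timer expiry sends the device to Off mode.
            self.stby_timer_g = 1
            self.state = self.OFF
            self.stby_deadline = None

    def i2c_standby_request(self, t_ms):
        """S32G writes the standby time window register over I2C."""
        self.advance_to(t_ms)
        if self.state != self.NORMAL:
            return False
        self.state = self.WINDOW
        self.window_deadline = t_ms + self.timing_window_stby_ms
        return True

    def stby_pin_transition(self, t_ms):
        """STBY pin edge driven by PMIC_STBY_MODE_B (entry or wake request)."""
        self.advance_to(t_ms)
        if self.state == self.WINDOW:
            # Valid request: I2C write came first and the window is still open.
            self.state = self.STANDBY
            self.window_deadline = None
            self.stby_deadline = t_ms + self.stby_timer_ms
            self.stby_pgood = False   # disabled regulators discharged, entry confirmed
            return True
        if self.state == self.STANDBY:
            # Wake: STBY timer stopped, power-on by OTP slots, STBY_PGOOD back high.
            self.state = self.NORMAL
            self.stby_deadline = None
            self.stby_pgood = True
            return True
        return False                  # pin edge without a prior I2C request: not valid


if __name__ == "__main__":
    pmic = VR5510StandbyModel(timing_window_stby_ms=100, stby_timer_ms=1000)
    print("pin edge without I2C request accepted:", pmic.stby_pin_transition(0))
    pmic.i2c_standby_request(10)
    print("entry accepted:", pmic.stby_pin_transition(50), pmic.state, "STBY_PGOOD high:", pmic.stby_pgood)
    print("exit accepted:", pmic.stby_pin_transition(500), pmic.state, "STBY_PGOOD high:", pmic.stby_pgood)
```

The model rejects a STBY pin edge that is not preceded by the I2C request, asserts RSTB when the pin edge misses the window, and reports the Off-mode outcome with STBY_TIMER_G set when the S32G never wakes the PMIC; those three paths are the ones a standby-entry test plan on the S32G side should exercise.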


8 Legal information

8.1 Definitions
Draft — A draft status on a document indicates that the content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included in a draft version of a document and shall have no liability for the consequences of use of such information.

8.2 Disclaimers
Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors.
In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.
Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors’ aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.
Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.
Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer’s own risk.
Applications — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.
Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer’s sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer’s applications and products planned, as well as for the planned application and use of customer’s third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products.
NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer’s applications or products, or the application or use by customer’s third party customer(s). Customer is responsible for doing all necessary testing for the customer’s applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer’s third party customer(s). NXP does not accept any liability in this respect.
Export control — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.
Translations — A non-English (translated) version of a document, including the legal information in that document, is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions.
Security — Customer understands that all NXP products may be subject to unidentified vulnerabilities or may support established security standards or specifications with known limitations. Customer is responsible for the design and operation of its applications and products throughout their lifecycles to reduce the effect of these vulnerabilities on customer’s applications and products. Customer’s responsibility also extends to other open and/or proprietary technologies supported by NXP products for use in customer’s applications. NXP accepts no liability for any vulnerability. Customer should regularly check security updates from NXP and follow up appropriately.
Customer shall select products with security features that best meet rules, regulations, and standards of the intended application and make the ultimate design decisions regarding its products and is solely responsible for compliance with all legal, regulatory, and security related requirements concerning its products, regardless of any information or support that may be provided by NXP.
NXP has a Product Security Incident Response Team (PSIRT) (reachable at PSIRT@nxp.com) that manages the investigation, reporting, and solution release to security vulnerabilities of NXP products.

8.3 Trademarks
Notice: All referenced brands, product names, service names, and
trademarks are the property of their respective owners.
NXP — wordmark and logo are trademarks of NXP B.V.
SafeAssure — is a trademark of NXP B.V.


Tables
Tab. 1. S32G-VNP-RDB2 voltage monitor setting/connections for the S32G2 and VR5510 solution ..... 15
Tab. 2. S32G-VNP-RDB2 voltage monitor setting/connections ..... 15
Tab. 3. Fail-safe fault list and reaction ..... 26

Figures
Fig. 1. S32G and VR5510 safety functions interface ..... 4
Fig. 2. VR5510 functional block diagram ..... 6
Fig. 3. PF5300 functional block diagram ..... 7
Fig. 4. VR5510 and S32G2 solution ..... 8
Fig. 5. VR5510, PF5300 and S32G3 power supply solution ..... 10
Fig. 6. FCCU bistable protocol ..... 11
Fig. 7. S32G-VNP-RDB2 hardware connections ..... 11
Fig. 8. Watchdog window error ..... 12
Fig. 9. Challenger watchdog formula ..... 12
Fig. 10. Watchdog error counter and refresh counter ..... 13
Fig. 11. Fault recovery strategy ..... 14
Fig. 12. VCOREMON recommended connections ..... 16
Fig. 13. VMON1 connections ..... 17
Fig. 14. VMON1 connections for S32G3 applications ..... 18
Fig. 15. VMON2 connections ..... 19
Fig. 16. VMON3 connections ..... 19
Fig. 17. VMON4 connections ..... 19
Fig. 18. Startup flow diagram ..... 21
Fig. 19. Shutdown flow diagram ..... 25
Fig. 20. Standby entry ..... 28
Fig. 21. Standby exit ..... 29


Contents

1 Introduction ......................................................... 3
2 S32G Overview ..................................................... 3
2.1 S32G application processor ............................... 3
2.2 S32G safety concept .......................................... 3
2.3 S32G/VR5510 safety interface overview ........... 3
2.3.1 Chip supplies and voltage supervision .............. 4
2.3.2 Communication interface and alive supervision .. 4
2.3.3 Reset control and supervision ........................... 4
2.3.4 S32G error supervision ..................................... 5
3 VR5510 and PF5300 Power Management IC ........ 6
3.1 VR5510 description ............................................ 6
3.2 VR5510 safety overview ..................................... 7
3.3 PF5300 description ............................................ 7
4 S32G and VR5510 Safety Functions ................... 8
4.1 Safety hardware connections for VR5510 and S32G2 .. 8
4.2 Safety hardware connections for VR5510, PF5300 and S32G3 solution .. 9
4.3 FCCU monitoring .............................................. 10
4.3.1 FCCU monitoring by pair ................................. 10
4.4 Watchdog ......................................................... 11
4.4.1 Simple Watchdog ............................................ 12
4.4.2 Challenger Watchdog ...................................... 12
4.4.3 Watchdog error counter ................................... 13
4.4.4 MCU fault recovery strategy ............................ 14
4.5 Voltage monitoring ........................................... 15
4.5.1 Voltage monitor connections ........................... 15
4.5.2 VCOREMON connection and settings for S32G2 applications .. 15
4.5.3 VCOREMON connection and settings for S32G3 applications .. 16
4.5.4 VMON1 connections and settings for S32G2 applications .. 16
4.5.5 VMON1 connections and settings for S32G3 applications .. 17
4.5.6 VMON2 connections and settings ................... 18
4.5.7 VMON3 connections and settings ................... 19
4.5.8 VMON4 connections and settings ................... 19
4.5.9 VDDIOMON connection and settings .............. 20
4.5.10 HVLDOMON connection and settings (not S32G3) .. 20
5 Modes of Operation ............................................ 20
5.1 S32G and VR5510 startup sequence ............... 20
5.1.1 Startup flow diagram ....................................... 21
5.1.2 VR5510 LBIST and ABIST .............................. 21
5.1.3 S32G LBIST and MBIST ................................. 22
5.1.4 RSTB release, S32G startup ........................... 22
5.1.5 INIT_FS in VR5510 ......................................... 22
5.1.6 Entry to runtime normal operation ................... 22
5.1.7 Disabling watchdog and FCCU on INIT_FS ..... 22
5.2 Runtime mode: WD refresh, FCCU monitoring safety output .. 23
5.3 Safe state, safety reaction ................................ 24
5.3.1 Fault error counter .......................................... 24
5.3.2 VR5510 Deep Fail-safe state .......................... 24
5.4 Shutdown/standby ............................................ 25
5.4.1 Shutdown flow diagram ................................... 25
6 Fault impact configuration .................................. 26
7 Standby mode ..................................................... 27
7.1 Standby description .......................................... 27
7.2 Standby entry ................................................... 27
7.3 Standby exit ..................................................... 28
7.4 Standby fault reaction ....................................... 29
8 Legal information ............................................... 31

Please be aware that important notices concerning this document and the product(s) described herein have been included in section 'Legal information'.

© 2022 NXP B.V. All rights reserved.


For more information, please visit: http://www.nxp.com
Date of release: 19 August 2022
Document identifier: AN13118