S32G VR5510 Safety Concept
Document information
Keywords: VR5510, PF5300, S32G2, S32G3, S32G, Safety, Monitoring, Fault management
Abstract: This document describes the safety concept of the S32G processor and the
VR5510 PMIC.
NXP Semiconductors
AN13118
S32G VR5510 Safety Concept
Revision history
Rev Date Description
v.3 20220819 • Inserted mandatory revision history into the document to conform with NXP document
content guidelines.
• Section 2.3, Figure 1, updated the image.
• Section 4.5.2, Figure 12, updated the image.
• Section 4.5.5, Figure 14, updated the image.
v.2 20220304 • Global changes:
– Performed minor grammatical and/or typographic corrections throughout.
– Revised the keywords in the Document information table.
– Removed the Revision history.
– Revised "S32G" to "S32G2" throughout.
– Included information for S32G3.
• Section 1, inserted second paragraph starting with "This application note.…"
• Section 2.1, revised the bullet "Automotive safety integrity level...."
• Section 2.3, Figure 1, updated the image.
• Section 2.3.1, inserted "This statement is valid for S32G2 and S32G3 applications" to
the end of the second paragraph.
• Section 3, inserted "and PF5300" in the section title.
• Section 3.3, inserted new section.
• Section 4, revised "S32G-VNP-RDB2" to "S32G-VNP-RDB3" in the first sentence.
• Section 4.1, inserted "for VR5510 and S32G2" in the section title, and revised the first
two paragraphs.
• Section 4.2, inserted new section.
• Section 4.3.1, Figure 6, revised the image.
• Section 4.5.1, revised the first paragraph, inserted a new paragraph after Table 1,
inserted Table 2, and inserted a note after the table.
• Section 4.5.2, inserted "for S32G2 applications" in the section title, revised "S32G" to
"S32G2" in the first paragraph, inserted three paragraphs to the end of the section.
• Section 4.5.3, inserted new section.
• Section 4.5.4, inserted "for S32G2 applications" in the section title, revised the
second paragraph, inserted two recommendations after the second paragraph, and
revised the image in Figure 13.
• Section 4.5.5, inserted new section.
• Section 4.5.10, inserted "(not S32G3)" in the section title, and inserted new paragraph
at the section end starting with "For the S32G3 solution.…"
• Section 7.2, inserted new paragraph starting with "In the VR5510, PF5300 and
S32G3 applications...."
• Section 7.3, inserted new sentence to the paragraph below Figure 21 that starts with
"In the S32G3 solution.…"
v.1 20210303 Initial version
AN13118 All information provided in this document is subject to legal disclaimers. © 2022 NXP B.V. All rights reserved.
1 Introduction
This application note describes the safety concepts related to the S32G processor and
the VR5510 PMIC. The document covers the S32G and VR5510 safety functions and
how they interact to ensure system-level coverage of the ASIL D safety integrity level.
This application note covers the VR5510 and PF5300 PMIC’s solution for the S32G3
applications. All the specific modifications and updates are described in Section 4.2.
2 S32G Overview
[Figure 1: S32G and VR5510 safety functions interface. Labels: vehicle supply, voltage
generation, core supply, other chip supplies, PMIC_Sense, voltage supervision, error
indication, error supervision, FCCU.]
S32G2 Yes No
• the VR5510 to force the S32G into a safe-state in the presence of a fault that could
lead to the violation of a safety goal
Whenever the VR5510 forces the S32G into a safe-state, it simultaneously indicates a
system safe-state that is independent of the S32G state indication.
These domains are electrically independent and physically isolated. The Fail-safe
domain is supplied by its own reference voltages and current, has its own oscillator, has
duplicated analog paths to minimize the common cause failures, and has LBIST/ABIST
to cover latent faults.
The application with the S32G3 processor includes the PF5300 PMIC in QM version. The
safety features are managed by the VR5510 PMIC. See Section 4.2 "Safety hardware
connections for VR5510, PF5300 and S32G3 solution" for more details about the
hardware connections.
• RSTB: Used to reset the application processor when needed. Reset can be requested
by the S32G or applied by the VR5510 when a fault occurs.
• PGOOD: Connected to the PORB pin of the S32G. Used to indicate that all power
outputs are correct.
• FS0B: Safety pin used to transition the system into a safe-state (can be connected to a
CAN PHY, for example).
• FCCU1/2: In charge of monitoring the S32G hardware error outputs. Bi-stable protocol
is used.
• Watchdog: Monitors software failures on the S32G.
• Standby connections
– STBY: This pin is internally connected to both domains (Main and Safety) on the
VR5510. The Safety domain manages the standby entry.
[Figure 5: VR5510, PF5300 and S32G3 power supply solution]
[Figure 6: FCCU bistable protocol. Signals FCCU1 and FCCU2 across the reset, normal,
error and config phases.]
The polarity of the FCCU fault signals is configurable with the FCCU12_FLT_POL bit during
the INIT_FS phase. By default, FCCU12_FLT_POL=0 (FCCU1=0 or FCCU2=1 level is a
fault).
When an FCCU fault is detected, there is a fail-safe reaction on RSTB and/or FS0B
according to the configuration. The reaction must be configured with the FCCU12_FS_IMPACT
bit during the INIT_FS phase.
The S32G-VNP-RDB2 hardware connections are shown in Figure 7.
[Figure 7: S32G-VNP-RDB2 hardware connections]
During the INIT_FS state, the S32G must properly configure the FCCU pin levels to avoid
a fault when the INIT_FS state is exited.
4.4 Watchdog
The VR5510 features a watchdog that must be refreshed periodically by the processor.
This requires a watchdog service routine from the S32G. The VR5510 can detect a
software failure on the S32G if the watchdog is not correctly refreshed.
Both the Simple and the Challenger watchdog are windowed watchdogs.
A good watchdog refresh is a correct watchdog response during the OPEN window. A
bad watchdog refresh is an incorrect watchdog response during the OPEN window, no
watchdog refresh during the OPEN window, or a correct watchdog response during the
CLOSED window.
After a good or a bad watchdog refresh, a new window period starts immediately so that
the MCU stays synchronized with the windowed watchdog.
Figure 8 shows the watchdog window error possibilities.
Figure 8. Watchdog window error (WD window period, with configurable duty cycle)
Watchdog answer (from MCU)   Closed window   Opened window
Bad data                     WD_failure      WD_failure
Good data                    WD_failure      WD_OK
None                         No issue        WD_failure
The duration of the watchdog window and the duty cycle are configurable.
In the VR5510, the watchdog can only be disabled during the initialization phase
INIT_FS. A good watchdog refresh is needed to close the INIT_FS even if the watchdog
has been disabled during this phase. If the watchdog has been disabled during the
INIT_FS phase, the watchdog disable takes effect once INIT_FS closes. If the watchdog
is enabled, the MCU must refresh the watchdog periodically.
Refer to the VR5510 datasheet for more details on INIT_FS and the watchdog.
[Figure 9: Challenger watchdog formula]
[Figure 10: Watchdog error counter and refresh counter, shown for WD_ERR_LIMIT = 00
and WD_RFR_LIMIT = 00]
The watchdog error counter is implemented in the device to filter an incorrect watchdog
refresh. Each time a watchdog failure occurs, the device increments this counter by two.
The watchdog error counter is decremented by one each time the watchdog is properly
refreshed. This principle ensures that a cyclic ’OK/NOK’ behavior converges on a failure
detection.
To allow flexibility in the application, the maximum value of this counter is configurable
with the WD_ERR_LIMIT[1:0] register during the INIT_FS phase.
The watchdog error counter can be read by the MCU for diagnostic purposes from the
WD_ERR_CNT[3:0] bitfield.
The watchdog refresh counter is used to decrement the fault error counter. Each time
the watchdog is properly refreshed, the watchdog refresh counter is incremented by
one. Each time the watchdog refresh counter reaches its maximum value (6 by default)
and if the next WD refresh is also good, the fault error counter is decremented by one.
Regardless of the current value of the watchdog refresh counter, each wrong watchdog
refresh resets the watchdog refresh counter to zero.
To allow flexibility in the application, the maximum value of this watchdog refresh counter
is configurable with the WD_RFR_LIMIT[1:0] register during the INIT_FS phase.
The watchdog refresh counter value can be read by the MCU for diagnostic purposes
with the WD_RFR_CNT[2:0] bits.
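The counter rules described above, as an added C model that is not NXP code: it classifies each refresh according to the Figure 8 matrix and applies the error-counter and refresh-counter rules, showing that a cyclic NOK/OK pattern reaches the limit. The numeric error limit, the floor at zero and the refresh-counter restart after a decrement are assumptions; the WD_ERR_LIMIT encoding is in the VR5510 datasheet, not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Window state and MCU answer, the two axes of the Figure 8 matrix. */
typedef enum { WIN_CLOSED, WIN_OPEN } wd_window_t;
typedef enum { ANS_NONE, ANS_BAD, ANS_GOOD } wd_answer_t;
typedef enum { WD_NO_EVENT, WD_OK, WD_FAILURE } wd_result_t;

typedef struct {
    uint8_t err_cnt;     /* watchdog error counter (WD_ERR_CNT) */
    uint8_t err_limit;   /* its maximum; caller-supplied assumption */
    uint8_t rfr_cnt;     /* watchdog refresh counter (WD_RFR_CNT) */
    uint8_t rfr_limit;   /* its maximum, 6 by default per the text */
    uint8_t flt_err_cnt; /* fault error counter */
} wd_model_t;

/* ANS_NONE in the OPEN window means the window elapsed with no refresh. */
wd_result_t wd_classify(wd_window_t win, wd_answer_t ans)
{
    if (win == WIN_CLOSED)
        return (ans == ANS_NONE) ? WD_NO_EVENT : WD_FAILURE;
    return (ans == ANS_GOOD) ? WD_OK : WD_FAILURE;
}

/* Apply one classified event; returns true once the error counter is at
 * its maximum. */
bool wd_apply(wd_model_t *m, wd_result_t r)
{
    if (r == WD_FAILURE) {
        unsigned next = m->err_cnt + 2u;        /* +2 per watchdog failure */
        m->err_cnt = (next >= m->err_limit) ? m->err_limit : (uint8_t)next;
        m->rfr_cnt = 0;                         /* any bad refresh resets it */
    } else if (r == WD_OK) {
        if (m->err_cnt > 0)
            m->err_cnt--;                       /* -1 per good refresh, floor 0 assumed */
        if (m->rfr_cnt >= m->rfr_limit) {
            /* Counter was at its maximum and this refresh is also good. */
            if (m->flt_err_cnt > 0)
                m->flt_err_cnt--;
            m->rfr_cnt = 0;                     /* assumption: counting restarts */
        } else {
            m->rfr_cnt++;
        }
    }
    return m->err_cnt >= m->err_limit;
}

/* Events of a cyclic NOK/OK pattern needed to reach the limit, or 0 if
 * the limit is not reached within max_events. */
unsigned wd_events_until_limit(uint8_t err_limit, unsigned max_events)
{
    wd_model_t m = { 0, err_limit, 0, 6, 0 };
    for (unsigned n = 1; n <= max_events; n++) {
        wd_answer_t ans = (n % 2u) ? ANS_BAD : ANS_GOOD;
        if (wd_apply(&m, wd_classify(WIN_OPEN, ans)))
            return n;
    }
    return 0;
}

/* Fault error counter after n_good consecutive good refreshes. */
uint8_t wd_fault_cnt_after_good(uint8_t start, unsigned n_good)
{
    wd_model_t m = { 0, 8, 0, 6, start };      /* 8 is a constructed limit */
    for (unsigned i = 0; i < n_good; i++)
        wd_apply(&m, wd_classify(WIN_OPEN, ANS_GOOD));
    return m.flt_err_cnt;
}

int main(void)
{
    printf("NOK/OK cycle, limit 8: limit reached after %u events\n",
           wd_events_until_limit(8, 100));
    printf("fault error counter 1 after 7 good refreshes: %u\n",
           wd_fault_cnt_after_good(1, 7));
    return 0;
}
```

Because a failure costs two counts and a good refresh returns only one, every NOK/OK pair nets +1, so an intermittently failing refresh routine cannot hide behind its good refreshes.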
[Figure 11: Fault recovery strategy]
Table 1. S32G-VNP-RDB2 voltage monitor setting/connections for the S32G2 and VR5510 solution
Monitor     Regulator   Voltage   UV OTP setting   OV OTP setting
VCOREMON    BUCK12      0.8 V     −4.5%            6.0%
VMON1       LDO2        1.8 V     −5.0%            5.0%
VMON2       BUCK3       1.1 V     −2.5%            4.5%
VMON3       VPRE        3.3 V     −4.5%            6.0%
VMON4       LDO1        1.8 V     −5.0%            5.0%
VDDIOMON    LDO3        3.3 V     −5.0%            5.0%
HVLDOMON    HVLDO       0.8 V     −7.0%            7.0%
Table 2 shows all the settings/connections on the voltage monitors used on the S32G-
VNP-RDB3 for the S32G3, VR5510 and PF5300 solution.
Note: See Section 4.2 for details about the monitoring connections for this solution.
For all the voltage monitors, the OV/UV safety reaction can be programmed via I2C
on the dedicated OV/UV_FS_IMPACT registers. Refer to Section 6 "Fault impact
configuration" for more details on safety reactions.
By default, the fault reaction is:
• UV: Only the FS0B pin is asserted,
• OV: FS0B and RSTB are asserted, regulator is switched OFF.
[Figure 12: VCOREMON recommended connections]
[Figure 13: VMON1 connections]
[Figure 14: VMON1 connections for S32G3 applications]
The VR5510 monitors the discharge of the PF5300 output in the standby
entry. The external discharge monitoring should be enabled by setting the bit
EXT_STBY_DISCH_OTP to 1.
The recommended setting for the OV OTP threshold is 6%.
The recommended setting for the UV OTP threshold is –4.5%.
[Figure 15: VMON2 connections]
[Figure 16: VMON3 connections]
[Figure 17: VMON4 connections]
5 Modes of Operation
[Figure 18: Startup flow diagram. Recoverable labels: an LBIST or ABIST1 failure prevents
the release of the FS0B pin; the INIT_FS window is closed with one good WD refresh;
ABIST2 is optional and an ABIST2 failure prevents the release of the FS0B pin; it is
possible to go back to INIT_FS by I2C; a WD refresh is required in runtime.]
The VR5510 and S32G are held in reset until the supply voltages are stable and within
the safe operating mode for the S32G.
To disable the watchdog, modify the watchdog window period configuration bits of the
FS_WD_WINDOW register. WD_WINDOW[3:0] must be set to 0x00 and the opposite
data must be written in NOT_WD_WINDOW[3:0] bits of the FS_NOT_WD_WINDOW
register. Write the following commands:
FS_WD_WINDOW=0x020B //Disable watchdog
FS_NOT_WD_WINDOW=0xFDF4
When the device exits INIT_FS state, FCCU monitoring starts. In order to avoid a fault
coming from the S32G, FCCU pins must be put in the correct state, or FCCU monitoring
must be disabled. FCCU monitoring can be disabled with the FCCU_CFG[1:0] bits of the
FS_I_SAFE_INPUTS register. Write the following commands:
FS_I_SAFE_INPUTS=0x01CA
FS_I_NOT_SAFE_INPUTS=0xFE35
A good watchdog refresh is needed to exit the INIT_FS state. The good answer must be
written in the WD_ANSWER[15:0] bitfield of the FS_WD_ANSWER register. Write one of the
following commands:
FS_WD_ANSWER=0xA54D // Challenger watchdog refresh
FS_WD_ANSWER=0x5AB2 // Simple watchdog refresh
The complete list of commands is:
FS_WD_WINDOW=0x020B // Disable watchdog
FS_NOT_WD_WINDOW=0xFDF4
FS_I_SAFE_INPUTS=0x01CA
FS_I_NOT_SAFE_INPUTS=0xFE35
FS_WD_ANSWER=0xA54D or FS_WD_ANSWER=0x5AB2 // Good watchdog refresh to exit INIT_FS
The watchdog refresh that enables exiting the INIT_FS state must be written before the
WD_INIT_TIMEOUT expires. The value of this timer is configurable by OTP with the
WD_INIT_TIMEOUT_OTP[1:0] bits of the CFG_2_OTP register. For the S32G OTP, this
timer is 1024 ms.
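The command list above, as an added C sketch that is not NXP code: it derives each NOT word as the 16-bit complement of its partner (which is what the listed value pairs are) and refuses to send the watchdog refresh once the 1024 ms INIT_FS budget is spent. The write and clock hooks, the mock bus and the status codes are hypothetical; register bus addresses are not on this page and are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WD_INIT_TIMEOUT_MS 1024u  /* value the text gives for the S32G OTP */

/* Register names from the text; bus addresses are deliberately omitted. */
typedef enum {
    FS_WD_WINDOW, FS_NOT_WD_WINDOW,
    FS_I_SAFE_INPUTS, FS_I_NOT_SAFE_INPUTS,
    FS_WD_ANSWER
} fs_reg_t;

typedef struct { fs_reg_t reg; uint16_t value; } fs_write_t;
typedef enum { FS_SEQ_OK, FS_SEQ_BUS_ERROR, FS_SEQ_TOO_LATE } fs_status_t;

/* Hypothetical platform hooks (not an NXP API). */
typedef bool (*fs_write_fn)(fs_reg_t reg, uint16_t value, void *ctx);
typedef uint32_t (*fs_now_ms_fn)(void *ctx);

/* NOT word for a register value: 16-bit bitwise complement. */
uint16_t fs_not(uint16_t value) { return (uint16_t)~value; }

/* True when a value and its NOT word are exact complements. */
bool fs_pair_matches(uint16_t value, uint16_t not_value)
{
    return (uint16_t)(value ^ not_value) == 0xFFFFu;
}

/* Build the five writes from the text, in order. */
size_t fs_build_init_exit(bool challenger, fs_write_t out[5])
{
    out[0] = (fs_write_t){ FS_WD_WINDOW, 0x020B };          /* disable watchdog */
    out[1] = (fs_write_t){ FS_NOT_WD_WINDOW, fs_not(0x020B) };
    out[2] = (fs_write_t){ FS_I_SAFE_INPUTS, 0x01CA };      /* FCCU monitoring off */
    out[3] = (fs_write_t){ FS_I_NOT_SAFE_INPUTS, fs_not(0x01CA) };
    out[4] = (fs_write_t){ FS_WD_ANSWER, challenger ? 0xA54D : 0x5AB2 };
    return 5;
}

/* Send the sequence. The refresh is only attempted while the time since
 * INIT_FS entry is still below WD_INIT_TIMEOUT_MS (checked just before
 * the write, so bus latency of that last write is not included). */
fs_status_t fs_run_init_exit(bool challenger, uint32_t init_fs_entry_ms,
                             fs_write_fn wr, fs_now_ms_fn now, void *ctx)
{
    fs_write_t seq[5];
    size_t n = fs_build_init_exit(challenger, seq);
    for (size_t i = 0; i < n; i++) {
        if (seq[i].reg == FS_WD_ANSWER &&
            (uint32_t)(now(ctx) - init_fs_entry_ms) >= WD_INIT_TIMEOUT_MS)
            return FS_SEQ_TOO_LATE;
        if (!wr(seq[i].reg, seq[i].value, ctx))
            return FS_SEQ_BUS_ERROR;
    }
    return FS_SEQ_OK;
}

/* Constructed mock bus: records writes and advances a fake clock. */
typedef struct {
    fs_write_t log[8];
    size_t count;
    uint32_t t_ms;
    uint32_t ms_per_write;
} mock_bus_t;

bool mock_write(fs_reg_t reg, uint16_t value, void *ctx)
{
    mock_bus_t *b = ctx;
    if (b->count >= 8)
        return false;
    b->log[b->count++] = (fs_write_t){ reg, value };
    b->t_ms += b->ms_per_write;
    return true;
}

uint32_t mock_now(void *ctx) { return ((mock_bus_t *)ctx)->t_ms; }

int main(void)
{
    mock_bus_t bus = { .ms_per_write = 1 };
    fs_status_t st = fs_run_init_exit(true, 0, mock_write, mock_now, &bus);
    for (size_t i = 0; i < bus.count; i++)
        printf("write reg %d = 0x%04X\n", (int)bus.log[i].reg, bus.log[i].value);
    return st == FS_SEQ_OK ? 0 : 1;
}
```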
context in an NMI handler. In this case, the fault is usually indicated to the VR5510 prior
to the reset.
• Fault state hardware recovery – faults that lead to an immediate hardware reset without
any software execution. The fault is indicated to the VR5510.
In runtime, the watchdog refresh is normally carried out by the master safety core
(Cortex-M7 core 0) over the I2C interface. This is done to ensure that the master safety
core is operating correctly and is able to react to faults reliably.
5.4 Shutdown/standby
The system shutdown or standby entry may include hardware mechanism self test
routines on the S32G chip under software control (typically using error injection). Those
tests should be carried out in a safe-state, which requires the S32G to indicate a fault on
the error out pins of the FCCU.
[Figure 19: Shutdown flow diagram. Recoverable labels: request VR5510 INIT_FS entry
(default max. 1024 ms in INIT_FS); write all INIT_FS registers with the Reg/Reg_NOT
procedure; FCCU error out to 'not fault-free'; shutdown sCheck, results to NVM;
shutdown (standby).]
Prior to initiating shutdown tests on the S32G, a request must be sent to the VR5510 to
enter its INIT_FS state. This prevents the VR5510 from reacting to an error out indication
from the S32G and subsequently forcing the S32G into a reset.
Once the VR5510 is in its INIT_FS state, the default time threshold to be in that state
is 1024 ms and all tests must be complete before that time. At the end of that time, the
VR5510 forces a system reset.
Once tests are complete, the S32G requests the VR5510 to shut down or enter standby
mode. For more details on standby mode entry, see Section 7 "Standby mode".
7 Standby mode
When the Safety Logic receives the VALID_STBY request, it sends the standby transition
request to the Main Logic and then turns off.
The Main Logic starts the STBY_TIMER. This timer prevents the device from getting
stuck in Standby mode. If the timer expires, the register STBY_TIMER_G reports a timer
expiration and the device goes into Off mode.
The Main Logic transitions to Standby mode by powering down the disabled regulators.
There is no power down sequencing for the disabled regulators when transitioning to
Standby mode.
In the VR5510, PF5300 and S32G3 applications, the PF5300 is powered off during
standby mode. Refer to AN12880, VR5510 low-power Standby mode for more details
about the standby mode.
The STBY_PGOOD function verifies that all the disabled regulators have an output
voltage below the programmed threshold. The STBY_PGOOD function indicates the
correct entry to Standby mode by asserting STBY_PGOOD to its low level. The VR5510
uses dedicated pull-down resistors to discharge the regulators as quickly as possible.
PGOOD and RSTB are kept high during standby mode to avoid a reset of the S32G.
Both devices are now in Standby mode. The VR5510 waits for a wake up request from
the S32G.
When a valid standby exit request comes from the MCU, the STBY Timer is stopped
and the device is powered on. The power-on sequence is done by slots in the order
configured by OTP. In the S32G3 solution, the PF5300 will be powered on as configured
in the power-on sequence.
When the device reaches Normal mode and all the voltage regulators are correct, a
STBY_PGOOD pin transition to high level indicates that the standby exit transition has
been done correctly. The S32G then exits Standby mode.
In Normal and in Standby mode, the device monitors VSUP, VPRE, and VBOS.
If loss of VSUP (VSUP<VSUP_POR) or VPRE (VPRE<VPRE_POR) or VBOS
(VBOS<VBOS_POR) occurs, the system stops operation and goes directly to Off mode.
Refer to AN12880 for more examples and details on Standby mode.
8 Legal information
8.1 Definitions
Draft — A draft status on a document indicates that the content is still
under internal review and subject to formal approval, which may result
in modifications or additions. NXP Semiconductors does not give any
representations or warranties as to the accuracy or completeness of
information included in a draft version of a document and shall have no
liability for the consequences of use of such information.
8.2 Disclaimers
Limited warranty and liability — Information in this document is believed
to be accurate and reliable. However, NXP Semiconductors does not give
any representations or warranties, expressed or implied, as to the accuracy
or completeness of such information and shall have no liability for the
consequences of use of such information. NXP Semiconductors takes no
responsibility for the content in this document if provided by an information
source outside of NXP Semiconductors.
In no event shall NXP Semiconductors be liable for any indirect, incidental,
punitive, special or consequential damages (including - without limitation -
lost profits, lost savings, business interruption, costs related to the removal
or replacement of any products or rework charges) whether or not such
damages are based on tort (including negligence), warranty, breach of
contract or any other legal theory.
Notwithstanding any damages that customer might incur for any reason
whatsoever, NXP Semiconductors’ aggregate and cumulative liability
towards customer for the products described herein shall be limited in
accordance with the Terms and conditions of commercial sale of NXP
Semiconductors.
Right to make changes — NXP Semiconductors reserves the right to
make changes to information published in this document, including without
limitation specifications and product descriptions, at any time and without
notice. This document supersedes and replaces all information supplied prior
to the publication hereof.
Suitability for use — NXP Semiconductors products are not designed,
authorized or warranted to be suitable for use in life support, life-critical or
safety-critical systems or equipment, nor in applications where failure or
malfunction of an NXP Semiconductors product can reasonably be expected
to result in personal injury, death or severe property or environmental
damage. NXP Semiconductors and its suppliers accept no liability for
inclusion and/or use of NXP Semiconductors products in such equipment or
applications and therefore such inclusion and/or use is at the customer’s own
risk.
Applications — Applications that are described herein for any of these
products are for illustrative purposes only. NXP Semiconductors makes no
representation or warranty that such applications will be suitable for the
specified use without further testing or modification.
Customers are responsible for the design and operation of their
applications and products using NXP Semiconductors products, and NXP
Semiconductors accepts no liability for any assistance with applications or
customer product design. It is customer’s sole responsibility to determine
whether the NXP Semiconductors product is suitable and fit for the
customer’s applications and products planned, as well as for the planned
application and use of customer’s third party customer(s). Customers should
provide appropriate design and operating safeguards to minimize the risks
associated with their applications and products.
NXP Semiconductors does not accept any liability related to any default,
damage, costs or problem which is based on any weakness or default
in the customer’s applications or products, or the application or use by
customer’s third party customer(s). Customer is responsible for doing all
necessary testing for the customer’s applications and products using NXP
Semiconductors products in order to avoid a default of the applications
and the products or of the application or use by customer’s third party
customer(s). NXP does not accept any liability in this respect.
Export control — This document as well as the item(s) described herein
may be subject to export control regulations. Export might require a prior
authorization from competent authorities.
Translations — A non-English (translated) version of a document, including
the legal information in that document, is for reference only. The English
version shall prevail in case of any discrepancy between the translated and
English versions.
Security — Customer understands that all NXP products may be subject to
unidentified vulnerabilities or may support established security standards or
specifications with known limitations. Customer is responsible for the design
and operation of its applications and products throughout their lifecycles
to reduce the effect of these vulnerabilities on customer’s applications
and products. Customer’s responsibility also extends to other open and/or
proprietary technologies supported by NXP products for use in customer’s
applications. NXP accepts no liability for any vulnerability. Customer should
regularly check security updates from NXP and follow up appropriately.
Customer shall select products with security features that best meet rules,
regulations, and standards of the intended application and make the
ultimate design decisions regarding its products and is solely responsible
for compliance with all legal, regulatory, and security related requirements
concerning its products, regardless of any information or support that may be
provided by NXP.
NXP has a Product Security Incident Response Team (PSIRT) (reachable
at PSIRT@nxp.com) that manages the investigation, reporting, and solution
release to security vulnerabilities of NXP products.
8.3 Trademarks
Notice: All referenced brands, product names, service names, and
trademarks are the property of their respective owners.
NXP — wordmark and logo are trademarks of NXP B.V.
SafeAssure — is a trademark of NXP B.V.
Tables
Tab. 1. S32G-VNP-RDB2 voltage monitor setting/connections for the S32G2 and VR5510 solution
Tab. 2. S32G-VNP-RDB2 voltage monitor setting/connections
Tab. 3. Fail-safe fault list and reaction
Figures
Fig. 1. S32G and VR5510 safety functions interface
Fig. 2. VR5510 functional block diagram
Fig. 3. PF5300 functional block diagram
Fig. 4. VR5510 and S32G2 solution
Fig. 5. VR5510, PF5300 and S32G3 power supply solution
Fig. 6. FCCU bistable protocol
Fig. 7. S32G-VNP-RDB2 hardware connections
Fig. 8. Watchdog window error
Fig. 9. Challenger watchdog formula
Fig. 10. Watchdog error counter and refresh counter
Fig. 11. Fault recovery strategy
Fig. 12. VCOREMON recommended connections
Fig. 13. VMON1 connections
Fig. 14. VMON1 connections for S32G3 applications
Fig. 15. VMON2 connections
Fig. 16. VMON3 connections
Fig. 17. VMON4 connections
Fig. 18. Startup flow diagram
Fig. 19. Shutdown flow diagram
Fig. 20. Standby entry
Fig. 21. Standby exit
Contents
1 Introduction
2 S32G Overview
2.1 S32G application processor
2.2 S32G safety concept
2.3 S32G/VR5510 safety interface overview
2.3.1 Chip supplies and voltage supervision
2.3.2 Communication interface and alive supervision
2.3.3 Reset control and supervision
2.3.4 S32G error supervision
3 VR5510 and PF5300 Power Management IC
3.1 VR5510 description
3.2 VR5510 safety overview
3.3 PF5300 description
4 S32G and VR5510 Safety Functions
4.1 Safety hardware connections for VR5510 and S32G2
4.2 Safety hardware connections for VR5510, PF5300 and S32G3 solution
4.3 FCCU monitoring
4.3.1 FCCU monitoring by pair
4.4 Watchdog
4.4.1 Simple Watchdog
4.4.2 Challenger Watchdog
4.4.3 Watchdog error counter
4.4.4 MCU fault recovery strategy
4.5 Voltage monitoring
4.5.1 Voltage monitor connections
4.5.2 VCOREMON connection and settings for S32G2 applications
4.5.3 VCOREMON connection and settings for S32G3 applications
4.5.4 VMON1 connections and settings for S32G2 applications
4.5.5 VMON1 connections and settings for S32G3 applications
4.5.6 VMON2 connections and settings
4.5.7 VMON3 connections and settings
4.5.8 VMON4 connections and settings
4.5.9 VDDIOMON connection and settings
4.5.10 HVLDOMON connection and settings (not S32G3)
5 Modes of Operation
5.1 S32G and VR5510 startup sequence
5.1.1 Startup flow diagram
5.1.2 VR5510 LBIST and ABIST
5.1.3 S32G LBIST and MBIST
5.1.4 RSTB release, S32G startup
5.1.5 INIT_FS in VR5510
5.1.6 Entry to runtime normal operation
5.1.7 Disabling watchdog and FCCU on INIT_FS
5.2 Runtime mode: WD refresh, FCCU monitoring safety output
5.3 Safe state, safety reaction
5.3.1 Fault error counter
5.3.2 VR5510 Deep Fail-safe state
5.4 Shutdown/standby
5.4.1 Shutdown flow diagram
6 Fault impact configuration
7 Standby mode
7.1 Standby description
7.2 Standby entry
7.3 Standby exit
7.4 Standby fault reaction
8 Legal information
Please be aware that important notices concerning this document and the product(s)
described herein, have been included in section 'Legal information'.