SPRADF6A December   2023  – May 2024 AM2432 , AM2434 , AM6421 , AM6422 , AM6441 , AM6442

 

  1.   1
  2.   Abstract
  3. 1Functional Safety Goals and Safety Concepts
  4. 2HARA and Safety Concept Assessment Stage
  5. 3SIL and ASIL Classification
  6. 4Random and Systematic Faults
  7. 5AM243x and AM64x: Safety Diagnostics and Examples
  8. 6AM243x and AM64x: Safety MCU With FFI Support
  9. 7Safety Element Out of Context
  10. 8Functional Safety Resources and Examples

6 AM243x and AM64x: Safety MCU With FFI Support

Both AM243x and AM64x have an on-chip isolated Arm® Cortex®-M4F processor with dedicated memory and peripherals. When configured as a safety MCU, the M4F can be used to monitor the main processing domain in support of the system SIL rating.

When combined with a second safety MCU, the AM243x and AM64x can help support up to SIL-3 HFT = 1 rated systems. The addition of a second safety MCU is what adds the hardware fault tolerance to the system. The two safety MCUs perform cross-check calculations on each other. If the results do not match, one of the two processors can be used to place the system in a safe state.

Integrating a safety MCU versus using two external safety MCUs reduces system cost and board space. Figure 6-1 shows a SIL-3 HFT = 1 system with two external safety MCUs. Figure 6-2 shows that same system, but with one of the safety MCUs integrated into the AM243x or AM64x controller.

AM6442 SIL-3 HFT = 1 System With Two External Safety MCUs Figure 6-1 SIL-3 HFT = 1 System With Two External Safety MCUs
AM6442 SIL-3 HFT = 1 System With Integrated and External Safety MCUs Figure 6-2 SIL-3 HFT = 1 System With Integrated and External Safety MCUs

Integrating the safety MCU requires the use of Freedom From Interference (FFI) techniques to isolate the safety MCU domain from the main processing domain. FFI is defined as the absence of cascading failures and dependencies between two or more elements in the system; FFI is a form of isolation.

A firewall and time-out gaskets are used to isolate the AM243x and AM64x safety domains, insuring events occurring in the main domain do not affect the safety domain. Time-out gaskets protect the safety domain from faults in the main domain during inter-domain communication. When the safety domain initiates a transaction with the main domain, a watchdog timer is set. If the timer expires before the transaction is complete (due to an issue in the main domain) the bus transaction is canceled, preventing the safety domain from locking up. In the event of the main domain becoming unresponsive, the safety domain has the ability to reset the main domain while remaining active.

In addition to the firewall and safety gaskets, additional safety features in the safety domain include loss of clock detection circuitry, a dual-clock comparator to detect incorrect clock frequencies, parity on the bus transactions, dedicated I/O power rail, and built-in self-test (BIST) support.

Figure 6-3 shows the AM243x and AM64x safety domain, main domain reset, safety error flag, and device reset pin. Upon a catastrophic error, the error flag can signal the Power Management IC (PMIC) or other device to initiate a reset of the AM243x|AM64x.

AM6442 AM64x and AM243x On-Chip Safety MCU Figure 6-3 AM64x and AM243x On-Chip Safety MCU