TPS65381A-Q1: About the Diagnostic states.

Part Number: TPS65381A-Q1

Hi team.

I'd like to ask my customer's questions below.

1, DIAGNOSTIC state time-out

    According to the data sheet, this time is 512ms(typ).

    Do you have a minimum value?

    Is there a way to extend it?

2, When transitioning from Diagnostic state to Active, 

 Is this the correct register to set?

    SAFETY_ERR_STAT Register : Reset ⇒ DIAG_EXIT_MASK : 0⇒ DIAG_EXIT : 1

 Should we separate ''DIAG_EXIT_MASK''from ''DIAG_EXIT''?

 Is it okay to put them together in one register?

3, Is it possible to operate only in the diagnostic mode when CFG_LOCK : 1 ?

   When the CFG_LOCK is 1, can we write DIAG_EXIT?

Sincerely.

Kengo.

  • Hi Kengo,

    Please see below for the answers.

    Q1, DIAGNOSTIC state time-out

    • Q1a: According to the data sheet, this time is 512ms (typ). Do you have a minimum value?
    • A1a: The minimum would be derived from the device's system clock tolerance, +/- 5%, plus internal unspecified digital synchronization, so the minimum would be ~ 486 ms and the maximum would be ~ 538 ms.
    • Q1b:   Is there a way to extend it?
    • A1b: DIAGNOSTIC state timeout cannot be changed, however if the MCU needs more time to boot or for software development the DIAGNOSTIC state timeout timer can be “paused” by using DIAG_EXIT_MASK bit in the SAFETY_CHECK_CTRL register. Setting this bit to 1 while clearing the DIAG_EXIT bit keeps the device indefinitely in the DIAGNOSTIC state and the DIAGNOSTIC state timeout timer is essentially paused. Thus the below recommendation, if the device will later be transitioned into ACTIVE state the DIAG_EXIT_MASK bit should be cleared to 0 and the DIAG_EXIT bit set to 1 at the same register write (both are in SAFETY_CHECK_CTRL) to avoid potentially having the timer for DIAGNOSTIC state timeout re-start from where it was and then cause SAFE state transition due to DIAGNOSTIC state timeout before the DIAG_EXIT bit could be set to 1 if separate writes to the register are made. All other register bits should be masked and updated accordingly during the write to the register.  

     Q2, When transitioning from Diagnostic state to Active,

    • Q2a: Is this the correct register to set? SAFETY_ERR_STAT Register : Reset ⇒ DIAG_EXIT_MASK : 0⇒ DIAG_EXIT : 1
    • A2a: These configuration bits are in the SAFETY_CHECK_CTRL register. Please refer to the register map starting on page 73 of the datasheet to find the correct register for bits.
    • Q2b: Should we separate ''DIAG_EXIT_MASK'' from ''DIAG_EXIT''? Is it okay to put them together in one register?
    • A2b: Since these two bits are in the same register, SAFETY_CHECK_CTRL, it is recommended to write them as a pair to the states each bit needs with respect to the desired impact to the device state, see note on page 67 of the datasheet for example if DIAG_EXIT_MASK bit was used for example for software debug, that both DIAG_EXIT_MASK bit should be cleared and DIAG_EXIT bit set within the SAFETY_CHECK_CTRL register. Make sure to mask and consider the other bit levels as necessary in this register when the DIAG_EXIT_MASK and DIAG_EXIT bits are written.

     

    Q3, Is it possible to operate only in the diagnostic mode when CFG_LOCK : 1 ?   When the CFG_LOCK is 1, can we write DIAG_EXIT?

    A3: Yes, it is possible to operate only in the DIAGNOSTIC state. Using the configuration lock, CFG_LOCK set to 1 locks most of the same registers against write updates similar to ACTIVE state, however it is possible for the MCU to unlock them simpler. There are also a few other monitoring and reaction paths in the device that behave differently between DIAGNOSTIC state and ACTIVE state, such as a detected fault by the MCU ESM. In DIAGNOSTIC state the device will not change to SAFE state on a detected MCU ESM fault or a NRES_ERR (while DIS_NRES_MON = 0). These differences should be reviewed with respect to the safety goals of the system to ensure the device operated in this way provides the coverages needed to help the system meet its safety goals.   Once the CFG_LOCK bit has been set the SW_UNLOCK command must be used to clear it so registers can be written again (only in DIAGNOSTIC state).

  • Hi Scott.

    Thank you for your kind answer.

    I'd like to get your advice about Q2b and Q3.

    About Q2.

    According to your answer A2b, you recommended writing them as a pair to the states each bit needs.

    Could you tell me the meaning of the pair in detail?

    Do ''DIAG_EXIT_MASK'' and ''DIAG_EXIT'' need to be written at the same time?

    And then,

    Should I reset SAFETY_ERR_STAT Register to 0 when returning from Diagnostic state to Active ?

    About Q3.

    1.  Is CFG_LOCK the same as SW_LOCK ?

         If it is NO, please tell me about difference.

    2. Can SW_LOCK and SW_UNLOCK be changed at any time?

    3. Is there a way to check if it can be changed?

    4. Can DIAG_EXIT_MASK and DIAG_EXIT switch to Active states at own timing ofT ?

    Sincerely.
    Kengo.

  • Hi Scott.

    Could you tell me about my questions?

    I'll wait for your answer.

    Sincerely.

    Kengo.

  • Hi team.

    Could you answer my questions ASAP?

    My customer wants an answer by today (11/8).

    Sincerely.

    Kengo.

  • Hi Kengo,

    Please see below for the answers to your additional questions.

    Follow up about Q2:

     

    A:   "pair" means both bits at the same time. If you do not set and clear the DIAG_EXIT_MASK bit and DIAG_EXIT bit together in a single write the following could happen.

    • If the DIAG_EXIT_MASK bit has been set to 1 to keep the device in DIAGNOSTIC state and only the DIAG_EXIT_MASK bit is then cleared in one register write and the DIAG_EXIT is left as 0

      • the device will remain in DIAGNOSTIC state and the DIAGNOSTIC state timeout timer will start running from where it left off before DIAG_EXIT_MASK bit was set.

      • If the DIAGNOSTIC state timeout timer reaches the final count before the next SPI write sets the DIAG_EXIT bit to 1, the device transitions to SAFE state because of the DIAGNOSTIC state timeout.

    To ensure a clean transition to ACTIVE state clear DIAG_EXIT_MASK bit to 0 and set DIAG_EXIT bit to 1 in the same write to the register.

     

    Q:  Should I reset SAFETY_ERR_STAT Register to 0 when returning from Diagnostic state to Active ?

    A:  SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0 or a preferred value at the start of application run time. The various thresholds that use DEV_ERR_CNT should be set according to application needs.

     

    About Q3.

     

    Q1. Is CFG_LOCK the same as SW_LOCK ?

         If it is NO, please tell me about difference.

    A1: CFG_LOCK bit locks only the SAFETY_ERR_CFG register. This bit can be changed only in DIAGNOSTIC state while SW_LOCK is not used. SW_LOCK is a more global lock on all the lockable registers in DIAGNOSTIC state. The ACTIVE and SAFE state locks have the highest global priority.

     

    Q2. Can SW_LOCK and SW_UNLOCK be changed at any time?

    A2: These only have impact in DIAGNOSTIC state, during ACTIVE and SAFE state the registers that can be locked are locked automatically by the state.

     

    Q3. Is there a way to check if it can be changed?

    A3: By “it” I assume you mean the LOCK/UNLOCK. You can check this by reading the device state in the SAFETY_STAT_5 register FSM[2:0] to know if the device is in DIAGNOSTIC state or not. The manual control over locking and unlocking is available in DIAGNOSTIC state.

     

    Q4. Can DIAG_EXIT_MASK and DIAG_EXIT switch to Active states at own timing ofT ?

    A4: Please see first answer.

  • Hi Scott.

    Thank you so much for your answers.

    There's one more thing I'd like to ask you about Q3.

    Do you have the command to read ''the LOCK/UNLOCK''?

    I want to check if the LOCK/UNLOCK was successful.

    Sincerely.

    Kengo.

  • Hi Kengo,

    There is no command to read if the registers are locked or unlocked while in DIAGNOSTIC state.  For ACTIVE and SAFE states the state itself will inform you that the registers are locked.  During DIAGNOSTIC state a test trial to write the registers would need to be done to confirm if the register lock/unlock command was successful.

  • Hi Scott.

    Thank you for your answer.

    I have some questions about your answer.

    Q:  Should I reset SAFETY_ERR_STAT Register to 0 when returning from Diagnostic state to Active ?

    A:  SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0 or a preferred value at the start of application run time. The various thresholds that use DEV_ERR_CNT should be set according to application needs.

     ->Q' : Is it OK to process SAFETY_ERR_STAT and DEV_ERR_CNT at same register ?

               I think DEV_ERR_CNT is [3:0] . Should I use DEV_ERR_CNT[2:0] at this time?

    Q4. Can DIAG_EXIT_MASK and DIAG_EXIT switch to Active states at own timing ofT ?

    A4: Please see first answer.

     -> Q' : Is it possible to operate DIAG_EXIT_MASK and DIAG_EXIT even in SW_LOCK state?

                Is the operation below correct?

               SAFETY_ERR_STAT Register/Clear ⇒ SW_LOCK ⇒ DIAG_EXIT_MASK and DIAG_EXIT /to ACTIVE

    Q : Do you have the command for read ''the LOCK/UNLOCK'' ?

      A : There is no command to read if the registers are locked or unlocked while in DIAGNOSTIC state.  For ACTIVE and SAFE states the state itself will inform you that the registers are locked.  During DIAGNOSTIC state a test trial to write the registers would need to be done to confirm if the register lock/unlock command was successful.

      -> Q' : What kind of information will be given for ACTIVE and SAFE states?

    Sincerely.

    Kengo.

  • Hi Kengo,

     

    Please see below for the questions copied and new answers provided.

     

    Q: Should I reset SAFETY_ERR_STAT Register to 0 when returning from Diagnostic state to Active ?

     

    A: SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0 or a preferred value at the start of application run time. The various thresholds that use DEV_ERR_CNT should be set according to application needs.

     

    ->Q' : Is it OK to process SAFETY_ERR_STAT and DEV_ERR_CNT at same register ?

     

               I think DEV_ERR_CNT is [3:0] . Should I use DEV_ERR_CNT[2:0] at this time?

     

    A': DEV_ERR_CNT[3:0] bits are part of the SAFETY_ERR_STAT register. All bits in that register can be updated in one register write.

     

    Q4. Can DIAG_EXIT_MASK and DIAG_EXIT switch to Active states at own timing ofT ?

     

    A4: Please see first answer.

     

    -> Q' : Is it possible to operate DIAG_EXIT_MASK and DIAG_EXIT even in SW_LOCK state?

     

    A':   The DIAG_EXIT_MASK and DIAG_EXIT bits are in SAFETY_CHECK_CTRL register. SAFETY_CHECK_CTRL register is not locked against writes by the SW_LOCK command. The register map of the device shows which registers are write locked and not in the tables.

     

    If SW_LOCK command has been used while in DIAGNOSTIC state the SAFETY_ERR_STAT register which holds the bits will be locked against writes, so the SW_UNLOCK command must be used to make a change to the register.

     

               Is the operation below correct?

               SAFETY_ERR_STAT Register/Clear ⇒ SW_LOCK ⇒ DIAG_EXIT_MASK and DIAG_EXIT /to ACTIVE

     

    A'': For SAFETY_ERR_STAT Register if SW_LOCK command has been used while in DIAGNOSTIC state the SAFETY_ERR_STAT register which holds the bits will be locked against writes, so the SW_UNLOCK command must be used to make a change to the register (this one holds DEV_ERR_CNT[3:0] bits). The sequence would be SW_UNLOCK ⇒ write to SAFETY_ERR_STAT xxxx xxxx b. If the question is for the DIAG_EXIT_MASK and DIAG_EXIT to ACTIVE this is in the SAFETY_CHECK_CTRL register where there is no lock. The sequence would be write to SAFETY_CHECK_CTRL xxxx xx01 b. Where the last two bits are the DIAG_EXIT_MASK (0) and DIAG_EXIT (1) and the other bits are the values needed for the application.

     

    Q : Do you have the command for read ''the LOCK/UNLOCK'' ?

     

    A : There is no command to read if the registers are locked or unlocked while in DIAGNOSTIC state. For ACTIVE and SAFE states the state itself will inform you that the registers are locked. During DIAGNOSTIC state a test trial to write the registers would need to be done to confirm if the register lock/unlock command was successful.

     

    -> Q' : What kind of information will be given for ACTIVE and SAFE states?

     

    A’: In SAFETY_STAT_5 are the FSM[2:0] bits which can be read to know the device state. The software can read and decode the FSM[2:0] to determine the device is in the ACTIVE or SAFE state. Depending on the state, the s/w will know that the registers that have write locks except in DIAGNOSTIC State cannot be written since they are locked in ACTIVE or SAFE state.
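
The single-write exit from DIAGNOSTIC to ACTIVE recommended in this thread, and the timeout race that two separate writes open up, as an added example that is not part of the original posts and is not TI's code. The device model, the helper names and the 0xA4 sample register value are assumptions constructed for illustration; the bit positions and the 512 ms typical timeout are taken from the thread.

```c
#include <stdint.h>

/* Bit positions as given in the thread: SAFETY_CHECK_CTRL = xxxx xx01b,
   bit 1 = DIAG_EXIT_MASK, bit 0 = DIAG_EXIT. */
#define DIAG_EXIT       (1u << 0)
#define DIAG_EXIT_MASK  (1u << 1)
#define DIAG_TIMEOUT_MS 512u  /* typical value quoted in the thread */

/* Constructed model of the behaviour described in the thread (an assumption,
   not the device's real state machine). */
enum state { ST_DIAGNOSTIC, ST_ACTIVE, ST_SAFE };
struct pmic_model { enum state state; uint8_t ctrl; uint32_t elapsed_ms; };

/* Time passes: the timeout counter runs only in DIAGNOSTIC with the mask clear. */
static void model_tick(struct pmic_model *m, uint32_t ms) {
    if (m->state != ST_DIAGNOSTIC || (m->ctrl & DIAG_EXIT_MASK)) return;
    m->elapsed_ms += ms;
    if (m->elapsed_ms >= DIAG_TIMEOUT_MS) m->state = ST_SAFE;
}

/* One SPI write to SAFETY_CHECK_CTRL. Both bits set at once is not covered
   by the thread; the model leaves the state unchanged in that case. */
static void model_write_ctrl(struct pmic_model *m, uint8_t v) {
    m->ctrl = v;
    if (m->state == ST_DIAGNOSTIC && (v & DIAG_EXIT) && !(v & DIAG_EXIT_MASK))
        m->state = ST_ACTIVE;
}

/* Device held in DIAGNOSTIC by the mask, with elapsed_ms already counted. */
static struct pmic_model paused_at(uint32_t elapsed_ms, uint8_t other_bits) {
    struct pmic_model m = { ST_DIAGNOSTIC, 0, elapsed_ms };
    m.ctrl = (uint8_t)((other_bits & ~(DIAG_EXIT | DIAG_EXIT_MASK)) | DIAG_EXIT_MASK);
    return m;
}

/* Recommended: clear the mask and set DIAG_EXIT in one write, other bits kept. */
static enum state exit_single_write(struct pmic_model *m) {
    model_write_ctrl(m, (uint8_t)((m->ctrl & ~DIAG_EXIT_MASK) | DIAG_EXIT));
    return m->state;
}

/* Discouraged: two writes; the timer resumes during the gap between them. */
static enum state exit_two_writes(struct pmic_model *m, uint32_t gap_ms) {
    model_write_ctrl(m, (uint8_t)(m->ctrl & ~DIAG_EXIT_MASK));
    model_tick(m, gap_ms);
    model_write_ctrl(m, (uint8_t)(m->ctrl | DIAG_EXIT));
    return m->state;
}

int main(void) {
    struct pmic_model a = paused_at(500, 0xA4), b = paused_at(500, 0xA4);
    return (exit_single_write(&a) == ST_ACTIVE &&
            exit_two_writes(&b, 20) == ST_SAFE) ? 0 : 1;
}
```

With 500 ms already counted before the pause, a 20 ms gap between the two writes is enough for the model to land in SAFE, while the same two writes succeed when only 100 ms had elapsed, which is why the failure can go unnoticed in bench testing.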

     

  • Hi Scott.

    Thank you so much for your answer.

    Q: Should I reset SAFETY_ERR_STAT Register to 0 when returning from Diagnostic state to Active ?

     A: SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0 or a preferred value at the start of application run time. The various thresholds that use DEV_ERR_CNT should be set according to application needs.

      ->Q'' : You said '' SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0''.

                 However, your other answer uses DEV_ERR_CNT[3:0] bits.

                  Which one is correct answer?

                  And then, what is the difference between DEV_ERR_CNT[3:0] and [2:0]?

    A'': For SAFETY_ERR_STAT Register if SW_LOCK command has been used while in DIAGNOSTIC state the SAFETY_ERR_STAT register which holds the bits will be locked against writes, so the SW_UNLOCK command must be used to make a change to the register (this one holds DEV_ERR_CNT[3:0] bits). The sequence would be SW_UNLOCK ⇒ write to SAFETY_ERR_STAT xxxx xxxx b. If the question is for the DIAG_EXIT_MASK and DIAG_EXIT to ACTIVE this is in the SAFETY_CHECK_CTRL register where there is no lock. The sequence would be write to SAFETY_CHECK_CTRL xxxx xx01 b. Where the last two bits are the DIAG_EXIT_MASK (0) and DIAG_EXIT (1) and the other bits are the values needed for the application.

         ->Q''' : If I don't use SW_LOCK command , does it need use SW_UNLOCK command?

    Q : If SW_LOCK is executed, will it remain locked after rebooting?

    Sincerely.

    Kengo.

  • Hi Kengo,

     

    Please see below for answers to your new questions.

     

    ->Q'' : You said '' SAFETY_ERR_STAT Register could be cleared to 0 to ensure the DEV_ERR_CNT[2:0] starts from 0''.

     

                 However, your other answer uses DEV_ERR_CNT[3:0] bits.

     

                 Which one is correct answer?

     

                 And then, what is the difference between DEV_ERR_CNT[3:0] and [2:0]?

    A'': DEV_ERR_CNT[2:0] is a typo and should be DEV_ERR_CNT[3:0].

     

     

    A'': For SAFETY_ERR_STAT Register if SW_LOCK command has been used while in DIAGNOSTIC state the SAFETY_ERR_STAT register which holds the bits will be locked against writes, so the SW_UNLOCK command must be used to make a change to the register (this one holds DEV_ERR_CNT[3:0] bits). The sequence would be SW_UNLOCK ⇒ write to SAFETY_ERR_STAT xxxx xxxx b. If the question is for the DIAG_EXIT_MASK and DIAG_EXIT to ACTIVE this is in the SAFETY_CHECK_CTRL register where there is no lock. The sequence would be write to SAFETY_CHECK_CTRL xxxx xx01 b. Where the last two bits are the DIAG_EXIT_MASK (0) and DIAG_EXIT (1) and the other bits are the values needed for the application.

     

         ->Q''' : If I don't use SW_LOCK command , does it need use SW_UNLOCK command?

     

    A''': If the SW_LOCK command is not used, the SW_UNLOCK command does not need to be used.

     

    Q : If SW_LOCK is executed, will it remain locked after rebooting?

     

    A: Rebooting is something the MCU does, not the TPS65381A-Q1. The SW_LOCK will remain executed until the device either goes through a power on reset (NPOR) itself (detected NPOR event or STANDBY state), or returns back to DIAGNOSTIC state where the SW_UNLOCK command could be used to unlock the device for register writes again.

  • Hi Scott.

    Thank you for your answer.

    A: Rebooting is something the MCU does, not the TPS65381A-Q1. The SW_LOCK will remain executed until the device either goes through a power on reset (NPOR) itself (detected NPOR event or STANDBY state), or returns back to DIAGNOSTIC state where the SW_UNLOCK command could be used to unlock the device for register writes again.

     Q' : Is the setting memorized(SW_LOCK) even when the power is turned off?

    Sincerely.

    Kengo.

  • Hi Kengo,

    To answer this new question:

     Q' : Is the setting memorized(SW_LOCK) even when the power is turned off?

     A' : No, the setting is not "memorized". All configurations including SW_LOCK will be re-initialized (default) after the power is lost (VBATx supply pins are unpowered) or the device has been transitioned to STANDBY state (OFF state) because from either of those conditions the device will go through its power on reset (NPOR).