[FAQ] TDA4VH-Q1: Details on the MCU_SAFETY_ERRORn and SOC_SAFETY_ERRORn pins

Part Number: TDA4VH-Q1
Other Parts Discussed in Thread: TDA4VH

Tool/software:

Please provide details on the functionality of the MCU_SAFETY_ERRORn and SOC_SAFETY_ERRORn pins and how they can be triggered by the application.

  • Hi,

    SOC_SAFETY_ERRORn is the output from the Main domain ESM module and MCU_SAFETY_ERRORn is the output pin from the MCU domain ESM module.

    Please find below the details from the TDA4VH TRM, explained in Section 5.5.14.2 ESM Integration Details:

    "The ERR_O output of the MAIN Domain ESM0 drives the SOC_SAFETY_ERRORn pin directly to indicate a MAIN Domain safety error condition to an external device. The ESM0 ERR_O error output is also connected to the MCU_ESM0 as an error event input. Both Level and PWM Mode are supported on the SOC_SAFETY_ERRORn output signal if the ESM0 ERR_O is not monitored by MCU_ESM0. However, only Level Mode is allowed if the ESM0 ERR_0 error signal is actively monitored by the MCU_ESM0 module.

    The MCU_ESM0 ERR_O error output is connected to the WKUP_ESM0 as an error event input, but it is not directly connected to a Device pin. Only Level Mode is allowed for the MCU_ESM0 ERR_0 error output.

    The ERR_O output of WKUP_ESM0 drives the MCU_SAFETY_ERRORn pin directly to indicate a WKUP Domain safety error condition to an external device. This pin can also indicate MCU Domain and MAIN Domain safety error conditions via daisy-chaining of the Device ESM modules, provided that the Events corresponding to those daisy-chained ERR_O outputs are enabled."

    ESM acts as the fault reporting module for the entire SoC and can bring the device back to the safe state as defined by the system design engineers prior to violating any safety goals. So this acts as diagnostic logic and is expected to be used in all functional safety application use-cases. When a fault is reported to the ESM module, it will generate an interrupt to the corresponding processing core and at the same time assert an external error I/O pin to indicate an error has occurred.

    Examples of low priority events include single-bit errors in memories which are corrected by memory ECC, but an interrupt will be generated to inform the processor that an error has occurred. High priority interrupts will be generated in case of 2-bit errors in memories, which are not correctable and would require immediate intervention by the processor. The error I/O pin can either operate in level or PWM mode. The external I/O pin will be asserted low for a minimum period of time when the error is reported. The interrupts generated from the ESM module are routed to the processing cores in the SoC, which allows the device itself to analyze the error/fault and recover from it. If the processor has not handled the error and it is not cleared within that time frame, the external monitoring agent should intervene, as the error is not recoverable, and bring the device to the safe state.

    Safe states are generally defined by the system integrator at the system level. There are separate error output pins from the Main domain and the MCU domain which can be connected to external monitoring devices like Power Management ICs. TI's recommendation will be to connect both these output pins to the PMIC IC, and that will enable resetting the Main domain and MCU domain separately in case of unrecoverable errors.

    In regards to examples using the SBL bootflow, the TI SDL documentation has an example for triggering the MCU_SAFETY_ERRORn, documented in SDL installation at: https://software-dl.ti.com/jacinto7/esd/processor-sdk-rtos-j784s4/08_06_00_14/exports/docs/sdl/sdl_docs/userguide/j784s4/examples/esm.html. A similar approach can be used for the MAIN domain ESM.

    Regards,

    Josiitaa
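The ESM daisy chain and output-mode rules quoted from the TRM above, as a small C model. This is an added example, not part of the original post and not TI SDL code. All type, field and function names are hypothetical, and it assumes that a fault reported in a domain is configured to drive that domain's ESM ERR_O.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types: these are not TI SDL or register definitions. */
typedef enum { ERR_MODE_LEVEL, ERR_MODE_PWM } err_mode_t;

typedef struct {
    err_mode_t main_mode;    /* output mode of MAIN ESM0 ERR_O */
    err_mode_t mcu_mode;     /* output mode of MCU_ESM0 ERR_O */
    bool mcu_monitors_main;  /* MCU_ESM0 event for ESM0 ERR_O is enabled */
    bool wkup_monitors_mcu;  /* WKUP_ESM0 event for MCU_ESM0 ERR_O is enabled */
} esm_chain_cfg_t;

/* true means the active-low pin is asserted (driven low). */
typedef struct { bool soc_safety_errorn; bool mcu_safety_errorn; } esm_pins_t;

#define ESM_VIOL_MAIN_PWM_MONITORED 1 /* PWM on ESM0 ERR_O while MCU_ESM0 monitors it */
#define ESM_VIOL_MCU_NOT_LEVEL      2 /* MCU_ESM0 ERR_O must be Level Mode */

/* Returns 0 when the configuration obeys the quoted mode rules, else a bitmask. */
int esm_cfg_check(const esm_chain_cfg_t *c) {
    int viol = 0;
    if (c->mcu_monitors_main && c->main_mode != ERR_MODE_LEVEL)
        viol |= ESM_VIOL_MAIN_PWM_MONITORED;
    if (c->mcu_mode != ERR_MODE_LEVEL)
        viol |= ESM_VIOL_MCU_NOT_LEVEL;
    return viol;
}

/* Propagates per-domain faults along MAIN -> MCU -> WKUP and returns pin states. */
esm_pins_t esm_propagate(const esm_chain_cfg_t *c, bool main_fault,
                         bool mcu_fault, bool wkup_fault) {
    bool main_err = main_fault;  /* ESM0 ERR_O drives SOC_SAFETY_ERRORn directly */
    bool mcu_err  = mcu_fault || (c->mcu_monitors_main && main_err);
    bool wkup_err = wkup_fault || (c->wkup_monitors_mcu && mcu_err);
    esm_pins_t pins = { main_err, wkup_err }; /* WKUP_ESM0 ERR_O drives MCU_SAFETY_ERRORn */
    return pins;
}

int main(void) {
    /* Constructed configuration: full chain enabled, Level Mode everywhere. */
    esm_chain_cfg_t cfg = { ERR_MODE_LEVEL, ERR_MODE_LEVEL, true, true };
    esm_pins_t p = esm_propagate(&cfg, true, false, false);
    printf("violations=%d SOC_SAFETY_ERRORn=%d MCU_SAFETY_ERRORn=%d\n",
           esm_cfg_check(&cfg), p.soc_safety_errorn, p.mcu_safety_errorn);
    return 0;
}
```

With the chained events disabled, a MAIN domain fault asserts only SOC_SAFETY_ERRORn, so an external monitor wired only to MCU_SAFETY_ERRORn would not see it.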