.. # SPDX-FileCopyrightText: Copyright 2025 Arm Limited and/or its
   # affiliates
   #
   # SPDX-License-Identifier: MIT

.. _aspen_design_ssu:

########################
Safety Status Unit (SSU)
########################

************
Introduction
************

The SSU is another major component in the Safety Island. It reports the safety
status of the subsystem to the External Safety Management (ESM) based on the
Critical Fault (CR_ERR) and Non-Critical Fault (NCR_ERR) signals from the root
FMU (Fault Management Unit). It also supports detecting APB parity check faults
and APB software faults in the IP. The status of the system is reported as a
4-bit output.

Features:

* It provides an APB interface to access the registers.
* It has safety mechanisms to detect systematic faults on the APB interface.
* It provides the safety status as a 4-bit output, which can be used by an
  external safety manager.

*******************
FMU-SSU Integration
*******************

The SSU module reports the safety status of the subsystem based on the Critical
and Non-Critical Fault interrupts from the FMU (Fault Management Unit) of the
Safety Island.

* Critical faults directly change the SSU output to the External Safety
  Management (ESM) to indicate a Critical Error.
* Non-Critical faults do not directly affect the SSU output to the ESM. The
  software determines whether a change is necessary and configures the SSU
  accordingly.

The diagram below shows the interaction between the FMU and SSU modules.

.. image:: ../images/fmu_ssu_integration.*
   :align: center
   :alt: FMU - SSU Integration

**************************
Finite State Machine (FSM)
**************************

The SSU implements a state machine reflecting the current safety state of the
Safety Island, which shall be one of the following four:

* TEST: Under testing

  * Meaning the Safety Island is undergoing LBIST or software-based testing
    during boot.
  * Reachable only when the SSU is reset.

* SAFE: Safe operation

  * Meaning the Safety Island is running without any active errors.
  * Reachable only from the TEST or ERRN states, by a software-programmed event.

* ERRN: Non-Critical error

  * Meaning the Safety Island has encountered a Non-Critical error.
  * Reachable only from the TEST or SAFE states, when either a Non-Critical
    error is detected or a software-programmed event occurs.

* ERRC: Critical error

  * Meaning the Safety Island has encountered a Critical error.
  * Reachable only from the TEST, SAFE or ERRN states, when either a Critical
    error is detected or a software-programmed event occurs.

The diagram below shows the SSU FSM state diagram.

.. image:: ../images/ssu_fsm_state.png
   :align: center
   :alt: SSU FSM

==================
Module API Summary
==================

.. list-table::
   :widths: 30 50
   :header-rows: 1

   * - API
     - Description
   * - get_sys_status()
     - Provides the current FSM state of the SSU.
   * - set_sys_ctrl()
     - Triggers a state transition in the SSU finite state machine (FSM).

======================
Testing and Validation
======================

**Unit Testing**: Executed on the host using the Unity framework. Refer to
:link_subs:`rd-aspen:scp-unit-test` for more information on this framework.

**Integration Testing**: This uses the SCP-firmware debugger CLI. Refer to
:ref:`rd-aspen_user_guide_reproduce` for more information on this framework.

**OEQA Automation**: This uses the SCP-firmware debugger CLI. Refer to
:ref:`rd-aspen_validation` for more information on this framework.
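The following is an added software model of the SSU FSM described above, not the SSU RTL or the SCP-firmware module code: it encodes the four states and the reachability rules from the FSM section, so that a ``set_sys_ctrl()`` request which would leave ERRC without a reset is rejected. The enum names, the event model and the signatures of ``get_sys_status()``/``set_sys_ctrl()`` are assumptions made for this example.

```c
#include <stdbool.h>

/* Added example, not the SSU RTL or SCP-firmware code: a software model of the
 * SSU FSM using the transition rules from this page. The enums, the event
 * model and the signatures of get_sys_status()/set_sys_ctrl() are assumptions. */
enum ssu_state { SSU_TEST = 0, SSU_SAFE, SSU_ERRN, SSU_ERRC };

enum ssu_event {
    SSU_EV_RESET,    /* SSU reset: the only way back to TEST */
    SSU_EV_SW_SAFE,  /* software-programmed transition to SAFE */
    SSU_EV_SW_ERRN,  /* software-programmed transition to ERRN */
    SSU_EV_SW_ERRC,  /* software-programmed transition to ERRC */
    SSU_EV_NCR_ERR,  /* Non-Critical fault (NCR_ERR) from the root FMU */
    SSU_EV_CR_ERR    /* Critical fault (CR_ERR) from the root FMU */
};

static enum ssu_state ssu_state = SSU_TEST;   /* state after reset */

enum ssu_state get_sys_status(void) { return ssu_state; }

/* Apply an event. Returns true if the SSU is in the requested target state
 * afterwards, false if the rule set forbids the transition (state unchanged).
 * ERRC can only be left by a reset, so a critical error is never silently
 * downgraded by software. */
bool set_sys_ctrl(enum ssu_event ev)
{
    enum ssu_state cur = ssu_state;
    switch (ev) {
    case SSU_EV_RESET:
        ssu_state = SSU_TEST;
        return true;
    case SSU_EV_SW_SAFE:                    /* SAFE: only from TEST or ERRN */
        if (cur != SSU_TEST && cur != SSU_ERRN) return false;
        ssu_state = SSU_SAFE;
        return true;
    case SSU_EV_SW_ERRN:                    /* ERRN: only from TEST or SAFE */
    case SSU_EV_NCR_ERR:
        if (cur == SSU_ERRC) return false;  /* never downgrade a critical error */
        ssu_state = SSU_ERRN;               /* ERRN -> ERRN simply holds */
        return true;
    case SSU_EV_SW_ERRC:                    /* ERRC: from TEST, SAFE or ERRN */
    case SSU_EV_CR_ERR:
        ssu_state = SSU_ERRC;               /* CR_ERR always wins; ERRC holds */
        return true;
    }
    return false;
}
```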