Safety Status Unit (SSU)

Introduction

The SSU is another major component of the Safety Island. It reports safety status information to the External Safety Management (ESM) based on the Critical Fault (CR_ERR) and Non-Critical Fault (NCR_ERR) signals from the root FMU (Fault Management Unit). It also detects APB parity check faults and APB software (SW) faults in the IP. The status of the system is reported as a 4-bit output.

Features:

  • It provides an APB interface to access the registers.

  • It has safety mechanisms to detect systematic faults on the APB interface.

  • It provides the safety status as a 4-bit output, which can be used by an external safety manager.

FMU-SSU Integration

The SSU module reports the safety status of the subsystem based on Critical and Non-Critical Fault interrupts from the FMU (Fault Management Unit) of the Safety Island.

  • Critical faults directly change the SSU output to the External Safety Management (ESM) to indicate a Critical Error.

  • Non-Critical faults do not directly affect the SSU output to the ESM. The software determines whether a change is necessary and configures the SSU accordingly.

The diagram below shows the interaction between the FMU and SSU modules.

[Figure: FMU - SSU Integration]

Finite State Machine (FSM)

The SSU implements a state machine reflecting the current safety state of the Safety Island, which shall be one of the following four:

  • TEST: Under testing
    • Meaning the Safety Island is undergoing LBIST or software-based testing during boot.

    • Reachable only when the SSU is reset.

  • SAFE: Safe operation
    • Meaning the Safety Island is running without any active errors.

    • Reachable only from TEST or ERRN states, by a software-programmed event.

  • ERRN: Non-Critical error
    • Meaning the Safety Island has encountered a Non-Critical error.

    • Reachable only from TEST or SAFE states, when either a Non-Critical error is detected, or by a software-programmed event.

  • ERRC: Critical error
    • Meaning the Safety Island has encountered a Critical error.

    • Reachable only from TEST, SAFE or ERRN states, when either a Critical error is detected, or by a software-programmed event.

The diagram below shows the SSU FSM state diagram.

[Figure: SSU FSM]
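The reachability rules above can be captured as a small transition function. The following C model is an added example, not SCP-firmware code; the state encodings and event names are assumptions (the page only says the status is a 4-bit output), and the event sequence in main() is constructed for illustration.

```c
#include <stdio.h>

/* The four safety states described above. The page gives no encodings for
 * the 4-bit status output, so these enum values are placeholders. */
enum ssu_state { SSU_TEST, SSU_SAFE, SSU_ERRN, SSU_ERRC };

/* Inputs that can drive a transition: the FMU fault lines and the
 * software-programmed events issued through set_sys_ctrl(). Names are assumed. */
enum ssu_event {
    SSU_EV_RESET,    /* SSU reset: the only way back into TEST */
    SSU_EV_CR_ERR,   /* Critical fault (CR_ERR) from the root FMU */
    SSU_EV_NCR_ERR,  /* Non-Critical fault (NCR_ERR) from the root FMU */
    SSU_EV_SW_SAFE,  /* software programs a transition to SAFE */
    SSU_EV_SW_ERRN,  /* software programs a transition to ERRN */
    SSU_EV_SW_ERRC   /* software programs a transition to ERRC */
};

/* Apply one event and return the resulting state. Transitions that the
 * reachability rules forbid are ignored and the current state is returned. */
enum ssu_state ssu_apply(enum ssu_state cur, enum ssu_event ev)
{
    switch (ev) {
    case SSU_EV_RESET:
        return SSU_TEST;   /* TEST is reachable only by resetting the SSU */
    case SSU_EV_CR_ERR:
    case SSU_EV_SW_ERRC:
        return SSU_ERRC;   /* from TEST, SAFE or ERRN; ERRC simply stays ERRC */
    case SSU_EV_NCR_ERR:
    case SSU_EV_SW_ERRN:
        /* ERRN only from TEST or SAFE: a Non-Critical fault must never
         * downgrade an already-reported Critical error. */
        return (cur == SSU_TEST || cur == SSU_SAFE) ? SSU_ERRN : cur;
    case SSU_EV_SW_SAFE:
        /* SAFE only from TEST or ERRN: software cannot clear ERRC. */
        return (cur == SSU_TEST || cur == SSU_ERRN) ? SSU_SAFE : cur;
    }
    return cur;
}

int main(void)
{
    static const char *name[] = { "TEST", "SAFE", "ERRN", "ERRC" };
    /* Constructed scenario: boot test passes, a Non-Critical fault is
     * handled by software, then a Critical fault latches ERRC until reset. */
    const enum ssu_event seq[] = { SSU_EV_SW_SAFE, SSU_EV_NCR_ERR, SSU_EV_SW_SAFE,
                                   SSU_EV_CR_ERR, SSU_EV_SW_SAFE, SSU_EV_RESET };
    enum ssu_state s = SSU_TEST;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        enum ssu_state n = ssu_apply(s, seq[i]);
        printf("%s -> %s%s\n", name[s], name[n], n == s ? " (ignored)" : "");
        s = n;
    }
    return 0;
}
```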

Module API Summary

API               Description
get_sys_status()  Returns the current FSM state of the SSU.
set_sys_ctrl()    Triggers a state transition in the SSU finite state machine (FSM).

Testing and Validation

Unit Testing: Executed on the host using the Unity framework. Refer to System Control Processor (SCP) Unit Test for more information on this framework.

Integration Testing: This will use the SCP-firmware debugger CLI. Refer to Reproduce for more information on this framework.

OEQA Automation: This will use the SCP-firmware debugger CLI. Refer to Validation for more information on this framework.