The SMU is the central component for handling safety and security alarms. Based on the safety concept, several hardware- and software-based safety mechanisms are implemented within the microcontroller to detect the presence of faults. These faults are signaled to the SMU as safety alarms. Please refer to the Safety Manual for a detailed description of which safety mechanisms trigger which alarms.

Based on the security concept, several hardware- and software-based security mechanisms are implemented within the microcontroller to detect the presence of security events. These security events are signaled to the SMU as security alarms. For certain alarms, whether they are safety relevant or security relevant depends only on how the microcontroller is used. These alarms are categorized as shared alarms, and their assignment is configured during start-up.

SMU_CS is the security alarm handler. Within SMU_CS, each security alarm can be individually configured to trigger certain reactions. These reactions are discussed in detail in section SMU_CS. An independent access protection mechanism protects the configuration of SMU_CS. SMU_CS is implemented in the core domain, that is, it is supplied by the core voltage and clocked by f_SPB (refer to the PMS and Clocking chapters of the UM for more details).

Two safety alarm handler instances, SMU_SAFE0 and SMU_SAFE1, are also present in the core domain. The architectural design of both instances is exactly the same, and all safety alarms are mapped to both instances. Within each instance, each safety alarm can be individually configured to trigger certain reactions. These reactions are discussed in detail in section SMU_SAFE. A separate access protection mechanism protects the configuration of SMU_SAFE0 and of SMU_SAFE1 individually; the two instances are therefore configured and locked independently of each other.

A shared alarm selector is present which can be configured during start-up to map each shared alarm either to the security alarm handler SMU_CS or to the safety alarm handlers SMU_SAFE0 and SMU_SAFE1.

To mitigate potential common cause faults inside the MCU, an independent alarm handler SMU_STDBY is present in the standby domain. SMU_STDBY is supplied by the back-up voltage and clocked by f_BACK (refer to the PMS and Clocking chapters of the user manual for more details). Each safety alarm that is mapped to SMU_STDBY can be individually configured to trigger an error notification on the external Fault Signaling Protocol (FSP) error pins. All power and temperature related alarms are processed in a diverse way, since they are mapped both to the core domain alarm handlers (SMU_SAFE0 and SMU_SAFE1) and to the standby domain alarm handler SMU_STDBY. The clock alive monitor alarms are processed in the same clock domain in which they are generated. Moreover, to detect errors in the core domain alarm handlers themselves, SMU_SAFE0, SMU_SAFE1 and SMU_CS each send an Alive Alarm (SMU_SAFE0 Alive Alarm, SMU_SAFE1 Alive Alarm and SMU_CS Alive Alarm) to SMU_STDBY when they detect an internal error.
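The routing described in the preceding paragraphs, as an added C model that is not Infineon's SMU driver and is not tied to any real SMU register interface: shared alarms are steered by a selector that is writable only during start-up, every safety alarm reaches both SMU_SAFE0 and SMU_SAFE1, each instance refuses configuration once its own access protection is locked, alarms mapped to SMU_STDBY can drive the FSP error pins even when the core domain handlers have failed, and a failed core domain handler is itself reported to SMU_STDBY by an Alive Alarm. The alarm IDs, the enum and function names and the demo scenario (alarm 0 as a power monitor alarm, alarm 1 a security alarm, alarm 2 a shared alarm routed to SMU_CS) are assumptions made for illustration.

```c
/* Added example, not Infineon code: a C model of the SMU alarm routing described
 * above. Alarm IDs, enum/function names and the demo scenario are assumptions;
 * no real SMU registers are modelled.  Build: cc -std=c11 -Wall smu_model.c */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define N_ALARMS 8

enum alarm_class { CLS_SAFETY, CLS_SECURITY, CLS_SHARED };
enum reaction    { REACT_NONE, REACT_IRQ, REACT_RESET };
enum shared_sel  { SEL_SAFE, SEL_CS };

struct handler {
    enum reaction cfg[N_ALARMS]; /* reaction configured individually per alarm    */
    bool locked;                 /* this instance's own access protection engaged  */
    bool internal_error;         /* handler has failed: it raises an Alive Alarm   */
};

struct smu {
    enum alarm_class cls[N_ALARMS];
    enum shared_sel  sel[N_ALARMS];   /* shared alarm selector, start-up only       */
    bool startup_done;
    struct handler safe0, safe1, cs;  /* core domain (core voltage, f_SPB)          */
    bool stdby_mapped[N_ALARMS];      /* alarm also routed to SMU_STDBY (f_BACK)    */
    bool stdby_fsp[N_ALARMS];         /* ...and configured to drive the FSP pins    */
    bool stdby_fsp_on_alive;          /* SMU_STDBY drives FSP on any Alive Alarm    */
};

struct outcome {
    enum reaction safe0, safe1, cs;   /* what each core domain handler did          */
    bool fsp;                         /* FSP error pins asserted by SMU_STDBY       */
};

/* Shared alarm selector: writable only during start-up and only for shared alarms. */
bool smu_select_shared(struct smu *s, int id, enum shared_sel sel) {
    if (s->startup_done || s->cls[id] != CLS_SHARED) return false;
    s->sel[id] = sel;
    return true;
}

/* Per-alarm reaction; refused once the instance's access protection is locked. */
bool handler_configure(struct handler *h, int id, enum reaction r) {
    if (h->locked) return false;
    h->cfg[id] = r;
    return true;
}

/* True if any core domain handler detected an internal error (Alive Alarm to SMU_STDBY). */
bool smu_alive_alarm_pending(const struct smu *s) {
    return s->safe0.internal_error || s->safe1.internal_error || s->cs.internal_error;
}

/* Practitioner check: the two independently configured instances must agree. */
bool smu_safe_config_consistent(const struct smu *s) {
    return memcmp(s->safe0.cfg, s->safe1.cfg, sizeof s->safe0.cfg) == 0;
}

static enum reaction react(const struct handler *h, int id) {
    return h->internal_error ? REACT_NONE : h->cfg[id];  /* a failed handler does nothing */
}

/* Route one alarm as the block diagram describes and report every reaction. */
struct outcome smu_deliver(const struct smu *s, int id) {
    struct outcome o = { REACT_NONE, REACT_NONE, REACT_NONE, false };
    bool shared  = s->cls[id] == CLS_SHARED;
    bool to_safe = s->cls[id] == CLS_SAFETY   || (shared && s->sel[id] == SEL_SAFE);
    bool to_cs   = s->cls[id] == CLS_SECURITY || (shared && s->sel[id] == SEL_CS);
    if (to_safe) {                       /* every safety alarm reaches both instances */
        o.safe0 = react(&s->safe0, id);
        o.safe1 = react(&s->safe1, id);
    }
    if (to_cs) o.cs = react(&s->cs, id);
    /* Diverse path: an alarm mapped to SMU_STDBY still reaches the FSP pins when the
     * core domain handlers (same voltage, same clock) have all failed. */
    if (to_safe && s->stdby_mapped[id] && s->stdby_fsp[id]) o.fsp = true;
    if (s->stdby_fsp_on_alive && smu_alive_alarm_pending(s)) o.fsp = true;
    return o;
}

/* Assumed demo scenario: alarm 0 = power monitor alarm (safety, also mapped to
 * SMU_STDBY), alarm 1 = security alarm, alarm 2 = shared alarm routed to SMU_CS. */
void smu_demo_init(struct smu *s) {
    memset(s, 0, sizeof *s);
    s->cls[0] = CLS_SAFETY; s->cls[1] = CLS_SECURITY; s->cls[2] = CLS_SHARED;
    smu_select_shared(s, 2, SEL_CS);                  /* allowed: still in start-up */
    handler_configure(&s->safe0, 0, REACT_RESET);
    handler_configure(&s->safe1, 0, REACT_RESET);     /* configured separately, kept equal */
    handler_configure(&s->cs, 1, REACT_IRQ);
    handler_configure(&s->cs, 2, REACT_IRQ);
    s->stdby_mapped[0] = s->stdby_fsp[0] = true;
    s->stdby_fsp_on_alive = true;
    s->safe0.locked = s->safe1.locked = s->cs.locked = true;   /* engage access protection */
    s->startup_done = true;                                    /* selector now frozen */
}

int main(void) {
    struct smu s; smu_demo_init(&s);
    struct outcome o = smu_deliver(&s, 0);
    printf("power alarm: safe0=%d safe1=%d fsp=%d\n", o.safe0, o.safe1, o.fsp);
    s.safe0.internal_error = s.safe1.internal_error = true;    /* common-cause fault */
    o = smu_deliver(&s, 0);
    printf("core handlers failed: safe0=%d safe1=%d fsp=%d\n", o.safe0, o.safe1, o.fsp);
    return 0;
}
```

The check smu_safe_config_consistent is the kind of start-up self-test a practitioner would add: because SMU_SAFE0 and SMU_SAFE1 are configured and protected independently, nothing forces their reaction tables to agree, and a silently diverged configuration would undermine the redundancy.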

SMU Global Control and Configuration (SMU_GCC) is present to handle configuration of the SMU that applies globally and cannot be performed by the individual alarm handlers. SMU_GCC takes care of the global configuration of the core domain alarm handlers (SMU_SAFE0, SMU_SAFE1 and SMU_CS). The Emergency Stop Unit, which issues the emergency stop request to the ports, and the Register Monitor Unit, which tests the safety flip-flops, are also part of SMU_GCC. SMU_GCC has its own independent access protection mechanism as well.

Figure 1. SMU block diagram

For the alarm description please refer to the 'SMU alarm mapping tables' subchapter and to the Safety Manual.