This function configures and starts the PE’s clock monitor logic. This logic will cause a signal to the ECM if the monitored clocks exceed their low or high limit thresholds over their sample intervals.

Each of four clock monitor circuits compares the number of rising clock edges which occur on two clock signals. In the time required for each “sampling clock” to produce 16 rising edges (after each reference rising edge) the rising edges of the corresponding “monitored clock” are counted and compared to programmed low and high limits for that monitor circuit. A comparison outside the range defined by the limits causes a signal to the ECM.

Per HWUM 31.5.3.2 and 31.5.3.3, each clock monitor channel’s enable bit, when set to one, locks that channel’s low and high limit registers until any reset occurs. Each clock monitor channel’s enable bit can be controlled by writing to the respective control register CLMAnCTL0.

Rationale

The sample and monitor clocks of CLMA1 and CLMA3 are both derived from the same basic oscillator. For this reason, variation in these sources will occur in both sample and monitor clock circuit inputs and the resulting counts will not show the variation that will occur with CLMA0 and CLMA2 where the two oscillator inputs have independent variations. Instead of adding the two tolerances which is appropriate with independent error sources, a fraction of the total tolerance should be used by MCAL with the positively correlated errors of CLMA1 and CLMA3. Unless Renesas describes new sources of frequency error it may be desirable to tighten the tolerances of CLMA1 and CLMA3.

Assumption:

A programmable “option byte” OPBT0 value affects the values used with the Renesas formulae here. The assumption used here are that OPBT0[21:20] is either 0b00 or 0b11. These two values yield identical upper and lower limit values for the clock monitor circuits. Currently CM106A documents the use of OPBT0[21:20] = 0b00.

All four monitor circuits will be initialized and armed since, in addition to the existence of a reasonable frequency pulse stream from the two oscillators, the additional channels each verifies that some distinct frequency divider flip-flops are functioning.

Implementation

The following table lists the values available from different sources which may be used to initialize the clock monitor circuits.

Clock monitor	OPBT0 [21:20]	monitored clock	sampling clock	Renesas formula min hex (%tol.)	Renesas formula max hex (%tol.)	Derived Tolerance for MCAL (+/-%)
CLMA0	Don’t Care	Main Osc	HS intOsc / 4	73 (-10.16)	8F (11.72)	(10, -10), (1, -1)
CLMA1	Don’t Care	Peripheral clk /2	Main Osc / 8	9E (-1.25)	A1 (0.625)	(1, -1) (1, -1)
CLMA2	00	WDTCLKI = 8Mhz	Main Osc / 16	72 (-10.94)	8D (10.16)	(10, -10), (1, -1)
CLMA3	Don’t Care	Clk CPU	Main Osc / 2	13E (-0.625)	141 (0.313)	(1, -1) (1, -1)

Note: Renesas also documents a hardware requirement that each clock monitor lower limit be larger than zero and that each upper limit must be greater than or equal to the corresponding lower limit plus three.

The use of “Don’t Care“ in this table means that the value has no impact on the circuit behavior.

The Renesas formulae compute clock monitor limit values assuming that the two clocks of each monitor have independent variation from nominal. While this is completely true for CLMA0 and CLMA2, it is wrong for CLMA1 and CLMA3 which use the same oscillator as the source of both inputs. Those channels’ limits are likely wider than they need to be but the digital hardware design limits on how close the two limit values of each monitor can be to each other prevents those tolerances from being very much tighter.

Renesas’ MCAL provides an input tolerance for each of the clocks involved with each monitor circuit. MCAL accepts input tolerance quantized to whole percentage so the minimum non-zero tolerance of one percent is used for CLMA1 and CLMA3 inputs. The minimum crystal oscillator tolerance (one percent) is used with the ten percent tolerance of the “high-frequency” oscillator for CLMA0 and CLMA2.

A snapshot of the spreadsheet used to evaluate clock monitor limit values has been included in the “reference data” section below.

MCAL Input:

In the McuGeneralConfiguration container

McuClm0Operation true

McuClm0MonitoringClockAccuracy 1

McuClm0SamplingClockAccuracy 10

McuClm1Operation true

McuClm1MonitoringClockAccuracy 1

McuClm1SamplingClockAccuracy 1

McuClm2Operation true

McuClm2MonitoringClockAccuracy 1

McuClm2SamplingClockAccuracy 10

McuClm3Operation true

McuClm3MonitoringClockAccuracy 1

McuClm3SamplingClockAccuracy 1

Reference

Verification Method

N/A

Revision Record & Change Approval

Rev	Date	Change Control #	Drw	Change Description
01.00.00	03/02/2016	2475	EC	Initial release

2 - CM109A Review Checklist

Nexteer_Template_V1.0

Overview

Peer Review Instructions
Technical Review Checklist
Template Change Log

Sheet 1: Peer Review Instructions

Instructions for Functional Design Package Peer Review

PRE-MEETING
	Function Owner	Confirm that requirements are reviewed and approved PRIOR to the FDP peer review
	Function Owner	Start with latest version of the template for any "first reviews" - Continue to use existing temmplate for re-reviews
	Function Owner	Provide the functional design package (changed documents) to the invited attendees 1-2 working days in advance of review
	Function Owner	Notify the assigned peer reviewer and make sure they are prepared to do their function in the meeting
	Function Owner	Identify necessary attendance and invite to meeting
	Function Owner	Complete the "Author" column information for sections 1 through 3 prior to the review
	Function Owner	Complete the attendance invitation list in section 5
	Function Owner	For Re-reviews only: Complete the column "remarks by author" to identify actions taken to address items found in earlier reviews.

DURING MEETING
	Function Owner	Present document changes to the review team
	Peer Reviewer	Capture attendance of the review
	Peer Reviewer	Capture actions and issues in section 4. Identify issue summary, Document type, Reference (Requirement ID, section number, etc), Defect Type and indicate status as "OPEN"

POST MEETING
	Function Owner	Follow up on all "open" items. Update "Summary of Resolution" to indicate what was done or decided.
	Function Owner	Schedule follow up review OR review open items with peer reviewer and obtain agreement to close
	Peer Reviewer	Close change request in system and confirm all associated tasks are complete. Upload peer review checklist (this document) with any FDP updates

Sheet 2: Technical Review Checklist

Technical Review Checklist - Template Version 01.00.09

Product Name

Electric Power Steering

Electrical Arch.

Review Scope

Defect Type

Numbers

Yes

Closed

Function Name

CM109A_ClkCfgAndMon

Version

Requirement

Rejected

FDD

Author

Ed Cory

Interface

Open

Model

Effort

Design

FMEA

Review Effort(Hrs.)

1.00

Standards

*.m File

Corr+Verf effort(Hrs.)

2.00

Documentation

Cal Process

Total Effort (Hrs.)

3.00

Others

Total

Checklist No.

Description of Check

Author: This column is for Self review. Author shall fill Yes/No/NA against each point in checklist. Author

Author: This column is for reviewer. Reviewer shall fill Yes/No/NA against each point in checklist. Reviewer

Author: Detailed Description of the finding shall be provided by the reviewer. Description of finding by reviewer

Author: Defect type to be selected. Defect Type

Author: What action is taken to fix the comment & other remarks need to be filled by author. Remarks By Author

Author: Data in this column shall be filled by reviewer after checking whether the rework is completed. Status

Section 1: TECHNICAL CHECK

1.1

Confirm that all signal inputs into the FDP (Functional Design Package) are contained within and exactly named as the "Available_Nexteer_Signals.m" states.

1.2

Confirm any removed signal inputs from the design have been removed from the "Available_Nexteer_Signals.m" file.

1.3

Confirm all signals and parameters (outputs, calibrations, constants, non-volatile memory) used in the *.m file and the design conform to the AutoSAR naming convention documentation.

1.4

Confirm *.m file has been provided to the "Available_Signal_Names" Author.

1.5

Confirm Electrical Systems interface map is updated to reflect the FDP (signal IO)

1.6

Confirm that Static Register evaluation has been completed and updated for any register data that is written to.

1.7

Have calibration default values been reviewed for correctness?

Section 2: Safety CHECK

Author: This column is for Self review. Author shall fill Yes/No/NA against each point in checklist. Author

Author: This column is for reviewer. Reviewer shall fill Yes/No/NA against each point in checklist. Reviewer

Author: Detailed Description of the finding shall be provided by the reviewer. Description of finding by reviewer

Author: Defect type to be selected. Defect Type

Author: What action is taken to fix the comment & other remarks need to be filled by author. Remarks By Author

Author: Data in this column shall be filled by reviewer after checking whether the rework is completed. Status

2.1

Confirm that the functional DFMEA is up to date based on the design in the current package.

2.2

Confirm that Safety requirements (ASIL A - D) are referenced in the design documents.

Section 3: Lessons Learned

Author: This column is for Self review. Author shall fill Yes/No/NA against each point in checklist. Author

Author: This column is for reviewer. Reviewer shall fill Yes/No/NA against each point in checklist. Reviewer

Author: Detailed Description of the finding shall be provided by the reviewer. Description of finding by reviewer

Author: Defect type to be selected. Defect Type

Author: What action is taken to fix the comment & other remarks need to be filled by author. Remarks By Author

Author: Data in this column shall be filled by reviewer after checking whether the rework is completed. Status

3.01

Have functions depending upon system state been reviewed for need to be executed at the 2ms rate to avoid system lag issues?

3.02

Have all diagnostics (NTCs) been confirmed to show logic to invoke a diagnostic "PASS" for control of the status byte at the customer level.

3.03

Has the requirements traceability steps used the RMI steps as defined in the FDD authoring spec to generate the traceability report?

3.04

Has the requirements traceability report been verified to only contain ONLY requirements from the FR.

3.05

Confirm that all PIM that does NOT have an initialization value of zero is initialized in an INIT function.

3.06

Confirm if NVM is used, the NVM is defined in structures

3.07

If the function uses NVM, confirm that the m file uses the SetBlockStatus to indicate a write at powerdown

3.08

Confirm NTCs are not set within an IRQ (not related to the typical periodic OS)

3.09

Confirm NTCs are not set or read in a periodic rate faster than 2 ms (ex. Motor Control Loop)

3.10

Constants check: Do all constants have the correct scope (local, global) and are they defined in the correct location (this FDD, ES/SF/AR999)?

3.11

Confirm all calibrations are required (ie they cannot be constants)

Section 4: Issues / Actions Identified

Document

Reference

Summary of resolution

Author: Defect type to be selected. Defect Type

Author: What action is taken to fix the comment & other remarks need to be filled by author. Remarks By Author

Author: Data in this column shall be filled by reviewer after checking whether the rework is completed. Status

4.1

Rename file - should be named with module short name

FDD

rename file using short name

Standards

4.2

Remove all of section 3 in FDD. Once static register verification strategy is better defined, we will have to come back into this FDD and update accordingly.

FDD

removed high and low limits from section 3, left CTL regs to comply with SAN's "The
control register shall be also read back once after configuration to ensure the CLM is enable."

Standards

4.3

Remove setAndVerify function/logic and replace with just standard writes.

FDD

Removed setAndVerify function/logic and replaced with just standard writes.

Design

4.4

Remove setProtectedRegister8andVerify and replace with direct call to WrProtdReg function

FDD

Removed setProtectedRegister8andVerify and replaced with direct calls to WrProtdReg function

Design

4.5

If you call out in rationale sections in another document, make sure to call out the version of the document somehow being referenced

FDD

added references to HWUM & SAN, versions and dates

Documentation

4.6

Re-review as a team all Cautions listed in FDD

FDD

re-reviewed with entire team 2/3/2016

Others

4.7

Maybe embed spreadsheet with logic used for determining tolerances on clock monitoring. Review this with the larger team for agreement (including Renesas)

FDD

embedded spreadsheet.

Documentation

4.8

See about updating and running latest data dictionary creation and verification tools.

*.m File

set up latest tools, verified DD

Standards

4.9

Need to add something about Init2 into your FDD document

FDD

added Init2 into FDD fn list

Interface

4.10

Talk about MCAL MCU driver clock monitor function and redundancy with this function

FDD

MCAL MCU driver clock monitor function ??? Mentioned whole percentage monitoring, added paragraph about the lack of redundancy in the clock monitor system.

Others

4.11

Fix NTC State Info Bits (not aligning with master NTC list)

FDD

matched to master NTC list

Standards

4.12

Change to tightest defensible tolerances for MCAL, use Renesas's Formula values for non-MCAL

FDD

changed to tightest defensible tolerances for MCAL, use Renesas's Formula values for non-MCAL, embedded updated spreadsheet into FDD

Design

4.13

remove cautions except for Option byte, change option byte reference to statement of an assumption

FDD

removed cautions, added option byte assumption

Documentation

4.14

Delete high level description

FDD

deleted it.

Others

4.15

Check with SAN 1.20 to update SAN requirement

FDD

verified that there was no change in SAN 1.20, updated FDD entry to indicate that the listed reqt was from 1.20

Documentation

4.16

Remove the implementation details because we are using the MCAL

FDD

removed them.

Others

4.17

remove the comments about MCAL MCU driver clock monitor function and redundancy

FDD

removed them.

Others

4.18

4.19

4.20

4.21

4.22

4.23

4.24

4.25

Section 5: APPROVALS

Role

First Review

Date

Attendance

Approval?

Function Owner*

Ed Cory

3/2/2016

Yes

Peer Reviewer*

Samanth Kumaraswamy

Yes

EPDT Engineer

ES Engineer

Software Lead

Hardware Lead

Test Lead

Safety Lead

Role

Second Review (if required)

Date

Attendance

Approval?

Function Owner*

Peer Reviewer*

<Name>

EPDT Engineer

ES Engineer

Software Lead

Hardware Lead

Test Lead

Safety Lead

Role

Third Review (if required)

Date

Attendance

Approval?

Function Owner*

Peer Reviewer*

<Name>

EPDT Engineer

ES Engineer

Software Lead

Hardware Lead

Test Lead

Safety Lead

Role

Fourth Review (if required)

Date

Attendance

Approval?

Function Owner*

Peer Reviewer*

<Name>

EPDT Engineer

ES Engineer

Software Lead

Hardware Lead

Test Lead

Safety Lead

Role

Add more if necessary

Date

Attendance

Approval?

P.S.:

Yes indicates adherence

No indicates non-adherence, reviewer shall provide suitable comments at the end of this document for each point.

NA indicates not applicable

Sheet 3: Template Change Log

Rev	Change	Author
01.00.05	Added lesson learned #3.5	MDK
01.00.06	Added lesson learned #3.6, 3.7 - Structure and writing of NVM in mfiles and models.	MDK
01.00.07	Clarified 3.6 and 3.7 Added lessons learned for NTCs not being set in IRQs or periodics faster than 2ms/	MDK
01.00.08	Added section 1.6 to look for critical static register analysis	MDK
01.00.09	Added two checks - default cals and are all cals really required to be a calibration	MDK