Component Design
1 - CM101A_ExcpnHndlg
Exception Handling
(ExcpnHndlg)
FDD CM101A
2. Sub-Functions In This Document
3. Critical Register Verification References
4.1. Sub-Function: Exception Handling Configuration
4.1.7. Diagnostic Verification Method
4.2. Sub-Function: Exception Handling Routine SYSERR
4.3. Sub-Function: Exception Handling Routine Floating Point
4.4. Sub-Function: Exception Handling Routine Misalignment
4.5. Sub-Function: Exception Handling Routine Reserved Instruction
4.6. Sub-Function: Server Routine FENMI PEG
4.7. Sub-Function: Server Routine FENMI SPI 2 Bit ECC Error
4.8. Sub-Function: Server Routine FENMI DMA Transfer Error
4.9. Sub-Function: Server Routine FENMI DMA Access Violation Error
4.10. Sub-Function: Server Routine FENMI ECM Master/Checker Compare
4.10.6. Verification Method
4.11. Sub-Function: Server Routine FENMI Watchdog
4.11.6. Verification Method
4.12. Sub-Function: Server Routine FENMI DTS Double Bit ECC
4.12.6. Verification Method
4.13. Sub-Function: Server Routine Process Unknown Exception Error
4.13.6. Verification Method
4.14. Sub-Function: Server Routine Process Memory Protection Unit Exception Error
4.14.1. Verification Method
4.15. Sub-Function: Server Routine Process Privileged Instruction Exception Error
4.15.6. Verification Method
4.16. Sub-Function: Server Routine Process Permanent Os Error
4.16.6. Verification Method
4.17. Sub-Function: Server Routine Process Non Critical Os Error
4.17.6. Verification Method
4.18. Periodic (ExcpnHndlgPer1)
4.18.1. Verification Method
4.19. Sub-Function: Server Routine Shutdown Hook
4.20. Sub-Function: Exception Handling Routine EIINT
4.21. Sub-Function: Reset Source Determination
4.21.6. Verification Method
6. Revision Record & Change Approval
High Level Description
This document describes the exception handling and reset cause determination for microcontroller diagnostics. The MCU handler is in place to parse and identify the FE and EI exception sources (of the 43 shown). For FE-type interrupts the MCU handler calls server functions in this FDD; EI-based interrupts call server functions in the relevant FDD directly.
Additionally, any pre-OS failures that are detected are "saved" in backup RAM until the reset cause function runs. The reset cause algorithm uses the backup RAM (written by both the exception handlers and the pre-OS start-up tests) to set the appropriate fault codes. For this FDD, NTCs are set only in the reset cause function.
Sub-Functions In This Document
Below is a linked list of all sub-functions owned by this document.
| Sub-Function Name | Link |
|---|---|
| Exception Handling Configuration | 4.1 |
| Exception Handling Routine SYSERR | 4.2 |
| Exception Handling Routine Floating Point | 4.3 |
| Exception Handling Routine Misalignment | 4.4 |
| Exception Handling Routine Reserved Instruction | 4.5 |
| Server Routine FENMI PEG | 4.6 |
| Server Routine FENMI SPI 2 Bit ECC | 4.7 |
| Server Routine FENMI DMA Transfer Error | 4.8 |
| Server Routine FENMI DMA Access Violation Error | 4.9 |
| Server Routine FENMI Master Checker Compare | 4.10 |
| Server Routine FENMI Watchdog | 4.11 |
| Server Routine FENMI DTS Double Bit ECC | 4.12 |
| Server Routine FENMI Unknown | (reference not resolved) |
| Server Routine Protection Hook | (reference not resolved) |
| Server Routine Error Hook | 4.14 |
| Server Routine Shutdown Hook | 4.19 |
| Exception Handling Routine EIINT | (reference not resolved) |
| Reset Source Determination | 4.21 |
Critical Register Verification References
This table contains the information needed for critical register verification as configured or used in this document.
| Register | Register No. (regID, selID) | Access Permission | Init / Periodic Verification | Masking | Expected Value | Protn Score From Eval Sheet |
|---|---|---|---|---|---|---|
| FPCFG | SR10, 0 | CU0 | Init | None | 0x0000 001C | 0 |
Sub-functions
Sub-Function: Exception Handling Configuration
Return to sub-function list link: Sub-Functions In This Document
NTCs
NA
SAN Linkage
SAN-49: After reset, the generation of a SYSERR exception request due to the errors shown in the Error Notification Control Register (SEGCONT) is disabled. This notification can be enabled by setting the related bits accordingly.
SAN-263: Generation of a SYSERR exception in case of an uncorrectable error (e.g. DED, address parity) during instruction fetch cannot be masked for the instruction fetch unit in SEGCONT. However, such errors shall always be handled by the ECM within the DTI.
SAN-278: Transition to the safe state shall take place when an ECC 2-bit error or an overflow error has occurred. For this purpose, the ECM shall be configured accordingly.
SAN-342: Transition of the MCU and the system to the safe state shall take place when an address parity error has occurred. For this purpose, the ECM shall be configured accordingly.
SAN-401: Transition to the safe state shall take place when a 2-bit error, an error count overflow or an address error has been detected. For this purpose, configure the appropriate response in the ECM accordingly.
SAN-413: Upon detection of a non-correctable bit error in the local RAM, a system error exception request will be sent to the SEG to generate a SYSERR (FE-level) exception (if it is enabled).
Description
This sub-function configures or identifies the exception handling characteristics for the RH850 related to microcontroller diagnostics.
Rationale
The Nexteer approach to exception handling distinguishes two classes of error: serious errors that are handled by forcing a software reset of the microcontroller, and those that are not. This sub-function lists the exceptions and highlights those that will be configured to be a system error (SYSERR) via the SEGCONT register. Floating point exceptions must also be configured.
The exception handler assumes that the MCAL configures the CVMREN register to cause a reset when the CVM fails.
Implementation
Initialization (ExcpnHndlgInit1)
Register Configuration Summary
| Register | Value | Comments | Access (SV) | Access (UM) |
|---|---|---|---|---|
| FPCFG (Floating-point operation configuration) | FPCFG.XE.V = 1 (Validity), FPCFG.XE.Z = 1 (Divide by Zero), FPCFG.XE.O = 1 (Overflow), FPCFG.XE.U = 0 (Underflow), FPCFG.XE.I = 0 (Imprecise) | Only addresses configuring the exception bits | R/W | R/W |
| * SYSCVMDEW (CVM Detection Enable Register) | SYSCVMDEW.CVMDIAGMEW = 0 | Enable CVM Diagnosis. NOTE: This is a protected register; it can only be written once. | R/W | R/W |
*Denotes that no direct write is required as the default value meets the requirement.
NOTE: MCU configuration has a checkbox selection for the self-test – consider this in the future design.
```
// Configure floating point exceptions – note that other FPU configuration is done in the FBL
FPCFG = 0x0000 001C
```
Reference
FPSR (see boot loader CM110A for the configuration function):
- Bits 31 to 24: status bits; NA for configuration; initialize to zero.
- Bit 23: FN (Flush to Nearest): recommend setting this bit to 1. Together with FS (Flush Subnormal) set to 1 and RM set to RN (round to nearest), this setting causes subnormal numbers to be flushed to either zero or +/- the smallest-magnitude normal number, whichever is closer to the subnormal result; essentially the subnormal result is rounded rather than always flushed to zero. (See the FS setting for the EA3 comparison.)
- Bit 22: IF: status bit; NA for configuration; initialize to zero.
- Bit 21: PEM: recommend setting to 0 for imprecise floating point exceptions. This does not allow execution to resume after the exception handler, which is acceptable since the expected design is to cause a reset. Precise exceptions would allow execution to resume but cause slower operation (different pipelining is needed to support precise exceptions).
- Bit 20: reserved; must write 0.
- Bits 19 and 18: RM (rounding mode): recommended setting is 00 for RN (round to nearest). This matches the setting used in EA3.
- Bit 17: FS (Flush Subnormal): recommend setting this bit to 1 to enable flush subnormal; this is the default value of the bit. The floating point coprocessor has no hardware processing of subnormal numbers, so if FS is disabled any subnormal operand or result causes an exception so that software processing can occur; flush subnormal is recommended for throughput optimization. NOTE that this differs from the EA3 setting: the EA3 processor has hardware support for subnormal numbers and does not flush them; not flushing is the default for the EA3 processor.
- Bit 16: reserved; must write 0.
- Bits 15 to 10: status bits; NA for configuration; initialize to zero.
- Bits 9 to 5: exception enable bits: recommend setting as in the EA3 FDD (although no EA3 program has turned these settings on yet):
  - Bit 9: V (invalid operation): set to 1 to enable the exception
  - Bit 8: Z (divide by zero): set to 1 to enable the exception
  - Bit 7: O (overflow): set to 1 to enable the exception
  - Bit 6: U (underflow): set to 0 to disable the exception
  - Bit 5: I (inexact): set to 0 to disable the exception
- Bits 4 to 0: status bits; NA for configuration; initialize to zero.
Diagnostic Verification Method
NA as this is a configuration sub-function
Sub-Function: Exception Handling Routine SYSERR
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-166: If SYSERR exception is generated, a reset of the device shall be issued.
SAN-263: Generation of a SYSERR exception in case of an uncorrectable error (e.g. DED, address parity) during instruction fetch cannot be masked for the instruction fetch unit in SEGCONT. However, such errors shall always be handled by the ECM within the DTI.
SAN-278: Transition to the safe state shall take place when an ECC 2-bit error or an overflow error has occurred. For this purpose, the ECM shall be configured accordingly.
SAN-342: Transition of the MCU and the system to the safe state shall take place when an address parity error has occurred. For this purpose, the ECM shall be configured accordingly.
SAN-343: In case an address parity error has occurred, a system error (SYSERR) exception will be generated. This exception is terminating, and a reset from the ECM or from the pin becomes necessary.
SAN-401: Transition to the safe state shall take place when a 2-bit error, an error count overflow or an address error has been detected. For this purpose, configure the appropriate response in the ECM accordingly.
SAN-413: Upon detection of a non-correctable bit error in the local RAM, a system error exception request will be sent to the SEG to generate a SYSERR (FE-level) exception (if it is enabled).
Description
This sub-function handles SYSERR exceptions (after the RBASE / EBASE switch; refer to the start-up sequence).
Note that some errors are configured to generate a SYSERR based on the contents of the SEGCONT register (see CM110A for details). The design stores information in backup registers, generates a software reset, and then the "Reset Source Determination" sub-function identifies the source of the reset and the NTC to set.
SYSERRs occurring prior to RTE initialization will result in an interrupt restarting the FBL.
Rationale
The SYSERR approach was selected over the ECM because it is a more direct response to serious failures. Note that the ECM error-out pin is also configured to drive the safe state as a redundant disabling mechanism; however, no EI or FE interrupts are configured as enabled.
The design assumes that if none of the SEGFLAG bits are set, the cause is an instruction fetch failure.
R7F701311 has 128 KB of RAM with a base address of 0xFEB8 0000 and the offset starting at 0x0006 0000.
Implementation
The SYSERR exception has an offset of 0x010.
Event Driven (SysErrIrq)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| SEGFLAG (Error Occurrence Retention Register) | Contains bits that indicate the source of the system error. | R/W | Read Only |
| SEGADDR (Error Address) | Contains the error address information that caused the system error. | R/W | Read Only |
| CF1STEADR0_PE1 (Code Flash 1st Error Address Register) | Provides the address of the failure; used for debug purposes. | R/W | R/W |
```
TmpData = 0
// Determine source of error from the SEGFLAG bits and indicate in BRAMDAT0
If (SEGVPGF = 1) Then
    TmpSrc = McuDiagc1.MCUDIAGC_PRPHLBUSGUARD
Else If (SEGVCRF = 1) Then
    TmpSrc = McuDiagc1.MCUDIAGC_INTPRPHLGUARD
Else If (SEGTCMF = 1) Then
    // Identify the bank that failed so the address is taken from the correct register
    If (ECCCPU1DEDF0 = 1) Then
        // TmpData is the Local RAM offset address OR'ed with the base address (0xFEB8 0000) and bank address (0x0)
        TmpData = ((ECCCPU1LR1STEADR0_PE1 << 4) | 0xFEB8 0000)
    Else If (ECCCPU1DEDF1 = 1) Then
        // TmpData is the Local RAM offset address OR'ed with the base address (0xFEB8 0000) and bank address (0x4)
        TmpData = ((ECCCPU1LR1STEADR1_PE1 << 4) | 0xFEB8 0004)
    Else If (ECCCPU1DEDF2 = 1) Then
        // TmpData is the Local RAM offset address OR'ed with the base address (0xFEB8 0000) and bank address (0x8)
        TmpData = ((ECCCPU1LR1STEADR2_PE1 << 4) | 0xFEB8 0008)
    Else
        // TmpData is the Local RAM offset address OR'ed with the base address (0xFEB8 0000) and bank address (0xC)
        TmpData = ((ECCCPU1LR1STEADR3_PE1 << 4) | 0xFEB8 000C)
    End If
    TmpSrc = McuDiagc1.MCUDIAGC_LCLRAMDBLBIT
Else If ((SEGROMF = 1) Or (SEGVCIF = 1)) Then // Both bits can indicate a code flash ECC error
    If ((CF1STERSTR_PE1 & 0x0000 0004) != 0) Then
        TmpSrc = McuDiagc1.MCUDIAGC_ADRPAR
        TmpData = ECCFLICF1STEADR0_PE1
    Else If ((CF1STERSTR_PE1 & 0x0000 0002) != 0) Then
        TmpSrc = McuDiagc1.MCUDIAGC_CODFLSDBLBIT
        TmpData = ECCFLICF1STEADR0_PE1
    Else
        // Other VCIE cause
        TmpSrc = McuDiagc1.MCUDIAGC_VCIE
    End If
Else
    // Assume an instruction fetch error drove the SYSERR
    TmpSrc = McuDiagc1.MCUDIAGC_INSTRFETCH
End If
NxtrSwRstFromExcpn(TmpSrc, TmpData)
```
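The SEGFLAG decode above, written as a C function that can be unit-tested off-target. This is an added example, not the FDD's pseudo code or Nexteer's implementation: the register snapshot struct, the numeric values of the source enumerators (standing in for the McuDiagc1.MCUDIAGC_* values) and the constant holding the 0xFEB8 0000 local RAM base are assumptions made so the logic runs without hardware. It keeps the pseudo code's priority order (guard violations first, then local RAM, then code flash, with instruction fetch as the default) and the local RAM address reconstruction (offset shifted left by 4, OR'ed with the base and bank address).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Source codes standing in for McuDiagc1.MCUDIAGC_*; numeric values are assumed. */
typedef enum {
    MCUDIAGC_PRPHLBUSGUARD,
    MCUDIAGC_INTPRPHLGUARD,
    MCUDIAGC_LCLRAMDBLBIT,
    MCUDIAGC_ADRPAR,
    MCUDIAGC_CODFLSDBLBIT,
    MCUDIAGC_VCIE,
    MCUDIAGC_INSTRFETCH
} McuDiagcSrc;

/* Snapshot of the registers the SYSERR handler reads. On target these come
 * from the device header; a struct is assumed here so the decode is testable. */
typedef struct {
    bool segvpgf, segvcrf, segtcmf, segromf, segvcif; /* SEGFLAG bits */
    bool dedf[4];                                     /* ECCCPU1DEDF0..3 */
    uint32_t lr1steadr[4];                            /* ECCCPU1LR1STEADR0..3_PE1 */
    uint32_t cf1sterstr;                              /* CF1STERSTR_PE1 */
    uint32_t cf1steadr0;                              /* ECCFLICF1STEADR0_PE1 */
} SysErrRegs;

typedef struct { McuDiagcSrc src; uint32_t data; } ExcpnRecord;

#define LCLRAM_BASE 0xFEB80000u  /* local RAM base address stated in the FDD */

/* Classify the SYSERR source and collect the address the reset-cause step needs. */
ExcpnRecord syserr_classify(const SysErrRegs *r)
{
    ExcpnRecord rec = { MCUDIAGC_INSTRFETCH, 0u };  /* default: instruction fetch */
    if (r->segvpgf) {
        rec.src = MCUDIAGC_PRPHLBUSGUARD;
    } else if (r->segvcrf) {
        rec.src = MCUDIAGC_INTPRPHLGUARD;
    } else if (r->segtcmf) {
        /* Local RAM double-bit error: the first flagged bank (0..2) selects the
         * address register; bank 3 is the fallback, as in the pseudo code. */
        int bank = 3;
        for (int i = 0; i < 3; i++) { if (r->dedf[i]) { bank = i; break; } }
        rec.src = MCUDIAGC_LCLRAMDBLBIT;
        rec.data = (r->lr1steadr[bank] << 4) | LCLRAM_BASE | (uint32_t)(bank * 4);
    } else if (r->segromf || r->segvcif) {
        if (r->cf1sterstr & 0x4u) {
            rec.src = MCUDIAGC_ADRPAR;        /* address parity */
            rec.data = r->cf1steadr0;
        } else if (r->cf1sterstr & 0x2u) {
            rec.src = MCUDIAGC_CODFLSDBLBIT;  /* code flash double bit */
            rec.data = r->cf1steadr0;
        } else {
            rec.src = MCUDIAGC_VCIE;          /* other VCIE cause */
        }
    }
    return rec;
}

int main(void)
{
    /* Constructed snapshot: local RAM bank 1 flagged with offset 0x1234. */
    SysErrRegs regs = {0};
    regs.segtcmf = true;
    regs.dedf[1] = true;
    regs.lr1steadr[1] = 0x1234u;
    ExcpnRecord rec = syserr_classify(&regs);
    printf("src=%d data=0x%08X\n", (int)rec.src, (unsigned)rec.data);
    return 0;
}
```

The test snapshot yields data 0xFEB92344: offset 0x1234 shifted to 0x12340, OR'ed with the base and the bank 1 address 0x4.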
Reference
Verification Method
At 2 ms rate:
```
// Invokes a double bit ECC code flash fault
If (McuDiagcTest = McuDiagcTestTyp.CODFLSDBLBIT) Then
    Temp = Read from Code Flash Test Address 0x0100 A8B0 // invokes a double bit ECC
    McuDiagcTest = McuDiagcTestTyp.NoTest
End If
// Check section 8.4.2 in the SAN for address parity fault injection options
// Need to find other ways to invoke a SYSERR
```
Sub-Function: Exception Handling Routine Floating Point
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None identified
Description
This sub-function is used to handle the exceptions configured for the floating point unit (FPU). Based on the configurations, the handler can identify / discriminate faults for overflow, divide by zero and invalid operations.
Rationale
The FPU “E bit” functionality is a function of the FPU configuration.
Page 173/174 of the software user manual (R01UH0436EJ0100 Rev.1.00) states: "If the FS bit of the FPSR register is set to 1, an unimplemented operation exception (E) will not occur under any circumstances."
Nexteer is setting the FS bit to 1; therefore there is no need to check for the "E bit" failure in the FPSR register. Should it be set for some reason, it will be swept into the "unknown" category.
Implementation
The Floating Point exception has an offset of 0x070.
Event Driven (FpuErrIrq)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| FPSR | This register is used to control and monitor the cause of floating point exceptions. | R/W | No |
| FPEPC | This register stores the program counter value where the exception occurs. | R/W | No |
```
// Get data relating to the fault
TmpData = FPEPC
If ((FPSR & 0x0000 4000) != 0) Then
    TmpSrc = McuDiagc1.MCUDIAGC_FPUERRINVLDOPER // Invalid Operation
Else If ((FPSR & 0x0000 2000) != 0) Then
    TmpSrc = McuDiagc1.MCUDIAGC_FPUERRDIVBYZERO // Divide by Zero
Else If ((FPSR & 0x0000 1000) != 0) Then
    TmpSrc = McuDiagc1.MCUDIAGC_FPUERROVF // Overflow
Else
    TmpSrc = McuDiagc1.MCUDIAGC_FPUERRUKWN // Unknown (not expected)
End If
NxtrSwRstFromExcpn(TmpSrc, TmpData)
```
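The two halves of the floating point design, the FPCFG configuration written by ExcpnHndlgInit1 (and checked against the expected value 0x0000 001C in the critical register table) and the FPSR cause decode above, as one added C example. This is not the FDD's pseudo code or Nexteer's implementation. The bit positions are taken from the values the FDD states (FPCFG.XE occupying bits 4..0 as V, Z, O, U, I so that V/Z/O enabled gives 0x1C, and the FPSR cause masks 0x4000, 0x2000 and 0x1000); the enumerator names and values are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* FPCFG.XE enable bits: bits 4..0 = V, Z, O, U, I (layout implied by the
 * FDD's expected value 0x0000001C for V, Z and O enabled). */
#define FPCFG_XE_V (1u << 4)
#define FPCFG_XE_Z (1u << 3)
#define FPCFG_XE_O (1u << 2)
#define FPCFG_XE_U (1u << 1)
#define FPCFG_XE_I (1u << 0)
#define FPCFG_EXPECTED 0x0000001Cu  /* expected value from the critical register table */

/* FPSR cause masks tested by the handler, in its priority order. */
#define FPSR_XC_V 0x00004000u
#define FPSR_XC_Z 0x00002000u
#define FPSR_XC_O 0x00001000u

/* Stand-ins for McuDiagc1.MCUDIAGC_FPUERR*; values assumed. */
typedef enum { FPUERR_INVLDOPER, FPUERR_DIVBYZERO, FPUERR_OVF, FPUERR_UKWN } FpuErrSrc;

/* Compose the FPCFG write value from the five enable decisions. */
uint32_t fpcfg_build(bool v, bool z, bool o, bool u, bool i)
{
    uint32_t cfg = 0u;
    if (v) cfg |= FPCFG_XE_V;
    if (z) cfg |= FPCFG_XE_Z;
    if (o) cfg |= FPCFG_XE_O;
    if (u) cfg |= FPCFG_XE_U;
    if (i) cfg |= FPCFG_XE_I;
    return cfg;
}

/* Init-time critical register check. The table lists Masking = None, so the
 * whole read-back word must equal the expected value. */
bool fpcfg_verify(uint32_t readback)
{
    return readback == FPCFG_EXPECTED;
}

/* Discriminate the exception cause from FPSR, highest priority first. Anything
 * else (including an E bit set despite FS = 1) falls into the unknown bucket. */
FpuErrSrc fpu_classify(uint32_t fpsr)
{
    if (fpsr & FPSR_XC_V) return FPUERR_INVLDOPER;
    if (fpsr & FPSR_XC_Z) return FPUERR_DIVBYZERO;
    if (fpsr & FPSR_XC_O) return FPUERR_OVF;
    return FPUERR_UKWN;
}

int main(void)
{
    uint32_t cfg = fpcfg_build(true, true, true, false, false);
    printf("FPCFG = 0x%08X (%s)\n", (unsigned)cfg, fpcfg_verify(cfg) ? "ok" : "mismatch");
    printf("FPSR 0x2000 -> %d\n", (int)fpu_classify(0x2000u));
    return 0;
}
```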
Reference
Verification Method
NA
Sub-Function: Exception Handling Routine Misalignment
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-148: When a MPU violation is detected, the access is not granted, but the related information such as access type (read, write), data size, and instruction type are stored in the memory error information register MEI. The memory error address register is used to store the address when a MAE (misaligned) or MPU exception occurs. Both registers can be accessed in the CPU supervisor mode only.
Description
This sub-function handles exceptions generated by a memory misalignment error.
Rationale
TBD
Implementation
The memory misalignment exception has an offset of 0x0C0.
Event Driven (AlgnErrIrq)
Registers used
| Register | Use | Register No. (regID, selID) | Access (SV) | Access (UM) |
|---|---|---|---|---|
| MEI | Memory error information register; used to indicate whether the misalignment occurred during a read or a write. | SR8, 2 | Yes | No (via SAN) |
| MEA | Memory error address register; stores the address when a MAE (misalignment) or MPU violation occurs. | SR6, 2 | Yes | No (via SAN) |
```
// Determine source of error and indicate in BRAMDAT0
TmpData = MEA
If ((MEI & 0x0000 0001) = 0x0000 0001) Then
    TmpSrc = McuDiagc1.MCUDIAGC_ALGNWR
Else
    TmpSrc = McuDiagc1.MCUDIAGC_ALGNREAD
End If
NxtrSwRstFromExcpn(TmpSrc, TmpData)
```
Reference
Verification Method
NA
Sub-Function: Exception Handling Routine Reserved Instruction
Return to sub-function list link: Sub-Functions In This Document
NTCs
N/A
SAN Linkage
None
Description
Rationale
This exception is generated when the CPU executes an illegal (reserved) opcode.
Implementation
The Reserved Instruction exception has an offset of 0x060.
Event Driven (ResdOperIrq)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| None | | | |
```
// Identify reset cause and reset
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_RESDOPER, 0)
```
Verification Method
N/A
Sub-Function: Server Routine FENMI PEG
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-183: For PE guard violations, a proper error handling shall be performed. For this the ECM shall be configured accordingly.
Description
This server function is called by the MCU handler and is responsible for responding to a PEG (Processor Element Guard) error. The Nexteer design has this configured in the ECM to be an exception of type FENMI. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
FENMI interrupts represent serious failures within the microcontroller or its peripherals that are critical to the overall design. As a result, the Nexteer strategy is to indicate the fault type in backup memory (data retained through a software reset) and force a software reset; after the reset the reset type is identified and the fault is set (assuming the system can operate to that point).
Note that the function FeNmiPeg is called from the MCU handler.
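The FENMI strategy depends on the exception record surviving the software reset and on the reset cause function being able to tell a genuine record from stale or corrupted backup RAM (the reset source list carries a "Corrupt Start up / Reset Information" NTC and an "Unknown Software Reset" NTC for exactly these outcomes). The following C is an added example, not the FDD's NxtrSwRstFromExcpn or Nexteer's backup RAM layout: it keeps the source and data words together with their one's complements, which is an assumed integrity scheme, in a simulated backup RAM array, and the read side reports empty, valid or corrupt so the caller can map each outcome to a reset cause rather than trusting whatever the words happen to contain.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { BRAM_EMPTY, BRAM_VALID, BRAM_CORRUPT } BramResult;

/* Simulated backup RAM. On target these would be the retained BRAMDAT words the
 * pseudo code writes; the array and word layout are assumptions for this example. */
enum { BRAM_SRC = 0, BRAM_DATA = 1, BRAM_SRC_INV = 2, BRAM_DATA_INV = 3, BRAM_WORDS = 4 };
static uint32_t g_bram[BRAM_WORDS];

#define BRAM_NO_SRC 0xFFFFFFFFu  /* assumed sentinel meaning "no exception recorded" */

/* Leave a self-consistent "nothing recorded" record behind. */
void bram_clear(void)
{
    g_bram[BRAM_SRC] = BRAM_NO_SRC;
    g_bram[BRAM_DATA] = 0u;
    g_bram[BRAM_SRC_INV] = ~BRAM_NO_SRC;
    g_bram[BRAM_DATA_INV] = ~0u;
}

/* Exception side: record source and data (plus complements) before the software reset. */
void bram_store_excpn(uint32_t src, uint32_t data)
{
    g_bram[BRAM_SRC] = src;
    g_bram[BRAM_DATA] = data;
    g_bram[BRAM_SRC_INV] = ~src;
    g_bram[BRAM_DATA_INV] = ~data;
}

/* Reset-cause side: validate before trusting the record. A complement mismatch
 * means the retained words are corrupt and must not be used to pick an NTC. */
BramResult bram_read_excpn(uint32_t *src, uint32_t *data)
{
    if ((g_bram[BRAM_SRC] ^ g_bram[BRAM_SRC_INV]) != 0xFFFFFFFFu ||
        (g_bram[BRAM_DATA] ^ g_bram[BRAM_DATA_INV]) != 0xFFFFFFFFu) {
        return BRAM_CORRUPT;
    }
    if (g_bram[BRAM_SRC] == BRAM_NO_SRC) {
        return BRAM_EMPTY;
    }
    *src = g_bram[BRAM_SRC];
    *data = g_bram[BRAM_DATA];
    return BRAM_VALID;
}

/* Read once and clear, so a later reset without a new exception reads EMPTY
 * instead of re-reporting the old record. */
BramResult bram_consume_excpn(uint32_t *src, uint32_t *data)
{
    BramResult r = bram_read_excpn(src, data);
    bram_clear();
    return r;
}

/* Test hook: flip bits in one retained word to model backup RAM corruption. */
void bram_flip_bits(int word, uint32_t mask)
{
    g_bram[word] ^= mask;
}

int main(void)
{
    uint32_t src = 0u, data = 0u;
    bram_clear();
    bram_store_excpn(7u, 0xFEB92344u);       /* constructed: source 7, address data */
    printf("read -> %d\n", (int)bram_consume_excpn(&src, &data));
    printf("read again -> %d (expect empty)\n", (int)bram_read_excpn(&src, &data));
    return 0;
}
```

Result codes 0, 1 and 2 correspond to empty, valid and corrupt; a single flipped bit in the data word is enough to move a record from valid to corrupt.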
Implementation
Event Driven (FeNmiPeg)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| None | | | |
```
// Identify reset cause and reset
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_PROCRELMGUARD, 0)
```
Verification Method
NA
Sub-Function: Server Routine FENMI SPI 2 Bit ECC Error
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
This server routine is called from the MCU handler and is responsible for responding to a SPI RAM peripheral 2 Bit ECC Error. The Nexteer design has this configured in the ECM to be an exception of type FENMI. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
FENMI interrupts represent serious failures within the microcontroller or its peripherals that are critical to the overall design. SPI use in the design applies to several critical functions (motor position, gate drive and power supply control), hence the FE designation.
Note that the function FeNmiSpiDblBit is called from the MCU handler.
Implementation
Event Driven (FeNmiSpiDblBit)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| ECCCSIH0CTL (ECC Control / Status Register for SPI 0) | Indicates an SPI double bit error in SPI 0 | Yes | Yes |
| ECCCSIH1CTL (ECC Control / Status Register for SPI 1) | Indicates an SPI double bit error in SPI 1 | Yes | Yes |
| ECCCSIH2CTL (ECC Control / Status Register for SPI 2) | Indicates an SPI double bit error in SPI 2. Note that SPI 3 is not checked and is assumed by default if 0, 1 or 2 are not detected. | Yes | Yes |
```
TmpData = 0
// Identify which SPI peripheral is at fault (Data0), identify and save address (Data1)
If (ECCCSIH0ECDEDF0 = 1) Then
    TmpData = ECCCSIH0EAD0
    TmpSrc = McuDiagc1.MCUDIAGC_SPIRAMDBLBIT0
Else If (ECCCSIH1ECDEDF0 = 1) Then
    TmpData = ECCCSIH1EAD0
    TmpSrc = McuDiagc1.MCUDIAGC_SPIRAMDBLBIT1
Else If (ECCCSIH2ECDEDF0 = 1) Then
    TmpData = ECCCSIH2EAD0
    TmpSrc = McuDiagc1.MCUDIAGC_SPIRAMDBLBIT2
Else
    TmpData = ECCCSIH3EAD0
    TmpSrc = McuDiagc1.MCUDIAGC_SPIRAMDBLBIT3
End If
NxtrSwRstFromExcpn(TmpSrc, TmpData)
```
Reference
Verification Method
NA
Sub-Function: Server Routine FENMI DMA Transfer Error
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-723: When a data parity error is detected, a flag will be set in P-Bus data parity status register APDPERRST_xx (xx stands for the module name) and an internal error signal is propagated towards ECM. In this case the MCU should move to safe state.
SAN-724: If a data parity error has occurred during DMA transfer, a DMA transfer error will be notified.
Description
This server routine is called from the MCU handler and is responsible for responding to DMA transfer errors. The Nexteer design has this configured in the ECM to be an exception of type FENMI. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
N/A
Implementation
Event Driven (FeNmiDmaTrf)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| DMASSDMACER | Indicates the status of the two DMAC channels | Yes | Yes |
```
// Indicate data for reset cause (Data0) and information on the responsible DMA channel (Data1)
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_DMATRFERR, DMASSDMACER)
```
Reference
Verification Method
NA
Sub-Function: Server Routine FENMI DMA Access Violation Error
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-100: When the CPU makes an illegal access to the global DMA registers (e.g. access in user mode), then an access violation flag will be set in the related transfer module and an internal error signal will be propagated to the ECM to take the proper action.
Description
This server routine is called from the MCU handler and is responsible for responding to DMA privileged access errors. The Nexteer design has this configured in the ECM to be an exception of type FENMI. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
FENMI interrupts represent serious failures within the microcontroller or its peripherals that are critical to the overall design. As a result, the Nexteer strategy is to indicate the fault type in backup memory (data retained through a software reset) and force a software reset; after the reset the reset type is identified and the fault is set (assuming the system can operate to that point).
Note that the function ExcpnHndlgFeNmiDMAREGACSPROTECNERR is called from the MCU handler.
In future versions of this document we may want to consider using the registers DM0CMV, DM1CMV and DTSCMV to provide more information when the fault is triggered. Note that these registers require supervisor mode to be accessed; the exception handlers already execute in SV mode. The initial design will not include them.
Implementation
Event Driven (FeNmiDmaRegAcsProtnErr)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| DMASSDMACER | Indicates the status of the two DMAC channels | Yes | Yes |
```
// Indicate data for reset cause (Data0) and information on the responsible DMA channel (Data1)
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_DMAREGACSPROTECNERR, DMASSDMACER)
```
Reference
Verification Method
NA
Sub-Function: Server Routine FENMI ECM Master/Checker Compare
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
SAN-656: If there is a mismatch between ECM master and checker an ECM compare error will be set in the ECMmESSTR0/1 register. In that case, the safe state shall be entered.
Description
This server routine is called from the MCU handler and is responsible for responding to ECM master/checker compare errors. The Nexteer design has this configured in the ECM to be an exception of type FENMI. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
N/A
Implementation
Event Driven (FeNmiEcmMstChkrCmp)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| None | | | |
```
// Identify reset cause and reset
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_ECMMSTCHKRERR, 0)
```
Verification Method
NA
Sub-Function: Server Routine FENMI Watchdog
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
This server routine is called from the MCU handler and is responsible for responding to internal watchdog failures. The design also intends to use this server function to determine whether the timing failure can be further discriminated into a watchdog, program flow, alive monitor or deadline monitor failure. It is assumed that the MCU will provide the capability to allow Nexteer to select / direct unused features in the design to this routine.
The Nexteer design has this configured in the ECM as an exception of type FENMI without a reset. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
The SAN recommends a reset when using the ECM for watchdog failures. The Nexteer design will defeat that reset and replace it with a software reset; this allows the fault to be parsed into watchdog, program flow, alive monitoring and deadline monitoring and provides more information for debug purposes. Configuring the ECM to reset directly would not allow this.
Note that the function FeNmiWdg is called from the MCU handler.
Implementation
Event Driven (FeNmiWdg)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| EntityStatusGRef (not a register, but a key part of this design) | A structure contained within the AUTOSAR module that provides the means to discriminate the different failures that result in a watchdog timeout. | NA | NA |
Pseudo Code
```
TmpSrc = McuDiagc1.MCUDIAGC_FENMIWDG
TmpData = 0
For Each SupervisedEntityID
    If (EntityStatusGRef->ProgramFlowViolationCnt != 0) Then // Program Flow
        TmpSrc = McuDiagc1.MCUDIAGC_FENMIPROGFLOW
        TmpData = SupervisedEntityID
        Exit For
    Else If (EntityStatusGRef->FailedSupervisionRefCycles != 0) Then // Alive Monitor
        TmpSrc = McuDiagc1.MCUDIAGC_FENMIALVMONR
        TmpData = SupervisedEntityID
        Exit For
    Else If (EntityStatusGRef->DeadlineViolationCnt != 0) Then // Deadline Monitor
        TmpSrc = McuDiagc1.MCUDIAGC_FENMIDEADLINEMONR
        TmpData = SupervisedEntityID
        Exit For
    End If
End For
// Store data for reset cause use and reset
NxtrSwRstFromExcpn(TmpSrc, TmpData)
```
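The supervised-entity walk above as an added C example, not the FDD's pseudo code or Nexteer's implementation. The field names (SupervisedEntityID, ProgramFlowViolationCnt, FailedSupervisionRefCycles, DeadlineViolationCnt) are those the pseudo code reads through EntityStatusGRef; the struct layout, the table passed in and the enumerator values are assumptions. The sample table is constructed for the example. The point worth testing is the ordering: the first entity in table order with any violation decides the source, and within one entity program flow takes precedence over alive monitoring, which takes precedence over deadline monitoring, so the recorded entity ID is the one the reset cause function will later report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for McuDiagc1.MCUDIAGC_FENMI*; values assumed. */
typedef enum {
    MCUDIAGC_FENMIWDG,          /* plain watchdog timeout: nothing more specific found */
    MCUDIAGC_FENMIPROGFLOW,
    MCUDIAGC_FENMIALVMONR,
    MCUDIAGC_FENMIDEADLINEMONR
} WdgSrc;

/* Per-entity status as read through EntityStatusGRef; layout assumed. */
typedef struct {
    uint16_t SupervisedEntityID;
    uint32_t ProgramFlowViolationCnt;
    uint32_t FailedSupervisionRefCycles;
    uint32_t DeadlineViolationCnt;
} EntityStatus;

typedef struct { WdgSrc src; uint32_t data; } WdgRecord;

/* Walk the entities in table order; the first one with a violation wins, and
 * within an entity program flow beats alive monitoring beats deadline monitoring. */
WdgRecord wdg_discriminate(const EntityStatus *tbl, size_t count)
{
    WdgRecord rec = { MCUDIAGC_FENMIWDG, 0u };
    for (size_t i = 0; i < count; i++) {
        const EntityStatus *e = &tbl[i];
        if (e->ProgramFlowViolationCnt != 0u) {
            rec.src = MCUDIAGC_FENMIPROGFLOW;
        } else if (e->FailedSupervisionRefCycles != 0u) {
            rec.src = MCUDIAGC_FENMIALVMONR;
        } else if (e->DeadlineViolationCnt != 0u) {
            rec.src = MCUDIAGC_FENMIDEADLINEMONR;
        } else {
            continue;  /* healthy entity, keep looking */
        }
        rec.data = e->SupervisedEntityID;
        break;
    }
    return rec;
}

/* Constructed sample (not from the FDD): entity 2 healthy, entity 5 missed
 * alive cycles, entity 9 has a deadline violation. */
static const EntityStatus g_sample[] = {
    { 2u, 0u, 0u, 0u },
    { 5u, 0u, 3u, 0u },
    { 9u, 0u, 0u, 1u },
};
#define SAMPLE_COUNT (sizeof g_sample / sizeof g_sample[0])

WdgRecord wdg_sample(void)
{
    return wdg_discriminate(g_sample, SAMPLE_COUNT);
}

int main(void)
{
    WdgRecord rec = wdg_sample();
    printf("src=%d entity=%u\n", (int)rec.src, (unsigned)rec.data);
    return 0;
}
```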
Verification Method
NA
Sub-Function: Server Routine FENMI DTS Double Bit ECC
Return to sub-function list link: Sub-Functions In This Document
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
This server routine is called from the MCU handler and is responsible for responding to DTS ECC failures.
The Nexteer design has configured this in the ECM to be an exception of type FENMI without a Reset. The design notes the source of the error (for later use in the reset cause function), clears the ECM status registers and issues a software reset.
Rationale
Note that the function FeNmiDts is called from the MCU handler.
Implementation
Event Driven (FeNmiDtsDblBit)
Registers used
| Register | Use | Access (SV) | Access (UM) |
|---|---|---|---|
| None | | | |
Pseudo Code
```
// Identify reset cause and reset
NxtrSwRstFromExcpn(McuDiagc1.MCUDIAGC_DTSDBLBIT, 0)
```
Verification Method
NA
Sub Function: Server Routine Process Unknown Exception Error
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
The Process Unknown Exception Error needs to be called when the OS detects an unknown exception.
Rationale
Implementation
Event Driven (ProcUkwnExcpnErr)
```
// Perform software reset from exception and pass appropriate arguments
NxtrSwRstFromExcpn(MCUDIAGC_UKWNEXCPN, McuDiagcData1_Arg)
```
Verification Method
NA
Sub-Function: Server Routine Process Memory Protection Unit Exception Error
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
The Process Memory Protection Unit Exception Error needs to be called when the OS detects a memory protection violation.
Rationale
Implementation
Event Driven (ProcMpuExcpnErr)
```
// Perform software reset from exception and pass appropriate arguments
NxtrSwRstFromExcpn(MCUDIAGC_MPU, McuDiagcData1_Arg)
```
Verification Method
NA
Sub-Function: Server Routine Process Privileged Instruction Exception Error
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
The Process Privileged Instruction Exception Error needs to be called when the OS detects a protection violation.
Rationale
Implementation
Event Driven (ProcPrvlgdInstrExcpnErr)
```
// Perform software reset from exception and pass appropriate arguments
NxtrSwRstFromExcpn(MCUDIAGC_PRVLGDINSTREXCPN, McuDiagcData1_Arg)
```
Verification Method
NA
Sub-Function: Server Routine Process Permanent Os Error
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
The Process Permanent Os Error needs to be called when the OS detects a fatal, permanent failure.
Rationale
Implementation
Event Driven (ProcPrmntOsErr)
```
// Perform software reset from exception and pass appropriate arguments
NxtrSwRstFromExcpn(MCUDIAGC_PRMNTOSERR, McuDiagcData1_Arg)
```
Verification Method
NA
Sub-Function: Server Routine Process Non Critical Os Error
NTCs
None – NTCs are addressed in section 4.21 (Reset Source)
SAN Linkage
None
Description
The Process Non Critical Os Error needs to be called when the OS detects a non-fatal failure.
Rationale
Implementation
Event Driven (ProcNonCritOsErr)
```
// Update error code variable that is polled in the periodic function
ExcpnHndlgOsErrCod_C = McuDiagcData1_Arg
```
Verification Method
NA
Periodic (ExcpnHndlgPer1)
** NOTE: variable ExcpnHndlgOsErrCod must reside in global shared memory **
```
If (ExcpnHndlgOsErrCod != 0x0000) Then
    // Set code for non-fatal OS error – the error code is the data ExcpnHndlgOsErrCod
    SetNtcSts(NtcNr1.NTCNR_0x031, 1, NtcSts1.NTCSTS_FAILD, 0)
End If
```
Verification Method
NA
Sub-Function: Server Routine Shutdown Hook
```
Call EcuM_Shutdown()
```
Sub-Function: Exception Handling Routine EIINT
Return to sub-function list link: Sub-Functions In This Document
It is assumed that the MCU configuration will directly provide a client/server call to the necessary FDDs to accomplish their tasks. It would be redundant to place them within this document only to call out another document, so this is the chosen approach.
Please refer to other microcontroller diagnostic FDDs to see their specific exception handler functionality.
Sub-Function: Reset Source Determination
Return to sub-function list link: Sub-Functions In This Document
NTCs
003.0 Code Flash ECC Single Bit (Hard Fault)
003.1 Code Flash ECC Double Bit Detection
003.2 Code Flash ECC Address Parity Fault
010.0 MBIST Startup Test Failure
013.0 Local RAM ECC Single Bit (Hard Fault)
013.1 Local RAM ECC Double Bit (Hard Fault)
016.1 DTS ECC Double Bit (Hard Fault)
017.1 CSHI0 RAM ECC Double Bit (Hard Fault)
018.1 CSHI1 RAM ECC Double Bit (Hard Fault)
019.1 CSHI2 RAM ECC Double Bit (Hard Fault)
01A.1 CSHI3 RAM ECC Double Bit (Hard Fault)
021.0 BIST Code 2-Bit ECC Failure
021.2 LBIST Startup Test Failure
021.4 BIST Not Complete
021.5 CPU Lock Step Error Forcing Startup Test Failure
021.6 DMA Lock Step Error Forcing Startup Test Failure
022.0 Lock Step Compare Fault
022.1 System VCIE Bit Error
022.2 Reserved Instruction (Illegal Op Code) Fault
022.3 Memory Misalignment - Read
022.4 Memory Misalignment - Write
022.5 Instruction Fetch Error
025.0 Data Protection Violation (MDP Exception)
025.1 Execution Protection Violation (MIP Exception)
026.0 ECM Status Bit Set Prior to ECM Init
026.2 ECM Startup Master nERROR Output Control Fault
026.3 ECM Startup Checker nERROR Output Control Fault
026.7 ECM Runtime Master-Checker Compare Fault
028.1 FPU Invalid Operation (V Bit)
028.2 FPU Divide by Zero (Z Bit)
028.3 FPU Overflow (O Bit)
028.4 FPU Unknown Error
029.0 Unknown Reset Reason
029.1 Unknown ECM Reset Reason
029.4 Unknown Software Reset
029.5 Failed Backup RAM Read Write Test
029.6 FBL Pre-OS Startup Exception
029.7 Corrupt Start up / Reset Information
02A.0 Program Flow
02A.1 Deadline Monitoring
02A.2 Alive Monitoring
02C.0 Watchdog Timeout
02D.1 PEG Runtime Fault
02D.3 IPG Runtime Fault
02D.5 PBG Runtime Fault
030.0 Operating System Fatal Fault
030.1 Unhandled Exception
031.0 Operating System Non-Fatal Fault
036.0 DMA Transfer Error
036.1 DMA Register Access Protection Violation
048.0 CVM Over Voltage Startup Test Failure
048.1 CVM Under Voltage Startup Test Failure
049.0 Internal CVM Over Voltage Monitor Fault
049.1 Internal CVM Under Voltage Monitor Fault
049.7 External Over Voltage Monitor Fault
SAN Linkage
SAN-621: Upon detection of under/overvoltage of the core power supply, the signal at the CVMOUT pin changes its state to low and a dedicated flag will be set in the CVMF register. It is also possible to generate a reset if the software has enabled it. In that case, the MCU shall be transitioned into the safe state.
SAN-1024: As the usage of backup registers is strongly application dependent, the user should judge whether or not to apply the proposed write verify check. Moreover, if the data retained in the back-up register will be frequently used in the safety related application, then the content should be moved to LRAM as it is protected by ECC and thus provides a high fault coverage.
SAN-1094: As the usage of backup registers is strongly application dependent, the user should judge whether or not to apply the proposed write verify check. Moreover, if the data retained in the back-up register will be frequently used in the safety related application, then the content should be moved to LRAM as it is protected by ECC and thus provides a high fault coverage.
SAN-1096: Detected failures during the execution of the test shall be handled at application level.
Description
This function processes information from pre-OS tests and resets to determine the cause of anything unexpected and log the correct Nexteer Trouble Code. Backup RAM data is used to provide this information to the function.
Rationale
In order to log Nexteer Trouble Code information, the Diagnostic Manager must be initialized prior to setting or clearing NTCs.
Implementation
Initialization (ExcpnHndlgInit2)
SetNtcSts(NtcNr1.NTCNR_0x003, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x010, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x013, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x016, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x017, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x018, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x019, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x01A, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x021, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x022, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x025, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x026, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x028, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x029, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x02A, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x02C, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x02D, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x030, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x031, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x036, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x048, 0, NtcSts1.NTCSTS_PASSD, 0)
SetNtcSts(NtcNr1.NTCNR_0x049, 0, NtcSts1.NTCSTS_PASSD, 0)
// Confirm state of backup data is valid: the upper half-word must be the ones' complement of the lower half-word
If ((((BRAMDAT0 & 0xFFFF0000) >> 16) XOR (BRAMDAT0 & 0x0000FFFF)) != 0x0000FFFF) Then
// Set fault – BRAMDAT0 data is corrupt and cannot be trusted
SetNtcSts(NtcNr1.NTCNR_0x029, 128, NtcSts1.NTCSTS_FAILD, 0)
ElseIf ((BRAMDAT0 = McuDiagc1.MCUDIAGC_PWRONRST) Or (BRAMDAT0 = McuDiagc1.MCUDIAGC_FLSPROGMCMPL)) Then
// No checks needed – normal power on start up or flash programming event
ElseIf ((SYSBSEQ0ST.DEBUGMODE = 1) And (SYSBSEQ0STB.DEBUGMODEB = 0)) Then
// No checks needed in debug mode
ElseIf (BRAMDAT0 = McuDiagc1.MCUDIAGC_ECMRST) Then
ProcEcmRst() // Reset from ECM
ElseIf (BRAMDAT0 = McuDiagc1.MCUDIAGC_PINRST) Then
ProcPinRst() // Reset from External Pin (Power Supply)
ElseIf (BRAMDAT0 = McuDiagc1.MCUDIAGC_COREVLTGMONRHI) Then // Overvoltage internal to uC
SetNtcSts(NtcNr1.NTCNR_0x049, 1, NtcSts1.NTCSTS_FAILD, 0)
ElseIf (BRAMDAT0 = McuDiagc1.MCUDIAGC_COREVLTGMONRLO) Then // Low voltage internal to uC
SetNtcSts(NtcNr1.NTCNR_0x049, 2, NtcSts1.NTCSTS_FAILD, 0)
Else
ProcStrtUpOrSwRst() // Check for start-up faults and software resets
End If
FunctionCall ProcEcmRst
//Check for lock step fault in either core
// By design, lock step is the only ECM fault resulting in a reset - confirm
If ((ECMMSSE001 = 1) or (ECMCSSE001 = 1)) Then
// Set lock step fault
SetNtcSts(NtcNr1.NTCNR_0x022, 1, NtcSts1.NTCSTS_FAILD, 0)
Else
// Set unknown ECM reset fault
SetNtcSts(NtcNr1.NTCNR_0x029, 2, NtcSts1.NTCSTS_FAILD, 0)
End If
// Clear all the bits of ECMmESSTR0
ECMESSTC0_Desired = 0xFDFFDFF3
WrProtdRegEcm_u32(ECMESSTC0_Desired, Address of ECMESSTC0)
// Clear all the bits of ECMmESSTR1
ECMESSTC1_Desired = 0x600007F7
WrProtdRegEcm_u32(ECMESSTC1_Desired, Address of ECMESSTC1)
FunctionCall ProcStrtUpOrSwRst
Switch: BRAMDAT0
// Pre-OS failures, (non-sw reset)
Case: McuDiagc1.MCUDIAGC_MEMBISTERR
SetNtcSts(NtcNr1.NTCNR_0x010, 1, NtcSts1.NTCSTS_FAILD, 0) // MBIST Proof
Break
Case: McuDiagc1.MCUDIAGC_BIST2BITERR
SetNtcSts(NtcNr1.NTCNR_0x021, 1, NtcSts1.NTCSTS_FAILD, 0) //BIST 2 bit ECC
Break
Case: McuDiagc1.MCUDIAGC_LOGLBISTERR
SetNtcSts(NtcNr1.NTCNR_0x021, 4, NtcSts1.NTCSTS_FAILD, 0) //LBIST Proof
Break
Case: McuDiagc1.MCUDIAGC_BISTNOTCMPLERR
SetNtcSts(NtcNr1.NTCNR_0x021, 16, NtcSts1.NTCSTS_FAILD, 0) //BIST not complete
Break
Case: McuDiagc1.MCUDIAGC_CPULOCKSTEPERR
SetNtcSts(NtcNr1.NTCNR_0x021, 32, NtcSts1.NTCSTS_FAILD, 0) //CPU Lock Step Proof
Break
Case: McuDiagc1.MCUDIAGC_DMALOCKSTEPERR
SetNtcSts(NtcNr1.NTCNR_0x021, 64, NtcSts1.NTCSTS_FAILD, 0) //DMA Lock Step Proof
Break
Case: McuDiagc1.MCUDIAGC_ECMSTSSTRTUPFLT
SetNtcSts(NtcNr1.NTCNR_0x026, 1, NtcSts1.NTCSTS_FAILD, 0) // ECM Status Prob
Break
Case: McuDiagc1.MCUDIAGC_MSTERROUTPCTRLFLT
SetNtcSts(NtcNr1.NTCNR_0x026, 4, NtcSts1.NTCSTS_FAILD, 0) //Master Control Proof
Break
Case: McuDiagc1.MCUDIAGC_CHKRERROUTPCTRLFLT
SetNtcSts(NtcNr1.NTCNR_0x026, 8, NtcSts1.NTCSTS_FAILD, 0) //Checker Control Proof
Break
Case: McuDiagc1.MCUDIAGC_BACKUPRAMTSTFAILR
SetNtcSts(NtcNr1.NTCNR_0x029, 32, NtcSts1.NTCSTS_FAILD, 0) //Back-Up Test Fail
Break
Case: McuDiagc1.MCUDIAGC_PREOSEXCPN
SetNtcSts(NtcNr1.NTCNR_0x029, 64, NtcSts1.NTCSTS_FAILD, 0) //Pre-OS Exception
Break
Case: McuDiagc1.MCUDIAGC_STRTUPCOREVLTGMONROVER
SetNtcSts(NtcNr1.NTCNR_0x048, 1, NtcSts1.NTCSTS_FAILD, 0) //CVM OV Proof
Break
Case: McuDiagc1.MCUDIAGC_STRTUPCOREVLTGMONRUNDER
SetNtcSts(NtcNr1.NTCNR_0x048, 2, NtcSts1.NTCSTS_FAILD, 0) //CVM UV Proof
Break
Case: McuDiagc1.MCUDIAGC_RSTUKWN
SetNtcSts(NtcNr1.NTCNR_0x029, 1, NtcSts1.NTCSTS_FAILD, 0) // Unknown Rst to FBL
Break
// Software Resets
Case: McuDiagc1.MCUDIAGC_CODFLSSNGBITHARDFLT
SetNtcSts(NtcNr1.NTCNR_0x003, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_CODFLSDBLBIT
SetNtcSts(NtcNr1.NTCNR_0x003, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_ADRPAR
SetNtcSts(NtcNr1.NTCNR_0x003, 4, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_LCLRAMECCSNGBITHARDFAILR
SetNtcSts(NtcNr1.NTCNR_0x013, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_LCLRAMDBLBIT
SetNtcSts(NtcNr1.NTCNR_0x013, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_DTSDBLBIT
SetNtcSts(NtcNr1.NTCNR_0x016, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_SPIRAMDBLBIT0
SetNtcSts(NtcNr1.NTCNR_0x017, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_SPIRAMDBLBIT1
SetNtcSts(NtcNr1.NTCNR_0x018, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_SPIRAMDBLBIT2
SetNtcSts(NtcNr1.NTCNR_0x019, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_SPIRAMDBLBIT3
SetNtcSts(NtcNr1.NTCNR_0x01A, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_VCIE
SetNtcSts(NtcNr1.NTCNR_0x022, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_RESDOPER
SetNtcSts(NtcNr1.NTCNR_0x022, 4, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_ALGNREAD
SetNtcSts(NtcNr1.NTCNR_0x022, 8, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_ALGNWR
SetNtcSts(NtcNr1.NTCNR_0x022, 16, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_INSTRFETCH
SetNtcSts(NtcNr1.NTCNR_0x022, 32, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_MPU
SetNtcSts(NtcNr1.NTCNR_0x025, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_PRVLGDINSTREXCPN
SetNtcSts(NtcNr1.NTCNR_0x025, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_ECMMSTCHKRERR
SetNtcSts(NtcNr1.NTCNR_0x026, 128, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FPUERRINVLDOPER
SetNtcSts(NtcNr1.NTCNR_0x028, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FPUERRDIVBYZERO
SetNtcSts(NtcNr1.NTCNR_0x028, 4, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FPUERROVF
SetNtcSts(NtcNr1.NTCNR_0x028, 8, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FPUERRUKWN
SetNtcSts(NtcNr1.NTCNR_0x028, 16, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FENMIPROGFLOW
SetNtcSts(NtcNr1.NTCNR_0x02A, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FENMIDEADLINEMONR
SetNtcSts(NtcNr1.NTCNR_0x02A, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FENMIALVMONR
SetNtcSts(NtcNr1.NTCNR_0x02A, 4, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_FENMIWDG
SetNtcSts(NtcNr1.NTCNR_0x02C, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_PROCRELMGUARD
SetNtcSts(NtcNr1.NTCNR_0x02D, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_INTPRPHLGUARD
SetNtcSts(NtcNr1.NTCNR_0x02D, 8, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_PRPHLBUSGUARD
SetNtcSts(NtcNr1.NTCNR_0x02D, 32, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_PRMNTOSERR
SetNtcSts(NtcNr1.NTCNR_0x030, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_UKWNEXCPN
SetNtcSts(NtcNr1.NTCNR_0x030, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_DMATRFERR
SetNtcSts(NtcNr1.NTCNR_0x036, 1, NtcSts1.NTCSTS_FAILD, 0)
Break
Case: McuDiagc1.MCUDIAGC_DMAREGACSPROTECNERR
SetNtcSts(NtcNr1.NTCNR_0x036, 2, NtcSts1.NTCSTS_FAILD, 0)
Break
Default:
SetNtcSts(NtcNr1.NTCNR_0x029, 16, NtcSts1.NTCSTS_FAILD, 0) // unknown SW Reset
Break
End Switch
FunctionCall ProcPinRst
SetNtcSts(NtcNr1.NTCNR_0x049, 128, NtcSts1.NTCSTS_FAILD, 0) // External Pin Reset
Verification Method
NA
Special Functions
For this design, some special functions are used to identify the first failure recorded in the backup data and respond to it. Once the data has been changed from one of its known-good states (power on reset or flash programming complete), BRAMDAT0 will not be updated again until a valid power up process occurs or a flash programming event is requested.
Data 1 (BRAMDAT1) is ONLY updated by the reset cause in the case of a back-up register corruption. This is done so that the data recorded for an NTC event is not lost.
// SetMcuDiagcIdnData(Microcontroller Diagnostic Identification Data)
SetMcuDiagcIdnData (McuDiagcData0, McuDiagcData1)
// Update data if different from PwrOnRst or FlsProgmCmpl – OR if flash prog is requested
If ((McuDiagcData0 = McuDiagc1.MCUDIAGC_FLSPROGMREQ) Or
(BRAMDAT0 = McuDiagc1.MCUDIAGC_PWRONRST) Or
(BRAMDAT0 = McuDiagc1.MCUDIAGC_FLSPROGMCMPL)) Then
BRAMDAT0 = McuDiagcData0
BRAMDAT1 = McuDiagcData1
End If
Done
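The backup-register handling above, as an added C example that is not part of the FDD: the BRAMDAT0 validity test (upper half-word must be the complement of the lower), a reduced version of the ExcpnHndlgInit2 decision ladder (corruption check, known-good states, one software-reset case, unknown-reset default), and the first-failure latch from the Special Functions section. The MCUDIAGC_* code values, the BRAMDAT0/BRAMDAT1 variables and the NtcRslt return type are constructed placeholders; the real enumeration values and register definitions are not on the page.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed placeholders for a few McuDiagc1 codes named in the FDD (real values
 * are not on the page): a 16-bit code stored with its complement in the upper half. */
#define MCUDIAGC_PWRONRST      0x0001u
#define MCUDIAGC_FLSPROGMCMPL  0x0002u
#define MCUDIAGC_FLSPROGMREQ   0x0003u
#define MCUDIAGC_FENMIWDG      0x0040u

uint32_t BRAMDAT0;  /* simulated backup registers, stand-ins for the real ones */
uint32_t BRAMDAT1;

/* Build the protected word: upper half-word is the complement of the lower one. */
uint32_t McuDiagcEncode(uint16_t code)
{
    return ((uint32_t)(uint16_t)~code << 16) | code;
}

/* The FDD validity test: (upper XOR lower) must equal 0xFFFF. */
bool McuDiagcBramVld(uint32_t dat)
{
    return (uint16_t)((dat >> 16) ^ dat) == 0xFFFFu;
}

typedef struct { uint16_t ntc; uint8_t bit; } NtcRslt; /* ntc 0: nothing to log */
/* Reduced ExcpnHndlgInit2 decision ladder: corruption check first, then the
 * known-good start-up states, then the software-reset switch (one case shown). */
NtcRslt RstSrcDetermine(uint32_t dat)
{
    NtcRslt r = {0u, 0u};
    if (!McuDiagcBramVld(dat)) { r.ntc = 0x029u; r.bit = 128u; return r; }
    switch ((uint16_t)(dat & 0xFFFFu)) {
    case MCUDIAGC_PWRONRST:
    case MCUDIAGC_FLSPROGMCMPL: break;                      /* normal start-up */
    case MCUDIAGC_FENMIWDG:     r.ntc = 0x02Cu; r.bit = 1u;  break;
    default:                    r.ntc = 0x029u; r.bit = 16u; break; /* unknown SW reset */
    }
    return r;
}

/* First-failure latch from the Special Functions section: store only when flash
 * programming is requested or the stored word is still a known-good state. */
bool SetMcuDiagcIdnData(uint16_t data0, uint32_t data1)
{
    uint16_t cur = (uint16_t)(BRAMDAT0 & 0xFFFFu);
    bool knownGood = McuDiagcBramVld(BRAMDAT0) &&
                     (cur == MCUDIAGC_PWRONRST || cur == MCUDIAGC_FLSPROGMCMPL);
    if (data0 == MCUDIAGC_FLSPROGMREQ || knownGood) {
        BRAMDAT0 = McuDiagcEncode(data0);
        BRAMDAT1 = data1;
        return true;
    }
    return false;
}
```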
Revision Record & Change Approval
Rev | Date | Change Control # | Drw | Change Description |
1.0.0 | 10/20/2015 | EA4#1831 | MK | Initial Release |
1.1.0 | 11/19/2015 | EA4#2536 | SK | Removed CVMREN Initialization. Refer Anomaly EA4#2522 |
1.2.0 | 01/08/16 | EA4#3186 | LWW | Replaced Os Protection and Error Hook |
2 - CM101A_ExcpnHndlr_FDD_Checklist
Overview
Peer Review Instructions
Technical Review Checklist
Template Change Log
Sheet 1: Peer Review Instructions
Instructions for Functional Design Package Peer Review | ||
PRE-MEETING | ||
Function Owner | Confirm that requirements are reviewed and approved PRIOR to the FDP peer review | |
Function Owner | Start with latest version of the template for any "first reviews" - Continue to use existing template for re-reviews | |
Function Owner | Provide the functional design package (changed documents) to the invited attendees 1-2 working days in advance of review | |
Function Owner | Notify the assigned peer reviewer and make sure they are prepared to do their function in the meeting | |
Function Owner | Identify necessary attendance and invite to meeting | |
Function Owner | Complete the "Author" column information for sections 1 through 3 prior to the review | |
Function Owner | Complete the attendance invitation list in section 5 | |
Function Owner | For Re-reviews only: Complete the column "remarks by author" to identify actions taken to address items found in earlier reviews. | |
DURING MEETING | ||
Function Owner | Present document changes to the review team | |
Peer Reviewer | Capture attendance of the review | |
Peer Reviewer | Capture actions and issues in section 4. Identify issue summary, Document type, Reference (Requirement ID, section number, etc), Defect Type and indicate status as "OPEN" | |
POST MEETING | ||
Function Owner | Follow up on all "open" items. Update "Summary of Resolution" to indicate what was done or decided. | |
Function Owner | Schedule follow up review OR review open items with peer reviewer and obtain agreement to close | |
Peer Reviewer | Close change request in system and confirm all associated tasks are complete. Upload peer review checklist (this document) with any FDP updates |
Sheet 2: Technical Review Checklist
Sheet 3: Template Change Log
Rev | Change | Author |
01.00.05 | Added lesson learned #3.5 | MDK |
01.00.06 | Added lesson learned #3.6, 3.7 - Structure and writing of NVM in mfiles and models. | MDK |
01.00.07 | Clarified 3.6 and 3.7 Added lessons learned for NTCs not being set in IRQs or periodics faster than 2ms/ | MDK |