# Integrating the MPC5643L and MC33907/08 for Safety Applications

by: Gene Fortanely and Barbara Johnson

## 1 Introduction

This application note provides design guidelines for integrating the Freescale MPC5643L microcontroller unit (MCU) and Freescale MC33907/08 System Basis Chip in automotive electric and electronic systems that target the ISO 26262 functional safety standard. It provides an overview of the MPC5643L and the MC33907/08 feature set and covers the functional safety requirements that are satisfied to achieve ASIL D level of safety.

Integrating the MPC5643L and MC33907/MC33908 in a system provides many advantages for the customer. Freescale’s ISO 26262 solutions, which form part of the Freescale SafeAssure program, help system manufacturers more easily achieve system compliance with functional safety standards by simplifying the system architecture.

## 2 MPC5643L Overview

This section describes the MPC5643L features that are of interest when integrating the device with the MC33907/08.

### 2.1 Safety concept

The MPC5643L is built around a dual e200z4d core Sphere of Replication (SoR) safety platform with a safety concept targeting ISO 26262 ASIL D integrity level. In order to minimize additional software and module level features to reach this target, on-chip redundancy is offered for the critical components of the MCU:

- CPU core
- DMA controller
- interrupt controller
- crossbar bus system
- memory protection unit
- flash memory and RAM controllers
- peripheral bus bridge
- system timers
- watchdog timer

A Redundancy control and checker unit (RCCU) is implemented at each output of this SoR. ECC is available for on-chip RAM and flash memories. The programmable Fault Collection and Control Unit (FCCU) monitors the integrity status of the device and provides flexible safe state control.

### 2.2 Power supply requirements

The on-chip voltage regulator module provides the following features:

- Single high supply requires nominal 3.3 V.
- An external ballast transistor is used to reduce dissipation capacity at high temperature, but an embedded transistor can be used if power dissipation is maintained within package dissipation capacity (lower frequency of operation).
- All I/Os are at the same voltage as the external supply (3.3 V nominal).

The core voltage supplies are not under user control. The core supplies are generated by the on-chip voltage regulator.

See Table 1 for a list of MPC5643L power supplies.

<table>
<thead>
<tr>
<th>MPC5643L Supplies</th>
<th>Description</th>
<th>Minimum (V)</th>
<th>Maximum (V)</th>
</tr>
</thead>
<tbody>
<tr>
<td>VDD_HV_REG</td>
<td>3.3 V regulator supply</td>
<td>3.0</td>
<td>3.6</td>
</tr>
<tr>
<td>VDD_HV_IOx</td>
<td>3.3 V I/O supply</td>
<td>3.0</td>
<td>3.6</td>
</tr>
<tr>
<td>VDD_HV_FLA</td>
<td>3.3 V Flash supply</td>
<td>3.0</td>
<td>3.6</td>
</tr>
<tr>
<td>VDD_HV_ADR0</td>
<td>5 V ADC_0 and ADC_1 reference</td>
<td>4.5</td>
<td>5.5</td>
</tr>
<tr>
<td>VDD_HV_ADR1</td>
<td>3.3 V ADC_0 and ADC_1 reference</td>
<td>3.0</td>
<td>3.6</td>
</tr>
<tr>
<td>VDD_HV_ADV</td>
<td>3.3 V ADC supply</td>
<td>3.0</td>
<td>3.6</td>
</tr>
<tr>
<td>VDD_HV_OSC</td>
<td>3.3 V oscillator supply</td>
<td>3.0</td>
<td>3.6</td>
</tr>
</tbody>
</table>

1. The user may select 3.3V or 5V as the ADC reference voltage

### 2.3 Communication interfaces

The FlexCAN module is a communication controller implementing the CAN Protocol Specification version 2.0B.

The LINFlexD module supports LIN Master mode, LIN Slave mode and UART mode. The LIN state machine is compliant with the LIN 1.3, 2.0, and 2.1 specifications.

The Deserial Serial Peripheral Interface (DSPI) module provides a synchronous serial bus for communication between the MCU and an external peripheral device, for example, the MC33907/08.

### 2.4 Fault Collection and Control Unit (FCCU)

The Fault Collection and Control Unit (FCCU) offers a programmable hardware channel to collect errors and to lead the device in a controlled way to a safe state when a failure is present in the device. No CPU intervention is required for the collection and control operation. The FCCU also has configurable and graded fault control with both internal reaction (no internal reaction, IRQ, Functional Reset, or Destructive Reset) and external reaction (failure is reported to the external and surrounding system via configurable output pins). The external reaction via output pins is the aspect of interest when integrating with the MC33907/08.

## 3 MC33907/08 Features

The MC33907 and MC33908 are multi-output power supply integrated circuits dedicated to the automotive market. The MC33907/08 simplifies system implementation by providing the ISO 26262 system solutions and documentation to save customer cost and complexity through an optimized interfacing with an MCU. This device also reduces system complexity and increases functional robustness by integrating EMC and ESD protection.

### 3.1 Voltage regulators

- **Vpre VOLTAGE PRE-REGULATOR**

  The Vpre voltage pre-regulator is a flexible switched-mode power supply (SMPS). The SMPS pre-regulator can be configured in 2 topologies: Non-inverting buck-boost or standard buck configuration. The output voltage Vpre is regulated between 6.25 V and 6.75 V in buck mode. The output current capability is up to 2 A. The SMPS pre-regulator also keeps power dissipation down and eliminates the need for bulky heat sinks compared to linear regulators.

- **Vcore VOLTAGE REGULATOR**

  The Vcore voltage regulator is a step-down DC-DC converter with a PWM frequency of 2.4 MHz. The high-side MOSFET is integrated in the device. The output voltage can be configured around 1.2 V or 3.3 V through an external resistor divider (a minimum of 1% accuracy resistors are recommended) connected between Vcore and the feedback pin. The expected accuracy is ±2%. The output current is up to 1.5 A for the MC33908 and up to 0.8 A for the MC33907.

- **Vcca VOLTAGE REGULATOR**

  The Vcca linear voltage regulator is mainly dedicated to supply the MCU I/Os, especially the ADC. The output voltage is selectable at 5 V or 3.3 V. The expected accuracy is ±1%. The output current capability is up to 100 mA.

  An external PNP transistor can be used to boost the current capability up to 300 mA, but the output voltage accuracy becomes ±3% if an external PNP is used.

- **Vaux VOLTAGE REGULATOR**

  The Vaux auxiliary voltage regulator is a dedicated supply for additional devices in the ECU or for sensors outside the ECU. The Vaux output voltage is selectable between 5 V and 3.3 V.

- **5V-CAN VOLTAGE REGULATOR**

  The Vcan is a linear voltage regulator fully dedicated to the embedded HSCAN interface.

### 3.2 Built-in CAN and LIN transceivers

The built-in enhanced high speed CAN interface fulfills the ISO11898-2 and -5 standards. Local and bus failure diagnostics, protection and fail safe operation mode are provided. The HSCAN also provides wakeup capability with a very low current consumption.

### 3.3 Watchdog function

The MC33907/08 implements a windowed watchdog using a “challenger” to ensure a question/answer with the MCU. The challenger must be continuously triggered by the MCU in the open watchdog window to prevent an error indication from being generated by the MC33907/08.

### 3.4 Fail safe machine

To fulfill the safety critical applications, a dedicated Fail Safe Machine (FSM) is provided. The FSM is composed of 4 main sub-blocks:

- Voltage Supervisor (VS)
- Fail Safe State Machine (FSSM)
- Fail Safe Output driver (FSO)
- Built-In Self Test (BIST)

The FSM is as independent as possible from the rest of the circuitry to avoid common cause failure. For this reason, the FSM has its own voltage regulators (analog and digital), dedicated bandgap and oscillator. Moreover, this block is also physically as independent as possible from the rest of the circuitry, through dedicated layout and placement.

### 3.5 Error indication

Digital inputs are available for monitoring the MCU error signals as well as for error handling of external ICs.

### 3.6 Analog multiplexer

The analog multiplexer allows the following voltages to be multiplexed onto an output of the MC33907/08 and input to one of the MCU’s ADC channels. The MCU can use the information for monitoring purposes.

- 2.5 V Internal reference voltage with a ±1 % accuracy
- Battery sense
- Analog inputs IO_0 and IO_1
- Die temperature

### 3.7 Low Power OFF mode

In LPOFF mode, all the voltage regulators are turned off which means that the MCU connected to Vcore is unsupplied. The MC33907/08 monitors external events to wakeup and leave the LPOFF mode. Wakeup events can be generated via the CAN interface and I/O inputs. A wakeup event triggers the Vcore regulator to turn on.

## 4 MPC5643L and MC33907/08 Alignment

A typical electronic power steering application that integrates the MPC5643L with the MC33907/08 is shown below. The MC33907/08 provides power generation and voltage monitoring to the MCU and provides external watchdog supervision to detect failures of the MCU. The MC33907/08 also monitors the error signals coming from the MCU and provides fail-safe mechanisms to maintain the system in a safe state in case a failure occurs. This section provides design guidelines for integrating the MPC5643L with the MC33907/08 to achieve ASIL D safety level.


**Figure 1. MPC5643L and MC33907 electronic power steering application**

### 4.1 Power supply connectivity

- **MC33907/08 power supply**
  
  Power to the MC33907/08 is supplied via the Vsup1, Vsup2, and Vsup3 supply pins. An external reverse battery protection diode must be connected between the external battery input Vbat and the capacitor-input filter. The battery sense Vsense pin must be connected between the battery power and the diode through a filter. Up to 40 V can be supplied to the Vsup and Vsense pins. The MC33907/08 power connection is shown in **Figure 2**.

- **MC33907/08 pre-regulator**

  The MC33907/08 pre-regulator output Vpre is between 6.25 V and 6.75 V in the buck converter configuration. In this mode, the Gate_LS pin is tied to GND. A 22 µH inductor and four output ceramic capacitors in parallel, 10 µF, are connected to Vpre as shown in Figure 3. It is recommended that the capacitors have a low equivalent series resistance (ESR) of less than 100 mΩ. A capacitor of at least 100 nF must be connected to the Boot_pre pin.

**Figure 2. MC33907/08 supply connections**

- **MPC5643L 3.3 V regulator supply**

  The MPC5643L requires 3.3 V for the VDD_HV_REG regulator, which can be supplied by the MC33907/08 Vcore voltage regulator. The Vcore provides a selectable output voltage around 1.2 V or 3.3 V. The MC33908 is capable of supplying 1.5 A from the Vcore regulator in normal mode, while the MC33907 can output 0.8 A from Vcore. For the MPC5643L, the MC33907 current capability is sufficient. The Vcore value is adjusted using a voltage divider connected between the regulated Vcore output and the voltage feedback pin FB_core, which has a typical voltage of 0.8 V.

a. **Vcore voltage selection**

High precision 1% resistor values 24.9 KΩ and 8.06 KΩ can be used in a voltage divider circuit to adjust the Vcore to 3.3 V.

The connection between the Vcore output from the MC33907/08 and the MPC5643L VDD_HV_REG is shown in Figure 5. The Vcore can also be used to power the MCU’s Flash (VDD_HV_FLA), IOs (VDD_HV_IOx) and oscillator (VDD_HV_OSC) supplies. An optional external NPN transistor can be connected to the 3.3 V supply to generate the supply for the MPC5643L core logic (VDD_LV_COR0). Note that the decoupling capacitors on the MPC5643L side are not shown in the diagram. Refer to the MPC5643L Reference Manual for details on the required bypass capacitors and the external ballast transistor.

b. **Vcore ripple voltage**

Since the Vcore provides the main power source to the MPC5643L, it is important that proper filtering is implemented at the Vcore output to ensure a clean voltage at the MPC5643L supply input.

The current through the inductor, \( \Delta I_{INDUCTOR} \), can be calculated based on the known parameters:

- Input voltage \( V_{IN} = 6.5 \) V
- Output voltage \( V_{OUT} = 3.3 \) V
- \( V_{CORE} \) regulator switching frequency \( F_{SW} = 2.4 \) MHz
- Inductor \( L = 2.2 \mu H \)
- \( I_{OUTMAX} = 1.5 \) A for MC33908 (0.8 A for MC33907)

Equation 2 shows the current flow through the inductor, which yields 0.31 A.

\[
\Delta I_{INDUCTOR} = \frac{V_{OUT}}{V_{IN}} \times \frac{V_{IN} - V_{OUT}}{F_{SW}} \times \frac{1}{L}
\]

Equation 3 yields a voltage overshoot of 97 mV for MC33908 (30 mV for MC33907) when a single \( C_O = 10 \mu F \) output capacitor is used.

\[
\Delta V = \sqrt{V_{OUT}^2 + \frac{\Delta I_{INDUCTOR}^2}{C_O}} - V_{OUT}
\]

The voltage ripple across the output capacitor is the sum of the ripple voltage due to the output capacitor’s ESR and the voltage due to the capacitance.

The output capacitor will have a ripple voltage that is proportional to its ESR; therefore, it should have a low ESR value to minimize the ripple voltage. For example, a 10 \( \mu F \) capacitor with a 100 m\( \Omega \) ESR is available from an electronic parts vendor. The ripple voltage due to the output capacitor ESR, \( V_{OUTESR} \), is shown in Equation 4, which yields 31 mV.

\[
V_{OUTESR} = \Delta I_{INDUCTOR} \times ESR_{C_O}
\]

The other component of the voltage ripple is the voltage due to the capacitance, shown in Equation 5, which yields 3 mV.

\[
V_{OUTCAP} = \frac{1}{2 \times C_O} \times \frac{V_{IN} - V_{OUT}}{L} \times \left( \frac{V_{OUT}}{V_{IN}} \times \frac{1}{F_{SW}} \right)^2
\]

Both voltage ripple components add up to about 34 mV, which is roughly 1% of the 3.3 V output. Note that selecting a capacitor with a higher ESR can exceed the target output voltage ripple so careful consideration must be made.
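
The Vcore divider and ripple calculation above, carried through in C as an added example (not code from the application note). It uses the standard buck-converter ripple relations, which reproduce the 0.31 A, 31 mV and 3 mV figures quoted in the text. Assumptions: the 24.9 KΩ resistor sits between Vcore and FB_core and the 8.06 KΩ resistor between FB_core and ground (inferred from the 3.3 V target), and the 40 mV ripple budget used in `main` is a constructed value.

```c
#include <stdio.h>

/* Values quoted in the text above. */
#define V_IN     6.5     /* pre-regulator output Vpre (V)            */
#define V_OUT    3.3     /* Vcore target (V)                         */
#define F_SW     2.4e6   /* Vcore switching frequency (Hz)           */
#define L_CORE   2.2e-6  /* Vcore inductor (H)                       */
#define C_OUT    10e-6   /* output capacitor (F)                     */
#define ESR_OUT  0.100   /* output capacitor ESR (ohm)               */
#define V_FB_TYP 0.8     /* typical FB_core voltage (V)              */
#define R_TOP    24.9e3  /* assumed position: Vcore to FB_core (ohm) */
#define R_BOTTOM 8.06e3  /* assumed position: FB_core to GND (ohm)   */

/* Regulated output for a given feedback-pin voltage and divider. */
double vcore_from_fb(double v_fb, double r_top, double r_bottom)
{
    return v_fb * (1.0 + r_top / r_bottom);
}

/* Peak-to-peak inductor ripple current of a buck stage (A). */
double inductor_ripple_a(double vin, double vout, double fsw, double l)
{
    return (vout / vin) * (vin - vout) / (fsw * l);
}

/* Ripple contribution of the capacitor ESR (V). */
double esr_ripple_v(double di, double esr)
{
    return di * esr;
}

/* Ripple contribution of the capacitance itself (V). */
double cap_ripple_v(double vin, double vout, double fsw, double l, double c)
{
    double t_on = (vout / vin) / fsw; /* high-side on-time per cycle */
    return (vin - vout) / l * t_on * t_on / (2.0 * c);
}

/* Sum of both ripple components (V). */
double total_ripple_v(double vin, double vout, double fsw, double l,
                      double c, double esr)
{
    double di = inductor_ripple_a(vin, vout, fsw, l);
    return esr_ripple_v(di, esr) + cap_ripple_v(vin, vout, fsw, l, c);
}

/* Largest ESR that keeps the total ripple within budget_v (ohm).
 * Returns 0 when the capacitive term alone already exceeds the budget. */
double max_esr_for_ripple_ohm(double budget_v, double vin, double vout,
                              double fsw, double l, double c)
{
    double room = budget_v - cap_ripple_v(vin, vout, fsw, l, c);
    if (room <= 0.0)
        return 0.0;
    return room / inductor_ripple_a(vin, vout, fsw, l);
}

/* Tolerance compare, so no math library is needed. */
int approx_eq(double a, double b, double tol)
{
    double d = a - b;
    if (d < 0.0)
        d = -d;
    return d <= tol;
}

int main(void)
{
    double di = inductor_ripple_a(V_IN, V_OUT, F_SW, L_CORE);
    double total = total_ripple_v(V_IN, V_OUT, F_SW, L_CORE, C_OUT, ESR_OUT);
    double budget = 0.040; /* constructed ripple budget for illustration (V) */

    printf("Vcore at FB = %.2f V: %.3f V\n", V_FB_TYP,
           vcore_from_fb(V_FB_TYP, R_TOP, R_BOTTOM));
    printf("Inductor ripple current: %.3f A\n", di);
    printf("ESR ripple: %.1f mV\n", 1e3 * esr_ripple_v(di, ESR_OUT));
    printf("Capacitive ripple: %.1f mV\n",
           1e3 * cap_ripple_v(V_IN, V_OUT, F_SW, L_CORE, C_OUT));
    printf("Total ripple: %.1f mV (%.2f %% of Vcore)\n",
           1e3 * total, 100.0 * total / V_OUT);
    printf("Max ESR for a %.0f mV budget: %.0f mohm\n", 1e3 * budget,
           1e3 * max_esr_for_ripple_ohm(budget, V_IN, V_OUT, F_SW,
                                        L_CORE, C_OUT));
    return 0;
}
```

With the same divider, `vcore_from_fb(0.84, R_TOP, R_BOTTOM)` gives the 3.43 V quoted for the minimum FB_core overvoltage threshold in Table 3.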

It is also critical that the MPC5643L includes proper decoupling capacitors between the VDD pins and the nearest corresponding GND pins. Refer to the MPC5643L Reference Manual for more details. Note that the MCU-side decoupling capacitors are not shown in Figure 2.

Figure 4 shows the Vcore output voltage ripple as measured from the 10 µF decoupling capacitor on the MCU side. The measured peak-to-peak voltage is approximately 40 mV.

A compensation bridge consisting of two resistors and two capacitors as shown in Figure 5 is required to ensure stability of the buck converter. The component values shown are selected based on the 3.3 V Vcore output and load capacitance.

**Figure 4. Voltage Ripple on Vcore**

- **MPC5643L ADC voltage and reference supplies**

  The MPC5643L ADC voltage (VDD_HV_ADV) requires a 3.3 V supply. The ADC reference voltages (VDD_HV_ADR0 and VDD_HV_ADR1) can be 3.3 V or 5 V. Both VDD_HV_ADR0 and VDD_HV_ADR1 must be supplied by the same voltage source.

With a selectable voltage of 3.3 V or 5 V, the MC33907/08 Vcca linear regulator can be used to supply the MPC5643L ADC reference voltages. If the ADC reference voltage is selected to be 3.3 V, the Vcca regulator can also be used to supply the MPC5643L ADC voltage.

Depending on the power requirements of the system, an external PNP transistor can be connected to Vcca. With the external transistor, Vcca is accurate up to ±3% and can output up to 300 mA. The MC33907/08 automatically detects the external transistor during its startup sequence. If only the internal ballast is used, Vcca outputs up to 100 mA with a ±1% accuracy.

The value of the external resistor connected between the SELECT and GND pins determines the Vcca and Vaux voltage. Table 2 shows the required resistor value for the selected voltage.

**Table 2. Vcca and Vaux voltage selection**

<table>
<thead>
<tr>
<th>Vcca (V)</th>
<th>Vaux (V)</th>
<th>Resistor 1% Accuracy</th>
</tr>
</thead>
<tbody>
<tr>
<td>3.3</td>
<td>3.3</td>
<td>5 KΩ</td>
</tr>
<tr>
<td>3.3</td>
<td>5</td>
<td>24 KΩ</td>
</tr>
<tr>
<td>5</td>
<td>3.3</td>
<td>50 KΩ</td>
</tr>
<tr>
<td>5</td>
<td>5</td>
<td>12 KΩ</td>
</tr>
</tbody>
</table>

**Figure 6** shows the connection between the MC33907/08 Vcca and the MPC5643L ADC voltage and reference supplies when both require 3.3 V. A 5 KΩ resistor between the SELECT and GND pins will configure the Vcca and Vaux pins to 3.3 V. A ferrite bead is used to isolate the digital and analog supplies. Note that the decoupling capacitors on the MPC5643L side are not shown in the diagram. Refer to the reference manual titled *Qorivva MPC5643L Microcontroller Reference Manual* (document number MPC5643L) for details on the required bypass capacitors.


**Figure 6. MC33907/08 + MPC5643L Vcca supply connections**

Alternatively, if the ADC reference supply is 5 V, the Vcca regulator can be used to generate the 5 V ADC reference supply while the Vcore regulator can be used to generate 3.3 V to the ADC voltage supply.

- **Auxiliary voltage supply**

  The MC33907/08 auxiliary Vaux voltage regulator provides a selectable output of 5 V or 3.3 V to supply power to additional devices in the ECU. It can also be used as a sensor supply outside the ECU. The Vaux is accurate up to ±3% and can output up to 300 mA.

### 4.2 Ground separation

Three grounds are available on the PC33907_08: AGND (analog ground), GND_COM (Physical layer ground), and DGND (logic ground).

On the printed-circuit board (PCB), two grounds must be clearly separated—locally for power components involved in the high transient current loops, called PGND in this document. Other components must be connected to GND. Connections from PC33907_08 grounds and PCB grounds are shown in

On the PCB, the connection between PGND and GND must be made as far as possible from the local PGND ground. It is not necessary to connect the exposed pad to a ground as there are no electrical connections internally.

### 4.3 Power-up sequence

To provide a safe and well known start-up sequence, the MC33907/08 devices include an undervoltage lock-out. When the MC33907/08 supply voltage Vsup is below the lock-out voltage of 2.7 V, the device is under power-on-reset condition. In all the other conditions, the MC33907/08 is able to operate down to this lock-out voltage. When Vsup rises to 5.3 V, the pre-regulator voltage Vpre starts to activate, which then turns on the different voltage rails if configured in buck-boost. The Vcore, Vcca, and Vaux automatically ramp-up at the same time to provide power to the MPC5643L as shown in Figure 8. With the built-in self-test (BIST) disabled, the MPC5643L de-asserts the RESET_B signal approximately 3 ms after the 3.3 V supplies are active to signal the end of the power-up sequence as shown in Figure 9 Reset De-Assertion.

### 4.4 CAN connectivity

The CAN_5V linear regulator provides the 5 V CAN transceiver supply. A 1 µF capacitor must be connected between CAN_5V and GND. The MC33907/08 transmit and receive data pins TXD and RXD connect to the MPC5643L FlexCAN 0 TXD and RXD pins, respectively. The physical CAN bus interface connects to the CANH and CANL pins on the MC33907/08 side.

The MC33907/08 CAN interface is connected to the MPC5643L as shown in Figure 10.

### 4.5 SPI connectivity

The Serial Peripheral Interface (SPI) allows bi-directional communication between the MPC5643L and the MC33907/08. The MPC5643L, which acts as the master, accesses the MC33907/08 configuration registers through SPI registers. The watchdog refresh is also communicated via SPI.

### 4.6 Error management connectivity

The MC33907/08 IO_2 and IO_3 pins can be configured as safety inputs from the MPC5643L for continuous monitoring of the MPC5643L FCCU output pins FCCU_F[0] and FCCU_F[1]. The MC33907/08 asserts the INTb when an interrupt condition occurs. This pin connects to the EIRQ[11] pin in the MPC5643L to trigger an external interrupt.

In case a failure occurs, the MC33907/08 asserts the RSTb to reset the MPC5643L. This pin connects to the RESET_B pin in the MPC5643L. It is recommended that the fail-safe output FS0b is connected to an external circuit that disconnects the power to the electrical motor in a power steering application when FS0b is asserted to indicate a fault. This mechanism ensures that power to the critical circuits of the application is cut off to prevent potential damage of the system.

The error management connection between the MC33907/08 and the MPC5643L is shown in Figure 12.

**Figure 12. MC33907/08 + MPC5643L error management connections**

## 5 MPC5643L Safety Requirements

The MPC5643L requires several external measures to allow safe operation in a system targeting ASIL D functional safety level:

- External power supply and monitor
- External watchdog timer
- Error output monitor

The MC33907/08 provides the above functions to ensure that the MPC5643L is brought to a safe state in the event of a failure. Refer to the safety application guide titled *Safety Application Guide for MPC5643L* (document number MPC5643LSAG) for additional details about the safety requirements when using the MPC5643L with external components.

### 5.1 Power supply and monitor

The MPC5643L includes internal monitors which continuously check the various voltage supplies. The Low-Voltage Detector (LVD) and the High-Voltage Detector (HVD) monitor the operating voltages to ensure the device works within the correct voltage range. The operating voltages are supervised by the following voltage monitors:

- Duplicated LVD_DIG blocks to monitor the 1.2 V core supply
- Duplicated HVD_DIG blocks to monitor the 1.2 V core supply
- Three LVD_MAIN blocks to monitor the 3.3 V VDDIO, VDDREG and VDDFLASH supplies

When the core voltage drops below the LVD_DIG threshold level, a 1.2 V low-voltage detection event occurs. Similarly, when the core voltage exceeds the HVD_DIG threshold level, a 1.2 V high-voltage detection event occurs. If the voltage is not in the proper range, the system responds with a reset.

When the main 3.3 V supply drops below the LVD_MAIN threshold level, a 2.7 V low-voltage detection event occurs and the system responds with a reset. The MPC5643L does not include a high-voltage monitor for the 3.3 V supplies, therefore, for ASIL D applications the overvoltage monitor for the 3.3 V supplies, in addition to the undervoltage monitor, must be provided by an external device.

Safety Requirement [SAG_MPC5643L_076] — To fully monitor all voltage supplies, an external device must provide overvoltage and undervoltage monitors for the MPC5643L external 3.3 V supplies.

This safety requirement is satisfied by the MC33907/08 which provides voltage regulation and over and undervoltage monitors for the 3.3 V supplies. As mentioned in Power supply connectivity, the regulated Vcore output is adjusted to 3.3 V using resistors connected between Vcore and the voltage feedback pin FB_core. The MC33907/08 monitors the undervoltage and overvoltage on the FB_core node which has a typical value of 0.8 V.

Table 3 shows the MC33907/08 undervoltage and overvoltage detection thresholds of the regulator outputs. If the FB_core pin drifts to the minimum FB_core overvoltage of 0.84 V, then the regulated Vcore output gets adjusted to 3.43 V and an overvoltage event is detected. As a reaction to the fault condition, the MC33907/08 can be configured to assert the RSTb pin to trigger a reset to the MPC5643L or it can assert the FS0b pin to control a fail-safe circuitry to shut off the power supply to the actuator in the system. When the MC33907/08 is deactivated, the power to the MPC5643L is also shut off to prevent permanent damage to the device. These two error-handling mechanisms will place the MPC5643L in a safe state when an overvoltage event is detected. The MC33907/08 INIT SUPERVISOR1 register must be configured in the INIT phase to select the reaction to Vcore feedback overvoltage and undervoltage events, that is, whether the RSTb or FS0b are asserted upon overvoltage and undervoltage detection.

The same over and undervoltage protection is provided for the ADC and I/O power supplies when the MPC5643L’s analog power is supplied from the Vcca and the I/O power is supplied from the Vaux regulated output.

**Table 3. MC33907/08 Overvoltage and Undervoltage Detection Thresholds**

| MC33907/08 Parameters | Description | Minimum (V) | Maximum (V) |
|---|---|---|---|
| Vcore_FB_ov | Vcore feedback overvoltage detection threshold | 0.84 | 0.905 |
| Vcore_FB_uv | Vcore feedback undervoltage detection threshold | 0.67 | 0.773 |
| Vcca_ov_5 | Vcca overvoltage detection threshold (5 V config) | 5.25 | 5.5 |
| Vcca_uv_5 | Vcca undervoltage detection threshold (5 V config) | 4.5 | 4.75 |
| Vcca_ov_33 | Vcca overvoltage detection threshold (3.3 V config) | 3.4 | 3.6 |
| Vcca_uv_33 | Vcca undervoltage detection threshold (3.3 V config) | 3.0 | 3.2 |
| Vaux_ov_5 | Vaux overvoltage detection threshold (5 V config) | 5.25 | 5.5 |
| Vaux_uv_5 | Vaux undervoltage detection threshold (5 V config) | 4.5 | 4.75 |
| Vaux_ov_33 | Vaux overvoltage detection threshold (3.3 V config) | 3.4 | 3.6 |
| Vaux_uv_33 | Vaux undervoltage detection threshold (3.3 V config) | 3.0 | 3.2 |
| Vcan_ov | 5 V CAN overvoltage detection threshold | 5.25 | 5.5 |
| Vcan_uv | 5 V CAN undervoltage detection threshold | 4.25 | 4.75 |

### 5.2 External watchdog

Some common causes of failure (CCF), such as a complete failure of the power supply, are detected because the software running on the MPC5643L no longer triggers the watchdog (WD). To detect critical failures that could completely disable the MPC5643L, an external WD device must be connected to the MPC5643L for ASIL D applications.

**Safety Requirement [SAG_MPC5643L_075]** — An external device, acting as the supervisor of operations, must provide a watchdog to cover CCFs of the MPC5643L for ASIL D applications. It shall be triggered periodically by the safety-relevant software running on the MPC5643L.

This MPC5643L safety requirement is satisfied by the windowed time WD feature of the MC33907/08. The windowed time WD concept is shown in Figure 13. This feature requires the MPC5643L to refresh the WD during each open window. The duration of the window is selectable through SPI during the MC33907/08 initialization phase. The window duration is configurable to be 1 ms, 2 ms, 3 ms, 4 ms, 8 ms, 16 ms, 32 ms, 64 ms, 128 ms, 256 ms, 512 ms, or 1024 ms in the WD_Window register. The window duty cycle is 50%.

The default window duration is 256 ms, which can then be configured to a different value during configuration by the MPC5643L. The selected window duration should be longer than the maximum duration of an MPC5643L reset sequence, which is impacted by the reset type and whether BIST is to be performed. Refer to the data sheet titled **MPC5643L Microcontroller Data Sheet** to determine the maximum durations for the various reset sequences.


**Figure 13. MC33907/08 windowed watchdog**

The WD is based on a question and answer principle. The MPC5643L sends an 8-bit seed to the MC33907/08 through the SPI during the INIT phase. This seed initializes the MC33907/08’s Linear Feedback Shift Register (LFSR). The MPC5643L then runs a pre-defined calculation using the same seed. The MPC5643L sends the result of the calculation to the MC33907/08 during the open WD window and the result is verified by the MC33907/08. If the result is correct, the LFSR is incremented to generate a new pseudo-random word and the WD window is restarted. However, if the result is incorrect, the WD error counter is incremented, the WD window is restarted and the MC33907/08 asserts INTb.

For each wrong WD refresh, the WD error counter is incremented by 2 (maximum of 6). For each correct WD refresh, the WD error counter is decremented by 1 (minimum of 0). When the WD error counter reaches 6, a reset is generated and the RST error counter is incremented by 1. The WD error and the RST error counters can be read by the MPC5643L via SPI from the WD_Counter register and the Diag_FS2 registers, respectively.

The RST error counter can only be decremented by 1 if the WD is correctly refreshed 7 consecutive times. When the RST error counter reaches 3, the MC33907/08 activates the FS pins (FS0b) and if the WD continues to be incorrectly refreshed and if the RST error counter reaches 6, then the MC33907/08 turns off all the regulators and enters a deep reset state. At this point, a new power-up sequence or a key off/on (if the signal is connected on IO_0) is needed to recover. Alternatively, the MC33907/08 can be configured to activate the FS pins when the RST error counter reaches 1 and to enter a deep reset state when the RST error counter reaches 3.

When the MPC5643L detects a falling edge on the RESET_B signal, the external reset triggers the start of the reset sequence.
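
The WD error and RST error counter rules described above, modelled in C as an added example (not Freescale code and not the device's implementation). Two points the text does not state are assumptions here: the WD error counter restarts from 0 after a reset, and the run of consecutive correct refreshes restarts after each RST error counter decrement. The model only records that FS0b was asserted, since its release condition is not described.

```c
#include <stdbool.h>
#include <stdio.h>

/* Counter rules quoted from the watchdog description above. */
#define WD_ERR_BAD_STEP  2 /* wrong refresh: WD error counter += 2   */
#define WD_ERR_GOOD_STEP 1 /* correct refresh: WD error counter -= 1 */
#define WD_ERR_LIMIT     6 /* reaching 6 generates a reset           */
#define GOOD_RUN_FOR_DEC 7 /* consecutive good refreshes per RST -1  */

typedef struct {
    int  fs_threshold;   /* RST error count that activates FS0b (3 or 1) */
    int  deep_threshold; /* RST error count for deep reset (6 or 3)      */
    int  wd_err;         /* WD error counter, 0..6                       */
    int  rst_err;        /* RST error counter                            */
    int  good_run;       /* consecutive correct refreshes so far         */
    int  resets;         /* resets generated by the watchdog             */
    bool fs0b_asserted;  /* sticky flag: release is not modelled         */
    bool deep_reset;     /* regulators off until a new power-up          */
} wd_model_t;

void wd_model_init(wd_model_t *m, int fs_threshold, int deep_threshold)
{
    m->fs_threshold = fs_threshold;
    m->deep_threshold = deep_threshold;
    m->wd_err = 0;
    m->rst_err = 0;
    m->good_run = 0;
    m->resets = 0;
    m->fs0b_asserted = false;
    m->deep_reset = false;
}

/* Apply the outcome of one refresh sent in the open window. */
void wd_model_refresh(wd_model_t *m, bool answer_ok)
{
    if (m->deep_reset)
        return; /* nothing changes until power is cycled */

    if (answer_ok) {
        if (m->wd_err > 0)
            m->wd_err -= WD_ERR_GOOD_STEP;
        if (++m->good_run == GOOD_RUN_FOR_DEC) {
            if (m->rst_err > 0)
                m->rst_err--;
            m->good_run = 0; /* assumption: the run length restarts */
        }
        return;
    }

    m->good_run = 0;
    m->wd_err += WD_ERR_BAD_STEP;
    if (m->wd_err < WD_ERR_LIMIT)
        return;

    /* WD error counter reached its limit: reset the MCU and count it. */
    m->resets++;
    m->rst_err++;
    m->wd_err = 0; /* assumption: the counter restarts after the reset */
    if (m->rst_err >= m->fs_threshold)
        m->fs0b_asserted = true;
    if (m->rst_err >= m->deep_threshold)
        m->deep_reset = true;
}

/* Feed a pattern of refreshes: 'G' = correct answer, anything else = wrong.
 * Returns the total number of watchdog resets generated so far. */
int wd_model_run(wd_model_t *m, const char *pattern)
{
    for (; *pattern != '\0'; pattern++)
        wd_model_refresh(m, *pattern == 'G');
    return m->resets;
}

int main(void)
{
    wd_model_t m;
    int resets;

    /* Constructed input: an MCU that answers correctly every other window.
     * The +2/-1 asymmetry still drives the WD error counter to 6. */
    wd_model_init(&m, 3, 6);
    resets = wd_model_run(&m, "BGBGBGBGB");
    printf("alternating, 9 refreshes: resets=%d rst_err=%d\n",
           resets, m.rst_err);

    /* Constructed input: 18 wrong answers in a row, default thresholds. */
    wd_model_init(&m, 3, 6);
    resets = wd_model_run(&m, "BBBBBBBBBBBBBBBBBB");
    printf("18 wrong: resets=%d fs0b=%d deep_reset=%d\n",
           resets, m.fs0b_asserted, m.deep_reset);
    return 0;
}
```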

### 5.3 Error output monitor

The MPC5643L Fault Collection and Control Unit (FCCU) supports two external pins, FCCU_F[0] and FCCU_F[1], for error indication. When the FCCU receives a fault signal, it reports the failure to the external world via the FCCU_F[1:0] signals. If an error is indicated, the system may disable or reset the MPC5643L as a reaction to the error signal.

Safety Requirement [SAG_MPC5643L_078] — An external device must be connected to the FCCU via FCCU_F[0] and optionally FCCU_F[1] to continually monitor the error output pins of the FCCU.

The MC33907/08 satisfies this safety requirement by providing FCCU monitoring of the error output signals from the MPC5643L. The MC33907/08 IO_2 and IO_3 pins are by default configured as safety inputs for continuous monitoring of the MPC5643L FCCU outputs.

When the IO_2 and IO_3 pins are configured as inputs for FCCU monitoring, only the bi-stable protocol can be used. In this mode, the second output FCCU_F[1] is the inverted signal of the first output FCCU_F[0]. In the reset or self-test phase, the FCCU_F[1:0] pins are set as high-impedance. In the normal state, when no FCCU faults are triggered, the FCCU_F[1:0]=01. A fault condition is indicated by FCCU_F[1:0]=10.

When a failure is signaled through the IO_2 and IO_3 pins, the MC33907/08 handles the error in one of the following ways:

- Assert RSTb (active low) to reset the MPC5643L
- Assert FS0b (active low) to power off the system

The MC33907/08 allows the user to configure how the RSTb and FS0b pins react to overvoltage conditions.

## 6 Conclusion

This application note has described the hardware aspects of integrating the Freescale MPC5643L and MC33907/08. Further information on the material in this application note can be found by referring to the MPC5643L Reference Manual and Data Sheet for the two products.


For more information, visit www.freescale.com/SafeAssure.

## 7 References

- Data Sheet — MPC5643L Microcontroller Data Sheet (document number MPC5643L)
- Product Brief — MPC5643L Microcontroller Product Brief (document number MPC5643LPB)

## 8 Revision history

<table>
<thead>
<tr>
<th>Revision</th>
<th>Description of changes</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Initial release</td>
</tr>
<tr>
<td>1</td>
<td>
<ul>
<li><strong>Voltage regulators</strong>: changed the output voltage values for Vpre, Vcore, and Vaux.</li>
<li><strong>Built-in CAN and LIN transceivers</strong>: removed text about supported standards.</li>
<li><strong>Low Power OFF mode</strong>: revised section to describe only low power off mode.</li>
<li><strong>Power supply connectivity</strong>: changed power supply capacitor value, pre-regulator capacitor quantity and value, Vcore output value, and resistor values.</li>
<li><strong>Ground separation</strong>: new section.</li>
<li><strong>Figure 5</strong>: changed resistor and capacitor values.</li>
<li><strong>Table 2</strong>: removed or changed voltage and resistor values.</li>
<li><strong>Power-up sequence</strong>: clarified Vpre buck-boost behavior.</li>
<li><strong>CAN connectivity</strong>: removed LIN content.</li>
<li><strong>External watchdog</strong>: added 3 ms to the list of WD window durations. Added key off/on as a method to perform deep reset state recovery.</li>
<li>Removed references to FS1 pin throughout.</li>
</ul>
</td>
</tr>
<tr>
<td>2</td>
<td><strong>Updated Figure 5</strong></td>
</tr>
</tbody>
</table>