1 Introduction
Functional Safety Diagnostic Tests:
Test Name: CPU_SELF_TEST_LIB
Purpose of Test: Verify functional correctness of all CPU instructions/core features.
Acceptable Measure: Functional Test.
Initialization/Setup: Disable interrupts completely during the execution of each test subset function.
Description: The CPU Self-Test is intended to periodically verify that all CPU core features are working correctly during run-time. The test is divided into three subsets, and each subset tests different parts of the CPU core. During test execution, each subset stores the register context to SRAM and performs a series of tests whose results are stored in the CPU registers R0-R31. At certain points, the registers are checked to confirm that they contain the expected values.
If this test passes, the 16-bit passing signature is incrementally built and the test continues to the next part of the subset until it reaches the end of the test. If the registers do not contain the expected values, the test is aborted and will skip the rest of the subset. At the end of each subset, register context is restored so that the application can continue. This happens even if the subset fails.
- The SLEEP and SPM instructions are not tested because they are not recommended for use in a safety application.
- The functionality of the Watchdog Timer Reset (WDR) instruction is tested by the Watchdog Timer (WDT) simple and WDT window test.
- Interrupt functionality is not tested in the CPU_SELF_TEST_LIB, but is covered by the INTERRUPT_FREQUENCY_TEST.
API Documentation:
- CPU Self-Test Subset-1
- CPU Self-Test Subset-2
- CPU Self-Test Subset-3

- AoU-CPU_SELF_TEST-01: The values for the DIAG_FLASH_ARRAY_HIGH_ADDRESS and DIAG_FLASH_ARRAY_LOW_ADDRESS macros, used in Subset-1, shall be chosen so that the difference between the two addresses toggles as many bits on the address bus as possible, and shall not interfere with any bootloader and/or critical data stored in the data section of the Flash.
  Reason: These arrays are used for verifying correct Load Program Memory (LPM) instruction execution and will uncover stuck-at faults on the address bus.
- AoU-CPU_SELF_TEST-02: When using a device with Flash size greater than 64 KB, the DIAG_FLASH_ARRAY_HIGH_ADDRESS shall be placed at an address greater than 64 KB.
  Reason: Extended instructions can only be performed on data located in addresses greater than 64 KB.
Example AVR128DA48
The AVR128DA48 has 128 KB of Flash which goes up to address 0x20000, also known as PROGMEM_SIZE.
For ease of use between the different devices within the AVR DA family, DIAG_FLASH_ARRAY_HIGH_ADDRESS can be derived as PROGMEM_SIZE - DIAG_FLASH_ARRAY_LOW_ADDRESS, which consequently applies to all memory variations within the AVR DA family of devices.
Note: This formula is only valid when there are no restrictions on the Flash, i.e., no bootloader and/or defined data section.
Setting DIAG_FLASH_ARRAY_LOW_ADDRESS to 0x7FE (0b0 0000 0111 1111 1110) and DIAG_FLASH_ARRAY_HIGH_ADDRESS to PROGMEM_SIZE - DIAG_FLASH_ARRAY_LOW_ADDRESS = 0x1F802 (0b1 1111 1000 0000 0010) ensures that these addresses are placed sufficiently far apart in the memory space for extended instruction execution and additionally toggles all bits on the address bus, except bits 0 and 1.
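
The following host-side check is an added example, not code from the diagnostic library. It verifies a chosen pair of array addresses against AoU-CPU_SELF_TEST-01 and AoU-CPU_SELF_TEST-02 and reports which address-bus bits the pair leaves untoggled. The names untoggled_bits, check_aou and flash_region, the 4-byte array length, and the reading of "greater than 64 KB" as "outside 0x0000-0xFFFF" are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Values from the AVR128DA48 example on this page. */
#define PROGMEM_SIZE                  0x20000UL
#define DIAG_FLASH_ARRAY_LOW_ADDRESS  0x7FEUL
#define DIAG_FLASH_ARRAY_HIGH_ADDRESS (PROGMEM_SIZE - DIAG_FLASH_ARRAY_LOW_ADDRESS)

/* Hypothetical reserved Flash range [start, end): bootloader or data section. */
struct flash_region { uint32_t start, end; };

typedef enum { AOU_OK, AOU_OUT_OF_FLASH, AOU_HIGH_NOT_ABOVE_64K, AOU_OVERLAP } aou_status;

/* Address-bus bits (for a power-of-two Flash size) that do NOT differ
 * between the two addresses; the address pair does not toggle these. */
uint32_t untoggled_bits(uint32_t low, uint32_t high, uint32_t flash_size)
{
    return (flash_size - 1u) & ~(low ^ high);
}

static int overlaps(uint32_t addr, uint32_t len, const struct flash_region *r)
{
    return addr < r->end && r->start < addr + len;
}

/* Checks AoU-CPU_SELF_TEST-01 (no interference) and -02 (64 KB rule).
 * array_len is an assumed size of each diagnostic array in bytes. */
aou_status check_aou(uint32_t low, uint32_t high, uint32_t flash_size,
                     uint32_t array_len,
                     const struct flash_region *reserved, size_t n)
{
    if (low + array_len > flash_size || high + array_len > flash_size)
        return AOU_OUT_OF_FLASH;
    /* Assumption: "greater than 64 KB" means outside 0x0000-0xFFFF. */
    if (flash_size > 0x10000UL && high <= 0xFFFFUL)
        return AOU_HIGH_NOT_ABOVE_64K;
    for (size_t i = 0; i < n; i++)
        if (overlaps(low, array_len, &reserved[i]) ||
            overlaps(high, array_len, &reserved[i]))
            return AOU_OVERLAP;
    return AOU_OK;
}

int main(void)
{
    /* Constructed input: no reserved regions, 4-byte arrays (assumed). */
    return check_aou(DIAG_FLASH_ARRAY_LOW_ADDRESS, DIAG_FLASH_ARRAY_HIGH_ADDRESS,
                     PROGMEM_SIZE, 4, NULL, 0) != AOU_OK;
}
```

With a bootloader occupying the start of Flash, the same check shows why the PROGMEM_SIZE formula no longer applies unchanged: the low array at 0x7FE falls inside a reserved range ending at 0x800 and is rejected.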