20.3.5 Functional Safety
- Machine Check Reset Flag (RSTFR.MCRF) for unrecoverable HW faults
- Error Controller Reset Flag (RSTFR.ECRF) for HW faults reported by the Error Controller
The Reset controller is essential for initiating a Safe State when the microcontroller (MCU) diagnostics detect a Functional Safety-related failure. Safe State requires the tristating of I/O pins. To avoid having RSTCTRL as a source of latent failures, the Machine Check Reset request is routed both to RSTCTRL and the Error Controller, where it will cause the Error Controller to assert its “Float IO” signal that is routed to each I/O pad, see the figure below.
The Voltage Monitor will detect a failure of VDDCORE and reset the system by requesting a Machine Check Reset. The appropriate Machine Check Reset flag will be set. All the logic in the figure below is powered by VDDCORE, except the VREG flag in MCFLAGSA. Because the VREG flag is powered from the VDDIO domain, it keeps its value even through a VDDCORE failure, so it remains available for diagnosis after the reset.
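As an added example (not from the datasheet), the boot-time triage a safety-aware firmware would run over the flags named above: decide whether the previous reset was a Machine Check Reset or an Error Controller reset, and use the VDDIO-retained VREG flag to tell a VDDCORE collapse apart from other machine-check causes. The bit positions and the MCRF-before-ECRF precedence are placeholders assumed for illustration; this excerpt does not give them.

```c
#include <stdint.h>
#include <stdbool.h>

/* Placeholder bit positions, assumed for illustration only; take the real
 * ones from the device's RSTFR and MCFLAGSA register descriptions. */
#define RSTFR_MCRF_Msk     (1u << 6)  /* Machine Check Reset Flag (assumed) */
#define RSTFR_ECRF_Msk     (1u << 7)  /* Error Controller Reset Flag (assumed) */
#define MCFLAGSA_VREG_Msk  (1u << 0)  /* VREG flag in MCFLAGSA (assumed) */

typedef enum {
    BOOT_NORMAL,        /* no functional-safety reset flag set */
    BOOT_MC_VDDCORE,    /* Machine Check Reset with VREG set: VDDCORE failure */
    BOOT_MC_OTHER,      /* Machine Check Reset, VREG clear: other HW fault */
    BOOT_ERROR_CTRL     /* reset requested through the Error Controller */
} boot_cause_t;

/* Classify the previous reset from snapshots of RSTFR and MCFLAGSA.
 * Written as a pure function so it can be unit-tested off target; on
 * hardware the caller reads the live registers first and clears the
 * sticky flags afterwards, as the register description prescribes. */
boot_cause_t classify_reset(uint32_t rstfr, uint32_t mcflagsa)
{
    if (rstfr & RSTFR_MCRF_Msk) {
        /* All MCFLAGSA logic except VREG is in the VDDCORE domain, so after
         * a core-rail collapse VREG is the one flag that reliably survives.
         * If both MCRF and ECRF are set, MCRF is taken first (assumption). */
        return (mcflagsa & MCFLAGSA_VREG_Msk) ? BOOT_MC_VDDCORE : BOOT_MC_OTHER;
    }
    if (rstfr & RSTFR_ECRF_Msk)
        return BOOT_ERROR_CTRL;
    return BOOT_NORMAL;
}

/* A functional-safety reset means the MCU diagnostics already requested the
 * Safe State (I/O pins floated); firmware should not resume normal operation
 * until its own start-up diagnostics have passed. */
bool hold_in_safe_state(boot_cause_t cause)
{
    return cause != BOOT_NORMAL;
}
```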