AURIX TC3xx RAM Safety Mechanisms: Comprehensive Overview

The AURIX TC3xx family implements multiple layers of hardware-based RAM safety mechanisms to detect and manage random hardware faults, supporting ASIL-D compliance according to ISO 26262. This comprehensive overview covers the primary safety features for on-chip memory.

1. Error Detection and Correction (ECC)

Primary Memory Protection:

ECC Implementation: Single-bit error correction, double-bit error detection
Coverage: Local CPU-specific RAM (LCSR), Scratchpad RAM, DSPR, PSPR, Flash memories, and DMI
Automatic Operation: ECC errors are corrected transparently during read operations; detection triggers SMU alerts
Multi-Bit Error Tracking: Accumulates correctable errors to predict potential failures before they occur

Key ECC Registers:

Each memory with ECC has dedicated control/status registers for error monitoring
SMU integration ensures immediate fault response

2. Address Monitoring (MBAR)

Illegal Access Detection:

MBAR Functionality: Memory Background Access Register monitors for illegal addressing
Detection Logic: Detects multi-bit address faults that could access incorrect memory locations
Hardware Integration: Works with MPU to provide comprehensive address fault coverage
SMU Reporting: Triggers safety alerts when address violations occur

3. Address Error Monitor

Address Fault Detection:

Multi-Bit Address Fault Detection: Monitors address bus for multi-bit errors
Background Access Monitoring: Continuously checks address validity during background operations
Integration with MBAR: Works in conjunction with MBAR for comprehensive address fault coverage
Fault Containment: Prevents address errors from propagating to memory accesses

Key Features:

Detects address decoder faults
Identifies address line stuck-at faults
Monitors for transient address errors
Provides real-time address fault reporting to SMU

4. SMU Integration for RAM Safety

Safety Monitor Unit Integration:

Alarm Configuration: RAM safety mechanisms trigger SMU alarms on fault detection
Fault Response: Configurable responses including system reset, safe state entry, or notification
Alarm Priorities: Different RAM faults have different priority levels
Fault Collection: SMU collects and manages all RAM safety events

Common RAM-Related SMU Alarms:

ECC Single-Bit Error: Correctable error, logged for monitoring
ECC Multi-Bit Error: Uncorrectable error, typically triggers reset
Address Error: Illegal access detected, triggers protection trap
MBAR Violation: Memory background access violation detected

Detailed RAM Alarm Classification:

1. Correctable-Error Alarm (CE):

Trigger: ECC single-bit error correction performed
Severity: Non-critical, latent fault indication
Action: Logged for monitoring and trend analysis
Response: Typically notification only
Purpose: Predictive maintenance before failure occurs

2. Uncorrectable-Error Alarm (UCE):

Trigger: ECC double-bit error detection OR RAM address error detection
Severity: Critical, immediate fault indication
Action: Triggers configurable fault response
Response: System reset, safe state entry, or trap
Purpose: Prevent propagation of corrupted data

3. Miscellaneous Error Alarm (ME):

Trigger: Non-critical (latent) fault detection
Severity: Low, warning indication
Action: Logged for diagnostic purposes
Response: Notification or monitoring
Purpose: Early warning of potential degradation

/**
 * @brief Configure SMU alarms for RAM safety mechanisms
 */
void configure_ram_smu_alarms(void) {
    // ECC single-bit error alarm - notification only
    smu_configure_alarm(SMU_ALARM_ECC_1BIT, SMU_ACTION_NOTIFICATION);

    // ECC multi-bit error alarm - system reset
    smu_configure_alarm(SMU_ALARM_ECC_2BIT, SMU_ACTION_RESET);

    // Address error alarm - protection trap
    smu_configure_alarm(SMU_ALARM_ADDR_ERR, SMU_ACTION_TRAP);

    // MBAR violation alarm - safe state
    smu_configure_alarm(SMU_ALARM_MBAR_VIOL, SMU_ACTION_SAFE_STATE);
}

5. Port Protection for RAM

Bus-Level Access Control:

Port-Based Protection: Controls RAM access at the bus master level
SRI Tag ID Verification: Validates bus master IDs before granting RAM access
Multi-Core Isolation: Prevents unauthorized cores from accessing specific RAM regions
DMA Access Control: Restricts DMA channels to authorized memory regions

Protection Levels:

Read Protection: Controls read access per bus master
Write Protection: Controls write access per bus master
Execute Protection: Controls execution privileges for code regions

5.1 Safety Protection Regions (SPR)

Advanced Memory Access Control:

SPR_SPROT_RGNLAi: Defines lower address of protection region in PSPR/DSPR
SPR_SPROT_RGNUAi: Defines upper address of protection region
SPR_SPROT_RGNACCENi: Defines SRI tags allowed access to each region
Region-Based Isolation: Multiple protection regions can be configured
Fine-Grained Control: Individual access control per region and bus master

Access Enable Registers:

ACCEN0/ACCEN1: Control write access for transactions with specific TAG IDs
6-bit TAG ID Support: Prepared for 6-bit TAG ID encoding
Bit Mapping: EN0 → TAG ID 000000B through EN31 → TAG ID 011111B
Access Violation: Write accesses not permitted by register setting will error

6. Write/Read Compare Mechanisms

Soft Error Detection:

Write Compare: Verifies that data written matches what was intended
Read Compare: Background read operations to detect memory cell degradation
Automatic Execution: Performed by hardware without software intervention
Periodic Testing: Continuous monitoring for transient faults

7. Memory Control and Status Registers (MCSR)

Initialization and Monitoring:

RAM Initialization: MCSR bits indicate whether RAM has been properly initialized
Status Reporting: Provides visibility into memory initialization state
Safety Requirement: Uninitialized RAM detection prevents use of unreliable memory
Hardware Locking: MCSR.LOCK prevents accidental modification of initialization settings
RAM_INIT_RS: Bit indicating RAM initialization status after reset (0 = not initialized, 1 = initialized)

7.1 Data Integrity Error Tracking

Error Localization and Reporting:

DIETR (Data Integrity Error Trap Register): Captures error type and location
- IE_S: Error in Scratchpad RAM
- IE_C: Error in Cache RAM
- IE_T: Error in Tag RAM
- IE_LPB: Error in Local Peripheral Bus memory
- IE_DLMU: Error in Distributed Local Memory Unit
- IE_UNC: Indicates uncorrectable error condition
- E_INFO: Cache way information for cache errors
DIEAR (Data Integrity Error Address Register): Contains physical address of access that caused uncorrectable error
- Only updated when DIETR.IED is zero
- Enables precise error localization for debugging and recovery
- Critical for fault analysis and system recovery strategies

Error Handling Flow:

Error detected during memory read operation
DIETR registers updated with error type and location
DIEAR captures the failing address (if applicable)
IED bit set, other DIETR bits set to zero
Asynchronous DIE trap raised for uncorrectable errors
Trap handler responsible for recovery or system reset

8. Local Memory Management

CPU-Specific Memory Features:

LML (Local Memory Lock): Locks specific memory regions against unauthorized access
LSR (Local Sleep): Controls sleep modes for local memory to prevent access during inactive periods
Dual-Port RAM Support: Enables safe shared memory access between cores with built-in arbitration
Built-in Test Logic: Hardware self-test for memory integrity

8.1 Distributed LMU (DLMU) Protection

Enhanced Memory Safety:

ECC Protection Basis: 64-bit (double-word) basis for DLMU memory
SSH ECCS Register: Controls ECC enable/disable for DLMU
Error Detection: Uncorrectable error signal generated per double-word
Trap Response: Asynchronous DIE trap raised on error detection
Dual Access Paths: Protected access from both TriCore CPU and bus interface (PMI/SRI)

Error Handling for DLMU:

CPU Load Requests: ECC bits read with data, errors flagged to CPU
Bus Interface Access: Separate error detection for PMI and SRI accesses
Recovery Options: Trap handler can correct memory entry or initiate system reset

8.2 Scratchpad RAM (DSPR/PSPR) Protection

16-bit ECC Protection:

ECC Granularity: 16-bit data width for ECC protection
Read-Modify-Write: Byte writes performed as read-modify-write operations
Error Detection: Errors on read phase prevent write phase execution
Uninitialized Memory: Byte writes to uninitialized memory always detect ECC error

Memory Organization:

Tower Structure: DSPR organized as multiple memory “towers”
64-bit Access: CPU can access 64 bits from any 16-bit aligned address
SRI Slave Access: Supports multi-core access via SRI interface
Burst Transfers: Compatible with all SRI transaction types

8.3 Cache Memory Protection

Comprehensive ECC Coverage:

Data Cache (DCACHE): All cache SRAMs ECC protected
Tag SRAMs: All TAG SRAMs ECC protected
Cache Line Structure: 256 bits data + ECC bits per line
Error Signaling: Errors detected at ECC decoders signaled to EMM via SSH logic
Two-way Set Associative: LRU replacement algorithm with per-line valid/dirty bits

9. Safety Flip-Flops

Additional Protection Layer:

SFF Protection: Critical flip-flops in CPU and peripheral RAMs protected against transient faults
Automatic Detection: Hardware detects flip-flop state changes
Immediate Response: Triggers SMU alerts on detection

Safety Mechanism Classification

According to the functional safety documentation, RAM safety mechanisms are classified as:

Safety Mechanisms (SM):

Can be handled by MCU internal software or hardware
Include ECC, address monitoring, MBAR, address error monitor, write/read compare mechanisms

External Safety Mechanisms (ESM):

Require system-level software or hardware solutions
Include periodic memory tests and software-based integrity checks

This section provides detailed information about the key registers used for RAM safety in AURIX TC3xx.

10.1 Data Integrity Error Registers

CPUx_DIETR - Data Integrity Error Trap Register

Address: 0x19024 (Short: 0x9024)
Reset Value: 0x0000_0000
Access: Read/Write

Bit Fields:

Bits	Field	Description
[31:24]	-	Reserved
[23]	IE_MT	Error in Memory Test (not used in this context)
[22]	IE_S	Error in Scratchpad RAM (DSPR/PSPR)
[21]	IE_C	Error in Cache RAM
[20]	IE_T	Error in Tag RAM
[19]	IE_LPB	Error in Local Peripheral Bus memory
[18]	IE_DLMU	Error in Distributed Local Memory Unit
[17]	IE_UNC	Uncorrectable error condition detected
[16:12]	E_INFO	Cache way information (when IE_C is set)
[11:1]	-	Reserved
[0]	IED	Interrupt Error Detected - set when error captured, inhibits further updates until cleared

CPUx_DIEAR - Data Integrity Error Address Register

Address: 0x19020 (Short: 0x9020)
Reset Value: 0x0000_0000
Access: Read/Write

Bit Fields:

Bits	Field	Description
[31:0]	TA	Trap Address - Physical address of the access that caused the uncorrectable error

Usage Notes:

DIETR is only updated when IED bit is zero
Once IED is set, no further hardware updates occur until software clears it
DIEAR is only updated when DIETR.IED is zero
These registers enable precise error localization for debugging and recovery

10.2 Memory Protection Registers

SPR_SPROT_RGNLAi - Safety Protection Region Lower Address

Address: 0xE000 + i*0x4 (where i = 0-7)
Reset Value: Application dependent
Access: Read/Write, Supervisor mode only

Description: Defines the lower address boundary for safety protection regions in PSPR/DSPR memory.

SPR_SPROT_RGNUAi - Safety Protection Region Upper Address

Address: 0xE020 + i*0x4 (where i = 0-7)
Reset Value: Application dependent
Access: Read/Write, Supervisor mode only

Description: Defines the upper address boundary for safety protection regions in PSPR/DSPR memory.

SPR_SPROT_RGNACCENAi_W - Region Access Enable Register A (Write)

Address: 0xE040 + i*0x8 (where i = 0-7)
Reset Value: 0x0000_0000
Access: Read/Write, Supervisor mode only

Bit Fields:

Bits	Field	Description
[31:0]	EN	Enable bits for bus masters 0-31 (1 bit per master)

SPR_SPROT_RGNACCENBi_W - Region Access Enable Register B (Write)

Address: 0xE044 + i*0x8 (where i = 0-7)
Reset Value: 0x0000_0000
Access: Read/Write, Supervisor mode only

Bit Fields:

Bits	Field	Description
[31:0]	EN	Enable bits for bus masters 32-63 (1 bit per master)

DLMU_SPROT_RGNACCENAi_R - DLMU Region Read Access Enable

Address: 0xE288 + i*0x10 (where i = 0-7)
Reset Value: Application dependent
Access: Read/Write, Supervisor mode only

Description: Controls read access permissions for specific bus masters to DLMU protection regions.

10.3 Access Control Registers

ACCEN0 - Access Enable Register 0

Module: LMU, EMU, various peripherals
Reset Value: 0xFFFF_FFFF (all accesses enabled after reset)
Access: Read/Write, Safe Endinit protected

Bit Fields:

Bits	Field	Description
[31:0]	EN0-EN31	Enable bits for TAG IDs 0-31 (EN0 = TAG ID 000000B, EN31 = TAG ID 011111B)

ACCEN1 - Access Enable Register 1

Module: LMU, EMU, various peripherals
Reset Value: 0xFFFF_FFFF (all accesses enabled after reset)
Access: Read/Write, Safe Endinit protected

Bit Fields:

Bits	Field	Description
[31:0]	EN32-EN63	Enable bits for TAG IDs 32-63 (EN32 = TAG ID 100000B, EN63 = TAG ID 111111B)

Important Notes:

Write accesses not permitted by ACCEN settings will error
ACCEN registers are “Safe Endinit” protected
After reset, all ACCEN1/0 registers allow access to entire addressable space for all masters
Application must initialize protection ranges and permissions adapted to software architecture

10.4 ECC Control Registers

HF_ECCC - Flash ECC Control Register (DMU)

Module: DMU (Data Flash)
Address: 0x0000_0048 (offset from DMU base)
Access: Hardware Update, Software Read

HF_ECCW - Flash ECC Write Register (DMU)

Module: DMU (Data Flash)
Address: 0x0000_004C (offset from DMU base)
Access: Write

SSH ECCS - SRAM Support Hardware ECC Status Register

Module: CPU Subsystem (LMU, DSPR, PSPR)
Description: Controls ECC enable/disable for various memory regions
Access: Read/Write

10.5 RAM Initialization Registers

RAM_INIT_RS - RAM Initialization Status

Location: Various memory controllers
Description: Bit indicating RAM initialization status after reset
Values:
- 0: RAM is not initialized after reset
- 1: RAM is initialized after reset

MCSR - Memory Control and Status Registers

Module: Various memory blocks
Fields:
- INIT: Initialization status bit
- LOCK: Prevents modification of initialization settings
- READY: Indicates memory is ready for use

10.6 Register Access Protection Summary

Register Type	Protection	Access Mode	Notes
DIETR/DIEAR	None	U,SV,32	Application reset
SPR_SPROT	Supervisor only	U,SV,32	Requires PSW.S = 1
ACCEN0/1	Safe Endinit	SV,32	Protected initialization
MCSR.LOCK	Write-once	SV	Prevents runtime changes
SSH ECCS	Supervisor	SV	Memory-specific

Legend:

U: User mode access possible
SV: Supervisor mode required
32: 32-bit access
Safe Endinit: Special protection requiring write access enable

Best Practices for Implementation

Enable ECC by Default: ECC is enabled by default and should remain active for safety-critical applications
Configure SMU Alarms: Set up appropriate SMU alarm handlers for all RAM safety events
Monitor SMU Alerts: Implement appropriate handlers for ECC and address fault notifications
Initialize MCSR: Ensure all RAM segments are properly initialized before use
Implement Periodic Tests: Complement hardware mechanisms with software-based memory tests
Use Locking Mechanisms: Leverage LML and MCSR.LOCK to prevent runtime misconfiguration
Validate Port Protection: Ensure port protection is configured for multi-core systems
Handle DIETR/DIEAR: Implement trap handlers to process data integrity error information
Configure SPR Regions: Set up safety protection regions for memory isolation
Monitor Correctable Errors: Track CE alarms to predict potential failures before they become critical
Test Error Paths: Verify error handling mechanisms during integration testing
Document Recovery Strategies: Define clear recovery procedures for each error type

References and Further Reading

AURIX™ MCU Error Correction Code (ECC) Support
AURIX TC3xx Family User’s Manual Part 1
AURIX™ TC3xx Functional Safety in a Nutshell (Application Note AN0001)
Safety Software Enablement with AURIX™ TC3xx

Conclusion

The AURIX TC3xx RAM safety mechanisms provide comprehensive protection against memory faults through a multi-layered approach combining ECC, address monitoring, address error monitoring, SMU integration, port protection, write/read compare mechanisms, and hardware-based testing. Proper configuration and monitoring of these mechanisms is essential for achieving functional safety compliance in automotive applications.

Last Updated: January 27, 2026