SPRUJ28F November 2021 – August 2025 AM68, AM68A, TDA4AL-Q1, TDA4VE-Q1, TDA4VL-Q1
In a system with a mixture of ASIL-D and non-ASIL-D processes running in parallel, it is important to keep a fault in a non-ASIL-D process from spreading to the ASIL-D domain. When there is an unrecoverable fault in the non-ASIL-D domain, the safety software should have the capability to diagnose the fault and/or reset the faulty components.
When the fault happens on the target interface side, the Target Time out Gasket (STOG) provides the capability to gracefully terminate the transactions and return error status back to the initiator, so the interconnect is not stalled due to the fault at the target side.
When the fault happens on the initiator interface side, the Initiator Time out Gasket (MTOG) shall provide the capability to flush out all the pending transactions while preventing the faulty initiator interface from issuing more transactions. It also has logic to track the idle state, which is reached when all the pending transactions are completed. The IP can't be brought down or reset unless the initiator time out gasket enters the idle state. All the control mechanisms for the initiator-side time out gasket come from chip-level MMR. By default, the time out gasket is disabled; safety software must enable it.
All the time out gaskets assert interrupts when there is a time out event. These events are routed to the ESM. MCU Pulsar manages time out events for the gaskets inserted in the WKUP/MCU domain, and MAIN Pulsar manages time out events for the gaskets inserted in the MAIN domain, including the ones inserted inside MAIN NAVSS and the compute cluster.
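The ordering constraint on the initiator-side gasket (enable, flush, wait for idle, and only then reset the IP) can be sketched as follows. This is an added example, not TI code: the register field names, bit positions and the `mtog_model` software stand-in are hypothetical placeholders, since this section does not give the MMR layout, and treating a disabled gasket as a failure is an assumption of the example.

```c
#include <stdint.h>
#include <stdbool.h>

/* HYPOTHETICAL register layout: the page only says control comes from a
 * chip-level MMR; these field names and bit positions are placeholders. */
#define MTOG_CTRL_ENABLE (1u << 0)  /* gasket enabled (disabled at reset) */
#define MTOG_CTRL_FLUSH  (1u << 1)  /* block new transactions, drain pending */
#define MTOG_STAT_IDLE   (1u << 0)  /* all pending transactions completed */

/* Software model standing in for the gasket so the example runs offline. */
struct mtog_model {
    uint32_t ctrl;
    unsigned pending;   /* outstanding transactions from the initiator */
    bool     ip_reset;  /* set once the initiator IP has been reset */
};

/* Model of a status read: while flushing, one pending transaction retires
 * per read; idle is reported only when none remain. */
static uint32_t mtog_read_status(struct mtog_model *g)
{
    if ((g->ctrl & MTOG_CTRL_FLUSH) && g->pending > 0)
        g->pending--;
    return (g->pending == 0) ? MTOG_STAT_IDLE : 0u;
}

void mtog_enable(struct mtog_model *g) { g->ctrl |= MTOG_CTRL_ENABLE; }

/* Flush the faulty initiator and wait, with a bound, for idle.
 * Returns 0 on idle, -1 if the gasket is disabled or never went idle. */
int mtog_quiesce(struct mtog_model *g, unsigned max_polls)
{
    if (!(g->ctrl & MTOG_CTRL_ENABLE))
        return -1;                      /* safety software never enabled it */
    g->ctrl |= MTOG_CTRL_FLUSH;
    while (max_polls--)
        if (mtog_read_status(g) & MTOG_STAT_IDLE)
            return 0;
    return -1;
}

/* Reset is gated on idle: a non-idle gasket leaves the IP untouched so the
 * caller can escalate instead of resetting with transactions in flight. */
int reset_faulty_initiator(struct mtog_model *g, unsigned max_polls)
{
    if (mtog_quiesce(g, max_polls) != 0)
        return -1;
    g->ip_reset = true;
    return 0;
}
```

The bounded poll matters for the isolation goal: safety software waiting on a faulty non-ASIL-D initiator should not itself be able to hang.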