# AN14247 FS24 attach to NXP devices guidelines Rev. 2.0 — 8 November 2024

**Application note** 

#### **Document information**

| Information | Content                                                                                                                                                                                                                                                                                              |
|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Keywords    | FS24, S32K1, microcontroller, system basis chip (SBC), ultra-wide band (UWB), Bluetooth Low Energy (BLE), near-field communication (NFC), automotive, secure, access                                                                                                                                 |
| Abstract    | This application note provides design guidelines on how to supply NXP's S32K1xx microcontrollers, ultra-wide band (UWB), Bluetooth Low Energy (BLE), and near-field communication (NFC) devices using NXP's FS24 system basis chip (SBC) family of devices for automotive secure car access systems. |



# 1 Introduction

This application note provides design guidelines on how to supply NXP's S32K1xx microcontrollers, UWB, BLE, and NFC devices using NXP's FS24 system basis chip (SBC) family of devices for automotive secure car access systems.

The document covers the following solutions:

- NXP UWB ranging anchor: FS24 + NCJ29D6AHN (Ranger 5)
- NXP UWB radar anchor: FS24 + NCJ29D6AHN (Ranger 5)
- NXP UWB ranging anchor: FS24 + S32K118 + NCJ29D5BHN (Ranger 4)
- NXP BLE key detection and UWB ranging anchor: FS24 + NCJ29D6AHN (Ranger 5) + KW45
- NXP BLE key detection and UWB ranging anchor: FS24 + NCJ29D5BHN (Ranger 4) + KW45
- NXP NFC key detection: FS24 + S32K144 + NCF3321
- NXP BLE/NFC key detection: FS24 + KW45 + NCF3321
- FS24 + Ranger 5 + KW45 + NCF3321
- FS24 + S32K1xx
- FS24 + S32K31x

## 1.1 General description

The FS24 SBC offers an expandable family of devices that is pin-to-pin and software compatible.

The FS24 SBC is scalable from QM to automotive safety integrity level (ASIL) B, includes a controller area network (CAN) transceiver, and a number of system and safety features for the latest generation of automotive electronic control units (ECU).

The FS24 SBC provides a high level of integration in order to optimize the bill of material (BOM) cost for the secure care access and body market.

The FS24 device is flexible and suitable for Ranger 5 (NCJ29D6), Ranger 4 (NCJ29D5), NCF3321, and KW45 devices, S32K processor-based applications, and multivendor processors.

Several device versions are available, offering choices of output-voltage settings, operating frequency, power-up sequencing, and input/output configuration to address multiple applications.

### **1.2 Features and benefits**

#### **Operating range**

- 40 V DC maximum input voltage
- Low-power off mode with very low sleep current and multiple wake-up sources
- Low-power on mode with HVBUCK (V1) active, HVLDO (V3) selectable by OTP and multiple wake-up sources

#### Power supplies

- V1: High-voltage synchronous buck converter with integrated FETs. Configurable output voltage (1.9 V to 5 V) and switching frequency, output DC current capability up to 400 mA and PFM mode for Low-power on mode operation
- V3: High-voltage LDO regulator for microcontroller I/O support with selectable output voltage between 3.3 V or 5 V and up to 150 mA current capability

#### System support

- One CAN FD supporting up to 5 Mbps communication following ISO 11898-2:2016 and SAE J2284 standards
- Four wake-up inputs (40 V capable): WAKEx pins, HVIO1 pin, CAN FD or SPI command
- Hardware ID detection capability
- One high-voltage I/O with wake-up capability (40 V capable): HVIO1
- · Device control via 32-bit SPI interface with CRC
- Integrated long duration timer (LDT) for system shutdown and wake-up control, programmable up to 194 days
- 12-channel analog multiplexer (AMUX) for system monitoring (temperature, battery voltage, internal voltages)

#### Functional safety

- Developed following ISO 26262:2018 standard to fit for ASIL B applications
- Internal monitoring circuitry with its own reference.
- Additional input for external voltage monitoring
- Window or timeout watchdog function to monitor the MCU software failure
- Analog built-in self-test (ABIST) on demand
- Safety outputs (RSTB, LIMP0)
- Safety input to monitor external IC state (ERRMON)

#### **Configuration and enablement**

- HVQFN32EP: QFN, 32 pins with exposed pad for optimized thermal management, wettable flanks, 5 mm x 5 mm x 0.85 mm, 0.5 mm pitch
- Permanent device customization via one time programmable (OTP) fuse memory
- OTP emulation mode for system development and evaluation

## 2 **Power architecture**

With its two integrated regulators, FS24 is a solution suitable for a large scope of applications and use cases. This section will introduce power architecture guidelines to supply devices and MCUs for both the secure car access and the body markets using FS24.

## 2.1 Secure car access supply

#### 2.1.1 NCJ29D6 in ranging/radar

The FS24 can be used to supply the NCJ29D6 UWB device using a single-supply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator to supply all the rails from the device. V3 - HVLDO is used to supply the CAN transceiver.



Figure 1 shows the connections of the FS24 as an SBC to NCJ29D6.

#### 2.1.2 S32K1xx and NCJ29D5 in ranging

The FS24 can be used to supply the S32K1 family in addition to the NCJ29D6 UWB device using a singlesupply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator to supply all the rails from the devices. V3 - HVLDO is used to supply the CAN transceiver.

Figure 2 shows the connections of the FS24 as an SBC to S32K1xx + NCJ29D5.



#### 2.1.3 KW45 and NCJ29D6 in key detection and ranging

The FS24 can be used to supply the KW45 BLE device in addition to the NCJ29D6 UWB device using a singlesupply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator to supply all the rails from the devices. V3 - HVLDO is used to supply the CAN transceiver.

Figure 3 shows the connections of the FS24 as an SBC to KW45 + NCJ29D6 using the KW45 DC-DC converter to reduce the system power consumption.



FS24 attach to NXP devices guidelines



Figure 4 shows the connections of FS24 as an SBC to KW45 + NCJ29D6 without using the KW45 DC-DC converter.

#### 2.1.4 KW45 and NCJ29D5 in key detection and ranging

The FS24 can be used to supply the KW45 BLE device in addition to the NCJ29D5 UWB device using a singlesupply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator to supply all the rails from the devices. V3 - HVLDO is used to supply the CAN transceiver.

<u>Figure 5</u> shows the connections of the FS24 as an SBC to KW45 + NCJ29D5 using the KW45 DC-DC converter to reduce the system power consumption.



FS24 attach to NXP devices guidelines



Figure 6 shows the connections of FS24 as an SBC to KW45 + NCJ29D5 without using the KW45 DC-DC converter.

#### 2.1.5 S32K1xx and NCF3321 in door handle key detection

The FS24 can be used to supply the S32K1 family in addition to the NCF3321 NFC device device using a dualsupply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator to supply the NFC transmitter and the CAN transceiver. V3 - HVLDO regulator is used to supply the S32K1 core and I/Os and the NCF3321 I/Os.

Figure 7 shows the connections of the FS24 as an SBC to S32K1xx + NCF3321.



#### 2.1.6 KW45 and NCF3321 in key connection and door handle key detection

The FS24 can be used to supply the KW45 in addition to the NCF3321 NFC device device using a dual-supply architecture strategy. The strategy consists in using the V1 - HVBUCK regulator to supply the NFC transmitter and the CAN transceiver, V3 - HVLDO regulator is used to supply the S32K1 core and IOs and the NCF3321 IOs.

<u>Figure 8</u> shows the connections of FS24 as an SBC to KW45 + NCF3321 using the KW45 DC-DC converter to reduce the system power consumption.



FS24 attach to NXP devices guidelines



Figure 9 shows the connections of FS24 as an SBC to KW45 + NCF3321 without using the KW45 DC-DC converter.

#### 2.1.7 KW45, NCJ29D6, and NCF3321

By adding an external linear regulator, the FS24 can be used to attach the KW45 BLE device, the NCJ29D6 UWB device and the NCF3321 NFC device. There are two different strategies so supply all these devices together: the first uses a high-voltage linear regulator, the second uses a low-voltage linear regulator.

The high-voltage regulator strategy consists in using the linear regulator to convert the battery voltage to a 5 V rail. This rail will be exclusively used to supply the NFC analog and RF power. The V1 - HVBUCK regulator is used to supply the I/Os of the NFC device and all other rails of the UWB and BLE devices. V3 - HVLDO is used to supply the CAN transceiver. This strategy allows for simultaneous operation of the NFC and UWB. Figure 10 shows how to supply the UWB, BLE, and NFC devices using FS2400 and a high-voltage LDO.



The low-voltage regulator strategy consists in using V1 - HVBUCK regulator to create the 5V rail needed to supply the NFC analog and RF power and the CAN transceiver. V3 - HVLDO is used to supply the NFC I/Os and all the rails of the KW45 BLE device. Finally, the low-voltage regulator is used to convert the 5 V from the V1 - HVBUCK to a 3.3 V rail to supply the NCJ29D6. This architecture is limited by the current capability of the V1 - HVBUCK regulator, the current drained by the UWB and NFC devices should not exceed the converter maximum capability. Therefore, using the NFC and UWB devices at the same time will not be possible.

FS24 attach to NXP devices guidelines



Figure 11 shows how to supply the UWB, BLE and NFC devices using FS2400 and an low-voltage LDO.

Note: In both figures the KW45 is supplied using the integrated DC-DC converter to optimize the current consumption. It can also be supplied without using the DC-DC, by connecting the supply directly to VDD LDO CORE and VDD RF.

## 2.2 Body application supply

### 2.2.1 Single-supply architecture

The FS24 can be used to supply the S32K1xx and S32K31x devices using a single-supply architecture strategy. The strategy consists of using the V1 - HVBUCK regulator (3.3 V or 5.0 V) to supply all the rails from the MCU.

### MCUs with one main I/O and analog supply voltage

This single-supply architecture is applicable when the MCU has one main I/O and analog supply voltage VDD HV A. The compatible references are: S32K1xx devices for all packages, and S32K310 (48LQFP or100MAXQFP package), S32K311 (48LQFP or 100MAXQFP package), S32K312 (100MAXQFP or 172MAXQFP package), S32K314 (100MAXQFP package).

Figure 11. Low-voltage regulator strategy



Figure 12 shows the connections of the FS24 as an SBC to compatible S32K1/3 MCUs.

In this case, the 1.1 V high-current core logic supply is internally generated from the 5.0 V or 3.3 V connection to the VDD HV A pin.

#### MCUs with secondary I/O supply voltage and high-current logic supply

This single-supply architecture is also applicable to higher-performance MCUs with a secondary I/O supply voltage VDD\_HV\_B and a high-current logic supply V15. In this case, it requires an external NPN transistor to supply 1.5 V high-current logic.

The compatible reference is S32K314 (172MAXQFP or 257MBGA package)

Figure 13 shows the connections of the FS24 as an SBC to the S32K314.



In this case, the 1.1 V high-current core logic supply is internally generated from the V15 pin connection. The external NPN transistor's VC\_BJT pin can either be connected to VDD\_HV\_A or VDD\_HV\_B (3.3 V or 5.0 V). More information on supplying V15 from the NPN transistor option is available in section "Using a BJT for 1.5 V generation" of the <u>S32K3 Reference Manual</u> document.

#### 2.2.2 Dual-supply architecture

A dual-supply architecture is applicable to higher-performance MCUs with a secondary I/O supply voltage VDD\_HV\_B and a high-current logic supply V15. In this case, it requires an external NPN transistor to supply 1.5 V high-current logic.

The compatible reference is S32K314 (172MAXQFP or 257MBGA package)

FS24 attach to NXP devices guidelines



Figure 14 shows the connections of the FS24 as an SBC to S32K314.

In this case, the 1.1 V high-current core logic supply is internally generated from the V15 pin connection. The external NPN transistor's VC\_BJT pin can either be connected to VDD\_HV\_A or VDD\_HV\_B (3.3 V or 5.0 V). More information on supplying V15 from the NPN transistor option is available in section "Using a BJT for 1.5 V generation" of the <u>S32K3 Reference Manual</u> document.

# **3** Hardware implementation

This section describes the connection hardware interactions between the FS24 and the supplied device for both the secure car access and the body applications. This section also gives an overview of the BOM for the devices. For more detailed information on the components, refer to the FS2400 Product guidelines, the S32K1 and S32K3 Design Guidelines, the KW45 PCB design guidelines, the NCJ29D6 User Manual, the NCJ29D5 Hardware Design Guide, and the NCF3321 data sheet.

## 3.1 Secure car access devices

#### 3.1.1 NCJ29D6 in ranging/radar

Figure 15 shows the hardware connections to attach the NCJ29D6 using the FS2400.



### 3.1.2 S32K1xx and NCJ29D5 in ranging

Figure 16 shows the hardware connections to attach the S32K1xx and NCJ29D5 devices using the FS2400.



### 3.1.3 KW45 and NCJ29D6 in key detection and ranging

Figure 17 shows the hardware connections to attach the KW45 and NCJ29D6 devices using the FS2400.



Figure 17. KW45 and NCJ29D6 supplied by FS2400

**Note:** In this example, the KW45 is supplied using the integrated DC-DC converter to optimize the current consumption. It can also be supplied without using the DC-DC, by connecting V1 directly to VDD\_LDO\_CORE and VDD\_RF.

### 3.1.4 KW45 and NCJ29D5 in key detection and ranging

Figure 18 shows the hardware connections to attach the KW45 and NCJ29D5 devices using the FS2400.



Figure 18. KW45 and NCJ29D5 supplied by FS2400

**Note:** In this example, the KW45 is supplied using the integrated DC-DC converter to optimize the current consumption. It can also be supplied without using the DC-DC, by connecting V1 directly to VDD\_LDO\_CORE and VDD\_RF.

### 3.1.5 S32K1xx and NCF3321 in door handle key detection

Figure 19 shows the hardware connections to attach the S32K1xx and NCF3321 devices using the FS2400.



Figure 19. S32K1xx and NCF3321 supplied by FS2400

FS24 attach to NXP devices guidelines



Figure 20 shows the hardware connections to attach the KW45 and NCF3321 devices using the FS2400.



**Note:** In this example, the KW45 is supplied using the integrated DC-DC converter to optimize the current consumption. It can also be supplied without using the DC-DC, by connecting V1 directly to VDD\_LDO\_CORE and VDD\_RF.

### 3.2 Body devices

#### **Pins connection**

This section highlights specifically the safety-related SBC and MCU pin connections.

The terminals described in this section are safety related and must be connected to enhance the full functional safety features of the S32K1/3 and FS24 devices. Table 1 and Table 2 list all safety-related pin connections between the FS24 and S32K1/3.

#### Table 1. FS24 and S32K1 pins connections

| FS24 pin name        | FS24 pin description        | Connect with | S32K1 pin description                | S32K1 pin name |
|----------------------|-----------------------------|--------------|--------------------------------------|----------------|
| V1                   | V1 regulator output voltage | ⇔            | Main voltage supply                  | VDD            |
| V1                   | V1 regulator output voltage | ⇔            | Analog voltage supply                | VDDA           |
| V1                   | V1 regulator output voltage | ¢            | ADC high-voltage<br>reference supply | VREFH          |
| PGND, GND_IO, GNDCAN | Ground connections          | ⇔            | Supply ground                        | VSS            |
| RSTB                 | Reset input/output          | ⇔            | Reset input/output                   | RESET_b        |
| HVIO1 (ERRMON)       | External IC monitoring      | ⇔<br>[1]     | I/O port                             | PTxn           |

[1] S32K1 family does not provide a fault collection and control unit. Nonetheless, the ERRMON function on the FS24 can still be used as monitoring input, depending on system-safety requirements.

#### Table 2. FS24 and S32K3 pins connections

| FS24 pin name           | FS24 pin description        | Connect with      | S32K3 pin description                | S32K3 pin name |
|-------------------------|-----------------------------|-------------------|--------------------------------------|----------------|
| V1 or V3 <sup>[1]</sup> | V1 regulator output voltage | $\Leftrightarrow$ | Main I/O voltage supply              | VDD_HV_A       |
| V1 or V3 <sup>[1]</sup> | V1 regulator output voltage | <del>⇔</del>      | ADC high-voltage<br>reference supply | VREFH          |
| V1                      | V1 regulator output voltage | ⇔<br>[2]          | Other I/O domain<br>voltage supply   | VDD_HV_B       |
| V1                      | V1 regulator output voltage | ←NPN⇒<br>[3]      | 1.5 V high-current<br>logic supply   | V15            |
| PGND, GND_IO, GNDCAN    | Ground connections          | $\Leftrightarrow$ | Supply ground                        | VSS            |
| RSTB                    | Reset input/output          | ⇔                 | Reset input/output                   | RESET_b        |
| HVIO1 (ERRMON)          | External IC monitoring      | $\Leftrightarrow$ | I/O port                             | PTxn           |

Depends on chosen FS23 + S32K3 power supply architecture. [1]

[2] [3] Depends on S32K3 part number.

Depends on S32K3 part number, connected though an external NPN transistor.

#### Schematics examples

Figure 21 shows the hardware connections to implement the one-rail power architecture with an FS24xx and compatible S32K1/3 devices.

Figure 22 shows the hardware connections to implement the one-rail power architecture with external NPN transistor for an FS234xx and compatible S32K3 devices.

#### **BOM** examples

For the typical schematics BOM, please refer to FS24 product guidelines and S32K1/K3 design guidelines. See Section 5.

#### 3.2.1 Single-supply architecture

Figure 21 shows the hardware connections to implement the one-rail power architecture with an FS240x and an MCU from S32K1xx/K31x family.



### 3.2.2 Single-supply with external NPN for V15 architecture

<u>Figure 22</u> shows the hardware connections to implement the one-rail power architecture with external NPN transistor for an FS240x and compatible S32K3 devices.



Figure 22. One-rail power supply architecture with external transistor

#### 3.2.3 Dual-supply architecture

Figure 23 shows the hardware connections to implement the two-rail power architecture with external NPN transistor for an FS240x and compatible S32K3 devices.



# 4 Software implementation of safety features

### 4.1 Operation modes

The S32K1/S32K3 family safety concept is a system solution developed to ensure that the platform on which the application is running is protected against random hardware failures, as well as common mode failures.

The safety-concept solution relies on S32K1/S32K3 on-chip safety functions and an interface to the safety functions on an external device, in this case the Safety SBC FS24.

The FS24 SBC provides off-chip safety mechanisms, which can move the system to a safe state when the MCU is no longer functioning correctly. The FS24 also monitors its own functions and moves the system to a safe state when an internal failure occurs.

The following sub-sections provide an overview of the interactions between the MCU and the FS24 during the various modes of operation that ensure safe execution of the safety function(s).

#### 4.1.1 Start and boot

First, the FS24 starts up after the preconfigured sequence, then the S32K1 or the S32K3 starts up and undergoes an internal state transition until both the SBC and the MCU subsequently enter Boot mode. ABIST on demand can be run once the FS24 has entered Normal mode. The boot is a particular mode in which the initialization (INIT) configuration is entered, and watchdog can be disabled. For a more detailed sequence, refer to the "Power Management" section of the <u>S32K1</u> and <u>S32K3</u> reference manuals.

#### 4.1.1.1 Startup sequence

Start mode begins with the FS24 internal supply reaching regulation and the default OTP configuration being loaded. The system then switches on the output regulators based on the respective OTP configuration of the device. At this moment, the MCU starts up and undergoes an internal state transition. Once both the SBC and the MCU complete startup, Boot mode is entered.



#### 4.1.1.2 ABIST on demand

The ABIST included in the FS24 checks all the voltage comparators that are used to detect undervoltage and overvoltage faults. The ABIST is executed on demand, after a SPI request from the MCU.

On the FS24, the ABIST is not executed automatically at startup. It can be launched from Normal mode only. It is recommended to run ABIST after the power-up sequence to verify the correct functionality of the safety analog circuits. The status bit ABIST\_READY notifies that ABIST is available and ready to be launched.

ABIST can be launched for all the voltage monitoring channels at the same time (via LAUNCH\_ABIST bit), or individually (via ABIST\_VxMON or ABIST\_V1UVLP individual bits).

An individual diagnostic bit is available for each channel once the ABIST is done (ABIST\_DONE = 1). The diagnostic flags have no impact on the safety pins. The diagnostic flags must be cleared before launching the next ABIST, using the CLEAR\_ABIST bit.

If one of the concerned monitored voltages is out of range (OV or UV), the ABIST on-demand command is ignored. While the ABIST is running, the other monitoring functions are kept available.

FS24 attach to NXP devices guidelines



## 4.1.1.3 Protected INIT phase

At power-on reset (POR), the FS24 automatically enters INIT state. In this mode, the MCU can write the INIT registers (FS\_I\_xxxx) configuration of the device safety features and reactions, such as watchdog, OV/UV impacts, ERRMON, and miscellaneous safety behavior.

When the FS24 enters INIT state, the cyclic check that protects these registers is disabled. Cyclic redundancy check (CRC) of INIT registers comes in addition to CRC computation during SPI communication and must be

computed from INIT registers content. The <u>FS24 Product Guidelines</u> application note provides information on INIT CRC computation method.

To exit the INIT state, a good watchdog refresh must be sent. The INIT registers, as well as the possibility to select infinite watchdog period configuration, are then protected against write access. The CRC on the INIT registers is activated and occurs every 5 ms.

The device does not enter the INIT state when waking up from LPON or LPOFF states, or when restarting from Fail-safe state (if OTP register loading is not bypassed).

In Normal mode, the INIT state can be accessed again by sending a GO2INIT request by SPI. In this case, if the watchdog is enabled, it must be refreshed every watchdog period.

**Note:** If the FS24 goes into LPON, LPOFF, or Fail-safe mode while in INIT state, it stays in INIT state, which can lead to misconfiguration of the device. Therefore, it is recommended to read the INIT\_S status bit in *M\_STATUS* register before going to LPON or LPOFF mode, and to go only if the device is no longer in INIT state.

#### 4.1.1.4 Initialization procedure example

An example of FS24 software initialization is given in the <u>FS24 Product Guidelines</u> application note, with a flowchart and corresponding read and write sequence for SPI communication.

#### 4.1.1.5 Entry to runtime operation

Once the application software has gone through the boot phase, the MCU configures the safety features on both the MCU and the FS24.

Before entering normal operation, the MCU must carry out the following steps in the given order:

- 1. Configure the FCCU error out state to 'no fault'.
- 2. End the INIT state by a successful refresh of the FS24 watchdog.
- 3. Request the release of the LIMP0 output if it is asserted (it should be released by default).

When all these actions are completed, the system can enter Runtime mode and execute the application function.

#### 4.1.2 Runtime

All of the following safety mechanisms are active in the SBC and MCU when entering Runtime mode.

#### 4.1.2.1 Watchdog monitoring

The first good watchdog refresh closes the initialization phase (INIT\_FS) of the FS24. As soon as the initialization phase is closed, the watchdog monitors the software failures from the MCU by doing a periodic handshake with the FS24 through the SPI communication protocol.

The watchdog is refreshed by the MCU using two keys: 0x5AB2 (default value after POR) and 0xD564. The key is stored in the WD\_TOKEN register, and is changed alternatively after each good watchdog refresh. Then, the MCU must write the watchdog answer in the WD\_ANSWER register within the expected timing.

The watchdog error counter is incremented when the answer is wrong, not given at the right moment, or not given at all at the end of the watchdog period, as shown in <u>Table 3</u>.

|                | Window | Timeout watchdog |               |
|----------------|--------|------------------|---------------|
| SPI            | CLOSED | OPEN             | (always open) |
| BAD key        | WD_NOK | WD_NOK           | WD_NOK        |
| GOOD key       | WD_NOK | WD_OK            | WD_OK         |
| None (timeout) | N/A    | WD_NOK           | WD_NOK        |

#### Table 3. Watchdog answer and refresh validation

### 4.1.2.2 Fault collection and control unit monitoring

FS24 Error Monitoring function (ERRMON) allows to detect hardware failures from the MCU. It is active as soon as the FS24 enters Normal mode. In order to avoid a fault coming from the FCCU, pins must be put in the correct state, or the ERRMON should be disabled. ERRMON is deactivated when the device goes to LPON or LPOFF modes.

The ERRMON function is only compatible with a steady state input signal.

The fail-safe reaction on RSTB or LIMP0 to an ERRMON fault detection is configurable with the ERRMON\_FS\_REACTION bit during the INIT phase.

The fault polarity of the ERRMON can be configured using the ERRMON\_FLT\_POLARITY bit during INIT phase. The HVIO1 pin internal pull-up/pull-down has to be set accordingly: if falling edge is configured as a fault, then HVIO1 internal pull-down has to be enabled by default, if rise edge is configured as a fault, then HVIO1 internal pull-up has to be enabled by default. This allows to ensure that a fault will be detected in case of a HVIO1 pin lift. It also allows to make sure that no fault is detected before the MCU reset signal release, when the signal is not yet driven by the MCU.

<u>Figure 26</u> shows a signal example in reset, normal and error phases for the configuration: ERRMON\_FLT\_POLARITY = 0 (ERRMON low level is a fault), ERRMON\_ACK\_TIME = 0b00 (no acknolwedgment time allowed), HVIO1PUPD = 0b01 (HVIO1 internal pull-down enabled).



#### 4.1.2.3 Reset (RSTB) safety output

The FS24 RSTB pin is meant to be connected to the S32K1/S32K3 bidirectional RESET\_b pin. In addition, the RSTB pin is bidirectional, which means the FS24 can assert RSTB to bring the MCU under reset. Also, the MCU can maintain the RSTB asserted externally even if the FS24 is ready to release it.

When entering the Run mode, both reset pins should be high until a reset event happens.

Depending on the FS24 OTP configuration, the device transitions into Fail-safe mode when RSTB is stuck low for more than RSTB<sub>T8s</sub>.

#### 4.1.2.4 LIMP0 safety output

The LIMP0 safety output is meant to bring the whole system into a safe state when enabled, depending on the OTP configuration.

By default, the LIMP0 pin is released. When LIMP0 is asserted, a procedure has to be followed to release it. This procedure is detailed in the <u>FS24 Product Guideline</u> application note.

#### 4.1.3 Standby mode

In Standby mode, only a portion of the S32K3 is powered, therefore some rails must be supplied. The Verylow power run (VLPR) mode is the equivalent mode for S32K1 devices. When the MCU is in Standby mode, it performs no safety-related functions.

The Standby mode corresponds to LPON mode for the FS24 device. In this mode, the necessary regulators are kept on. The V1 regulator is always on in LPON. V3 is off by default, although V3 can be configured to stay on in LPON.

If Standby mode is considered safety related for the MCU by the application, then system-level checks must be implemented to ensure the desired safety level. This mode is assumed to be a safe state with no critical activity in the SBC. Before moving to Standby mode, the FCCU error-out signals must be asserted by software to transition the system to a safe state. The MCU's FCCU\_ERR0 must be asserted active low during standby.

The VLPR entry and exit for S32K1 is covered in section "System Mode Controller" of <u>S32K1</u>.

The Standby mode entry and exit sequences for S32K3 are covered in section "Mode Entry Module" of <u>S32K3</u>.

The SBC can wake up from LPON through any of the following wake-up mechanisms, which can be configured through SPI:

- WAKE2, WAKE3, and HVIO1 pins
- LDT expiration
- CAN via wake-up pattern
- GO2NORMAL SPI command via M\_SYS\_CFG

#### 4.1.4 Safe state

According to ISO 26262<sup>1</sup>, a safe state is an "... operating mode, in case of a failure, of an item without an unreasonable level of risk".

The S32K1/S32K3 is in a safe state when it is unpowered or is indicating a fault externally and/or in reset. While the MCU is indicating a fault on its error out (S32K3 only) or reset pins, the FS24 must be configured to provide a safe-state transition signal to ensure the system is in a safe state in the presence of a fault in the MCU.

The FS24 is an ASIL B device with a safe state ensured by a Fail-safe state in the main state machine (no failsafe state machine).

#### 4.1.4.1 Fault impact configuration

The FS24 has two safety outputs: RSTB and LIMP0. These safety output pins are used to guarantee the system safe state. All these safety outputs are active low. The assertion of the safety outputs depends on the device configuration during the initialization phase. RSTB is activated during power up and can only be released when the device is in Normal mode. LIMP0 will be released at startup and will only be asserted when a fault occurs.

AN14247

<sup>1</sup> International Standard ISO 26262-1, Road vehicles - Functional Safety, Part 1: Vocabulary

Some faults can be configured to assert (or not) RSTB and/or LIMP0, while some other faults assert safety pins without the possibility of being configured. For the complete list of configurable and non-configurable faults, refer to "Fault source and reaction" in the <u>FS2400 data sheet</u>

#### 4.1.4.2 Safe state entry because of a fault in FS24 or S32K

- The FS24 uses its fault error counter to bring the system into Safe state when a fault related to the FS24 occurs or when the fault is caused by external events. When the fault error counter reaches its maximum value, the system transitions into Fail-safe state.
- Fault indicated by inability to refresh the watchdog: The FS24 has a watchdog error counter to bring the system into Safe state when an incorrect watchdog refresh occurs. When the watchdog error counter reaches its maximum value, the fail-safe reaction is imposed on safety output(s). The watchdog refresh counter is used to decrement the fault error counter when the watchdog is continuously being serviced (maximum value is configurable) by the MCU, indicating its correct operation.

#### 4.1.5 System safe state

The system Safe state is ensured by safety output pins RSTB and LIMP0. All of those safety outputs are active low. RSTB is activated during power up and can only be released when the device is in Normal mode. LIMP0, on the contrary, will be released at startup and will only be asserted when a fault occurs. The two pins are managed independently in parallel of the main state machine.

Figure 27 gives and overview of the safety features implemented in the FS23 and their connection to the system Safe state.



AN14247 Application note

#### Safety pins and modes

In Fail-safe state, all safety pins are asserted to ensure system safe state.

In LPOFF, RSTB pin is asserted low and LIMP0 is released.

LPON mode is assumed to be a safe state with no critical activity, LIMP0 pin keeps the state that it had before the state machine transition to LPON.

In normal operation when all safety pins are released, the fault error counter is incremented each time a fault is detected by the FS24. Critical fault sources have a mandatory action on safety pins, and other fault sources can be configured to assert safety pins depending on desired behavior of the system. In the <u>FS2400 datasheet</u>, "Application related Fail-Safe fault list and reaction" lists all the faults and their impact on RSTB and LIMP0 pins with regard to the device configuration by OTP and/or by SPI.

# **5** References

#### Documentation

- 1. S32K1 Reference Manual
- 2. S32K1 product data sheet
- 3. S32K3 Reference Manual
- 4. S32K3 product data sheet
- 5. KW45 PCB Design Guidelines
- 6. KW45 Product data sheet
- 7. NCJ29D6 User Manual
- 8. NCJ29D6 product data sheet
- 9. NCJ29D5 Hardware Design Guide
- 10. <u>NCJ29D5 product datas sheet</u>
- 11. NCF3321 product data sheet
- 12. FS2400 Application Note: Product guidelines

# 6 Revision history

| Table 4. Revision history |               |                                                                                                         |
|---------------------------|---------------|---------------------------------------------------------------------------------------------------------|
| Document ID               | Release date  | Description                                                                                             |
| AN14247 v. 2.0            | 8 Nov 2024    | <ul><li>Changed security status from confidential to public</li><li>Updated legal information</li></ul> |
| AN14247 v.1.0             | 10 April 2024 | Initial version                                                                                         |

#### Table 4. Revision history

#### FS24 attach to NXP devices guidelines

# Legal information

## Definitions

**Draft** — A draft status on a document indicates that the content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included in a draft version of a document and shall have no liability for the consequences of use of such information.

## Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors.

In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

**Right to make changes** — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

**Applications** — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.

Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer's sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer's applications and products planned, as well as for the planned application and use of customer's third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products.

NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer's applications or products, or the application or use by customer's third party customer(s). Customer is responsible for doing all necessary testing for the customer's applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer's third party customer(s). NXP does not accept any liability in this respect.

Terms and conditions of commercial sale — NXP Semiconductors products are sold subject to the general terms and conditions of commercial sale, as published at https://www.nxp.com/profile/terms, unless otherwise agreed in a valid written individual agreement. In case an individual agreement is concluded only the terms and conditions of the respective agreement shall apply. NXP Semiconductors hereby expressly objects to applying the customer's general terms and conditions with regard to the purchase of NXP Semiconductors products by customer.

**Hazardous voltage** — Although basic supply voltages of the product may be much lower, circuit voltages up to 60 V may appear when operating this product, depending on settings and application. Customers incorporating or otherwise using these products in applications where such high voltages may appear during operation, assembly, test etc. of such application, do so at their own risk. Customers agree to fully indemnify NXP Semiconductors for any damages resulting from or in connection with such high voltages. Furthermore, customers are drawn to safety standards (IEC 950, EN 60 950, CENELEC, ISO, etc.) and other (legal) requirements applying to such high voltages.

**Export control** — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

**HTML publications** — An HTML version, if available, of this document is provided as a courtesy. Definitive information is contained in the applicable document in PDF format. If there is a discrepancy between the HTML document and the PDF document, the PDF document has priority.

**Translations** — A non-English (translated) version of a document, including the legal information in that document, is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions.

Security — Customer understands that all NXP products may be subject to unidentified vulnerabilities or may support established security standards or specifications with known limitations. Customer is responsible for the design and operation of its applications and products throughout their lifecycles to reduce the effect of these vulnerabilities on customer's applications and products. Customer's responsibility also extends to other open and/or proprietary technologies supported by NXP products for use in customer's applications. NXP accepts no liability for any vulnerability. Customer should regularly check security updates from NXP and follow up appropriately. Customer shall select products with security features that best meet rules, regulations, and standards of the intended application and make the ultimate design decisions regarding its products and is solely responsible for compliance with all legal, regulatory, and security related requirements concerning its products, regardless of any information or support that may be provided by NXP.

NXP has a Product Security Incident Response Team (PSIRT) (reachable at <u>PSIRT@nxp.com</u>) that manages the investigation, reporting, and solution release to security vulnerabilities of NXP products.

Suitability for use in automotive applications (functional safety) -This NXP product has been qualified for use in automotive applications. It has been developed in accordance with ISO 26262, and has been ASIL classified accordingly. If this product is used by customer in the development of, or for incorporation into, products or services (a) used in safety critical applications or (b) in which failure could lead to death, personal injury, or severe physical or environmental damage (such products and services hereinafter referred to as "Critical Applications"), then customer makes the ultimate design decisions regarding its products and is solely responsible for compliance with all legal, regulatory, safety, and security related requirements concerning its products, regardless of any information or support that may be provided by NXP. As such, customer assumes all risk related to use of any products in Critical Applications and NXP and its suppliers shall not be liable for any such use by customer. Accordingly, customer will indemnify and hold NXP harmless from any claims, liabilities, damages and associated costs and expenses (including attorneys' fees) that NXP may incur related to customer's incorporation of any product in a Critical Application.

 $\ensuremath{\mathsf{NXP}}\xspace \mathsf{B.V.}$  — NXP B.V. is not an operating company and it does not distribute or sell products.

## Trademarks

Notice: All referenced brands, product names, service names, and trademarks are the property of their respective owners.

FS24 attach to NXP devices guidelines

NXP — wordmark and logo are trademarks of NXP B.V.

FS24 attach to NXP devices guidelines

# **Tables**

| Tab. 1. | FS24 and S32K1 pins connections | 24 |
|---------|---------------------------------|----|
| Tab. 2. | FS24 and S32K3 pins connections | 24 |

| Tab. 3. | Watchdog answer and refresh validation33 |
|---------|------------------------------------------|
| Tab. 4. | Revision history                         |

## FS24 attach to NXP devices guidelines

# Figures

| Fig. 1.  | Architecture to supply NCJ29D64            |
|----------|--------------------------------------------|
| Fig. 2.  | Architecture to supply S32K1 + NCJ29D55    |
| Fig. 3.  | Architecture to supply KW45 (using the     |
|          | DC-DC) + NCJ29D66                          |
| Fig. 4.  | Architecture to supply KW45 (without using |
|          | the DC-DC) + NCJ29D6 7                     |
| Fig. 5.  | Architecture to supply KW45 (using the     |
|          | DC-DC) + NCJ29D58                          |
| Fig. 6.  | Architecture to supply KW45 (without using |
|          | the DC-DC) + NCJ29D5 9                     |
| Fig. 7.  | Architecture to supply S32K1 + NCF332110   |
| Fig. 8.  | Architecture to supply KW45 (using the     |
|          | DC-DC) + NCJ29D611                         |
| Fig. 9.  | Architecture to supply KW45 (without using |
|          | the DC-DC) + NCJ29D6 12                    |
| Fig. 10. | High-voltage regulator strategy13          |
| Fig. 11. | Low-voltage regulator strategy14           |
| Fig. 12. | Single-supply architecture15               |
| Fig. 13. | Single-supply architecture with external   |
|          | transistor for V1515                       |

| Fig. 14. | Dual-supply architecture                   |    |
|----------|--------------------------------------------|----|
| Fig. 15. | NCJ29D6 supplied by FS2400                 |    |
| Fig. 16. | S32K1xx + NCJ29D5 supplied by FS2400       | 19 |
| Fig. 17. | KW45 and NCJ29D6 supplied by FS2400        | 20 |
| Fig. 18. | KW45 and NCJ29D5 supplied by FS2400        | 21 |
| Fig. 19. | S32K1xx and NCF3321 supplied by            |    |
|          | FS2400                                     | 22 |
| Fig. 20. | KW45 and NCF3321 supplied by FS2400        | 23 |
| Fig. 21. | One-rail power supply architecture with    |    |
| 0        | FS240x                                     | 25 |
| Fig. 22. | One-rail power supply architecture with    |    |
|          | external transistor                        | 26 |
| Fig. 23. | Two-rail power supply architecture with    |    |
|          | external transistor                        | 27 |
| Fig. 24. | Startup sequence                           | 29 |
| Fig. 25. | ABIST on-demand execution sequence         | 31 |
| Fig. 26. | Example of ERRMON reaction upon a fault    | 33 |
| Fig. 27. | FS24 safety features and system safe state | 35 |
|          |                                            |    |

## FS24 attach to NXP devices guidelines

## Contents

| 1       | Introduction                                      | 2 |
|---------|---------------------------------------------------|---|
| 1.1     | General description                               |   |
| 1.2     | Features and benefits                             | 3 |
| 2       | Power architecture                                |   |
| 2.1     | Secure car access supply                          |   |
| 2.1.1   | NCJ29D6 in ranging/radar                          |   |
| 2.1.2   | S32K1xx and NCJ29D5 in ranging                    | 5 |
| 2.1.3   | KW45 and NCJ29D6 in key detection and ranging     | 2 |
| 2.1.4   | KW45 and NCJ29D5 in key detection and             |   |
| 2.1.5   | ranging<br>S32K1xx and NCF3321 in door handle key | 3 |
|         | detection                                         | 0 |
| 2.1.6   | KW45 and NCF3321 in key connection and            |   |
|         | door handle key detection                         | 1 |
| 2.1.7   | KW45, NCJ29D6, and NCF332113                      | 3 |
| 2.2     | Body application supply14                         | 4 |
| 2.2.1   | Single-supply architecture 14                     |   |
| 2.2.2   | Dual-supply architecture1                         |   |
| 3       | Hardware implementation1                          |   |
| 3.1     | Secure car access devices18                       |   |
| 3.1.1   | NCJ29D6 in ranging/radar18                        |   |
| 3.1.2   | S32K1xx and NCJ29D5 in ranging19                  |   |
| 3.1.3   | KW45 and NCJ29D6 in key detection and             |   |
|         | ranging20                                         | 0 |
| 3.1.4   | KW45 and NCJ29D5 in key detection and             |   |
|         | ranging2                                          | 1 |
| 3.1.5   | S32K1xx and NCF3321 in door handle key detection  | 2 |
| 3.1.6   | KW45 and NCF3321 in key connection and            | - |
| 00      | door handle key detection                         | 3 |
| 3.2     | Body devices                                      |   |
| 3.2.1   | Single-supply architecture                        |   |
| 3.2.2   | Single-supply with external NPN for V15           | - |
| 0.2.2   | architecture                                      | 6 |
| 3.2.3   | Dual-supply architecture                          |   |
| 4       | Software implementation of safety                 |   |
| •       | features                                          | B |
| 4.1     | Operation modes                                   |   |
| 4.1.1   | Start and boot                                    |   |
| 4.1.1.1 | Startup sequence                                  |   |
| 4.1.1.2 | ABIST on demand                                   |   |
| 4.1.1.3 | Protected INIT phase                              |   |
| 4.1.1.4 | Initialization procedure example                  |   |
| 4.1.1.5 | Entry to runtime operation                        |   |
| 4.1.2   | Runtime                                           |   |
| 4.1.2.1 | Watchdog monitoring                               |   |
| 4.1.2.2 | Fault collection and control unit monitoring      |   |
| 4.1.2.3 | Reset (RSTB) safety output                        |   |
| 4.1.2.4 | LIMP0 safety output                               |   |
| 4.1.3   | Standby mode                                      |   |
| 4.1.4   | Safe state                                        |   |
| 4.1.4.1 | Fault impact configuration                        |   |
|         | r aan impaot oormgaration                         | r |

| 4.1.4.2 | Safe state entry because of a fault in FS24 |    |
|---------|---------------------------------------------|----|
|         | or S32K                                     | 35 |
| 4.1.5   | System safe state                           | 35 |
| 5       | References                                  |    |
| 6       | Revision history                            | 38 |
|         | Legal information                           |    |

Please be aware that important notices concerning this document and the product(s) described herein, have been included in section 'Legal information'.

#### © 2024 NXP B.V.

#### All rights reserved.

For more information, please visit: https://www.nxp.com

Document feedback Date of release: 8 November 2024 Document identifier: AN14247