Software Safety Components

Safety Extension Package (SEP) Developer Guide

There are four major hardware components in the NVIDIA IGX Orin Developer Kit.

  1. CCPLEX (Orin) – CPU Complex. Runs the K5.15 optimized Linux kernel provided in the BSP, along with the error propagation library.

  2. FSI (Orin) – Functional Safety Island. Runs a Vector Safety certified operating system [Product page], which provides a list of safety features to monitor the safety aspects of the Orin SOC.

  3. SMCU – Safety MCU from Infineon which runs a Vector Safety certified operating system [Product page] that monitors the safety aspects of the platform.

  4. BMC – Board Management Controller. Runs Linux kernel K5.15 with Yocto Rootfs to control SMCU (reset/flashing). [BMC User Guide]

Error Propagation

The error propagation library (EPL) demonstrates how a safety app running on CCPLEX can send error codes to FSI using the kernel driver.

The EPL contains the following software components.

  1. nvDemoAppSwErr

    1. Responsible for preparing error frames.

    2. Can be executed in two ways: with 3 command line arguments, or without any arguments. When arguments are given, they are used to prepare the error frames; when invoked without arguments, the application presents menu options for the same.

    3. Calls NvEpl_ReportError to send the error code.

  2. Shared library

    1. Provides the definition of the NvEpl_ReportError function.

    2. Responsible for low-level communication with the kernel driver.

  3. Kernel driver

    1. Used to communicate with FSI using 128-bit hardware primitives.

    2. Further discussion of this component is out of scope for this document.

The block diagram below helps visualize the data flow and the software components involved.


BMC-SMCU Communication

The BMC and SMCU hardware are connected by 3 GPIOs, which are used to trigger the various power states of the NVIDIA IGX Orin Developer Kit. The interaction and state machines are described below.

Below are the GPIO connections between SMCU and BMC hardware.

  • Poweron (P23.7) - Relays a “power on” signal from BMC to SMCU. The next state is defined by the GPIO toggle period and the current state of the NVIDIA IGX Orin Developer Kit. (Active low)

  • Recovery (P33.1) - Relays the recovery signal to Orin on/off. (Active low)

  • Reset (P33.10) - Relays the reset signal to Orin on/off. (Active low)

SMCU-CCPLEX Communication

The SMCU acts as SPI master (SPI3) and initiates data transmission. SPI3 is initialized during Aurix boot, and each application initiates a transmission using the data structure below, with its APP_ID in the header field of the SPI packet. Each application does this by calling the exported API (which internally calls spi_setupEB() and then spi_sync_transmit()). Because the transmission is synchronous, each application receives the returned SPI data once the transmission completes.

If the response does not match SPI_Major/Minor, or carries a failure code, the API reports an error message and returns to the application, which can then initiate another transmission. The diagram below shows the SPI data transmission details:



Below is the SPI data format that applications use to send data to the CCPLEX application.

```c
/* uint8 and MAX_DATA_SZ are provided by the SMCU platform headers (not shown here). */

typedef enum _spi_client_err_code {
    SPI_CL_ACK = 0,
    SPI_CL_WRONG_VER,
    SPI_CL_NO_APP,
    SPI_CL_WRONG_APP,
    SPI_CL_UNKWN_ERR,
    SPI_CL_RETRY,
    SPI_CL_ACK_CODE_END
} spi_cl_err_code;

/**
 * @brief Header common to all messages sent between SMCU and CCPLEX over SPI
 *
 * @member major_version: SPI protocol major version
 * @member minor_version: SPI protocol minor version
 * @member app_id: needed to route the message to the appropriate app
 * @member err_code: error code, one from spi_cl_err_code
 */
typedef struct client_msg_hdr {
    uint8 major_version;
    uint8 minor_version;
    uint8 app_id;
    uint8 err_code;
} client_msg_hdr_t;

/**
 * @brief Message exchanged between SMCU and CCPLEX over SPI
 *
 * @member hdr: common header
 * @member data: application payload
 */
typedef struct client_msg {
    client_msg_hdr_t hdr;
    uint8 data[MAX_DATA_SZ];
} client_msg_t;

typedef enum _safety_client_id {
    IST_CLIENT = 1,
    CCPLEX_APP,
    SAFE_CLIENT_ID_END
} safety_client_id;
```
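The following is an added example, not NVIDIA's SEP code, showing how an application would fill the header above and then validate what comes back, as the API behaviour described in the previous paragraphs requires (version check, then error code). The real exported API, spi_setupEB() and spi_sync_transmit() are replaced by a simulated SMCU reply so the exchange runs offline; uint8, MAX_DATA_SZ and the protocol version numbers are placeholders, and the resp_status names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Placeholders: on the real system these come from the SMCU platform headers. */
typedef uint8_t uint8;
#define MAX_DATA_SZ     28   /* placeholder payload size */
#define SPI_PROTO_MAJOR 1    /* assumed protocol version for this example */
#define SPI_PROTO_MINOR 0

typedef enum _spi_client_err_code {
    SPI_CL_ACK = 0, SPI_CL_WRONG_VER, SPI_CL_NO_APP, SPI_CL_WRONG_APP,
    SPI_CL_UNKWN_ERR, SPI_CL_RETRY, SPI_CL_ACK_CODE_END
} spi_cl_err_code;

typedef struct client_msg_hdr {
    uint8 major_version;
    uint8 minor_version;
    uint8 app_id;
    uint8 err_code;
} client_msg_hdr_t;

typedef struct client_msg {
    client_msg_hdr_t hdr;
    uint8 data[MAX_DATA_SZ];
} client_msg_t;

typedef enum _safety_client_id { IST_CLIENT = 1, CCPLEX_APP, SAFE_CLIENT_ID_END } safety_client_id;

/* Verdict on a received frame (hypothetical names, not from the SEP API). */
typedef enum {
    RESP_OK = 0,            /* version and app match, SMCU acknowledged */
    RESP_VERSION_MISMATCH,  /* SPI_Major/Minor differ: payload must not be trusted */
    RESP_APP_MISMATCH,      /* frame belongs to a different app */
    RESP_RETRY,             /* SMCU asked for a retransmission */
    RESP_FAILED,            /* any other failure code, including unknown values */
    RESP_BAD_ARG
} resp_status;

/* Fill a request frame. Returns 0, or -1 if the app id is unknown or the payload
 * does not fit. The frame is zeroed first so no stale bytes leave the sender. */
int spi_build_request(client_msg_t *msg, uint8 app_id, const uint8 *payload, size_t len)
{
    if (msg == NULL || len > MAX_DATA_SZ) return -1;
    if (app_id < IST_CLIENT || app_id >= SAFE_CLIENT_ID_END) return -1;
    memset(msg, 0, sizeof *msg);
    msg->hdr.major_version = SPI_PROTO_MAJOR;
    msg->hdr.minor_version = SPI_PROTO_MINOR;
    msg->hdr.app_id = app_id;
    msg->hdr.err_code = SPI_CL_ACK;
    if (len > 0) memcpy(msg->data, payload, len);
    return 0;
}

/* Classify the frame that came back for req: version first, then app, then error code. */
resp_status spi_check_response(const client_msg_t *req, const client_msg_t *resp)
{
    if (req == NULL || resp == NULL) return RESP_BAD_ARG;
    if (resp->hdr.major_version != req->hdr.major_version ||
        resp->hdr.minor_version != req->hdr.minor_version) return RESP_VERSION_MISMATCH;
    if (resp->hdr.app_id != req->hdr.app_id) return RESP_APP_MISMATCH;
    switch (resp->hdr.err_code) {
    case SPI_CL_ACK:   return RESP_OK;
    case SPI_CL_RETRY: return RESP_RETRY;
    default:           return RESP_FAILED;
    }
}

/* Stand-in for the SMCU side: answers with its own version and an error code. */
void smcu_simulated_reply(const client_msg_t *req, client_msg_t *resp)
{
    memset(resp, 0, sizeof *resp);
    resp->hdr.major_version = SPI_PROTO_MAJOR;
    resp->hdr.minor_version = SPI_PROTO_MINOR;
    resp->hdr.app_id = req->hdr.app_id;
    if (req->hdr.major_version != SPI_PROTO_MAJOR || req->hdr.minor_version != SPI_PROTO_MINOR)
        resp->hdr.err_code = SPI_CL_WRONG_VER;
    else if (req->hdr.app_id < IST_CLIENT || req->hdr.app_id >= SAFE_CLIENT_ID_END)
        resp->hdr.err_code = SPI_CL_NO_APP;
    else {
        resp->hdr.err_code = SPI_CL_ACK;
        memcpy(resp->data, req->data, MAX_DATA_SZ);   /* echo the payload back */
    }
}

/* One synchronous round trip as an application performs it; returns the verdict. */
resp_status spi_round_trip(uint8 app_id, const uint8 *payload, size_t len, client_msg_t *resp_out)
{
    client_msg_t req;
    if (spi_build_request(&req, app_id, payload, len) != 0) return RESP_BAD_ARG;
    smcu_simulated_reply(&req, resp_out);   /* real code: exported API -> spi_setupEB(), spi_sync_transmit() */
    return spi_check_response(&req, resp_out);
}

int main(void)
{
    client_msg_t resp;
    const uint8 payload[3] = {0xAA, 0xBB, 0xCC};   /* constructed sample payload */
    return spi_round_trip(CCPLEX_APP, payload, sizeof payload, &resp) == RESP_OK ? 0 : 1;
}
```

The version check runs before the error code is read so that a frame from a peer speaking a different protocol revision is rejected even if its err_code happens to be SPI_CL_ACK; RESP_RETRY is the only verdict on which an application should resend without further investigation.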


FSI-SMCU SPI communication is used for error propagation. To test the SPI communication, inject an error in CCPLEX using the DemoAppSwErr application.


Whenever FSI receives a critical error report and the safety of the system is compromised, the FSI firmware asserts the SOC_SAFESTATE GPIO, which informs the SMCU of the criticality of the error. The SMCU then takes appropriate action based on the error information it receives via the SPI data.


© Copyright 2024, NVIDIA Corporation. Last updated on May 30, 2024.