SafeSPI-CTRL
SafeSPI Controller

The SafeSPI-CTRL implements a versatile and highly reliable Serial Peripheral Interface (SPI) controller compliant with the SafeSPI specification. Offering maximum flexibility to the host system, a single instance of the SafeSPI-CTRL can be programmed to act as a SafeSPI master, slave, or monitor, or as master or slave controller for conventional SPI. The core supports all SafeSPI frame formats and addressing modes and allows extended configuration options for conventional SPI, so it can communicate with any SafeSPI-compliant device as well as with devices implementing a wide range of SPI protocol variants or over-SPI protocols, such as xSPI.

The SafeSPI-CTRL imposes minimum overhead on the host system. As a SafeSPI interface controller, it automatically generates and checks CRCs and implements the fault management processes provisioned by the SafeSPI specification. Furthermore, the core can automatically filter traffic based on address and CSN when operating as a monitor. The core can also be programmed to operate in autonomous bridging mode, where it will translate transactions on the local AXI4-Lite bus to transactions on the SafeSPI bus and vice versa without any firmware assistance.

The core can satisfy the requirements of the most stringent functional safety assurance levels by optionally implementing a series of hardware mechanisms. These include spatial redundancy for critical modules, data protection by CRC or parity in buffers and registers, and self-diagnostics with a real-time fault injection facility. A certification data package consisting of an FMEDA, and Safety Manual documents is also optionally available.

Consistent with CAST’s quality standards, the SafeSPI-CTRL core adheres to the industry’s best coding and verification practices to ensure easy integration and trouble-free implementation in ASIC or FPGA technologies. The interface controller core is highly configurable at synthesis time, allowing tuning of its supported features and size to each design’s needs. It uses 32-bit AXI4-Lite interfaces, which can optionally operate on a clock domain asynchronous to the serial clock. Technology mapping, constraining, and scan insertion are straightforward, as the LINT-clean RTL design contains no multi-cycle or false paths and uses only rising-edge-triggered D-type flip-flops, no tri-states, an asynchronous reset line per clock domain, and clean clock domain crossing modules. Its reliability and low risk have been proven through rigorous verification and FPGA validation.

The core as delivered is warranted against defects for ninety days from purchase. Thirty days of phone and email technical support are included, starting with the first interaction. Additional maintenance and support options are available.

The core is available in synthesizable RTL and FPGA netlist forms. It ships with everything required for successful implementation, including:

  • System Verilog RTL source code
  • Post-synthesis EDIF (netlist licenses)
  • System Verilog Testbenches
  • Simulation & Synthesis Scripts
  • Documentation

To facilitate ISO 26262 certification, the optional Functional Safety version also includes:

  • the Failure Modes, Effects and Diagnostic Analysis (FMEDA) report, and
  • the Safety Assessment Methodology (SAM) document.

 

The SafeSPI-CTRL can be mapped to any ASIC technology or FPGA device. The following table provides sample silicon resource utilization data for different configurations on 7nm technology. Please contact CAST to get characterization data for your target configuration and technology.

Configuration Logic Resources (eq. Gates) Memory Resources (SRAM bits)
Monitor-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 3,658
Monitor-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 11,201
Slave-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 3,640
Slave-only, max/no CDC: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 15,619
Master-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 4,029
Master-only, max/no CDC: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 12,843
Master & Slave & Monitor, max/no CDC: autonomous (all modes), full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 14,029
Master & Slave & Monitor, max: autonomous (all modes), full redundancy, fault injection, CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 37,393

The SafeSPI-CTRL can be mapped to any Altera FPGA device. The following table provides sample resource utilization data for different configurations on an Agilex™ 5 device. Please contact CAST to get characterization data for your tar-get configuration and technology.

Configuration Logic Resources (ALMs) Memory Resources (BRAMs)
Monitor-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 344 2
Monitor-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 1,348 1
Slave-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 366 1
Slave-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 1,958 2
Master-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 546
Master-only, max: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 1,965 4
Master & Slave & Monitor, max/no-CDC: autonomous (all modes), full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,302 4
Master & Slave & Monitor, max: autonomous (all modes), full redundancy, fault injection, CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,919 4

The SafeSPI-CTRL can be mapped to any AMD FPGA device. The following table provides sample resource utilization data for different configurations on an Artix™ UltraScale+™ device. Please contact CAST to get characterization data for your target configuration and technology.

Configuration Logic Resources (LUTs) Memory Resources (RAMBs)
Monitor-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 442
Monitor-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 1,907 1
Slave-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 428
Slave-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,089 2
Master-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 623
Master-only, max: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,210 2
Master & Slave & Monitor, max/no-CDC: autonomous (all modes), full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 4,647 2
Master & Slave & Monitor, max: autonomous (all modes), full redundancy, fault injection, CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 5,145 2

The SafeSPI-CTRL can be mapped to any Lattice FPGA device. The following table provides sample resource utilization data for different configurations on a CertusPro™-NX device.Please contact CAST to get characterization data for your target configuration and technology.

Configuration Logic Resources (LUTs) Memory Resources (Block RAM)
Monitor-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 585
Monitor-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 2,429 2
Slave-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 730
Slave-only, max/no-CDC: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,477 2
Master-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 1,016
Master-only, max: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 4,245 4
Master & Slave & Monitor, max/no-CDC: autonomous (all modes), full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 7,297 4
Master & Slave & Monitor, max: autonomous (all modes), full redundancy, fault injection, CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 8,048 4

The SafeSPI-CTRL can be mapped to any Microchip FPGA device. The following table provides sample resource utilization data for different configurations on a Polarfire® device. Please contact CAST to get characterization data for your target configuration and technology.

Configuration Logic Resources (4LUTs/DFF) Memory Resources (uSRAM/LSRAM)
Monitor-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 634/422 3/0
Monitor-only, max: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 2,243/1,491 4/0
Slave-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 636/358 0/2
Slave-only, max/no-CDC: autonomous, redundancy, fault injection, CDC, mode, 32- and 48-bit frames, 16 CSN, 256-word FIFOs 3,293/1,117 0/2
Master-only, min: no autonomous, no redundancy, no fault injection, no CDC: 32-bit frames, 1 CSN, 2-word FIFOs 962/424 6/0
Master-only, max: autonomous, full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 4,163/1,585 3/4
Master & Slave & Monitor, max/no-CDC: autonomous (all modes), full redundancy, fault injection, no CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 7,136/1,915 0/4
Master & Slave & Monitor, max: autonomous (all modes), full redundancy, fault injection, CDC: 32- and 48-bit frames, 16 CSN, 256-word FIFOs 7,717/4,362 0/4

The Serial Peripheral Interface for Automotive Safety (SafeSPI) is an open standard based on the de-facto SPI industry standard. SafeSPI protocol incorporates additional features to ensure safety and reliability in critical automotive systems.

The first version of SafeSPI specification was released in 2016, and the second version in 2021. SafeSPI has seen wide adoption and has been used in automotive microcontrollers, electronic control units (ECUs), sensors, actuators, recorders, and diagnostics devices.

Learn more at SafeSPI official web page.

Related Content

Features List

SafeSPI Features

  • Compliant to SafeSPI Rev 2.0.
  • Master, slave, or monitor roles
  • All frame formats
    • 32-bit and 48-bit frames
    • In-Frame or Out-of-Frame communication
    • Both fixed frames and flexible frames
  • Slave selection options
    • Chip-select pin(s), or
    • 10-bit source/target address
  • Automatic CRC inclusion and checking
  • Fault Management

Conventional SPI Features

  • Master or slave roles
  • Programmable parameters
    • Serial clock phase and polarity
    • Frame size (1 to 32 bits); multiple frames can be merged into a single frame exceeding 32 bits
    • Chip-select and inter-frame gap

Functional Safety Features (Optional)

  • Redundancy for critical modules
  • Data protection by means of CRC (for buffers) and parity (registers)
  • Self-diagnostics via fault injection and loop-back mode
  • FMEDA, SAM documents
  • Ready for certification up to ISO 26262 ASIL-D

Easy to Use & Integrate

  • Run-time configuration options include
    • Autonomous SafeSPI-to-AHB bridge, or firmware-assisted, interface controller function
    • SafeSPI role (master, slave, or monitor) role and parameters
    • SafeSPI or conventional SPI
  • Standardized AMBA interfaces
    • AXI4-Lite or AXI5 Lite-Subordinate for register access
    • AXI4-Lite Manager (for autonomous/bridging operation for Slave or Monitor)
  • Independent clock for serial bus oversampling in Slave or Monitor mode
  • Fully synchronous, scan-ready, LINT-clean design
  • Synthesis-time configuration limits operation modes and features to optimize silicon resources usage

Resources

Learn more about SafeSPI at the official web page.

Let's talk about your project and our IP solutions

Request Info