🚧 This document is still being actively worked on and is subject to change. 🚧
| Responsible | |
| Last Updated | 10/12/2025, 12:48:54 PM |
| Last Author | Kai Berszin |
SPI during Redundancy Switchover
| Signals | Active MCU | Supervisor MCU | At peripheral | Note |
|---|---|---|---|---|
| SCLK | SCLK_A | SCLK_S | SCLK_P | |
| NCS | NCS_A | NCS_S | NCS_P | |
| IO0 | IO0_A | IO0_S | IO0_P | COPI |
| IO1 | IO1_A | IO1_S | IO1_P | CIPO |
| IO2 | IO2_A | IO2_S | IO2_P | |
| IO3 | IO3_A | IO3_S | IO3_P | |
| SPI Mode | CPOL | CPHA |
|---|---|---|
| 0 | 0 | 0 |
| 1 | 0 | 1 |
| 2 | 1 | 0 |
| 3 | 1 | 1 |
| CPHA | Sample occurs |
|---|---|
| 0 | CPOL -> !CPOL |
| 1 | !CPOL -> CPOL |
Assuming Supervisor SPI stays in Idle
Note:
This might not be a valid assumption, as a malfunctioning active MCU will be switched to 'supervisor'.
While this happens after a reset, it might continue to malfunction for some time afterwards.
What is the exact failure model here?
Considering the SPI states for both Supervisor and Active during an RSO:
| States | SPI_A Idle | SPI_A Transmitting |
|---|---|---|
| SPI_S Idle | No Issue | Maybe a Problem |
| SPI_S Transmitting | Illegal | Illegal |
The supervisor, because it is not connected to the SPI bus, should not be transmitting; these cases are included here for completeness.
SPI_S Idle, SPI_A Idle
Both MCUs output the same signal on the bus, so an RSO does (likely) not change the signal levels.
Note:
'Likely' because the switch's actual behaviour during an RSO has not been classified yet.
TODO @spfeiler when FSTL Card is ready.
SPI_S Transmitting, SPI_A Idle
SPI_P will see the tail end of a transaction.
SPI_S Idle, SPI_A Transmitting
SPI_P will see the head end of a transaction.
Can an additional data bit be sampled during an RSO?
The NCS line will be asserted during the switchover. Likewise, the SCLK line will also be returning to CPOL.
If SCLK_A != CPOL, then the RSO results in a change in SCLK_P, because SCLK_S is held at CPOL. For CPHA = 1 this results in an additional sample-triggering clock edge.
Depending on the arrival/sampling of NCS_P, the peripheral might consider this an additional data bit being transmitted.
Note:
TODO @spfeiler tested on FSTL Card.
Relevance:
For the Flash QSPI interface, 'one' additional sample means potentially introducing 4 incorrect bits. These are not detectable by the flash itself, as the flash reads them from the QSPI and calculates the ECC based on them. For software EDAC, 4 error bits are detectable and correctable, which is made easier when we are aware that the 4 least significant bits of the last word written to the flash might be incorrect.
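The edge argument above can be checked with a small behavioural model that sweeps all four SPI modes, both SCLK_A levels and both arrival orders of NCS_P and SCLK_P. This is an added example, not part of the original design notes: it assumes an idle SPI_S drives SCLK_S = CPOL and NCS_S high (inactive) and that the switch changes one signal at a time; all function names are hypothetical.

```python
from itertools import product

SPI_MODES = {0: (0, 0), 1: (0, 1), 2: (1, 0), 3: (1, 1)}  # mode -> (CPOL, CPHA)

def count_samples(trace, cpol, cpha):
    """Count sampling edges in a list of (sclk, ncs) pin states; NCS is active low."""
    # CPHA=0 samples on CPOL -> !CPOL, CPHA=1 on !CPOL -> CPOL.
    level_before_edge = cpol if cpha == 0 else 1 - cpol
    samples = 0
    for (prev_clk, prev_ncs), (clk, ncs) in zip(trace, trace[1:]):
        selected = prev_ncs == 0 and ncs == 0  # selected across the whole edge
        if selected and prev_clk == level_before_edge and clk != prev_clk:
            samples += 1
    return samples

def rso_trace(cpol, full_cycles, sclk_a_at_rso, ncs_first):
    """Pin states at the peripheral: SPI_A clocks full_cycles bits, then the RSO
    hands the bus to an idle SPI_S (assumed: SCLK_S = CPOL, NCS_S = 1)."""
    trace = [(cpol, 1), (cpol, 0)]  # bus idle, then NCS_A goes low
    for _ in range(full_cycles):
        trace += [(1 - cpol, 0), (cpol, 0)]  # one complete clock cycle
    if sclk_a_at_rso != cpol:
        trace.append((sclk_a_at_rso, 0))  # SPI_A is mid-cycle when the RSO hits
    if ncs_first:  # NCS_P changes before SCLK_P
        trace += [(trace[-1][0], 1), (cpol, 1)]
    else:  # SCLK_P changes before NCS_P
        trace += [(cpol, 0), (cpol, 1)]
    return trace

def extra_samples(mode, sclk_a_at_rso, ncs_first, full_cycles=3):
    """Samples the peripheral takes beyond those SPI_A completed before the RSO."""
    cpol, cpha = SPI_MODES[mode]
    seen = count_samples(rso_trace(cpol, full_cycles, sclk_a_at_rso, ncs_first), cpol, cpha)
    # With CPHA=0 the leading edge of a half-finished cycle is already a real sample.
    genuine = full_cycles + (1 if cpha == 0 and sclk_a_at_rso != cpol else 0)
    return seen - genuine

def sweep(io_lines=4):
    """Map (mode, SCLK_A level, ncs_first) -> suspect bits, for cases with an extra sample."""
    hits = {}
    for mode, level, ncs_first in product(SPI_MODES, (0, 1), (False, True)):
        extra = extra_samples(mode, level, ncs_first)
        if extra:
            hits[(mode, level, ncs_first)] = extra * io_lines
    return hits

if __name__ == "__main__":
    for case, bits in sorted(sweep().items()):
        print(case, "->", bits, "suspect bits")
```

In this model the only cases with an extra sample are modes 1 and 3 with SCLK_A at !CPOL and SCLK_P changing before NCS_P, each costing `io_lines` bits (4 for QSPI).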
SPI_S Transmitting, SPI_A Transmitting
SPI_P will see a spliced transaction, where the head comes from SPI_A and the tail from SPI_S.