Technical Page 1 / 16

Specification
V0.15
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

SafeSPI - Serial Peripheral Interface

for Automotive Safety

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 2 / 16
Specification
V0.15

1 INTRODUCTION 3

1.1 Requirement specification types 3

1.2 Scope 3

2 OVERVIEW ABOUT SPI COMMUNICATION 4

3 PHYSICAL LAYER SPECIFICATION 6

3.1 Voltage levels and capacitances 6

All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

3.2 Timing specifications 7

4 LOGICAL LAYER 10

4.1 General layer description 10

4.2 Bit encoding 10

4.2.1 Minimum Frame Format (out-of-frame) 10
4.2.2 Minimum Frame Format (in-frame) 11
4.2.3 Description of frame bits (out-of-frame and in-frame) 11

4.3 CRC protection 13

4.4 Example for the use of the target and source address 13

5 CHANGE HISTORY 16

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 3 / 16
Specification
V0.15

1 Introduction

INFO_001 The serial peripheral interface (SPI) is a synchronous serial communication interface used for
short distance communication, usually between devices on a printed board assembly. The
interface was developed by Motorola and is now a de-facto standard for several automotive
applications.
Because there is no formal SPI standard, a wide variety of protocol options exist. This flexibility
means every device defines its own protocol, increasing the development effort of new systems,
devices and software.
In automotive safety applications, there is often an independent monitoring device (often termed
“safing”) which listens to sensor data on the SPI bus. This monitoring device is usually
implemented in hardware, and imposes constraints on the SPI protocol.
This specification describes a standard for a target SPI interface used in automotive
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

applications. Its main focus is the transmission of sensor data between different devices.
1.1 Requirement specification types

DEF_002 Each requirement within this specification is marked with a unique identification. The
identification consists of a classifier and a unique number. The number is unique over all
versions of this specification. The classifiers are the following:
INFO: The following content has informative character.
DEF: The following content represents a definition. A definition itself cannot be fulfilled
alone. However, other requirements refer to this definition and to fulfil these
requirements, this definition must be followed
REQ: The following content is a requirement to the slaves and the masters
REQM: The following content applies only to SPI masters
REQS: The following content applies only to SPI slaves
Headings do not present any kind of requirement.
REQ_003 A device may call itself SafeSPI compatible if it fulfils all requirements (REQ).
1.2 Scope

DEF_004 This SafeSPI standard targets automotive SPI devices. The main focus is sensors, interface
integrated circuits (ICs), system application specific ICs (ASICs) and microcontrollers.
INFO_005 Other devices may call themselves “SafeSPI compatible” according to REQ_002 if wished.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 4 / 16
Specification
V0.15

2 Overview about SPI communication

INFO_006 A standard SPI interface consists of 4 ports as shown in Error! Reference source not found..

SCK

SPI CS SPI
Master MOSI Slave

MISO

Figure 1 SPI-Interface
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

The Serial ClocK (SCK) represents the master clock signal. This clock determines the speed of
data transfer and all receiving and sending is done synchronously to this clock. The Chip Select
(CS) activates the SPI interface. As long as the CS signal is at high level, the SPI Slave will not
accept the SCK signal or the Master-Out-Slave-In input (MOSI), and the Master-In-Slave-Out
output (MISO) is in high impedance. When the CS signal is at low level, data can be transferred
from the SPI Master to the SPI Slave and vice versa. Commands are transmitted through the
MOSI to the SPI Slave and the SPI Slave returns its response through the MISO.
INFO_007 SPI bus systems support several slave devices on one bus by using either multiple chip select
lines, one for each slave, or by a logical addressing. For several airbag and safety systems a
monitor device is connected as listener to the bus. This device is often an ASIC which needs a
dedicated SPI format. An example configuration is depicted in Error! Reference source not
found.

Slave 1 Slave 2 Slave 3

SPI

Master Monitor

Figure 2 Typical SafeSPI system configuration

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 5 / 16
Specification
V0.15

INFO_008 The power supplies for each device on the SafeSPI bus are not specified, and can be
independent, as shown in the figure below.

V1 V2

Internal
Supply

SPI I/F SPI I/F SPI I/F

All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

SPI I/F

V3

Figure 3 Example of different power domains V1, V2 & V3

REQ_tb9 In case of a slave supply failure (internally or from external) the slave shall not disturb any SPI
signals (i.e. MOSI, MISO, CS).

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 6 / 16
Specification
V0.15

3 Physical layer specification

INFO_010 The following chapter describes the physical layer of the SafeSPI specification. Besides voltage
and current levels, capacitances of pins, the timings of the different communication lines are
described.
3.1 Voltage levels and capacitances

INFO_011 Each of the masters and slaves of the SafeSPI interfaces can be powered from an independent
supply. The power supply range has to be the same for all connected devices also the power is
not supplied from the same rail. So all slaves and masters have to have 3.3V compatible inputs /
outputs. All devices have to work with different voltage levels within specification.
DEF_012 VIO defines the supply voltage of the SPI interface of the device. All voltage levels are defined to
the actual supply voltage. Positive current flows into the device.
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Parameter Symbol Condition Min Max Unit

REQ_001 Mode 3.3V: Supply voltage of VIO 3.0 3.6 V
SPI interface (to be provided
and required respectively at
the VIO pin)

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 7 / 16
Specification
V0.15

DEF_013 The following requirements apply to all four communication PINs, namely MISO, MOSI, CS and
SCK if not noted otherwise.

ID Parameter Symbol Condition min Max Unit

REQ_014 Input / output CIO 6 pF
capacitance
REQ_015 Total signal load CLOAD 6 100 pF
capacitance
REQ_016 Input low voltage VIL 0.8 V
REQ_017 Input high voltage VIH 2.4 VIO V
REQ_018 Output low voltage VOL ILOA D= 1 mA 0.4 V
REQ_019 Output high voltage VOH ILOAD = -1 mA VIO-0.4 VIO V
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

REQ_020 Input voltage VHYST 0.2 V

hysteresis
REQS_021 Output leakage ILEAK MISO only -10 10 µA
current
REQS_022 Input pull-up current IIL CS only @ VCS -70 -20 µA
0,8 .. 2.0V
REQS_023 Input pull-down IIH MOSI and SCK 20 70 µA
current @ VSI/SCK 0,8 ..
2.0V

3.2 Timing specifications

INFO_024 The timings are specified to allow an operation of up to 10 MHz on the SPI. All timings are valid
for the full range of specified voltage levels, input capacitances and current levels. The different
parameters are defined in the following graphic.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 8 / 16
Specification
V0.15

DEF_025
SafeSPI Timing Diagram for out-of-frame format
CPHA = 0
9
VOHmin
CS
VOLmax

1 7
2 4 6
VOHmin
SCK
PLE

PLE

PLE
SH

SH

SH
SAM

SAM

SAM
IFT

IFT

IFT
(CPOL = 0) VOLmax

3 5
3
11 12 11
VOHmin
MOSI undefined undefined
VOLmax
10 B
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

A
C
E
kink
VOHmin
MISO High impedance X High impedance
VOLmax
kink

DEF_025a
SafeSPI Timing Diagram for in-frame format
CPHA = 1
9
VIHmin
CS
VILmax

1 7
2 4 6
VIHmin
SCK
SAM

SAM

SAM
IFT

IFT

IFT
SH

SH

SH
PLE

PLE

PLE

(CPOL = 0) VILmax

3 5
3
11 12
VIHmin
MOSI undefined undefined
VILmax

10

B C
E
VIHmin
MISO High impedance undefined High impedance
VILmax
D

DEF_026 All timings are specified from VIHmin to VILmax or vice versa.
DEF_027 All timings are specified over full voltage range of VIO, unless specified otherwise
DEF_028 All timings are specified over full range of bus load CLOAD, unless specified otherwise
DEF_029 All timings are specified over full temperature range, unless specified otherwise

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 9 / 16
Specification
V0.15

INFO_030 The following requirements are to the slave from master-point of view:
ID Parameter Symbol Condition Min Max Unit
REQS_031 MISO data valid time (CS) A * 40 ns
REQS_032 MISO data valid time (SCK) B * 30 ns
REQS_033 MISO data hold time C X * ns
REQS_034 MISO rise/fall time D 5 15 ns
REQS_035 MISO data disable lag time E * 50 ns

DEF_036 X: MISO data is guaranteed to be stable until the next SCK shift edge
INFO_037 Parameter A, B do not include the rise/fall time of CS and SCK
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

INFO_038 The following requirements are given to the master from the slave-point of view
INFO_039 To achieve the Parameter D min/max time for the specified signal load capacitance range, a
drive strength configuration of the MISO may be required

ID Parameter Symbol Condition Min Max Unit

REQM_040 SCK disable lead time 1 10 ns
REQM_041 SCK enable lead time 2 40 ns
REQM_042 SCK rise and fall time 3 5 15 ns
REQM_043 SCK high time 4 40 ns
REQM_044 SCK low time 5 40 ns
REQM_045 SCK enable lag time 6 10 ns
REQM_046 SCK disable lag time 7 10 ns
REQM_047 Sequential transfer delay 9 450 ns
(Out-Of-Frame)
REQM_048 Sequential transfer delay 9 200 ns
(IN-Frame)
REQM_049 MOSI rise and fall time 10 5 15 ns
REQM_050 MOSI data setup time 11 10 ns
REQM_051 MOSI data hold time 12 20 ns

INFO_052 To achieve the parameter 3 and 10 min/max times for the specified signal load capacitance
range, a drive strength configuration of the SCK and MOSI may be required
INFO_053 To achieve the parameter 9 it takes more time for an Out-Of-Frame protocol since it has to
prepare the correct data in between two frames.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 10 / 16
Specification
V0.15

4 Logical layer

4.1 General layer description

DEF_054 There are two possible logical frame dependencies within SPI logical layers. One is called in-
frame since the data of the slave response is within the same time slot as the masters’ request.
As out-of-frame the communication is called if the logical response of the slave is within the next
frame of the master. Figure 3 depicts both options

in-frame out-of-frame
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Figure 4 in-frame and out-of-frame communication

REQ_055 The number of bits is fixed to 32.

REQ_056 The MSB is transferred first within a frame.
INFO_057 The SafeSPI supports an out-of-frame as well as an in-frame protocol. Both have the same CRC
polynomial and two separate response frames, one for sensor data (identified by S=1) and one
for other data (S=0). Sensor data can have up to 16bits.
4.2 Bit encoding

INFO_058 This section describes the logical encodings for different protocol options.
DEF_059 Bits within the master request (MOSI) or the slave response (MISO) which are marked as ‘*’ can
be freely defied and are not specified within this specification.
DEF_060 A bit which is marked as ‘$’ within the slave response (MISO) represents a tri-state of the output
pin (high impedance).

4.2.1 Minimum Frame Format (out-of-frame)

REQ_061 The following table show the command frame format for the out of frame protocol

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MOSI TA9:0 * C2:0
value 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1

Only bits 9:7 of the TA are mandatory in the request.

REQ_062 The following table show the response frame format for the out-of-frame protocol in case of
sensor data is transferred.

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MISO D SA9:0 S1 DATA15:0 S0 C2:0
value 1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 11 / 16
Specification
V0.15

REQ_063 The following table show the response frame format for the out of frame protocol for all other
data.

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MISO D SA9:0 * C2:0
value 0 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1

Only bits 9:7 of the SA are mandatory in the response.

REQ_064 In case a slave receives a frame he could not “understand” / decode, the slave should not
respond with any output (high impedance) to avoid collisions in a multiple slave environment.
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

4.2.2 Minimum Frame Format (in-frame)

REQ_065 The following table show the command frame format for the in-frame protocol.

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MOSI TA9:5 * CC2:0 *
value 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1

Only bits 9:7 of the TA are mandatory in the request.

REQ_066 The following table show the response with sensor data from a slave in the in-frame protocol.

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MISO $ * D SA9:5 DATA15:0 S0 CR2:0
0/
value 0/1 1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1
1
0/1

REQ_067 The following table show the other responses from a slave in the in-frame protocol.

Bit 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
MISO $ * D SA9:5 * CR2:0
0/
value 0/1 0 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1
1
0/1

Only bits 9:7 of the SA are mandatory in the response

4.2.3 Description of frame bits (out-of-frame and in-frame)

ID Symbol Name
REQ_068 TA9:0 The target address (TA) is the command which defines the command
to the sensor.
TA9:7 are mandatory
TA9:8 shall correspond to the programmable slave address, if the
slave supports the use of common CS for up to four slaves
TA6:0 are optional and can be used also for other purposes

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 12 / 16
Specification
V0.15

REQ_069 SA9:0 The source address (SA) is the address uniquely identifying the content
of the response data (data15:0).
SA9:8 are mandatory and shall correspond to the device individual
programmable slave address to allow unique addresses on one SPI
bus with up to four slaves.
SA7 is mandatory
SA6:0 are optional and can be used also for other purposes
Example for the use of SA7:0 for a PSI5 transceiver:
SA7:5 PSI5 channel
SA4:3 PSI5 time slot
SA2:0 PSI5 frame (see PSI5 V2.1 substandard Chassis and
Safety)
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Note: In frame uses only SA9:5.

REQ_070 D The sensor data bit identifying if response contains sensor data or not
(i.e. identifying frame format for response.
S=0: no sensor data
S=1: sensor data format
REQ_071 S1:0 The sensor status bit describes the status of the sensor data within a
data frame response.
00b: valid sensor data
01b: Sensor in any error state or non sensor data available;
Data15:0 may contain any kind of data
11b: sensor in init state; Data15:0 still contains sensor data
10b: free to use, sensor data has to be valid
Note: in frame uses only E0 to distinguish between valid and non valid
sensor data.
REQ_071 DATA15:0 Up to 16bit of sensor data given in 2nd complement. If sensor data is
less than 16bit, data should be aligned on MSB. Unused bits are free to
use.
REQ_072 C2:0 CRC for out-of-frame command and response frames calculated over
bit 31 to 3. See section 4.3 for details.
REQ_073 CC2:0 CRC for in-frame command frames calculated over bit 31 to 5. See
section 4.3 for details.
REQ_074 CR2:0 CRC for in-frame response frames calculated over bit 26 to 3. See
section 4.3 for details.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 13 / 16
Specification
V0.15

4.3 CRC protection

REQ_075 For the in-frame format a 3bit CRC with the polynomial 0x5 (x3 + x1 + x0) is used with a start
value of 111b and a target value of 000b.
REQ_076 For the out-of-frame format a 3bit CRC with the polynomial 0x5 (x3 + x1 + x0) is used with a start
value of 101b and a target value of 000b.
INFO_077 Note that the bits over which the CRC is calculated is not equal for all frame formats. The
following test cases can be used to verify the implementation.

ID protocol 32bit frame CRC result

INFO_078 out-of frame, command/response 0x 00 00 00 03 OK

INFO_079 out-of frame, command/response 0x FF FF FF F8 OK
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

INFO_080 out-of frame, command/response 0x 0F 0F 0F 0A OK

INFO_081 out-of frame, command/response 0x 0F F2 C8 FE OK

INFO_082 in-frame, command 0x 00 00 00 04 OK

INFO_083 in-frame, command 0x FF FF FF F7 OK
INFO_084 in-frame, command 0x 0F 0F 0F 13 OK
INFO_085 in-frame, command 0x 0F F2 C8 E7 OK

INFO_086 in-frame, response 0x 00 00 00 06 OK

INFO_087 in-frame, response 0x FF FF FF FC OK
INFO_088 in-frame, response 0x 0F 0F 0F 0A OK
INFO_089 in-frame, response 0x 0F F2 C8 FE OK

INFO_090 all responses & commands 0x 00 00 00 00 FAIL

INFO_091 all responses & commands 0x FF FF FF FF FAIL
INFO_092 all responses & commands 0x 0F 0F 0F 0F FAIL
INFO_093 all responses & commands 0x 0F F2 C8 FA FAIL

4.4 Example for the use of the target and source address

DEF_094 The following example shows four slaves on a SPI bus, where two support a common CS

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 14 / 16
Specification
V0.15

Sensor Module 2 Sensor Module 1

Demanding unique CS Supporting common CS
Programmed slave addr: 01b Programmed slave addr: 00b
Addr. Sensor 1 Addr. Sensor 2
DataReg: xx000b DataReg: xx001b

Addr. Sensor 1 Addr. Sensor 2 Addr. Sensor 3 Addr. Sensor 4

DataReg: 000b DataReg: 001b DataReg: xx010b DataReg: xx011b
CS1
CS2

MOSI / MISO / SCK

SPI Master
CS4

CS3

ASIC 1 ASIC 2 ASIC x

Demanding unique CS Supporting common CS
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Programmed slave addr: 10b Programmed slave addr: 11b

PSI5 I/F 1

PSI5 I/F 2

PSI5 I/F 3

PSI5 I/F 4

PSI5 I/F 1

PSI5 I/F 2

PSI5 I/F 3

PSI5 I/F 4
Monitoring device

PSI5 Module 1 PSI5 Module 3

P10P-500/3L P20CRC-500/2L
Sensor 1 Sensor 1
TimeSlot: 1 Slot: 1 / Frame 1
Sensor 2 Sensor 2
TimeSlot: 2 Slot: 2 / Frame 1

Sensor 3
PSI5 Module 2 Slot: 1 / Frame 2
P10P-500/3L
Sensor 4
Sensor 1 Slot: 2 / Frame 2
TimeSlot: 3

The following table shows the SPI transfers, which are required to read the sensor data.

Request Response
TA CS D + SA
1 01 000x
Sensor Module 2: Sensor 1 000b CS1 xxxxb Slave 2; channel 0

1 00 000x
Sensor Module 1: Sensor 1 00 000b CS2 xxxxb Slave 1; channel 0
Sensor Module 1: Status 0 00 1011
Register 00 10110b CS2 0xxxb Slave 1; Non sensor data

ASIC 1: Sensor Data PSI5 I/F 1 10 000 00 Slave 3; PSI5 I/F 1; TimeSlot 1; Frame
1 000x xxxx xxb CS3 xxxb n/a
ASIC 1: Sensor Data PSI5 I/F 1 10 000 01 Slave 3; PSI5 I/F 1; TimeSlot 2; Frame
1 000x xxxx xxb CS3 xxxb n/a
ASIC 1: Sensor Data PSI5 I/F 1 10 000 10 Slave 3; PSI5 I/F 1; TimeSlot 3; Frame
1 000x xxxx xxb CS3 xxxb n/a

ASIC 2: Sensor Data PSI5 I/F 11 000x 1 11 000 00

1 xxxxb CS2 000b Slave 4; PSI5 I/F 1; TimeSlot 1; Frame 1
ASIC 2: Sensor Data PSI5 I/F 11 000x 1 11 000 01
1 xxxxb CS2 000b Slave 4; PSI5 I/F 1; TimeSlot 2; Frame 1
ASIC 2: Sensor Data PSI5 I/F 11 000x 1 11 000 00
1 xxxxb CS2 001b Slave 4; PSI5 I/F 1; TimeSlot 1; Frame 2

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 15 / 16
Specification
V0.15

ASIC 2: Sensor Data PSI5 I/F 11 000x 1 11 000 01

1 xxxxb CS2 001b Slave 4; PSI5 I/F 1; TimeSlot 2; Frame 2
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015

 Technical Page 16 / 16
Specification
V0.15

5 Change History

Rev.N° Chapter Description / Changes Date

0.15 All Initial version of this specification for industry review July 30, 2015
All rights including industrial property rights and all rights of disposal such as copying and passing to third parties reserved.

Technical Specification SafeSPI_specification_v0.15_published.doc 30 July 2015