
NXP Semiconductors MPC5777M Safety Manual

NXP Semiconductors MPC5777M
94 pages
Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 11
3.2.2 MCU configuration
Assumption: [SCG18.051] Safety software running on the Safety Core shall check correct initialization of
the MPC5777M before activating the safety-relevant functionality. [end]
NOTE
See the “DCF Client List” table in the “Device Configuration Format (DCF)
Records” chapter of the MPC5777M Reference Manual for details.
See the “IOP applies device settings” section in the “Reset and Boot”
chapter of the MPC5777M Reference Manual for details on the IOP phase
of the boot.
The MCU memory configuration and the JTAG Part ID number can be read in the SSCM_MEMCONFIG
register (JTAG Part ID = SSCM_MEMCONFIG[JPIN]).
This information is normally used for debugging purposes, and is not necessary for the safety function.
Assumption: [SM_FMEDA_006] Application software does not use the JTAG Part ID, nor does it affect
safety critical operations. [end]
With the System Status and Configuration Module (SSCM) it is possible to configure different MCU
behaviors (for example, determine primary and HSM boot vector, abort disable/enable).
Assumption: [SM_FMEDA_008] SSCM shall be configured to trigger an exception in case of any access
to a peripheral slot not used on the device (SSCM_ERROR register). [end]
Assumption: [SM_FMEDA_009] After boot has completed, the application should perform an access to
unimplemented memory space and check for the expected abort to occur. [end]
The FCCU can be configured to trigger an NMI to the Safety Core if a fault is detected. In the case of a
functional reset, this NMI is masked by hardware and is unmasked during BAF execution. The NMI
service routine is executed as soon as the Safety Core is activated.
In the worst case, this flow can cause an unwanted functional reset loop. For example, assume a situation
which cannot be recovered by software, and the NMI service routine can only trigger a functional reset.
After the reset, the BAF unmasks the NMI, which triggers the Safety Core, which in turn causes the NMI to
execute again.
Assumption: Pending FCCU faults shall be cleared before enabling the Safety Core after a functional
reset.
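The reset loop described above, and the effect of clearing pending FCCU faults before the Safety Core is enabled, as a host-side C model. This is an added example, not code from NXP or from the Safety Manual; the struct and function names, the assumption that latched fault flags survive a functional reset, and the saving of the flags before clearing are assumptions of the example, and no MPC5777M register is accessed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed host-side model of the boot flow; no MPC5777M register is touched. */
typedef struct {
    uint32_t fccu_pending; /* latched fault flags; assumed to survive a functional reset */
    uint32_t saved_faults; /* copy kept for later diagnosis (assumption of this example) */
    bool     nmi_masked;
    unsigned resets;       /* functional resets requested by the NMI service routine */
} mcu_model;

/* One boot pass: true if the application is reached, false if the NMI routine reset again. */
static bool boot_pass(mcu_model *m, bool clear_before_enable)
{
    m->nmi_masked = true;      /* hardware masks the NMI on functional reset */
    m->nmi_masked = false;     /* BAF execution unmasks it */
    if (clear_before_enable) { /* the step the assumption requires */
        m->saved_faults |= m->fccu_pending;
        m->fccu_pending = 0;
    }
    /* Safety Core activated: a pending, unmasked NMI is serviced first. */
    if (!m->nmi_masked && m->fccu_pending != 0) {
        m->resets++;           /* the routine can only trigger a functional reset */
        return false;
    }
    return true;
}

/* Starts just after a functional reset with initial_fault latched. Returns the resets
 * taken before the application starts, or -1 if `limit` resets pass without reaching it. */
int resets_until_app(uint32_t initial_fault, bool clear_before_enable, unsigned limit, uint32_t *saved)
{
    mcu_model m = { .fccu_pending = initial_fault };
    int result = -1;
    while (result < 0 && m.resets < limit)
        if (boot_pass(&m, clear_before_enable))
            result = (int)m.resets;
    *saved = m.saved_faults;
    return result;
}

int main(void)
{
    uint32_t saved = 0;
    int loop = resets_until_app(0x1u, false, 5, &saved);
    int ok = resets_until_app(0x1u, true, 5, &saved);
    printf("no clear: %d, clear: %d, saved=0x%x\n", loop, ok, (unsigned)saved);
    return 0;
}
```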
Assumption: [SM_FMEDA_005] FMEDA assumes that the device is properly configured by the DCF
records in the UTEST sector of the flash memory to enable the Hardware Security Module (HSM)
I/O Processor (Core 2) handshaking during the boot phase. [end]
NOTE
See the “Reset sequence flow based on initial device condition” section of
the “Reset and boot” chapter of the MPC5777M Reference Manual for
details.
