Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors12
From an application standpoint this means:
1. Do not activate the Safety Core automatically during or after the BAF.
2. Initialize the FCCU (may be preceded by a software reset of the FCCU).
3. Activate the Safety Core.
3.2.3 Mode Entry (MC_ME)
To overcome faults in the wakeup and interrupt inputs to the MC_ME, the following is assumed if the
application uses Low Power mode (LP):
• Assumption: [SM_FMEDA_010] The duration in LP mode is monitored. If the system does not
wake up within a specified time frame, the system will be reset by the monitor (for example, SWT
can provide the time monitoring). [end]
• Assumption: [SM_FMEDA_011]Software will perform a test of entry and exit to and from LP
mode at startup. [end]
An incorrect clock source as the system clock could be selected due to faults, resulting in multiple faults.
In order to improve detection of such faults, and the effect by the clock monitors:
• Assumption: [SM_FMEDA_012]It is assumed that the nominal frequency of different clock
sources that are available as the system clock have different frequencies. [end]
The mode configuration registers of MC_ME take effect only when the mode transition request is initiated.
Thus, instead of the configuration registers the global status register should be CRCed (if configuration
register CRCing is done) as that represents the current state.
Assumption: [SM_FMEDA_013] Application software shall check the target mode configuration
immediately before issuing a mode transition request. [end]
Assumption: [SM_FMEDA_014] In order to check that a mode transition has been correctly executed,
after initiating a mode transition request, software shall verify the mode transition status within the
expected completion delay. Also, the new configuration is compared with the intended configuration. This
does not apply if the target mode transition is to LP mode. [end]
NOTE
The MC_ME implements a register to request a mode transition and
registers that report the status of the transition (for example,
MC_ME_MCTL to request mode transitions, MC_ME_IMTS to provide
the cause of an invalid mode interrupt, and MC_ME_DMTS to show the
status of the mode transition).
The monitoring and types of reactions can be enabled in the FCCU for the following fault inputs
1
:
• [SM_FMEDA_015]Compensation disable (FCCU ch 53)[end]
• [SM_FMEDA_016]SAFE mode (FCCU ch 52)[end]
1.See the “Module classification” table in the MPC5777M Reference Manual’s “Functional Safety” chapter for spe-
cific module safety classification.
To Next Page
Loading...
