Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors  13
3.2.4 Start-up configuration check
During boot, start-up software is not executed on the Safety Core.
Assumption: [SM_FMEDA_017]Safety software running on the Safety Core shall check correct 
initialization of the MPC5777M before activating the safety-relevant functionality. This check shall not be 
executed on the core executing the start-up software. [end] 
3.2.5 Dual core lockstep mode
The MPC5777M device operates in delayed lockstep mode (LSM) to allow the highest safety level to be 
reached. The Checker Core will receive all inputs delayed by two clock cycles. Outputs of the 
Checker Core will be compared with outputs of the Master Core. Any differences will be flagged as an 
error which will be processed by the FCCU.
For safety operation, the LOCKSTEP_EN bit in the flash memory UTEST miscellaneous DCF client must 
not be set to disabled. If the LSM is disabled, the Checker Core and the Redundancy Checker Control 
Units (RCCUs) are disabled. This triggers a fault indication to the FCCU. The Checker Core will not work 
independently from the Master Core. No dynamic switching is possible between LSM on and LSM off 
(any change to the LOCKSTEP_EN bit will only take effect after the next reset).
Before starting safety-relevant operations, the application software shall check that lockstep mode is 
enabled (confirm MC_ME_CS[S_CORE1] = 1 (master) and MC_ME_CS[S_CORE2] = 1 (checker), 
confirm that no failure is signalled on alarm #51, for example) and configure the FCCU to react to lockstep 
disablement.
Assumption: [SCG18.027]Before starting safety-relevant operations, the application software shall check 
that lockstep mode is enabled (for example, confirm MC_ME_CS[S_CORE1] = 1 (core_0, master) and 
MC_ME_CS[S_CORE2] = 1 (core_0s, checker), and no failure is signalled on FCCU fault 51 (Lockstep 
mode)), then configure the FCCU to react to lockstep disablement. [end]
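As an added illustration (not code from the safety manual or from NXP), the C function below evaluates the three conditions listed in the assumption on a snapshot of the status registers read by the Safety Core. The S_CORE1/S_CORE2 bit positions in MC_ME_CS and the 32-faults-per-word layout of the FCCU fault status registers are placeholders assumed here; take the real values from the MPC5777M reference manual.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Snapshot of the status registers read on the Safety Core (constructed for this example). */
typedef struct {
    uint32_t mc_me_cs;      /* MC_ME_CS core status register value */
    uint32_t fccu_rf_s[4];  /* FCCU fault status words; ASSUMED: fault n lives in word n/32, bit n%32 */
} startup_status_t;

/* ASSUMED placeholder bit positions for S_CORE1 / S_CORE2 in MC_ME_CS;
 * replace with the positions given in the MPC5777M reference manual. */
#define MC_ME_CS_S_CORE1_BIT 1u   /* core_0, master */
#define MC_ME_CS_S_CORE2_BIT 2u   /* core_0s, checker */
#define FCCU_FAULT_LOCKSTEP  51u  /* FCCU fault 51 "Lockstep mode", as named in the manual */

/* Each failed condition sets its own flag so the caller can record exactly what blocked start-up. */
enum {
    LS_CHECK_OK         = 0u,
    LS_MASTER_INACTIVE  = 1u << 0,
    LS_CHECKER_INACTIVE = 1u << 1,
    LS_FAULT51_PENDING  = 1u << 2
};

static bool fccu_fault_pending(const startup_status_t *s, unsigned fault)
{
    return ((s->fccu_rf_s[fault / 32u] >> (fault % 32u)) & 1u) != 0u;
}

/* Returns LS_CHECK_OK only when every condition of [SCG18.027] holds. */
unsigned lockstep_check(const startup_status_t *s)
{
    unsigned result = LS_CHECK_OK;
    if (((s->mc_me_cs >> MC_ME_CS_S_CORE1_BIT) & 1u) == 0u) result |= LS_MASTER_INACTIVE;
    if (((s->mc_me_cs >> MC_ME_CS_S_CORE2_BIT) & 1u) == 0u) result |= LS_CHECKER_INACTIVE;
    if (fccu_fault_pending(s, FCCU_FAULT_LOCKSTEP))          result |= LS_FAULT51_PENDING;
    return result;
}

int main(void)
{
    /* Constructed snapshots: both cores active with no fault, then the same with fault 51 pending. */
    startup_status_t ok  = { .mc_me_cs = (1u << MC_ME_CS_S_CORE1_BIT) | (1u << MC_ME_CS_S_CORE2_BIT) };
    startup_status_t bad = ok;
    bad.fccu_rf_s[FCCU_FAULT_LOCKSTEP / 32u] |= 1u << (FCCU_FAULT_LOCKSTEP % 32u);
    printf("ok snapshot -> 0x%x, fault-51 snapshot -> 0x%x\n", lockstep_check(&ok), lockstep_check(&bad));
    /* Only on LS_CHECK_OK would the application go on to configure the FCCU lockstep reaction. */
    return lockstep_check(&ok) == LS_CHECK_OK ? 0 : 1;
}
```

Because the result is a bitmask rather than a single boolean, a failed start-up check can be logged with the specific condition that failed, which is what a field return or fault analysis needs.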
3.2.6 FCCU fault reaction configuration
The Fault Collection and Control Unit (FCCU) collects faults and manages the reaction to these faults. A 
mechanism is usually provided to allow software to check the integrity of the different error paths. Most 
reactions are disabled at boot time so software configuration is required. Refer to Section 2.7, Failure 
handling for the valid FCCU fault reactions.
Assumption: [SM_FMEDA_018]Application software shall check the FCCU configuration once after 
programming. [end]
The FCCU is checked by the FCCU Output Supervision Unit (FOSU) which provides a secondary path 
for the failure indication and reports to the Reset Generation Module (MC_RGM). The FOSU only causes 
a reset if the FCCU fails to react to an enabled incoming fault within a fixed time interval 
(8000 IRCOSC cycles). The FOSU does not require software configuration. While the FCCU is in its 
CONFIG state, the FOSU does not monitor the FCCU for faults or the resulting reaction.
Assumption: Application software shall check and clear any pending faults when it moves the FCCU out 
of the CONFIG state.