Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors
Assumption: [SM_FMEDA_019] Before starting safety-relevant operations, software must configure the 
fault reactions to each fault that is safety-relevant for the application. [end]
To configure the fault reaction to each fault, the FCCU state machine is placed in the CONFIG state. Safety 
analysis assumes that the CONFIG state of the FCCU is not a Safe state_MCU.
To avoid a stuck condition in the CONFIG state due to a failure, the FCCU implements an internal 
watchdog which, in case of a timeout condition, automatically transitions the FCCU state machine from 
CONFIG to NORMAL state and restores default values of the configuration registers (see section “FCCU 
CFG Timeout Register (FCCU_CFG_TO)” in the MPC5777M Reference Manual). 
NOTE
Implementation hint: Software must program the FCCU configuration 
registers (for example, FCCU_RFS_CFGn, FCCU_NMI_ENn, 
FCCU_EOUT_SIG_ENn) to configure the fault reaction of each fault. 
These registers are writable only if the FCCU is in the CONFIG state.
Assumption: [SM_FMEDA_020] The integrity of the entire error reaction path shall be verified at least 
once after the boot. [end]
NOTE
Different approaches to verify the functionality of the error reaction paths 
can be used. Some error reaction paths are checked during LBIST and don’t 
require the development of additional software, whereas others require 
application software.
The table “FCCU failure inputs” in the “Functional Safety” chapter of 
the MPC5777M Reference Manual shows the suggested approach for each 
FCCU failure input.
The FCCU will come out of reset with most of the failure inputs disabled. Failures which occur during 
boot will, for the most part, not be acknowledged by the FCCU as a failure. To check whether such errors 
have occurred, SW can read the FCCU failure status registers for any latched error and act on the status of 
those bits accordingly (FCCU_RF_S[0:3]).
NOTE
The MPC5777M Reference Manual’s “FCCU failure inputs” table in the 
“Functional Safety” chapter lists failure sources, associated FCCU channels 
and how they can be tested.
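The two software checks described above (reading FCCU_RF_S[0:3] for faults latched during boot, and confirming that the reaction configuration written in CONFIG state actually survived the CONFIG watchdog timeout) as an added C example; this is not code from the Safety Manual or from NXP, and the register struct layout, the one-bit-per-fault masks and the sample snapshot are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed, simplified view of the FCCU registers named on this page. Real code
 * maps them at the FCCU base address given in the Reference Manual; the layout
 * here (one bit per fault input, four 32-bit words) is an assumption. */
struct fccu_regs {
    uint32_t rf_s[4];        /* FCCU_RF_S[0:3]: latched fault status, 1 = latched */
    uint32_t nmi_en[4];      /* FCCU_NMI_ENn: NMI reaction enable per fault */
    uint32_t eout_sig_en[4]; /* FCCU_EOUT_SIG_ENn: error-out pin reaction enable */
};

/* Reaction configuration the application intends for its safety-relevant faults. */
struct fccu_reaction_cfg {
    uint32_t relevant[4];    /* fault inputs treated as safety-relevant */
    uint32_t nmi_en[4];
    uint32_t eout_sig_en[4];
};

/* Post-boot check: count faults latched while the FCCU inputs were still mostly
 * disabled. latched[] receives the relevant latched bits per status word. */
size_t fccu_boot_latched_faults(const struct fccu_regs *r,
                                const struct fccu_reaction_cfg *cfg, uint32_t latched[4])
{
    size_t count = 0;
    for (size_t i = 0; i < 4; i++) {
        latched[i] = r->rf_s[i] & cfg->relevant[i];
        for (uint32_t b = latched[i]; b != 0; b &= b - 1) count++;  /* popcount */
    }
    return count;
}

/* Read-back after leaving CONFIG state: if the CONFIG watchdog timed out, the
 * FCCU restored default register values and the intended reactions are absent. */
bool fccu_reaction_cfg_verified(const struct fccu_regs *r, const struct fccu_reaction_cfg *cfg)
{
    for (size_t i = 0; i < 4; i++) {
        uint32_t m = cfg->relevant[i];
        if ((r->nmi_en[i] & m) != (cfg->nmi_en[i] & m)) return false;
        if ((r->eout_sig_en[i] & m) != (cfg->eout_sig_en[i] & m)) return false;
    }
    return true;
}

/* Constructed sample snapshot: faults 0 and 2 latched during boot; NMI wanted on
 * fault 0, error-out pin on fault 2. */
const struct fccu_regs sample_regs = { .rf_s = {0x5u}, .nmi_en = {0x1u}, .eout_sig_en = {0x4u} };
const struct fccu_reaction_cfg sample_cfg = { .relevant = {0x7u}, .nmi_en = {0x1u}, .eout_sig_en = {0x4u} };
```

A failed read-back should be treated like any other failure of the error reaction path: the device is not yet in a state where safety-relevant operation may start.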
The error indication on pins FI[0] and FI[1] is controlled by the SIUL2 and FCCU. The field 
SIUL2_MSCR[SMC] can be configured to have the output buffer disabled when the MPC5777M enters 
Safe mode (for example, for FI[0], SIUL2_MSCR27[SMC] = 0, and for FI[1], 
SIUL2_MSCR34[SMC] = 0). The FCCU_CFG register is used to configure other FI[n] options like signal 
polarity, switching mode, software control, and so on.
Assumption: [SM_FMEDA_124] It is assumed that whenever error indication is enabled on FI[n], the 
SMC bit in the associated MSCR register is always programmed to 1 with register access protection enabled. 
[end]