Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 15
The FCCU together with the INTC, can lead to cyclic reset. For example consider the following situation:
1. Error indication arrives at FCCU
2. FCCU triggers IRQ
3. SW analyzes fault and causes a reset
4. MCU comes out of reset and hands over to SW
5. SW configures INTC
6. SW gets the same IRQ again (because FCCU still holds the IRQ line), analyzes fault and causes a
reset ad infinitum (or rather till the reset escalator engages and causes a destructive reset).
To avoid this situation the following assumption is considered.
Assumption: [SCG18.500]It is assumed that FCCU pending fault status should be cleared before the
INTC is configured. [end]
Since the NMI is edge triggered, even if it is kept active during a functional reset until the fault status is
cleared, it will not interrupt the Safety Core and the described cyclic reset can't be seen.
Assumption: [SCG18.900]If the clock driving the FCCU (IRCOSC) fails, software must find other ways
to signal an error other than using the FCCU control of the error output pin(s) (FI[n]). [end]
NOTE
There are different methodologies that could be used to satisfy this
assumption. For example, issuing a reset, or switching FI[n] pin control to a
GPIO and using it to drive an error signal instead of using FI[n].
Assumption: [SCG18.901] If the FCCU uses NMI as a failure reaction, the Safety Core will not be
enabled after a reset during the first mode transition of the MC_ME module but earliest at the second
transition which will initiated earliest several IRCOSC cycles after the first. [end]
Unwanted activation of LBIST/MBIST causes a violation of the safety goal.
Assumption: [SM_FMEDA_028] Software shall always enable FCCU reactions to error events indicating
unexpected STCU2 activations. [end]
3.2.7 Reset Generation Module (MC_RGM)
The MC_RGM is the central point for resetting the MCU. One of its tasks is to prevent reset cycling caused
by reset escalation. It also can transition to SAFE mode. The SAFE mode has not been considered a Safe
state
MCU
during safety analysis.
Permanent cycling through otherwise safe states or permanent cycling between a safe state and an unsafe
state is considered a violation of the safety goal. Specifically, this scenario relates to a continuous
Reset – Start, Operation – Reset or Reset – Self-test – Reset sequence. Allowing such cycles would be
problematic as it would allow an unlimited number of attempts of the test that is causing the cycle which
could possibly endanger its ability to detect device failures.
To detect a loop of continuous functional resets, the MPC5777M supports functional reset escalation
which can be used to generate a destructive reset if the number of functional resets reaches the
programmed value. Once the functional reset escalation is enabled, the Reset Generation Module
To Next Page
Loading...
