Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors
(MC_RGM) increments a counter for each functional reset that occurs. When the number of functional 
resets reaches the value programmed in MC_RGM_FRET, the MC_RGM escalates and initiates a destructive 
reset. The counter is cleared by software, by a destructive reset, or by a start-up reset.
A similar mechanism in the MC_RGM detects a loop of continuous destructive resets. When the destructive 
reset counter reaches the value programmed in MC_RGM_DRET, the MCU is held in reset until the next 
power-on reset. The destructive reset counter is cleared by software or by a power-on reset. 
Assumption: [SCG18.028] Safety software will reset the functional and destructive reset counters every 
time it has finished checking its environment (for example, before making the Fn pin active). [end] The 
MC_RGM_FRET (functional reset counter) and MC_RGM_DRET (destructive reset counter) registers 
allow the user to select the number of functional and destructive resets that can occur before action is taken 
(see “Reset Generation Module (MC_RGM)” in the MPC5777M Reference Manual for details).
Assumption: [SM_FMEDA_022] Software shall enable functional reset escalation for the condition when 
multiple functional resets occur consecutively. [end]
NOTE
Functional reset escalation is enabled by writing a non-zero value to the 
MC_RGM_FRET register (see “Reset Generation Module (MC_RGM)” in the 
MPC5777M Reference Manual). A value of zero leaves escalation disabled.
Reset escalation is a hardware mechanism that provides protection against a loop of continuous resets. The 
interval between the resets of such a loop can be so short that the application software has no time to take 
any action to manage them. Longer reset cycles, in which software runs for some time before the next reset, 
must be managed by the application software itself.
Assumption: [SCG18.029] Before clearing the reset counters of the escalation mechanism, the safety 
software shall ensure that longer reset cycles can be detected by the software. [end]
NOTE
There are various methods to implement this requirement. For example, 
safety software, before clearing the reset counters, reads and saves the 
FCCU error status indication (whether any faults were found) and compares 
it with the previously saved values. If too many resets due to faults are 
observed, software can react by triggering a destructive reset.
For some events, the MC_RGM can be configured to react not with a functional reset but with a transition 
to SAFE mode (see the description of MC_RGM_FEAR in the MPC5777M Reference Manual). 
In that case, at least one watchdog shall be kept enabled. If this watchdog times out, the FCCU shall move 
the MCU into one of its safe states.
Assumption: [SCG18.030] If the MC_RGM is configured to react with a transition into SAFE mode, at 
least one watchdog timer shall remain enabled. The FCCU shall be configured to react to a timeout of this 
watchdog with a long functional reset or driving the error out signals to a fault condition. [end]
Assumption: [SM_FMEDA_023] Software will read the reset status after boot, ensuring that a reset 
cause is indicated. Software will then clear the register and read back the value, verifying that it is actually 
cleared. [end]
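The following C model, added here as an illustration and not part of the NXP manual or any NXP software, ties together the three software duties on this page: enabling escalation and clearing the counters after the environment check (SM_FMEDA_022, SCG18.028), detecting longer reset cycles from saved FCCU status before clearing (SCG18.029), and the boot-time read, clear and read-back of the reset status (SM_FMEDA_023). The register struct, its write-1-to-clear behaviour, the separate counter fields, the `status_stuck` fault injection, the `ESCALATION_CAUSE` bit and the retained-RAM history record are assumptions of this model, not the MPC5777M register map; the real registers are described in the Reference Manual.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the MC_RGM escalation logic (assumption, not the real
 * register layout). Status registers are write-1-to-clear in this model. */
typedef struct {
    uint32_t fes;        /* functional reset event status (W1C in this model) */
    uint32_t des;        /* destructive reset event status (W1C in this model) */
    uint32_t fret;       /* functional escalation threshold, 0 = disabled */
    uint32_t dret;       /* destructive escalation threshold, 0 = disabled */
    uint32_t fcount;     /* functional resets since last clear (hardware-internal) */
    uint32_t dcount;     /* destructive resets since last clear (hardware-internal) */
    bool held_in_reset;  /* destructive counter reached DRET; only POR releases */
    bool status_stuck;   /* fault injection: status register ignores the clear */
} rgm_model_t;

enum reset_kind { RESET_FUNCTIONAL, RESET_DESTRUCTIVE, RESET_HELD };
enum boot_result { BOOT_OK, BOOT_STATUS_FAULT, BOOT_ESCALATED };
#define ESCALATION_CAUSE (1u << 31)      /* assumed cause bit for escalated resets */
#define HISTORY_MAGIC    0x52455354u     /* marks an initialised history record */

/* SM_FMEDA_022: escalation is only active with a non-zero FRET. */
bool rgm_enable_escalation(rgm_model_t *r, uint32_t fret, uint32_t dret)
{
    if (fret == 0)
        return false;
    r->fret = fret;
    r->dret = dret;
    return true;
}

/* Hardware behaviour on a destructive reset: count it, hold in reset at DRET. */
enum reset_kind rgm_destructive_reset(rgm_model_t *r, uint32_t cause_bit)
{
    r->des |= cause_bit;
    r->fcount = 0;                       /* destructive reset clears the functional counter */
    if (r->dret != 0 && ++r->dcount >= r->dret) {
        r->held_in_reset = true;         /* loop of destructive resets: wait for POR */
        return RESET_HELD;
    }
    return RESET_DESTRUCTIVE;
}

/* Hardware behaviour on a functional reset: count it, escalate at FRET. */
enum reset_kind rgm_functional_reset(rgm_model_t *r, uint32_t cause_bit)
{
    r->fes |= cause_bit;
    if (r->fret == 0 || ++r->fcount < r->fret)
        return RESET_FUNCTIONAL;
    return rgm_destructive_reset(r, ESCALATION_CAUSE);
}

/* SCG18.028: software clears both counters once its environment checks passed. */
void rgm_clear_escalation_counters(rgm_model_t *r)
{
    r->fcount = 0;
    r->dcount = 0;
}

/* SM_FMEDA_023: read status, require a flagged cause, clear, read back.
 * Returns false if no cause was indicated or the clear did not take effect. */
bool rgm_boot_check_reset_status(rgm_model_t *r, uint32_t *fes_out, uint32_t *des_out)
{
    uint32_t fes = r->fes, des = r->des;
    *fes_out = fes;
    *des_out = des;
    if (fes == 0 && des == 0)
        return false;                    /* every reset must leave a cause behind */
    if (!r->status_stuck) {              /* W1C: writing back the read value clears it */
        r->fes &= ~fes;
        r->des &= ~des;
    }
    return r->fes == 0 && r->des == 0;   /* read back and verify */
}

/* SCG18.029: record kept in memory assumed to survive functional resets;
 * start-up code is assumed to wipe it (magic != HISTORY_MAGIC) after POR. */
typedef struct {
    uint32_t magic;
    uint32_t fault_resets;   /* consecutive boots that found an FCCU fault */
    uint32_t last_fccu;      /* FCCU status saved from the previous boot */
} reset_history_t;

/* True if the escalation counters may be cleared; false if software must escalate. */
bool reset_cycle_check(reset_history_t *h, uint32_t fccu_status, uint32_t limit)
{
    if (h->magic != HISTORY_MAGIC) {     /* first boot since the record was wiped */
        h->magic = HISTORY_MAGIC;
        h->fault_resets = 0;
        h->last_fccu = 0;
    }
    if (fccu_status != 0)
        h->fault_resets++;
    else
        h->fault_resets = 0;             /* a fault-free boot ends the cycle */
    h->last_fccu = fccu_status;
    return h->fault_resets < limit;
}

/* Boot sequence: status check, reset-cycle check, then clear or escalate. */
enum boot_result safety_boot(rgm_model_t *r, reset_history_t *h, uint32_t fccu_status, uint32_t limit)
{
    uint32_t fes, des;
    if (!rgm_boot_check_reset_status(r, &fes, &des))
        return BOOT_STATUS_FAULT;        /* caller treats the status path as faulty */
    if (!reset_cycle_check(h, fccu_status, limit)) {
        rgm_destructive_reset(r, ESCALATION_CAUSE);   /* software-triggered escalation */
        return BOOT_ESCALATED;
    }
    rgm_clear_escalation_counters(r);
    return BOOT_OK;
}
```

Clearing `fault_resets` on a fault-free boot is a design choice of this model: it counts only consecutive faulty boots, so a single recovered fault does not accumulate toward the software limit. A stricter policy would keep a windowed count instead. The `status_stuck` flag exists only so the read-back check can be shown catching a clear that did not take effect.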