Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors18
be due to faults affecting the reporting path for MEMU or STCU2 logic. (notice that STCU2 is not part of
any LBIST partition and only a pass/fail flag is available). [end]
Assumption: [SCG18.031]After start-up and before the safety application starts, application software
shall confirm that all LBISTs and MBISTs finished successfully, MISRs contain the expected values, and
no critical failure is flagged. The critical failures may include LBIST failures, MBIST MBEs, MBIST
SBEs exceeding the maximum tolerated number (<= 8 due to MEMU buffer size) and self-test failures.
[end]
NOTE
See the “Off-Line Self-Test Sequence” section in the MPC5777M Reference
Manual for details about test sequencing and completion validation.
The STCU2, as well as LBIST and MBIST controllers, are themselves subject to failures, which may
prevent self-tests from executing correctly (for example, no self-test execution, or execution of the wrong
algorithm). For latent faults affecting LBIST execution, checking the MISR register upon LBIST
completion is considered sufficient. For MBIST only a pass/fail flag is provided (besides the collection of
detected MBIST errors in the MEMU).
The following must be followed to improve the detection of latent faults, particularly those affecting
correct MBIST execution:
• Recommendation: LBIST should be scheduled before MBIST since LBISTs also cover the logic
running memory self-tests and the MEMU BIST error collection logic/buffers; this will help to
detect latent faults responsible for the wrong or incomplete execution of memory self tests or
wrong reporting of their results.
• Recommendation: The STCU2 CRC feature should be enabled to check that the signals
exchanged between the STCU2 and MBIST/LBIST controllers are correct (for example, STCU2
commands and LBIST/MBIST responses).
NOTE
The expected signature depends on the sequence of tests. Customers can
determine the expected signature by running the desired sequence of tests
and reading the resulting CRC upon test completion. One signature must be
computed for each test sequence (for example, one for the start-up test
sequence and one for each on-line test performed).
As far as the STCU2 error reaction path is concerned, the following are given:
• Assumption: [SM_FMEDA_027] SW will check the integrity of the STCU2 Unrecoverable
Fault/Recoverable Fault (UF/RF) error lines that signal the FCCU and the MC_RGM (UF only)
via the fake error injection register interface provided by STCU2. Before running the test, FCCU
and MC_RGM shall be configured in order not to cause undesired reaction. [end]
• Recommendation: During the execution of the safety function, and when no on-line self-test is
requested, software should disable the FCCU and MC_RGM reactions to STCU2 UF/RF error
indications to avoid false trip to the safe state or interference in case of unexpected error
indications.
To Next Page
Loading...
