Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 21
Assumption: [SCG18.151] A margin read test should be executed after a new single-bit error correction
has occurred in flash memory. The margin read test does not need immediate execution, but it needs to be
run within the next few trip cycles. Multiple single-bit errors can be the first indications of a data retention
problem that could have the potential of causing multi-bit errors. [end] The MEMU can be used to store
the address of the location reporting the error event.
NOTE
Implementation hint: Refer to the MPC5777M Reference Manual’s “User
margin read” section of the “Embedded Flash Memory (c55fmc)” chapter
for details.
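The scheduling policy behind [SCG18.151] (run the margin read after a corrected single-bit error, not immediately but within the next few trip cycles, keeping the reported address in the meantime) is easy to get wrong in application code, so the following is an added illustration of it. It is not code from the Safety Manual or from NXP: the deadline of three trip cycles, the log depth, the `margin_read_fn` callback standing in for the device-specific user margin read sequence, and the "weak cell" address used by the simulated margin read are all constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumption: "within the next few trip cycles" is taken as three. */
#define MARGIN_READ_DEADLINE_CYCLES 3u
#define SBE_LOG_DEPTH 8u   /* addresses kept until the margin read runs (assumed) */

typedef enum { MRS_IDLE = 0, MRS_PASS, MRS_FAIL, MRS_LOG_OVERFLOW } mrs_result_t;

/* Hypothetical hook around the device's user margin read of one flash
 * location; returns true when the location still reads back with margin. */
typedef bool (*margin_read_fn)(uint32_t flash_addr);

typedef struct {
    bool         pending;               /* a margin read is owed */
    uint32_t     cycles_left;           /* trip cycles left before it must run */
    uint32_t     addr[SBE_LOG_DEPTH];   /* addresses reported by the correction events */
    uint32_t     n_addr;
    bool         log_overflow;          /* an address was lost: whole block must be checked */
    uint32_t     runs;                  /* margin reads executed so far */
    mrs_result_t last_result;
} margin_read_sched_t;

void mrs_init(margin_read_sched_t *s)
{
    s->pending = false; s->cycles_left = 0; s->n_addr = 0;
    s->log_overflow = false; s->runs = 0; s->last_result = MRS_IDLE;
}

/* Call from the single-bit ECC correction event handler with the address
 * the error reporting logic (e.g. the MEMU) holds for the event. */
void mrs_on_sbe_corrected(margin_read_sched_t *s, uint32_t flash_addr)
{
    bool known = false;
    for (uint32_t i = 0; i < s->n_addr; i++)
        if (s->addr[i] == flash_addr) known = true;   /* repeated hits on one cell: log once */
    if (!known) {
        if (s->n_addr < SBE_LOG_DEPTH) s->addr[s->n_addr++] = flash_addr;
        else s->log_overflow = true;
    }
    if (!s->pending) { s->pending = true; s->cycles_left = MARGIN_READ_DEADLINE_CYCLES; }
}

/* Call once per trip cycle. time_available says the application can afford
 * the test now; on the last allowed cycle the test runs regardless.
 * Returns true when the margin read was executed in this cycle. */
bool mrs_on_trip_cycle(margin_read_sched_t *s, bool time_available, margin_read_fn run)
{
    if (!s->pending) return false;
    if (!time_available && s->cycles_left > 1u) { s->cycles_left--; return false; }
    bool all_ok = true;
    for (uint32_t i = 0; i < s->n_addr; i++)
        if (!run(s->addr[i])) all_ok = false;
    s->runs++;
    s->last_result = s->log_overflow ? MRS_LOG_OVERFLOW : (all_ok ? MRS_PASS : MRS_FAIL);
    s->pending = false; s->n_addr = 0; s->log_overflow = false; s->cycles_left = 0;
    return true;
}

/* Constructed stand-in for the device margin read: one chosen address fails. */
#define SIM_WEAK_CELL_ADDR 0x00F9A010u
bool sim_margin_read(uint32_t flash_addr) { return flash_addr != SIM_WEAK_CELL_ADDR; }

int main(void)
{
    margin_read_sched_t s; mrs_init(&s);
    mrs_on_sbe_corrected(&s, SIM_WEAK_CELL_ADDR);
    while (!mrs_on_trip_cycle(&s, false, sim_margin_read)) { }   /* deferred until the deadline cycle */
    return s.last_result == MRS_FAIL ? 0 : 1;
}
```

A result of `MRS_FAIL` or `MRS_LOG_OVERFLOW` is the point at which the application's data-retention handling (a margin read of the whole affected block, or its programmed fault reaction) takes over; the scheduler only guarantees the deadline and keeps the addresses.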
3.2.11 Voltage monitor configuration
To assist in maintaining functional safety, the Power Management Controller (PMC) monitors various
supply voltages of the MPC5777M device. The “POR and voltage monitors description” table in the
“Power management” chapter of the MPC5777M Reference Manual shows a detailed list of the LVDs and
HVDs embedded in the MPC5777M.
Apart from the self-test, the use of the PMC for ASIL D applications is transparent to the user because the
operation of the PMC is automatic (see SM_FMEDA_037 below, on page 21).
PMC failures primarily report to the MC_RGM. Since failures of safety-relevant voltages have the potential to
disable the failure indication mechanisms of the MPC5777M (the FCCU and its error out signals), their
error indication directly causes a transition into Safe state_MCU by reset. Additionally, LVDs and HVDs
also report errors to the FCCU, but under the recommended configuration (MCU reset by MC_RGM
enabled) this FCCU path is irrelevant, because the reset takes effect before any FCCU reaction.
Assumption: Software shall not disable the direct transition into a safe state due to an overvoltage or
undervoltage indication.
The customer can, at their own risk, disable the direct triggering of resets by the MC_RGM and rely on
the FCCU reactions to overvoltage and undervoltage, even when the FCCU is configured for IRQs as the
reaction. In general, the FCCU reaction (clocked by the IRCOSC) will take more time than the MC_RGM
reaction (asynchronous). So, if the FCCU is to trigger an IRQ reaction, there is an increased probability
that a fast voltage drop could cause a brownout condition on the device before a reaction occurs. If IRQs
are selected as the FCCU reaction, there is no guarantee that overvoltage or undervoltage will be detected
with the claimed Diagnostic Coverage, and the safety analysis (FMEDA) of the MCU will not be valid
with respect to this failure mode.
To check the LVDs and HVDs for latent faults that could impact their ability to trigger correctly when
an undervoltage or overvoltage situation occurs, it is assumed that two software self-tests are executed
during startup.
Assumption: [SM_FMEDA_037] Reference voltages, and input voltages of LVDs/HVDs, shall be
acquired using the ADC. The conversion values shall be compared with the expected ADC values. The
application software shall then initiate the hardware-assisted self-test to detect LVD/HVD failures after start-up.
[end]
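The following is an added illustration of the two-step startup check described by [SM_FMEDA_037]: first convert the monitor reference and input nodes with the ADC and compare each against its expected value, then, only if that plausibility check passes, start the hardware-assisted LVD/HVD self-test. It is not code from the Safety Manual or from NXP. The ADC resolution and reference, the channel numbers, the expected voltages and tolerance windows in `VMON_CHECKS`, the `adc_read_fn` and `hw_selftest_fn` callbacks standing in for the device registers, and the simulated ADC readings are all constructed assumptions; the real node list and values come from the MPC5777M Reference Manual and the board design.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define ADC_FULL_SCALE_COUNTS 4095u   /* assumption: 12-bit conversion result */
#define ADC_VREF_MV           3300u   /* assumption: 3.3 V ADC reference */

/* Hypothetical hooks: one ADC conversion on a channel, and the start of the
 * hardware-assisted LVD/HVD self-test (true = all monitors passed). */
typedef uint16_t (*adc_read_fn)(uint8_t channel);
typedef bool     (*hw_selftest_fn)(void);

typedef struct {
    const char *name;
    uint8_t  channel;        /* ADC input the monitor node is routed to */
    uint16_t expected_mv;    /* value expected at a healthy start-up */
    uint16_t tolerance_mv;   /* accepted window: expected +/- tolerance */
} vmon_check_t;

/* Constructed table; real entries come from the reference manual and board design. */
static const vmon_check_t VMON_CHECKS[] = {
    { "LVD/HVD reference (bandgap)", 3, 1200u, 40u },
    { "core LVD input",              4, 1250u, 60u },
    { "I/O HVD input (1:2 divided)", 5, 1650u, 80u },
};
#define VMON_N (sizeof VMON_CHECKS / sizeof VMON_CHECKS[0])

typedef enum { VMON_OK = 0, VMON_ADC_PLAUSIBILITY_FAIL, VMON_HW_SELFTEST_FAIL } vmon_status_t;

uint32_t adc_counts_to_mv(uint16_t counts)
{
    return ((uint32_t)counts * ADC_VREF_MV) / ADC_FULL_SCALE_COUNTS;
}

/* Step 1: returns a bitmask of VMON_CHECKS entries outside their window (0 = all plausible).
 * A saturated conversion is treated as a failure: it says nothing about the node. */
uint32_t vmon_check_all(adc_read_fn read)
{
    uint32_t fail_mask = 0;
    for (size_t i = 0; i < VMON_N; i++) {
        const vmon_check_t *c = &VMON_CHECKS[i];
        uint16_t counts = read(c->channel);
        if (counts >= ADC_FULL_SCALE_COUNTS) { fail_mask |= 1u << i; continue; }
        int32_t err = (int32_t)adc_counts_to_mv(counts) - (int32_t)c->expected_mv;
        if (abs(err) > (int32_t)c->tolerance_mv) fail_mask |= 1u << i;
    }
    return fail_mask;
}

/* Steps 1 and 2 in order: a monitor whose reference or input is already off
 * cannot be trusted to pass a meaningful hardware self-test. */
vmon_status_t vmon_startup_selftest(adc_read_fn read, hw_selftest_fn hw_test)
{
    if (vmon_check_all(read) != 0) return VMON_ADC_PLAUSIBILITY_FAIL;
    if (!hw_test()) return VMON_HW_SELFTEST_FAIL;
    return VMON_OK;
}

/* Constructed ADC and self-test stand-ins so the check runs off-target. */
static uint16_t mv_to_counts(uint32_t mv)
{
    return (uint16_t)((mv * ADC_FULL_SCALE_COUNTS + ADC_VREF_MV / 2) / ADC_VREF_MV);
}
uint16_t sim_adc_healthy(uint8_t ch)
{
    for (size_t i = 0; i < VMON_N; i++)
        if (VMON_CHECKS[i].channel == ch) return mv_to_counts(VMON_CHECKS[i].expected_mv);
    return 0;
}
uint16_t sim_adc_ref_collapsed(uint8_t ch)   /* bandgap node reads 0.9 V instead of 1.2 V */
{
    return ch == 3 ? mv_to_counts(900u) : sim_adc_healthy(ch);
}
bool sim_hw_selftest_pass(void) { return true; }
bool sim_hw_selftest_fail(void) { return false; }

int main(void)
{
    return vmon_startup_selftest(sim_adc_healthy, sim_hw_selftest_pass) == VMON_OK ? 0 : 1;
}
```

Any result other than `VMON_OK` means the LVD/HVD coverage assumed by the FMEDA cannot be claimed for this drive cycle, so the application should treat it as a latent-fault detection and not release the system into normal operation.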