Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 25
NOTE
The frequency range of the CMU must be increased before switching clock
modes. The requirement is to program the CMU with the correct minimum
and maximum values for the new frequency soon after the switch.
Recommendation: The application may run the IOSC_A001_SW (on page 24) once per FTTI to verify
proper IRCOSC operation.
3.2.14 System clock availability
At start-up, the CMUs are not initialized and the IRCOSC is the default system clock. Stuck-at faults on
the external oscillator (XOSC) are not detected by the CMUs at start-up since the monitoring units are not
initialized and the MPC5777M is still running on the IRCOSC.
Assumption: [SM_FMEDA_047]The software shall verify that the clocks are valid by checking the state
of the following:[end]
1. MC_ME_GS[S_XOSC] = 1, verifies valid XOSC
2. MC_ME_GS[S_IRC] = 1, verifies valid IRCOSC
3. The quality of the IRCOSC frequency is determined by clock metering and measuring the IRCOSC
against the XOSC (see the MPC5777M Reference Manual’s “Clock Monitoring Unit (CMU)”
chapter for details)
4. Based on measurement from 3, software shall update the user trim bits of the internal oscillator
(IRCOSC_CTL[USER_TRIM]).
5. Enable CMUs since we have valid XOSC and IRCOSC
6. MC_ME_GS[S_PLL0] = 1 and MC_ME_GS[S_PLL1] = 1, verifies valid PLL0 and PLL1 outputs
Assumption: [SM_FMEDA_048] Software shall check that the system clock is available, and sourced by
the FMPLL (PLL1), before running any safety element function or setting the FCCU into the operational
state. [end]
3.2.15 Clock Generation Module (MC_CGM)
The CMUs are the main mechanism used to check the integrity of MCU clocks, but other indirect measures
like delayed lockstep, fault tolerant communication protocols and replicated usage of peripherals may also
be used. The following assumptions are necessary to cover the clock failures that escape these safety
mechanisms which can potentially lead to the failure of specific modules.
Assumption: [SM_FMEDA_049]The sample time for the SARADC will be at least one clock cycle
longer than the minimum time required. This avoids clock glitches on the SAR clock from affecting
sampling. [end]
Assumption: [SM_FMEDA_050]Detecting failures of either CLKOUT0 or CLKOUT1 is the sole
responsibility of user application software. [end]
Assumption: [SM_FMEDA_051]To detect PSI5 reception failures due to a clock glitch, PSI5 will use the
three bit CRC included in the protocol. [end]
To Next Page
Loading...
Need help?
General
