Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors
3.2.16 PLL generated clocking
MPC5777M provides dual PLLs (PLL0 and PLL1) for separate system and peripheral clocks.
[SCG18.145] Each PLL provides a glitch-free and fast clock to the MPC5777M and provides a loss of lock
signal that is routed to the FCCU. [end]
To reduce the impact of glitches stemming from the XOSC, the FMPLL (PLL1) should be used as the
system clock.
Assumption: [SM_FMEDA_052] Application software shall ensure that the system is using the FMPLL
(PLL1) clock as the system clock before running any safety functions, or before the FCCU indicates a
system that is functioning correctly (for example, on FI[n]). [end]
Assumption: [SM_FMEDA_053] Application shall configure the FCCU to react to both PLL loss of
locks. [end]
Both FlexRay and CAN feature modes in which they are directly clocked from the XOSC. For applications
targeting ASIL D, using these clocking modes increases the risk of communication failures.
Assumption: [SM_FMEDA_054] Application software will not use FlexRay or CAN modules directly
clocked by the XOSC, or the used fault-tolerant communication layer will be capable of handling failures
induced by clock glitches (for example, timing errors, sampling errors and complete failure of logic due
to setup/hold time violations). [end]
3.2.17 XBAR configuration
The multi-port XBAR switch allows for concurrent transactions from any master (cores, DMA, FlexRay)
to any slave (memories, peripheral bridge). The XBAR module includes a set of configuration registers
for arbitration parameters, including priority, parking and arbitration algorithm. Faults in the configuration
registers affect slave arbitration so software countermeasures must detect these faults.
Assumption: [SCG18.042] Masters of the XBAR which are not ViMos or SuMos shall have a lower
arbitration priority on the XBAR than safety-relevant masters. [end]
Assumption: [SM_FMEDA_055] In cases where it is not possible to set the XBAR arbitration
appropriately, a failure probability shall be estimated for such cases. An example case is when FlexRay,
which is a PeMo, needs highest priority. [end]
XBAR data and address lines are covered by E2E ECC. Some failures, particularly those affecting muxing
logic, might introduce multi-bit errors on data and addresses. Though ECC coverage is limited on a single
transaction, the probability of detecting the fault is higher when multiple transactions are affected.
3.2.18 Platform flash memory controller
PFLASH controller configuration controls aspects related to flash memory remapping. It can remap
logical flash accesses to on-chip calibration RAM, extended off-chip calibration RAM or on-chip system
RAM.
Assumption: [SM_FMEDA_056] To prevent spurious XBAR accesses by the HSM from stalling or delaying the
safety function, the XBAR will be configured to assign low priority to the HSM. [end]
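One way to implement the software countermeasure for XBAR configuration register faults (3.2.17) together with the priority rules of [SCG18.042] and [SM_FMEDA_056], given as an added example that is not taken from this manual or from NXP code. Assumptions: each master has a 3-bit priority field at a 4-bit stride in a per-slave priority register, a lower value means higher priority, and the master numbering (0 and 1 safety-relevant, 2 FlexRay, 3 HSM) and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed encoding (not from the manual): 3-bit priority field per master at
 * bit offset 4*m of a per-slave priority register; lower value = higher
 * arbitration priority. */
#define PRIO_OF(reg, m) (((reg) >> (4u * (m))) & 0x7u)

enum xbar_check { XBAR_OK = 0, XBAR_CFG_CORRUPT, XBAR_PRIO_VIOLATION };

/* Periodic check over a read-back snapshot of the priority registers.
 * golden: values the application programmed; safety_mask: bit m set means
 * master m is safety-relevant; used_mask: bit m set means master m exists.
 * On failure *bad_slave holds the first offending slave port. */
enum xbar_check xbar_check_priorities(const uint32_t *readback,
    const uint32_t *golden, size_t n_slaves, uint8_t safety_mask,
    uint8_t used_mask, size_t *bad_slave)
{
    for (size_t s = 0; s < n_slaves; s++) {
        *bad_slave = s;
        if (readback[s] != golden[s])      /* configuration register fault */
            return XBAR_CFG_CORRUPT;
        if (!(safety_mask & used_mask))    /* nothing to protect on this bus */
            continue;
        uint32_t worst_safety = 0;         /* weakest safety-master priority */
        for (unsigned m = 0; m < 8; m++)
            if ((safety_mask & used_mask & (1u << m)) &&
                PRIO_OF(readback[s], m) > worst_safety)
                worst_safety = PRIO_OF(readback[s], m);
        /* Every other master must rank strictly below all safety masters. */
        for (unsigned m = 0; m < 8; m++)
            if ((used_mask & ~safety_mask & (1u << m)) &&
                PRIO_OF(readback[s], m) <= worst_safety)
                return XBAR_PRIO_VIOLATION;
    }
    return XBAR_OK;
}

int main(void)
{
    /* Constructed sample: two slave ports, one bit flipped on slave 1. */
    const uint32_t golden[2]  = { 0x3210u, 0x3210u };
    const uint32_t flipped[2] = { 0x3210u, 0x3211u };
    size_t bad = 0;
    int r = xbar_check_priorities(flipped, golden, 2, 0x03, 0x0F, &bad);
    printf("result=%d slave=%zu\n", r, bad);
    return r == XBAR_CFG_CORRUPT ? 0 : 1;
}
```

Where a non-safety master such as FlexRay must hold the highest priority, this check reports XBAR_PRIO_VIOLATION by design; that case falls under [SM_FMEDA_055] and its estimated failure probability.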