Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors 30
Assumption: [SM_FMEDA_155] Before the safety application starts, functional ADCs shall run a
conversion cycle of known signals together with the supervisor ADC. The acquired values shall be
compared by software. [end]
NOTE
During the self-test conversion cycle, the configuration of both functional
and monitor (supervisor) ADCs shall be the same. After the self-test and
during normal acquisitions, the configurations may be modified.
3.2.23 Temperature sensor (TSENS)
The MPC5777M includes a temperature sensor that monitors device temperature. The temperature sensor
provides only an analog output, which is the signal to be used.
Assumption: [SM_FMEDA_156] Before the safety application starts, software shall configure the ADC
measurement of the analog output of the temperature sensor to trigger an event if the temperature is outside
of the permitted range. [end]
3.3 Runtime checks
During the execution of the safety function, application software is assumed to perform a set of tasks to
support the detection of random hardware failures and transition the device to a Safe state_MCU in case of
a failure. This section collects the assumptions software has to fulfill during runtime.
3.3.1 General requirements
The safety concept does not protect against spurious subtle timing changes (for example, due to the XBAR
not parking on the safety relevant master due to other accesses). Thus, such subtle timing must not be relied
on.
Assumption: [SCG18.079] During the development of safety-relevant software, counting clock cycles
will not be used (for example, relying on the execution time of core assembler instructions to measure
time). [end]
Assumption: [SCG18.080] If independent data paths to or from any ViMos classified module exist,
software shall use them redundantly to read or write safety related data. [end]
An independent data path exists to access the two PBRIDGEs, and application software should use the
peripheral set redundantly. In this case, failures in one of the data paths will be detected by application-
level checks (for example, by comparing data provided by two redundantly used peripherals when each is
attached to a different PBRIDGE).
NOTE
The “Periphery allocation” figure in the MPC5777M Reference Manual
shows the peripheral split between the two peripheral bridges (PBRIDGEA,
PBRIDGEB). Section 3.3.17, I/O and Peripheral Bridge gives additional
detail about using safety relevant I/Os.
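As an added illustration, not code from the NXP manual, the following C shows the two software checks described above: a redundant read through two independent data paths with a software compare (SCG18.079/SCG18.080), and the functional-versus-supervisor ADC comparison of known signals from SM_FMEDA_155. The register stand-ins, tolerance values and function names are constructed for the example and are not MPC5777M addresses or NXP API.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for result registers reachable via PBRIDGEA and PBRIDGEB.
 * On real hardware these would be the memory-mapped registers of two peripherals,
 * one behind each bridge; here they are plain variables so the example runs offline. */
static volatile uint32_t sim_result_pbridge_a;
static volatile uint32_t sim_result_pbridge_b;

typedef enum { PATH_OK = 0, PATH_MISMATCH = 1 } path_status_t;

static uint32_t abs_diff(uint32_t x, uint32_t y) { return (x > y) ? (x - y) : (y - x); }

/* Read the same safety-related quantity through both paths and compare in software.
 * 'tolerance' covers legitimate sample-to-sample noise; a larger difference is treated
 * as a failure of one path and the caller must move to the Safe state. */
path_status_t read_redundant(const volatile uint32_t *path_a,
                             const volatile uint32_t *path_b,
                             uint32_t tolerance, uint32_t *out)
{
    uint32_t a = *path_a;   /* first access, e.g. peripheral on PBRIDGEA */
    uint32_t b = *path_b;   /* second access, e.g. redundant peripheral on PBRIDGEB */
    if (abs_diff(a, b) > tolerance) {
        return PATH_MISMATCH;   /* do not hand an unverified value to the application */
    }
    *out = a;
    return PATH_OK;
}

/* Self-test compare for SM_FMEDA_155: both ADCs converted the same known signals with
 * identical configuration; every pair must agree within 'tolerance'.
 * Returns the number of disagreeing samples, 0 meaning the self-test passed. */
size_t adc_selftest_compare(const uint32_t *functional, const uint32_t *supervisor,
                            size_t n, uint32_t tolerance)
{
    size_t mismatches = 0;
    for (size_t i = 0; i < n; i++) {
        if (abs_diff(functional[i], supervisor[i]) > tolerance) {
            mismatches++;
        }
    }
    return mismatches;
}

/* Helper so a stand-alone run (or a test) can load the simulated registers. */
void set_simulated_paths(uint32_t a, uint32_t b)
{
    sim_result_pbridge_a = a;
    sim_result_pbridge_b = b;
}
```

In a real application the PATH_MISMATCH and non-zero self-test results are the points at which software requests the Safe state transition described in Section 3.3.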