Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors  31
Assumption: [SCG18.081] A safety mechanism will be implemented at application level to detect critical 
timing failures leading to violation of application timeouts. [end]
NOTE
Implementation Hint: The SWT module can be used to satisfy the above 
requirement.
Machine check exceptions of the Safety Core are directly forwarded to the FCCU’s “Safety Core 
Exception” input.
Recommendation: Due to the more comprehensive information available in the exception handler it is 
recommended to handle machine check exceptions in the exception handler and not use the FCCU 
mechanism.
Assumption: [SM_FMEDA_061] Other exceptions, which are not directly forwarded to the FCCU (for 
example, Data Storage, Alignment), must be handled by the core itself. [end] This assumption shall be 
considered only for exceptions considered safety relevant by the application.
NOTE
See the MPC5777M Reference Manual’s “Core e200z425n3 Description” and “Core 
e200z420n3 Description” chapters and the “Exceptions” sections of each 
chapter for details on core exceptions.
3.3.2 CRC of configuration registers 
The CRC unit offloads the core in computing a CRC checksum. There are three sets of CRC registers to 
allow concurrent CRC computations in the MPC5777M device. The CRC unit should be used to detect 
accidental modifications of data in configuration registers by calculating its CRC signature and comparing 
it against a pre-calculated CRC.
NOTE
Some configuration registers, such as those for clock and MCU mode 
configuration, are copied to the corresponding internal registers only when 
an event (for example, mode change) is triggered. The values of those 
configuration registers themselves have no effect. Additional measures are 
needed, along with CRCing, to ensure correct operation of the MCU. 
Assumption: [SM_FMEDA_062] A periodic scan of the safety relevant configuration registers, which are 
not covered by other safety mechanisms, shall be executed once per FTTI to ensure that the configuration 
has not changed due to a bit flip. [end]
NOTE
Implementation hint: The CRC checksum of the configuration registers of 
the modules involved with the safety function should be calculated offline.
At run time, the same CRC value must be calculated by the CRC module 
within the FTTI. To avoid overloading a core, the DMA module can be used 
to support the data transfer from the registers under check to the CRC 
module.
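
The periodic scan required by [SM_FMEDA_062], as an added example in C that is not code from the NXP manual. A software CRC-32 stands in for the CRC unit (the polynomial is an assumption), and sim_regs, scan_list and the function names are hypothetical stand-ins for the application's real registers and code. On target, the reference passed to config_scan is the signature calculated offline, and config_scan runs once per FTTI.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample values standing in for safety-relevant configuration
   registers; on target these are the memory-mapped registers themselves. */
static volatile uint32_t sim_regs[4] = {
    0x00000001u, 0x80FF0000u, 0x0000A5A5u, 0x12345678u
};

/* Scan list: every register covered by the check, in a fixed order.
   The offline calculation must use the same registers in the same order. */
static volatile uint32_t *const scan_list[] = {
    &sim_regs[0], &sim_regs[1], &sim_regs[2], &sim_regs[3]
};
#define SCAN_COUNT (sizeof scan_list / sizeof scan_list[0])

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over one register word,
   least-significant byte first. Software stand-in for the CRC unit. */
static uint32_t crc32_word(uint32_t crc, uint32_t word)
{
    for (int byte = 0; byte < 4; byte++) {
        crc ^= (word >> (8 * byte)) & 0xFFu;
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Reads each listed register once and returns the CRC signature. */
uint32_t config_signature(void)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < SCAN_COUNT; i++)
        crc = crc32_word(crc, *scan_list[i]);
    return crc ^ 0xFFFFFFFFu;
}

/* One scan pass: 0 if the configuration still matches the reference
   signature, -1 if any covered register has changed. */
int config_scan(uint32_t reference)
{
    return (config_signature() == reference) ? 0 : -1;
}
```

A -1 result should lead to the application's defined fault reaction. As the note earlier in this section states, registers whose values take effect only on an event such as a mode change need additional measures beyond this check.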