Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors34
• Flash memory, instead of overlay RAM, read errors are not detected by E2E ECC as the access is
done with the correct (logical) address but can be detected by writing and reading back a few
patterns from the overlay RAM.
Assumption: [SM_FMEDA_070]Software shall run write and read-back patterns from overlay RAM to
check integrity of overlay read/write/selection path, and this test shall be executed every FTTI. [end]
When overlay, or flash memory, regions are programmed, data in the minicache can be stale (a missed hit
during write operations could lead to erroneously valid prefetched data). Reading back the data after each
programming operation ensures that prefetched data are invalidated.
Assumption: [SCG18.050]After write operations to overlay RAM, or flash, software shall read back the
data that was written and compare it with the expected data to check the integrity of the programmed data.
[end]
NOTE
These countermeasures apply only if the overlay RAM is used by the safety
function.
When software reads data that was programmed in the flash memory, or written to overlay RAM (to verify
contents), the minicache will be automatically refreshed.
Assumption: [SM_FMEDA_071]Overlay RAM is used only for a fraction of the time on a small number
of devices (assumed 5%, averaged considering all MCUs). [end]
3.3.6.2 Flash memory program and erase
Flash memory program/erase operations are stopped in the event of a fault event (for example, no flash
sector selected, or elevated current draw).
Assumption: [SM_FMEDA_072]For program operations, only the address specified by an interlock write
determines the partition being written. An interlock sequence is used to prevent accidental programming
of flash memory. [end]
Assumption: [SCG18.058]A software safety mechanism shall be implemented to ensure the correct
termination of any program/write operation of the flash memory. [end]
Even when flash memory signals the correct termination of programming operations, there is still the
chance that flash memory content is incorrect due to failures of the flash memory write path and
programming logic.
Assumption: [SCG18.061]To ensure that the content of a write operation to flash memory is correct,
software shall read back the data that was written and compare it with the expected data. This checks the
integrity of the programmed data. This test should execute after every program or erase operation. [end]
NOTE
In addition, this test prevents the return of stale data from the PFLASH
controller minicache.
To Next Page
Loading...
