NXP Semiconductors MPC5777M Safety Manual

NXP Semiconductors MPC5777M
94 pages
Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 39
This mechanism provides access to all bits in the RAM arrays and therefore allows the ECC check bits to be read and manipulated. In general, the core mechanism needs to be used for core-accessible RAM, whereas the IMA module is responsible for granting direct access to other RAMs (typically peripheral).
Accesses via the IMA module are not controlled by the MPU, but the MPU controls access to this module. Direct accesses using the core mechanism are normally controlled by the MPU.
Assumption: [SCG18.064] Software shall ensure that no other RAM access occurs to a certain array while the IMA module is used to access the contained RAM cells directly. [end]
Assumption: [SCG18.065] Software shall check that ECC bypassing mechanisms are executed only when the ECC manipulation is really expected and not due to some software control flow problem. [end]
3.3.10 Decorated Storage Memory Controller (DSMC)
The DSMC provides hardware support for atomic read-modify-write memory operations in the MPC5777M microcontroller. These capabilities are called decorated storage.
The FMEDA assumes some limitations on the usage of the DSMC.
Assumption: [SM_FMEDA_079] Safety analysis assumes the following usage of the DSMC:
1. Safety Application (running on Safety core) can access the DSMC_SysRam and DSMC_SafetyCore for both read and write operations.
2. Safety Application (running on Safety core) can only write to Non ViMos DSMCs. It should not read decorated data unless application level safety measures are put in place to ensure accuracy of read data at the destination (point of usage).
3. NoSaMos Cores should not write to DSMC_SafetyCore and DSMC_SysRAM. They are allowed to read. The read/write restriction should be managed inside the SMPU. [end]
3.3.11 Interrupt management
No specific hardware protection is provided against spurious or missing interrupt requests (for example, caused by EMI on the interrupt lines or bit flips in the interrupt registers of the peripherals). The Interrupt Controller (INTC) can drop, delay or create interrupts.
[SCG18.951] To detect these unwanted events, different software measures need to be considered: [end]
Assumption: [SM_FMEDA_080] Periodically check for effects of lost interrupts (for example, buffer overflow or underflow). [end]
Assumption: [SM_FMEDA_081] Periodically check that interrupt flags in peripherals are cleared. [end]
This works particularly well if done outside an IRQ routine or with very low IRQ priority. If a flag for an interrupt (with higher priority) is set, this is an error. No IRQs shall be blocked while this test is executed.
Assumption: [SM_FMEDA_083] The ISR will check that the triggering module actually shows a requested interrupt (for example, reading the interrupt request or status register in the peripheral). [end]
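The three software measures above, sketched against a simulated peripheral. This is an added example, not code from the Safety Manual or from NXP; the `periph_t` fields, function names and fault codes are hypothetical, and on real hardware the flag would be cleared through the peripheral's own register interface.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed peripheral model; field names are hypothetical, not MPC5777M registers. */
typedef struct {
    volatile uint32_t status;  /* bit n set: source n has an interrupt request pending */
    uint32_t fifo_level;       /* entries waiting to be drained by the ISR */
    uint32_t fifo_depth;       /* capacity; level == depth is treated as overflow */
} periph_t;

typedef enum { IRQ_OK, IRQ_SPURIOUS, IRQ_FLAG_STUCK, IRQ_LOST } irq_fault_t;

/* SM_FMEDA_083: the ISR confirms the peripheral really shows the request
   before servicing it; an interrupt created by the INTC has no flag behind it. */
irq_fault_t isr_service(periph_t *p, unsigned src)
{
    if (src >= 32u || (p->status & (1u << src)) == 0u)
        return IRQ_SPURIOUS;
    if (p->fifo_level > 0u)
        p->fifo_level--;             /* drain one entry */
    p->status &= ~(1u << src);       /* model of clearing the request flag */
    return IRQ_OK;
}

/* SM_FMEDA_081: called from background or lowest IRQ priority with no IRQs
   blocked. A flag of a higher-priority source still set here is an error,
   because its ISR should already have preempted this code and cleared it. */
irq_fault_t check_flags_cleared(const periph_t *p, uint32_t higher_prio_mask)
{
    return (p->status & higher_prio_mask) ? IRQ_FLAG_STUCK : IRQ_OK;
}

/* SM_FMEDA_080: look for the effect of a dropped interrupt (buffer overflow). */
irq_fault_t check_lost_irq(const periph_t *p)
{
    return (p->fifo_level >= p->fifo_depth) ? IRQ_LOST : IRQ_OK;
}

int main(void)
{
    periph_t dev = { .status = 1u << 3, .fifo_level = 1u, .fifo_depth = 4u };
    printf("%d ", isr_service(&dev, 3u));            /* request flag present */
    printf("%d ", isr_service(&dev, 3u));            /* no flag behind the IRQ */
    dev.status = 1u << 5; dev.fifo_level = 4u;       /* source 5 IRQ never delivered */
    printf("%d %d\n", check_flags_cleared(&dev, 1u << 5), check_lost_irq(&dev));
    return 0;
}
```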