Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 49
NOTE
The safety concept for high bandwidth communication controllers (for
example, FlexRay, FlexCAN, FEC (Ethernet)) is not based on the redundant
use of multiple modules, but rather on the implementation of a fault tolerant
protocol. This is the reason they are typically not split over the PBRIDGEs.
Section 3.3.23, Communication peripherals discusses in more detail the
usage of these types of communication controllers.
Assumption: [SCG18.085]Comparison of redundant operation is the responsibility of the application
software. [end]
NOTE
Additional details can be found in the “I/O peripherals” section in the
“Functional Safety” chapter of the MPC5777M Reference Manual.
Some modules, particularly on-platform peripherals such as the INTC and eDMA, have only a single peripheral
interface. For these modules, the integrity of accesses to their register interface is not guaranteed by the
PBRIDGE replication, so the following assumptions are required to cover failures affecting the value of
data read from or written to their register interface.
Assumption: [SM_FMEDA_091]Software periodically checks the contents of configuration registers,
and more than 10 registers of modules attached to PBRIDGEn are part of the countermeasure described in
Section 3.3.2, CRC of configuration registers. [end]
Assumption: [SCG18.132] To ensure safe usage of modules which do not exist redundantly and are
connected to only one PBRIDGE, one of the following shall be true for each user-visible (via the
PBRIDGEn) register:
• The register is not relevant for the safety goal of the application.
• The register has a constant value (typically a configuration register) which is periodically checked
for correct value (for example, by CRCing).
• Wrong values written into the register are detected by other safety measures.
Furthermore, because such registers have a single data source, the following necessarily holds for
reads:
• Values read from such registers are not guaranteed to be free of single-point faults (SPFs).[end]
NOTE
[SM_FMEDA_092]The FMEDA assumes that the above condition holds
for at least 99% of the respective registers, but it is recommended to ensure
it for 100% to reduce documentation complexities. [end]
Assumption: [SM_FMEDA_093]Software shall read back the values written to registers of
non-redundant peripherals. [end]
NOTE
Not necessary for configuration registers which are under
CONF_REG_CRC_SCAN (as described in SM_FMEDA_063 (on page
50)) as that serves as a read-back on its own.
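The two software countermeasures this section asks for on peripherals behind a single PBRIDGE, a periodic CRC over constant configuration registers (SM_FMEDA_091, SCG18.132) and read-back of values written to non-redundant peripheral registers (SM_FMEDA_093), as one added example in C. This is illustrative code written for this page, not NXP's safety software and not the MPC5777M's CONF_REG_CRC_SCAN implementation. The peripheral register block is a constructed RAM array with a constructed stuck-at fault model standing in for memory-mapped registers; the register list, masks, the software CRC-32 and all function names (`conf_reg_crc_check`, `reg_write_verified`, `run_demo`) are assumptions for illustration. The reference CRC is derived from the values software intended to write rather than from a read of the hardware, which is the design choice that lets the scan double as a read-back for the registers it covers, as the note above describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SIM_REG_COUNT 4
/* Constructed stand-in for one non-redundant peripheral's register block; on the
 * real part these would be volatile MMIO accesses through a single PBRIDGE. */
static uint32_t sim_regs[SIM_REG_COUNT];
/* Constructed fault model: bits that silently stay 0 whatever is written. */
static uint32_t sim_stuck_at_zero[SIM_REG_COUNT];

static uint32_t periph_read(unsigned idx) { return sim_regs[idx]; }
static void periph_write(unsigned idx, uint32_t v)
{
    sim_regs[idx] = v & ~sim_stuck_at_zero[idx];
}

/* One entry of the configuration-register list: where it is, what software
 * intended to put there, and which bits are constant configuration (status or
 * self-clearing bits must be masked out or the CRC would change spuriously). */
typedef struct {
    unsigned idx;
    uint32_t intended;
    uint32_t mask;
} conf_reg_t;

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320). A hardware CRC unit could
 * replace this; the algorithm is this example's choice, not the manual's. */
static uint32_t crc32_update(uint32_t crc, uint32_t word)
{
    crc ^= word;
    for (int i = 0; i < 32; i++)
        crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}

/* CRC over the masked values; the list position is folded in so a swapped or
 * missing entry changes the result. from_hw selects read values vs intended. */
static uint32_t conf_reg_crc(const conf_reg_t *regs, size_t n, int from_hw)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = from_hw ? periph_read(regs[i].idx) : regs[i].intended;
        crc = crc32_update(crc, (uint32_t)i);
        crc = crc32_update(crc, v & regs[i].mask);
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Reference from intended values, never from a read of the hardware, so the
 * periodic scan also catches a configuration write that never landed. */
uint32_t conf_reg_crc_reference(const conf_reg_t *regs, size_t n)
{
    return conf_reg_crc(regs, n, 0);
}

/* Periodic scan: 0 when the hardware matches the reference, -1 otherwise. */
int conf_reg_crc_check(const conf_reg_t *regs, size_t n, uint32_t reference)
{
    return conf_reg_crc(regs, n, 1) == reference ? 0 : -1;
}

/* Write and read back, comparing only the bits expected to read as written.
 * Returns 0 on success, -1 on mismatch; the fault reaction is the caller's. */
int reg_write_verified(unsigned idx, uint32_t value, uint32_t rb_mask)
{
    periph_write(idx, value);
    return ((periph_read(idx) ^ value) & rb_mask) == 0 ? 0 : -1;
}

/* Scenario walk-through on the constructed block; returns 0 when every step
 * behaved as the assumptions require, otherwise the number of the failing step. */
int run_demo(void)
{
    static const conf_reg_t list[] = {
        { 0, 0x00000011u, 0xFFFFFFFFu },  /* fully constant control register  */
        { 1, 0x00001234u, 0x0000FFFFu },  /* upper half is live status: masked */
        { 2, 0xA5A5A5A5u, 0xFFFFFFFFu },
    };
    const size_t n = sizeof list / sizeof list[0];
    for (unsigned i = 0; i < SIM_REG_COUNT; i++)
        sim_regs[i] = sim_stuck_at_zero[i] = 0;

    uint32_t ref = conf_reg_crc_reference(list, n);
    if (conf_reg_crc_check(list, n, ref) == 0) return 1;   /* not yet configured */

    for (size_t i = 0; i < n; i++)                         /* configure with read-back */
        if (reg_write_verified(list[i].idx, list[i].intended, list[i].mask)) return 2;
    if (conf_reg_crc_check(list, n, ref) != 0) return 3;   /* configured: healthy */

    sim_regs[1] |= 0x80000000u;                            /* status bit toggles: masked */
    if (conf_reg_crc_check(list, n, ref) != 0) return 4;

    sim_regs[2] ^= 1u << 3;                                /* SPF in a config register */
    if (conf_reg_crc_check(list, n, ref) == 0) return 5;   /* must be detected */
    sim_regs[2] ^= 1u << 3;

    sim_stuck_at_zero[3] = 1u << 4;                        /* register outside the scan: */
    if (reg_write_verified(3, 0x10u, 0xFFFFFFFFu) == 0) return 6; /* read-back must catch it */
    return 0;
}

int main(void)
{
    int r = run_demo();
    printf("demo %s (step %d)\n", r == 0 ? "passed" : "failed", r);
    return r;
}
```

Two practical points the walk-through makes: bits that legitimately change at run time (status, interrupt flags) must be excluded from the mask or the scan raises false alarms, and a register that the scan does not cover only gets the read-back check, which detects a failed write at write time but not a later corruption; that is the case SCG18.132 leaves to "other safety measures".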