General information
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 5
The MPC5777M is suitable to be used in safety-relevant applications including systems that are classified
as ISO 26262 ASIL A, ASIL B, ASIL C or ASIL D.
Assumption: [SCG18.202]The development process of the MPC5777M fulfills ASIL D requirements of
ISO 26262. [end]
2.3 Safety goals
The safety goals of the MCU are defined as follows:
• [SCG18.100]The primary safety goal is that the MPC5777M does not leave its safe states for
intervals equal or longer than the FTTI (10 ms) unless configured by the application software to do
so. [end]
• [SCG18.101]The secondary safety goal is that the MPC5777M, or the software running on the
MPC5777M, shall be able to detect the permanent unavailability of any safety mechanism that is
necessary to achieve the primary safety goal, and this shall be done at least once per driving cycle
(12 hours). [end]
The ASIL for the first goal is D, for the second it is B.
2.3.1 Safe state
A Safe state of the system is named Safe state
system
whereas the Safe state of the MPC5777M is named
Safe state
MCU
. A Safe state
system
of a system is an operating mode without an unreasonable probability of
occurrence of physical injury or damage to the health of persons.
Assumption: [SCG18.004]The safety goals are achieved by transitioning or holding the MPC5777M in
the following Safe state
MCU
:[end]
• Assumption: [SCG18.005]Completely unpowered [end]
• Assumption: [SCG18.006]In reset [end]
• Assumption: [SCG18.007]Operating correctly (See Section 2.4, Correct operation) [end]
• Assumption: [SCG18.008]Explicitly indicating an internal error [end]
If the MPC5777M continuously switches between a standard operating state and the reset state, without
any device shutdown, the MCU is not considered to be in a Safe state
MCU
(See Section 3.2.7, Reset
Generation Module (MC_RGM) for details).
Assumption: [SM_FMEDA_002] The application shall identify and signal such switching as a failure
condition. [end]
If the MPC5777M signals an internal failure via its error out signals (FI[0], FI[1]), the surrounding
subsystem should no longer use the MPC5777M outputs for safety functions since these signals are no
longer considered reliable. This means that if an error is indicated, the system must be able to remain in a
Safe state
system
without any additional actions by the MCU. Depending on its configuration, the system
may disable or reset the MCU as a reaction to the error signal.
Assumption: [SCG18.009]It is assumed that the system reacts safely to the MPC5777M being in or
entering all safe states shown in Section 2.3.1, Safe state. [end]
To Next Page
Loading...
