Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors
Assumption: [SM_FMEDA_094] When software reads a safety-relevant value from a peripheral, that
value is read twice in a row, then the two read values are compared. This helps detect transient errors in
the PBRIDGE for non-redundant peripherals. [end]
3.3.18 System Integration Unit Lite (SIUL2)
Because the SIUL2 has a single PBRIDGE interface, a failure of that interface, and in particular of its register
protection (REG_PROT) module, can affect both channels of a redundant I/O function and so cause a CCF.
Assumption: [SM_FMEDA_095] When the SIUL2 is used for the implementation of safety-related I/O
functionality, application-level redundancy is such that it covers at least 60% of failures introduced by the
REG_PROT module that can result in blocked writes (lost updates) to non-locked registers (mostly GPO
data registers). An additional software test shall run to detect such a failure mode. [end]
NOTE
A read-back after each write to the SIUL registers is sufficient to cover this
failure mode.
Assumption: [SM_FMEDA_096] To detect wrong or multiple addressing failures, the startup read-back
of SIUL configuration registers shall be executed after all SIUL2 registers have been written. [end]
Assumption: [SM_FMEDA_097] If the SIUL2 is used to perform a redundant digital input or output (read
two GPIs or write two GPOs), the application will execute a periodic CRC of configuration registers that
will be used to detect decoder hard faults that lead to CCF on data reads or writes. [end]
3.3.19 GTM Wrapper
Assumption: [SM_FMEDA_098] To detect if the GTM stops running due to a fault, application software
shall periodically verify the GTM is running by reading the GTM status register (GTMDI_DS). [end]
Assumption: [SM_FMEDA_170] Application software shall check the configuration of the GTM
Wrapper once per FTTI (for example, by reading back the GTM configuration registers and comparing them
against the expected values). [end]
Assumption: [SM_FMEDA_099] Safety analysis assumes that failures in data registers (other than
configuration failures), as well as in the GTM logic, are covered by application measures. [end]
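The read-twice check of SM_FMEDA_094, the write read-back of the SM_FMEDA_095 note, the startup read-back of SM_FMEDA_096, the periodic configuration CRC of SM_FMEDA_097 and the once-per-FTTI GTM configuration comparison of SM_FMEDA_170 all reduce to the same handful of software patterns, shown here as an added C example that is not part of this manual or of any NXP driver. It runs on a host against a constructed in-memory model of a register bank: reg_read()/reg_write(), the sim_* fault masks, the register indices and the configuration values are assumptions made for the illustration only; on the MPC5777M the two accessors would be volatile accesses into the SIUL2 or GTM register map.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed host-side model of a small bank of memory-mapped registers.
 * The two fault masks exist only to emulate the failure modes the manual
 * asks software to detect: a REG_PROT blocked write (lost update) and a
 * transient read error on the PBRIDGE path. */
#define NREGS 8
static uint32_t sim_regs[NREGS];
static uint32_t sim_write_blocked;   /* bit i set: writes to register i are dropped   */
static uint32_t sim_read_glitch;     /* bit i set: the next read of register i is bad */

static uint32_t reg_read(size_t i)
{
    uint32_t v = sim_regs[i];
    if (sim_read_glitch & (1u << i)) {      /* one-shot transient fault */
        sim_read_glitch &= ~(1u << i);
        v ^= 0x80000000u;
    }
    return v;
}

static void reg_write(size_t i, uint32_t v)
{
    if (!(sim_write_blocked & (1u << i)))
        sim_regs[i] = v;
}

/* SM_FMEDA_094: read a safety-relevant value twice in a row and compare.
 * Returns 0 and stores the value if both reads agree, -1 on a mismatch. */
int safe_read(size_t i, uint32_t *out)
{
    uint32_t first = reg_read(i);
    uint32_t second = reg_read(i);
    if (first != second)
        return -1;
    *out = first;
    return 0;
}

/* SM_FMEDA_095 note: write, then read back. A write blocked by REG_PROT
 * leaves the old contents in place, so the read-back differs. */
int safe_write(size_t i, uint32_t v)
{
    reg_write(i, v);
    return reg_read(i) == v ? 0 : -1;
}

/* SM_FMEDA_096 / SM_FMEDA_170: after all configuration registers have been
 * written, read each one back against the intended value. Returns the number
 * of mismatching registers; 0 means the configuration is verified. */
int verify_config(const uint32_t *expected, size_t count)
{
    int mismatches = 0;
    for (size_t i = 0; i < count; i++)
        if (reg_read(i) != expected[i])
            mismatches++;
    return mismatches;
}

/* Reflected CRC-32 (polynomial 0xEDB88320) over registers [first, first+count),
 * computed bitwise so no lookup table has to be kept in protected memory. */
uint32_t crc32_regs(size_t first, size_t count)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = first; i < first + count; i++) {
        uint32_t v = reg_read(i);
        for (int byte = 0; byte < 4; byte++) {
            crc ^= (v >> (8 * byte)) & 0xFFu;
            for (int k = 0; k < 8; k++)
                crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* SM_FMEDA_097: periodic CRC of the configuration block, compared with the
 * reference captured right after the verified startup configuration. */
int check_config_crc(size_t count, uint32_t reference)
{
    return crc32_regs(0, count) == reference ? 0 : -1;
}

/* Stand-alone demo: configure, then inject each fault and confirm detection.
 * Exit status 0 means all three injected faults were caught. */
int main(void)
{
    const uint32_t cfg[4] = {0x10u, 0x20u, 0x1u, 0x0u};   /* constructed values */
    uint32_t v = 0, ref;
    for (size_t i = 0; i < 4; i++)
        if (safe_write(i, cfg[i]) != 0) return 1;
    if (verify_config(cfg, 4) != 0) return 1;
    ref = crc32_regs(0, 4);
    sim_write_blocked = 1u << 2;                  /* REG_PROT lost update */
    int caught_write = (safe_write(2, 0x3u) == -1);
    sim_write_blocked = 0;
    sim_read_glitch = 1u << 0;                    /* transient read error */
    int caught_read = (safe_read(0, &v) == -1);
    sim_regs[1] ^= 1u;                            /* decoder fault: silent change */
    int caught_crc = (check_config_crc(4, ref) == -1);
    return (caught_write && caught_read && caught_crc) ? 0 : 1;
}
```

The CRC reference is taken only after verify_config() has passed, so a startup addressing fault cannot be baked into the reference; after any legitimate reconfiguration the reference must be recomputed the same way.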
3.3.20 External Bus Interface (EBI)
Assumption: [SM_FMEDA_100] Neither the EBI nor LFAST is used in safety-related applications. If either is used,
it is the responsibility of the application software to recognize and detect failures caused by internal FIFO
overflow or underflow (incorrect write or read operations), which may lead to wrong commands, data or
message loss. [end]
Assumption: [SM_FMEDA_101] IRQs from the LFAST module should be disabled on the Safety Core to
prevent faulty LFAST communication from interfering with the execution of a safety related task. If not
disabled, other measures shall be implemented to detect possible IRQ flooding. [end]
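One of the "other measures" SM_FMEDA_101 leaves to the application, an interrupt-rate bound checked from the safety task, as an added C example that is not part of this manual or of any NXP driver. The period bound LFAST_IRQ_MAX_PER_PERIOD, the lfast_isr_hook()/lfast_irq_mask() names and the assumption that an aligned 32-bit read of the counter is atomic on the core are all hypothetical; the real bound has to be derived from the application's LFAST traffic, and the real mask function writes the interrupt controller.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical bound on LFAST interrupts tolerated per safety-task period
 * (one FTTI); 64 is a placeholder for this example only. */
#define LFAST_IRQ_MAX_PER_PERIOD 64u

static volatile uint32_t lfast_irq_count;   /* bumped by the ISR, never reset */
static bool lfast_irq_masked;

/* Called from the LFAST interrupt handler. The counter only ever increases,
 * so the periodic check needs no read-then-clear race against the ISR. */
void lfast_isr_hook(void)
{
    lfast_irq_count++;
}

/* Stand-in for masking the LFAST source at the interrupt controller. */
static void lfast_irq_mask(void)
{
    lfast_irq_masked = true;
}

bool lfast_irq_is_masked(void)
{
    return lfast_irq_masked;
}

/* Run once per period from the safety task. Returns the number of LFAST
 * interrupts taken since the previous call and masks the source once that
 * number exceeds the bound, so a flooding LFAST cannot keep pre-empting the
 * safety-related task. Unsigned subtraction keeps the delta correct across
 * counter wrap-around. */
uint32_t lfast_irq_period_check(void)
{
    static uint32_t last_seen;
    uint32_t now = lfast_irq_count;      /* single aligned 32-bit read (assumed atomic) */
    uint32_t delta = now - last_seen;
    last_seen = now;
    if (delta > LFAST_IRQ_MAX_PER_PERIOD && !lfast_irq_masked)
        lfast_irq_mask();
    return delta;
}

/* Stand-alone demo: a quiet period followed by a flood. Exit status 0 means
 * the flood was detected and the source masked. */
int main(void)
{
    for (int i = 0; i < 10; i++) lfast_isr_hook();
    if (lfast_irq_period_check() != 10u || lfast_irq_is_masked()) return 1;
    for (int i = 0; i < 100; i++) lfast_isr_hook();
    if (lfast_irq_period_check() != 100u || !lfast_irq_is_masked()) return 1;
    return 0;
}
```

Once masked, the LFAST source stays masked until the application deliberately re-enables it after diagnosing the link; the check deliberately does not unmask on its own, since an intermittent flood would otherwise alternate between masked and unmasked every period.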