Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors  51
3.3.21 Reading analog inputs
Safety-related analog inputs can be acquired redundantly using two independent ADC modules.
A dual read of an analog input uses two analog input channels on two separate ADC modules to
acquire a replicated analog input signal. Both ADC units acquire and digitize the two copies of the redundant
analog signal connected to their inputs. In this configuration (if applied to all analog inputs), only
half of the analog inputs remain available to the application.
Assumption: [SM_FMEDA_102] Software will read back the SIUL2 configuration once after 
programming to assess the correct configuration and connectivity of the two analog inputs. [end]
Assumption: [SM_FMEDA_103] Software will compare the value sampled by the two ADCs and decide 
on their consistency (comparison has to take into account conversion differences and tolerances). [end]
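The following C routines are an added illustration of the two assumptions above and are not NXP's code or part of the safety manual. They take values the driver has already read from hardware: SIUL2 register addresses and field layouts are deliberately not modelled, the 12-bit full scale, the tolerance of 16 LSB and the register images are constructed for the example, and the function names are hypothetical.

```c
/* Added example (not NXP's code): consistency vote on a dual-ADC read
 * (SM_FMEDA_103) and a read-back check of the pad configuration written
 * to SIUL2 (SM_FMEDA_102). Register layouts are not modelled. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Result of the consistency vote on one redundant analog input. */
typedef enum {
    ADC_CONSISTENT   = 0,   /* samples agree within tolerance; value usable */
    ADC_MISMATCH     = 1,   /* samples disagree; treat the input as invalid */
    ADC_OUT_OF_RANGE = 2    /* a raw sample exceeds the converter's range */
} adc_vote_t;

/* Compare the two conversions. 'tolerance' must cover the gain and offset
 * differences of the two converters plus the sampling skew between them;
 * its value is application-specific (the figure used below is assumed). */
adc_vote_t adc_dual_vote(uint16_t sample_a, uint16_t sample_b,
                         uint16_t tolerance, uint16_t full_scale, uint16_t *out)
{
    if (sample_a > full_scale || sample_b > full_scale) {
        return ADC_OUT_OF_RANGE;
    }
    uint16_t diff = (sample_a > sample_b) ? (uint16_t)(sample_a - sample_b)
                                          : (uint16_t)(sample_b - sample_a);
    if (diff > tolerance) {
        return ADC_MISMATCH;
    }
    /* Hand the average to the safety function; a more conservative choice
     * (min or max, depending on the failure direction) is equally valid. */
    if (out != NULL) {
        *out = (uint16_t)(((uint32_t)sample_a + (uint32_t)sample_b) / 2u);
    }
    return ADC_CONSISTENT;
}

/* Read-back check: compare the pad configuration values re-read from
 * SIUL2 after programming against the image that was written. Returns
 * the index of the first mismatch, or -1 if every register matches. */
int siul2_readback_check(const uint32_t *written, const uint32_t *readback, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (written[i] != readback[i]) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed scenario; returns a bitmask of the checks that behaved as
 * intended (31 when all five do). Full scale 4095 and tolerance 16 LSB are
 * assumptions for the example, as are the register images. */
unsigned dual_read_demo(void)
{
    unsigned ok = 0;
    uint16_t v = 0;
    if (adc_dual_vote(2000, 2012, 16, 4095, &v) == ADC_CONSISTENT && v == 2006) ok |= 1u;
    if (adc_dual_vote(2000, 2100, 16, 4095, &v) == ADC_MISMATCH)   ok |= 2u; /* one channel drifted or open */
    if (adc_dual_vote(4100, 2000, 16, 4095, &v) == ADC_OUT_OF_RANGE) ok |= 4u;

    static const uint32_t written[]  = { 0x00080000u, 0x00080000u, 0x00080000u };
    static const uint32_t readback[] = { 0x00080000u, 0x00080000u, 0x00000000u }; /* third pad not programmed */
    if (siul2_readback_check(written, readback, 3) == 2)  ok |= 8u;
    if (siul2_readback_check(written, written, 3) == -1)  ok |= 16u;
    return ok;
}
```

A mismatch must not be silently averaged away: the caller has to raise the input's invalid state to the safety function, and a read-back failure after programming should keep the inputs marked invalid until the configuration has been re-written and verified.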
3.3.22 Software Watchdog Timer (SWT) usage
The objective of the Software Watchdog Timer (SWT) is to detect a defective program sequence when 
individual elements of a program are processed in the wrong sequence or period of time. Once the SWT 
is enabled, it requires periodic and timely execution of the watchdog servicing procedure. The service 
procedure must be performed within the configured time window, before the service timeout expires.
Software is also generally expected to use the software watchdog timer (SWT) to detect a lost clock
or a significantly slow clock. Using the SWT to detect clock issues is a secondary measure, since
primary means for checking clock integrity exist (for example, the CMU).
MPC5777M provides the hardware support (SWT) to implement both control-flow and temporal
monitoring. If Windowed mode and Keyed Service mode (two pseudorandom key values are used to
service the watchdog) are enabled, highly effective temporal flow monitoring can be achieved.
Assumption: [SCG18.045] It is the responsibility of the application software to insert the control-flow
checkpoints with the required granularity according to application needs. [end]
SWT can be configured to stop, or continue, running when the MCU is in STOP mode by configuring 
SWT_CR[STP]. If this SWT feature doesn't work as expected due to a fault, the safety function could be 
impaired (for example, SWT could trigger an unwanted reset while the device is in STOP mode).
Assumption: [SM_FMEDA_106] The current FMEDA assumes that STOP mode is not used in normal
operation. [end]
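The following C example, added here and not taken from NXP's documentation or software, shows how application-inserted control-flow checkpoints (SCG18.045) can gate the watchdog service so that the SWT in Windowed and Keyed Service mode also covers the program sequence: the service is attempted only when every checkpoint of the cycle has been passed in order and the attempt falls inside the service window. The hardware is simulated; swt_next_key(), the window arithmetic and all function names are assumptions for this example and do not describe the MPC5777M SWT registers or its key generation, for which the reference manual is authoritative.

```c
/* Added example (not NXP's code): control-flow monitor gating a simulated
 * windowed, keyed watchdog service. Hardware behaviour is approximated:
 * a service attempt outside the window, a missing checkpoint or an
 * out-of-order checkpoint latches a fault, as the real SWT would reset. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define CF_MAX_CHECKPOINTS 16

typedef struct {
    uint8_t  expected[CF_MAX_CHECKPOINTS]; /* required checkpoint order for one cycle */
    size_t   count;                        /* number of checkpoints per cycle */
    size_t   next;                         /* index of the checkpoint expected next */
    bool     corrupted;                    /* latched on any sequence or timing fault */
    uint32_t cycle_start;                  /* time (arbitrary ticks) the current cycle began */
    uint32_t window_open;                  /* service allowed no earlier than cycle_start + window_open */
    uint32_t timeout;                      /* and no later than cycle_start + timeout */
    uint16_t key;                          /* current keyed-service key */
} cf_monitor_t;

/* Assumed key derivation for the keyed service sequence (example only). */
uint16_t swt_next_key(uint16_t key)
{
    return (uint16_t)(17u * key + 3u);
}

void cf_init(cf_monitor_t *m, const uint8_t *seq, size_t n,
             uint32_t window_open, uint32_t timeout, uint16_t key, uint32_t now)
{
    m->count = (n > CF_MAX_CHECKPOINTS) ? CF_MAX_CHECKPOINTS : n;
    for (size_t i = 0; i < m->count; i++) m->expected[i] = seq[i];
    m->next = 0;
    m->corrupted = false;
    m->cycle_start = now;
    m->window_open = window_open;
    m->timeout = timeout;
    m->key = key;
}

/* Called at each checkpoint the application inserted. Returns false and
 * latches the fault if this is not the checkpoint expected next, i.e. the
 * program took a wrong path, skipped a step or repeated one. */
bool cf_checkpoint(cf_monitor_t *m, uint8_t id)
{
    if (m->next >= m->count || m->expected[m->next] != id) {
        m->corrupted = true;
        return false;
    }
    m->next++;
    return true;
}

/* Service attempt. Succeeds, fills the two keys to write and restarts the
 * cycle only if the sequence is complete, no fault is latched and 'now' lies
 * inside the window. Too early (program running fast or looping) and too
 * late (program stalled or clock slow) are both faults. */
bool cf_service(cf_monitor_t *m, uint32_t now, uint16_t keys_out[2])
{
    uint32_t elapsed = now - m->cycle_start;
    if (m->corrupted || m->next != m->count) {
        m->corrupted = true;
        return false;
    }
    if (elapsed < m->window_open || elapsed > m->timeout) {
        m->corrupted = true;
        return false;
    }
    keys_out[0] = swt_next_key(m->key);
    keys_out[1] = swt_next_key(keys_out[0]);
    m->key = keys_out[1];
    m->next = 0;
    m->cycle_start = now;
    return true;
}

/* Constructed scenario; returns a bitmask of the checks that behaved as
 * intended (127 when all seven do). Window 80..100 ticks, initial key
 * 0x1234 and checkpoint ids 1..3 are arbitrary example values. */
unsigned cf_demo(void)
{
    static const uint8_t seq[] = { 1, 2, 3 };
    cf_monitor_t m;
    uint16_t keys[2];
    unsigned ok = 0;

    /* Cycle 1: correct path, serviced inside the window; keys rotate. */
    cf_init(&m, seq, 3, 80, 100, 0x1234, 0);
    if (cf_checkpoint(&m, 1) && cf_checkpoint(&m, 2) && cf_checkpoint(&m, 3)) ok |= 1u;
    if (cf_service(&m, 90, keys) && keys[0] == 0x3577 && keys[1] == 0x8CEA) ok |= 2u;
    /* Cycle 2: correct path but serviced too early (30 ticks in): fault latched. */
    cf_checkpoint(&m, 1); cf_checkpoint(&m, 2); cf_checkpoint(&m, 3);
    if (!cf_service(&m, 120, keys)) ok |= 4u;
    if (!cf_service(&m, 180, keys)) ok |= 8u;      /* still refused once latched */
    /* Fresh monitor: checkpoint 2 skipped, so the service is refused. */
    cf_init(&m, seq, 3, 80, 100, 0x1234, 0);
    if (cf_checkpoint(&m, 1) && !cf_checkpoint(&m, 3)) ok |= 16u;
    if (!cf_service(&m, 90, keys)) ok |= 32u;
    /* Fresh monitor: complete path but serviced after the timeout. */
    cf_init(&m, seq, 3, 80, 100, 0x1234, 0);
    cf_checkpoint(&m, 1); cf_checkpoint(&m, 2); cf_checkpoint(&m, 3);
    if (!cf_service(&m, 150, keys)) ok |= 64u;
    return ok;
}
```

The service routine should be the only place the watchdog keys are written, and it should be unreachable from a timer interrupt: if an interrupt services the SWT on its own schedule, a stalled main loop is never detected, which defeats the purpose of the checkpoints.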
3.3.23 Communication peripherals
Assumption: [SCG18.082] Communication over the following interfaces shall be protected by a
fault-tolerant communication protocol (implemented by the operating system or the application):
• FlexRay
• FlexCAN
• Ethernet [end]
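As an added illustration of what such a protocol layer provides (this is example code, not NXP's and not a specific protocol the manual prescribes), the C code below protects an 8-byte FlexCAN-sized payload with a CRC that also covers an unsent data ID, plus a 4-bit alive counter. The receiver can then detect corruption, a frame delivered under the wrong identifier (masquerade), repetition, loss and an out-of-sequence delivery; the frame layout, CRC parameters, gap thresholds, data IDs and application bytes are all assumptions constructed for the example.

```c
/* Added example (not NXP's code): end-to-end style protection of a CAN
 * payload. Layout (assumed): byte 0 = CRC, byte 1 low nibble = alive
 * counter, bytes 2..7 = 6 bytes of application data. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define E2E_PAYLOAD_LEN 8     /* classic CAN data field */
#define E2E_MAX_LOST    3     /* assumed: larger gaps are treated as wrong sequence */

typedef struct { uint16_t data_id; uint8_t tx_counter; } e2e_tx_t;
typedef struct { uint16_t data_id; uint8_t last_counter; bool have_last; } e2e_rx_t;

typedef enum {
    E2E_OK,          /* CRC valid, counter advanced by exactly one */
    E2E_BAD_CRC,     /* corruption, or a frame meant for another data ID */
    E2E_REPEATED,    /* same counter as the previous frame */
    E2E_LOST,        /* up to E2E_MAX_LOST frames missing; data still usable */
    E2E_WRONG_SEQ    /* counter jumped further than tolerated */
} e2e_status_t;

/* CRC-8, polynomial 0x1D, MSB first; init and final XOR applied by the caller. */
static uint8_t crc8_update(uint8_t crc, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++) {
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
        }
    }
    return crc;
}

/* CRC over the data ID (not transmitted) followed by bytes 1..7, so a frame
 * that arrives at a receiver expecting a different ID fails the check. */
static uint8_t e2e_compute_crc(uint16_t data_id, const uint8_t *frame)
{
    uint8_t idb[2] = { (uint8_t)(data_id >> 8), (uint8_t)(data_id & 0xFFu) };
    uint8_t c = crc8_update(0xFFu, idb, 2);
    c = crc8_update(c, frame + 1, E2E_PAYLOAD_LEN - 1);
    return (uint8_t)(c ^ 0xFFu);
}

void e2e_protect(e2e_tx_t *tx, const uint8_t app[6], uint8_t frame[E2E_PAYLOAD_LEN])
{
    frame[1] = (uint8_t)(tx->tx_counter & 0x0Fu);
    memcpy(frame + 2, app, 6);
    frame[0] = e2e_compute_crc(tx->data_id, frame);
    tx->tx_counter = (uint8_t)((tx->tx_counter + 1u) & 0x0Fu);
}

e2e_status_t e2e_check(e2e_rx_t *rx, const uint8_t frame[E2E_PAYLOAD_LEN], uint8_t app_out[6])
{
    if (e2e_compute_crc(rx->data_id, frame) != frame[0]) {
        return E2E_BAD_CRC;                   /* receiver state untouched */
    }
    uint8_t ctr = (uint8_t)(frame[1] & 0x0Fu);
    e2e_status_t st = E2E_OK;
    if (rx->have_last) {
        uint8_t delta = (uint8_t)((ctr - rx->last_counter) & 0x0Fu);
        if (delta == 0)               st = E2E_REPEATED;
        else if (delta > E2E_MAX_LOST + 1) st = E2E_WRONG_SEQ;
        else if (delta > 1)           st = E2E_LOST;
    }
    rx->last_counter = ctr;
    rx->have_last = true;
    if (st == E2E_OK || st == E2E_LOST) memcpy(app_out, frame + 2, 6);
    return st;
}

/* Constructed scenario; returns a bitmask of the checks that behaved as
 * intended (127 when all seven do). */
unsigned e2e_demo(void)
{
    unsigned ok = 0;
    uint8_t frame[E2E_PAYLOAD_LEN], out[6];
    const uint8_t app[6] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }; /* constructed data */
    e2e_tx_t tx    = { 0x0123, 0 };
    e2e_rx_t rx    = { 0x0123, 0, false };
    e2e_rx_t other = { 0x0124, 0, false };   /* receiver for a different message */

    e2e_protect(&tx, app, frame);                                        /* counter 0 */
    if (e2e_check(&rx, frame, out) == E2E_OK && memcmp(out, app, 6) == 0) ok |= 1u;
    e2e_protect(&tx, app, frame);                                        /* counter 1 */
    if (e2e_check(&rx, frame, out) == E2E_OK)        ok |= 2u;
    if (e2e_check(&rx, frame, out) == E2E_REPEATED)  ok |= 4u;          /* delivered twice */
    for (int i = 0; i < 3; i++) e2e_protect(&tx, app, frame);            /* counters 2,3,4; only 4 arrives */
    if (e2e_check(&rx, frame, out) == E2E_LOST)      ok |= 8u;
    for (int i = 0; i < 5; i++) e2e_protect(&tx, app, frame);            /* counters 5..9; only 9 arrives */
    if (e2e_check(&rx, frame, out) == E2E_WRONG_SEQ) ok |= 16u;
    frame[3] ^= 0x01u;                                                   /* single-bit corruption */
    if (e2e_check(&rx, frame, out) == E2E_BAD_CRC)   ok |= 32u;
    frame[3] ^= 0x01u;
    if (e2e_check(&other, frame, out) == E2E_BAD_CRC) ok |= 64u;        /* masquerade: wrong receiver */
    return ok;
}
```

What the counter cannot detect is a transmitter that has stalled entirely; the receiver additionally needs a timeout on the expected cycle time, which on this device is the kind of temporal check the SWT-based monitoring of the previous section provides on the sending side.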