Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors 52
— Typically such a layer would contain an E2E CRC, a sequence counter, a sender ID, and an
acknowledgement mechanism (if a transmission loss needs to be detected).
Assumption: [SCG18.083] If safety relevant, FlexRay and FlexCAN shall not be clocked directly by the
XOSC. [end]
NOTE
Directly using the XOSC as the source can expose the FlexRay or FlexCAN
engines to glitches that would otherwise be filtered by the PLL.
Customers can use the XOSC provided they implement safety mechanisms
to detect the effects of glitches. These mechanisms can be part of the fault
tolerant protocol.
An appropriate safety software protocol should be utilized for any communication peripheral employed to
meet ASIL D application requirements.
FlexRay, FlexCAN and Ethernet have no special safety mechanisms beyond those included in them by their
protocol specifications. The application software or operating system needs to provide the safety
measures on top of the IP modules to meet safety requirements.
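The following is an added example, not code from the safety manual or from NXP, of the kind of software safety layer the text describes for FlexRay, FlexCAN or Ethernet: each payload is wrapped with a sender ID, a sequence counter and an E2E CRC, and the receiver checks all three so that corruption, frames from the wrong source, repeated frames and lost frames are each detected. The frame layout, the CRC polynomial, the status codes and the function names are assumptions chosen for this example; a product would follow the E2E profile mandated by its safety concept.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not from the safety manual): a minimal end-to-end (E2E)
 * protection layer with a data/sender ID, a sequence counter and a CRC-16
 * appended to each payload, plus the receiver-side checks. Layout, CRC
 * polynomial and status codes are assumptions for this example. */

#define E2E_PAYLOAD_LEN 4u
#define E2E_FRAME_LEN   (1u + 1u + E2E_PAYLOAD_LEN + 2u)  /* id, counter, data, crc16 */

typedef enum {
    E2E_OK = 0,
    E2E_ERR_CRC,        /* bit errors or corrupted frame */
    E2E_ERR_WRONG_ID,   /* frame from an unexpected sender */
    E2E_ERR_REPEATED,   /* same counter as last frame: stale or repeated data */
    E2E_ERR_LOST        /* counter jumped: one or more frames missing */
} e2e_status_t;

typedef struct {
    uint8_t expected_id;
    uint8_t last_counter;
    int     have_last;  /* 0 until the first valid frame has been received */
} e2e_receiver_t;

typedef struct {
    uint8_t id;
    uint8_t counter;
} e2e_sender_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), computed bit by bit. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: build a protected frame and advance the sequence counter. */
void e2e_protect(e2e_sender_t *s, const uint8_t payload[E2E_PAYLOAD_LEN],
                 uint8_t frame[E2E_FRAME_LEN]) {
    frame[0] = s->id;
    frame[1] = s->counter;
    memcpy(&frame[2], payload, E2E_PAYLOAD_LEN);
    uint16_t crc = crc16_ccitt(frame, 2u + E2E_PAYLOAD_LEN);
    frame[2u + E2E_PAYLOAD_LEN] = (uint8_t)(crc >> 8);
    frame[3u + E2E_PAYLOAD_LEN] = (uint8_t)(crc & 0xFFu);
    s->counter++;  /* wraps from 255 to 0; the receiver's delta arithmetic accepts that */
}

/* Receiver side: validate CRC first, then sender ID, then counter continuity. */
e2e_status_t e2e_check(e2e_receiver_t *r, const uint8_t frame[E2E_FRAME_LEN]) {
    uint16_t crc_rx = (uint16_t)(((uint16_t)frame[2u + E2E_PAYLOAD_LEN] << 8) |
                                 frame[3u + E2E_PAYLOAD_LEN]);
    if (crc16_ccitt(frame, 2u + E2E_PAYLOAD_LEN) != crc_rx) return E2E_ERR_CRC;
    if (frame[0] != r->expected_id) return E2E_ERR_WRONG_ID;
    uint8_t ctr = frame[1];
    if (r->have_last) {
        uint8_t delta = (uint8_t)(ctr - r->last_counter);  /* modulo-256 distance */
        if (delta == 0u) return E2E_ERR_REPEATED;
        if (delta != 1u) { r->last_counter = ctr; return E2E_ERR_LOST; }  /* resync after loss */
    }
    r->last_counter = ctr;
    r->have_last = 1;
    return E2E_OK;
}
```

The CRC is checked before anything else so that a corrupted ID or counter is reported as corruption rather than as a protocol violation; the counter is resynchronised after a detected loss so that one dropped frame does not cause every later frame to be rejected. Acknowledgement, the fourth element the text lists, is a transmit-side timer around this exchange and is not shown here.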
3.3.24 Temperature sensor (TSENS)
The MPC5777M includes an on-board temperature sensor that monitors device temperature and delivers
an analog output signal.
The analog output signal is internally connected to an ADC input to acquire a value which is proportional
to the temperature. Starting from this value, software can measure the current device temperature.
This analog path requires some software steps (for example, acquiring the value and applying a formula
to obtain the temperature).
Assumption: [SM_FMEDA_039] Software shall read the analog output of the temperature sensor via the
ADC and check for temperature violations at least once per FTTI. [end]
NOTE
If only the analog output indicates undertemperature or overtemperature
(but no digital indication), a TSENS failure might be indicated.
3.3.25 Analog to Digital Converters
The basic idea to verify the integrity of the functional ADCs is to implement software redundancy. This
redundancy is supported by the hardware which allows acquiring analog inputs using independent ADC
modules [1].
To decrease the probability of common cause failure, the supervisor ADC and the functional ADC do not
share the same analog multiplexer.
[1] Simultaneous sampling of two ADCs on the same analog input is not allowed (see the MPC5777M Reference
Manual for details).
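The following is an added example, not code from the safety manual or from NXP, that combines the two software steps described in this section and in 3.3.24: a functional ADC reading is cross-checked against the supervisor ADC (sampled sequentially, since the footnote rules out simultaneous sampling of the same input), the agreed code is converted to a temperature and compared with limits, and the routine records when it last ran so that a check missed for longer than one FTTI is itself reported. The ADC read functions, the linear conversion coefficients, the tolerance, the temperature limits and the FTTI value are all assumptions for this example, not MPC5777M parameters; the real conversion formula is in the device documentation.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example (not from the safety manual): software redundancy for an ADC
 * reading using the temperature sensor channel as the input, with limit
 * checking and FTTI cadence monitoring. All numeric parameters below are
 * assumptions for this example. */

#define ADC_TOLERANCE_LSB   8      /* assumed allowed mismatch between the two ADCs */
#define TEMP_MIN_C          (-40)  /* assumed lower temperature limit */
#define TEMP_MAX_C          125    /* assumed upper temperature limit */
#define FTTI_MS             10u    /* assumed fault tolerant time interval */

typedef enum {
    TEMP_OK = 0,
    TEMP_ERR_ADC_MISMATCH,   /* functional and supervisor ADC disagree */
    TEMP_ERR_UNDER,          /* below TEMP_MIN_C */
    TEMP_ERR_OVER,           /* above TEMP_MAX_C */
    TEMP_ERR_FTTI_MISSED     /* previous check is older than one FTTI */
} temp_status_t;

/* Function pointers stand in for the two independent ADC acquisitions so the
 * logic can be exercised offline with constructed samples. */
typedef uint16_t (*adc_read_fn)(void);

typedef struct {
    adc_read_fn read_functional;
    adc_read_fn read_supervisor;
    uint32_t    last_check_ms;
    int         have_last;
} temp_monitor_t;

/* Assumed linear transfer function: code 2048 at 25 C, 8 LSB per degree. */
static int32_t adc_code_to_celsius(uint16_t code) {
    return 25 + ((int32_t)code - 2048) / 8;
}

/* One safety check cycle; 'now_ms' is the caller's time base. A reading
 * fault takes precedence over a missed-cadence fault in the return value. */
temp_status_t temp_monitor_check(temp_monitor_t *m, uint32_t now_ms, int32_t *temp_out) {
    temp_status_t status = TEMP_OK;
    /* Cadence check: the previous check must be at most one FTTI old. */
    if (m->have_last && (now_ms - m->last_check_ms) > FTTI_MS) status = TEMP_ERR_FTTI_MISSED;
    m->last_check_ms = now_ms;
    m->have_last = 1;

    /* Sequential acquisition: the two ADCs never sample the input at the same time. */
    uint16_t a = m->read_functional();
    uint16_t b = m->read_supervisor();
    if (abs((int)a - (int)b) > ADC_TOLERANCE_LSB) return TEMP_ERR_ADC_MISMATCH;

    int32_t t = adc_code_to_celsius(a);
    if (temp_out) *temp_out = t;
    if (t < TEMP_MIN_C) return TEMP_ERR_UNDER;
    if (t > TEMP_MAX_C) return TEMP_ERR_OVER;
    return status;
}

/* Constructed sample sources used in place of real ADC hardware. */
uint16_t sample_functional = 2048u;
uint16_t sample_supervisor = 2048u;
static uint16_t stub_read_functional(void) { return sample_functional; }
static uint16_t stub_read_supervisor(void) { return sample_supervisor; }
temp_monitor_t temp_monitor_demo = { stub_read_functional, stub_read_supervisor, 0u, 0 };
```

On the target the two stubs would be replaced by acquisitions on the functional and supervisor ADC instances, and the caller would be the periodic task that the assumption [SM_FMEDA_039] requires to run at least once per FTTI; the cadence check catches the case where that task is starved or stops.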