Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors
Assumption: [SM_FMEDA_157] Analog inputs, which are safety relevant, shall be acquired redundantly 
by the functional and supervisor ADCs. The acquired values shall be compared by software. (1) [end]
NOTE
Other types of redundancy can be implemented at application level. For 
example, information can be acquired redundantly by the MCU using 
analog data, i.e. via ADC, and digital data, i.e. via a communication 
protocol. Choosing the best strategy depends on the application.
This assumption is the main measure to be implemented. Some additional measures have been considered 
during the safety analysis to guarantee the integrity of all modules involved with the analog acquisition.
The SD ADC is expected to convert fast signals. The redundant acquisitions may not be effective if the 
frequency of the input analog signal is too high compared to conversion time and the time between the 2 
redundant acquisitions. In such a case other mechanisms can be implemented, for example plausibility 
checks.
Assumption: [SM_FMEDA_158] In case the analog input signal is expected to have certain 
dynamic/transient characteristics which make the redundant acquisition ineffective, the acquired data shall 
be analyzed for such characteristics to verify the plausibility of the conversion. [end]
NOTE
This measure mainly applies to the SDADC, which is intended to convert 
fast signals. The user is expected to implement such a mechanism when the 
redundant acquisition is not effective, for example due to the dynamics of the 
input signal.
An example of this mechanism is to verify if the FFT of the input signal is compatible with the expected 
one.
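A minimal sketch of such a spectral plausibility check, added here as an illustration and not taken from the NXP manual: instead of a full FFT it evaluates a single DFT bin with the Goertzel recurrence and checks that most of the AC energy of a sample block lies at the expected frequency. The function names, the int16_t sample type, the 24-sample block and the 0.8 threshold are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Fraction (0..1) of the AC energy in x[0..n-1] found at one DFT bin k.
 * coeff = 2*cos(2*pi*k/n), precomputed offline for the expected frequency. */
float bin_energy_fraction(const int16_t *x, size_t n, float coeff)
{
    float mean = 0.0f, s1 = 0.0f, s2 = 0.0f, total = 0.0f;
    if (n == 0) return 0.0f;
    for (size_t i = 0; i < n; i++) mean += (float)x[i];
    mean /= (float)n;
    for (size_t i = 0; i < n; i++) {
        float v = (float)x[i] - mean;    /* remove the DC offset */
        float s0 = v + coeff * s1 - s2;  /* Goertzel recurrence */
        s2 = s1;
        s1 = s0;
        total += v * v;
    }
    if (total < 1.0f) return 0.0f;       /* flat block, e.g. a stuck conversion */
    float bin = s1 * s1 + s2 * s2 - coeff * s1 * s2;  /* |X[k]|^2 */
    return 2.0f * bin / ((float)n * total);            /* bins k and n-k */
}

/* 1 = plausible, 0 = report a fault. min_fraction is an application-chosen
 * threshold (assumption, not a value from the manual). */
int sdadc_block_plausible(const int16_t *x, size_t n, float coeff, float min_fraction)
{
    return bin_energy_fraction(x, n, coeff) >= min_fraction;
}

/* Constructed inputs, one period each (not captured data). */
static const int16_t TONE_EXPECTED[6] = { 0, 866, 866, 0, -866, -866 }; /* bin 4 of 24 */
static const int16_t TONE_WRONG[4] = { 0, 866, 0, -866 };               /* bin 6 of 24 */
static const int16_t STUCK[1] = { 0 };

/* Repeat a pattern into a 24-sample block around mid-scale and test it
 * against expected bin 4, where coeff = 2*cos(2*pi*4/24) = 1. */
int check_pattern(const int16_t *pat, size_t plen)
{
    int16_t buf[24];
    for (size_t i = 0; i < 24; i++) buf[i] = (int16_t)(2048 + pat[i % plen]);
    return sdadc_block_plausible(buf, 24, 1.0f, 0.8f);
}

int main(void)
{
    return (check_pattern(TONE_EXPECTED, 6) == 1 && check_pattern(TONE_WRONG, 4) == 0
            && check_pattern(STUCK, 1) == 0) ? 0 : 1;
}
```

If the expected frequency does not fall on an exact bin of the block, spectral leakage lowers the measured fraction, so the block length and threshold have to be chosen with that in mind.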
Assumption: [SM_FMEDA_159] Software periodically checks the contents of configuration registers of 
ADCs to ensure that the configuration has not accidentally changed. [end]
NOTE
This counter-measure is part of the one described in Section 3.3.2, CRC of 
configuration registers.
ADCs embed an analog watchdog mechanism that automatically triggers a DMA/interrupt request when the 
converted value is outside configurable thresholds. The integrity of this hardware mechanism and the 
proper generation of DMA and interrupt requests from the ADC can be verified by software.
Assumption: [SM_FMEDA_160] Once every FTTI, the ADC shall trigger a DMA/interrupt request by 
manipulating the thresholds of the analog watchdog with respect to a reference conversion. [end]
1. Functional and supervisor ADCs share the same bias; a specific software mechanism to detect failures affecting the
bias is presented (for example, SELFTEST_SARB_FTTI).