Safety Manual for MPC5777M, Rev. 1.1
Functions of external devices for ASIL D applications
NXP Semiconductors58
Assumption: [SM_FMEDA_115]No more than 20% of the entire address space contains writable
safety-relevant modules or data. [end]
Assumption: [SM_FMEDA_116]To avoid excessive accesses to shared resources, the NoSaMo cores
(Core_1 and Core_2) have lower XBAR priority than the Safety Core (Master Core and Checker Core).
[end]
Assumption: [SM_FMEDA_123]The local memories of the NoSaMo cores must not be used to store
safety-relevant data, or only if software protection against spurious changes by the NoSaMo cores exists.
[end]
Assumption: [SM_FMEDA_117]To avoid unwanted software interrupts triggered by the Peripheral Core
(Core_2) and Computational Core (Core_1) which are handled by the Safety Core, one of the following
holds: [end]
• Accidental access to the triggering registers of these interrupts is prevented (typically by SMPU
and/or AIPS_PACR)
• There exists an additional indicator (in addition to the triggering register, for example, a variable
in RAM) which can be used to execute an ISR_CHECK_TRIGGER_SET (on page 39) like
functionality.
Alternatively, the Safety Core could be configured to ignore software triggered interrupts.
Assumption: [SCG18.953] Safety-relevant software will enable the INTC_MPROT lock bit. [end]
4 Functions of external devices for ASIL D applications
This section describes the external components needed to use with MPC5777M in a system for ASIL D
applications. It is assumed that the system reacts safely to MPC5777M being in or entering all Safe
state
MCU
.
It should be noted that the failure rates of external services are not included in the FMEDA of MPC5777M
and have to be included in the system FMEDA by the user himself.
4.1 External reset output
MPC5777M has pin named external reset output (ESR0). The signal on this pin can be used as input to
one, or more, external devices. It is possible that an unwanted or spurious assertion of ESR0 may not be
detected by the MPC5777M. This could cause the external device to get reset without any automatic
detection by MPC5777M. Assumption is that countermeasures against this failure mode must be
considered at system level.
Assumption: [SM_FMEDA_118]System level I/O safety measures have at least 99% DC against joint
spurious reset of all external devices. [end]
4.2 High impedance outputs
System-level countermeasures have to be placed in order to bring the safety-critical outputs to their safe
state (for example, by pull-up or pull-down resistors) when an output high-impedance is not considered
To Next Page
Loading...
