Functions of external devices for ASIL D applications
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 59
safe. Normally this requirement will be fulfilled by ensuring the error out pin(s) are pulled to the failure
state. Additionally, users may drive pins (for example, CAN Tx pins) to levels that prevent interference
with other parts of the system that are assumed to be independent.
Assumption: [SCG18.086]If a high impedance state on an output pin is not safe, pull-up or pull-down
resistors need to be added to outputs that are safety-critical depending on application requirements for the
MPC5777M during unpowered or reset conditions. [end]
4.3 External Watchdog (EXWD)
An external device, acting as supervisor of the operations, must provide a watchdog to cover
common-cause failures of MPC5777M for ASIL D applications.
Assumption: [SCG18.087]An external watchdog shall exist to detect failures completely disabling the
MPC5777M, including its safety mechanisms. [end]
The external watchdog will detect CCFs, such as failure of the power supply. If a failure is detected, the
external watchdog should move the system to a Safe state
system
within the FTTI.
Assumption: [SCG18.088]The EXWD shall be triggered periodically, either by the software providing
the safety function on the MPC5777M or by a toggling protocol on the error output pin(s). [end]
Implementation of the watchdog communication between MPC5777M and the external device is up to the
user (for example, communication via serial link, ethernet, via toggling pin, or via the FCCU error out
signals).
Assumption: [SM_FMEDA_119]To avoid undetected reset cycling under rare circumstances the external
watchdog will not be reset by the MCU reset output. [end]
NOTE
There must be a signalling path from the safety software to the external
system through which the software can confirm correct initialization. This
is not automatically guaranteed by the FI[n] signals which communicate the
status of the device independently from software. On the other hand, a
different communications interface (such as a serial link) can be used to
detect incorrect software initialization.
4.4 Power supply
Assumption: [SCG18.089]The device has been developed with the assumption that an external power
supply of appropriate voltage shall be supplied (see the MPC5777M Data Sheet’s for operating voltage
specifications). All internal and external supplies are considered safety critical and shall be monitored for
deviations beyond predefined thresholds. [end]
Assumption: [SCG18.090]External power supply shall be supervised for high and low voltage deviations
as shown in Table 2. Required monitors for each power supply can be found in column “External monitor
required”. [end]
To Next Page
Loading...
