Functional safety requirements for application software
Safety Manual for MPC5777M, Rev. 1.1
NXP Semiconductors 9
Assumption: [SM_FMEDA_004] Boot-time failure handling shall be handled before the safety function
starts execution. Typically, the reaction is to not let the safety function start and give a failure indication to
the user. [end]
3 Functional safety requirements for application
software
This section gives an overview of the necessary or recommended measures when using the individual
components of the MPC5777M. If a module in the MPC5777M is used without following the required
actions, there is a risk that the safety certificate for the entire MCU, or other modules if the failure
interferes with their operation, may be invalidated.
It is possible to ignore the required measures if equivalent measures to manage the same failures are
alternatively included.
Modules not explicitly covered by this document do not require any safety specific software measures.
To assist continuous product improvement, it is recommended to report field failures which occur despite
following these measures to NXP Semiconductors in accordance with ISO 26262-7 Chapter 6.4.2.1.
3.1 Disabled modes of operation
The system and application software must ensure that the functions described in this section are not
activated while running safety-relevant operations.
3.1.1 Debug mode
The debugging facilities of the MPC5777M are a potential source of failure when activated during the
operation of safety-relevant applications. They can halt the cores, cause breakpoint hits, write to core
registers and the address space, and activate boundary scan. The MCU must therefore not enter debug
mode to avoid interference with the normal operation of the application software.
The state of the JCOMP pin determines whether the system is being debugged or whether the system
operates in normal operating mode. When the JCOMP pin is logic low, the JTAGC TAP controller is kept
in reset for normal operating mode. When it is logic high, the JTAGC TAP controller is enabled and the
system can enter debug mode if requested. The system must ensure that it does not attempt to enable debug
mode by externally asserting the JCOMP pin during boot up. Otherwise, a fault condition signal will be
sent to the FCCU.
Assumption: [SCG18.023]Debugging will be disabled in the field while the device is being used for
safety-relevant functions. [end]
Assumption: [SCG18.024]For normal operation, software needs to configure any module that is safety
relevant (such as SWT) to continue execution during debug mode and to not freeze the module operation
if debug mode is entered. [end]
To Next Page
Loading...
