NXP Semiconductors MPC5777M Safety Manual

NXP Semiconductors
Document Number: MPC5777M_GMSM
Rev. 1.1, 10 Apr 2017
Safety Manual
Safety Manual for MPC5777M


Summary of Contents for NXP Semiconductors MPC5777M

  • Page 1 NXP Semiconductors Document Number: MPC5777M_GMSM Rev. 1.1, 10 Apr 2017 Safety Manual Safety Manual for MPC5777M...
  • Page 2: Table Of Contents

    Document revision history ......93 3.3.9 ECC Bypass using core registers and Indirect Safety Manual for MPC5777M, Rev. 1.1 NXP Semiconductors...
  • Page 3: Preface

    What this means for designers using the MPC5777M is that if they don’t fulfill a specific Safety Manual (SM) assumption they have to show that their alternative solution is similarly efficient concerning the...
  • Page 4: General Information

    NXP Semiconductors NDA (contact your NXP Semiconductors representative). General information: Mission profile. The lifetime of an MPC5777M is 20 years, which is equivalent to 20,000 hours of active operation for the MCU. The assumed mission profile is: • Lifetime: 20 years •...
  • Page 5: Safety Goals

    Assumption: [SM_FMEDA_002] The application shall identify and signal such switching as a failure condition. [end] If the MPC5777M signals an internal failure via its error out signals (FI[0], FI[1]), the surrounding subsystem should no longer use the MPC5777M outputs for safety functions since these signals are no longer considered reliable.
  • Page 6: Correct Operation

    If bi-stable protocol is selected, it is possible to use only one of the two error output pins on the MPC5777M. Since the pin multiplexing that is utilized for each of the error output signals works differently, FI[0] should be the signal used in this configuration.
  • Page 7: Failure Indication Time

    The failure indication time of the MPC5777M is finite. It must be taken into account when determining application safety strategies since failure indication time plus reaction time on this indication by the system must be less than the FTTI.
  • Page 8: Failure Handling

    • External failure input (via FI[0] pin) The different failure sources, as represented by the FCCU failure inputs, are shown in “FCCU failure inputs” table in the “Functional Safety” chapter of the MPC5777M Reference Manual. Available failure reactions include: •...
  • Page 9: Functional Safety Requirements For Application Software

    This section gives an overview of the necessary or recommended measures when using the individual components of the MPC5777M. If a module in the MPC5777M is used without following the required actions, there is a risk that the safety certificate for the entire MCU, or other modules if the failure interferes with their operation, may be invalidated.
  • Page 10: Test Mode

    [SCG18.121]To determine whether two functions on two package balls are adjacent to each other, refer to the mechanical drawings of the packages (see the MPC5777M Data Sheet) together with the spheres (balls) number information of the packages as seen in the MPC5777M Reference Manual’s “System Integration Unit Lite2 (SIUL2)”...
  • Page 11: MCU Configuration

    Records” chapter of the MPC5777M Reference Manual for details. See the “IOP applies device settings” section in the “Reset and Boot” chapter of the MPC5777M Reference Manual for details on the IOP phase of the boot. Assumption: [SM_FMEDA_005] FMEDA assumes that the device is properly configured by the DCF records in the UTEST sector of the flash memory to enable the Hardware Security Module (HSM) / I/O Processor (Core 2) handshaking during the boot phase.
  • Page 12: Mode Entry (MC_ME)

    The monitoring and types of reactions can be enabled in the FCCU for the following fault inputs: • [SM_FMEDA_015] Compensation disable (FCCU ch 53) [end] • [SM_FMEDA_016] SAFE mode (FCCU ch 52) [end] 1. See the “Module classification” table in the MPC5777M Reference Manual’s “Functional Safety” chapter for specific module safety classification.
  • Page 13: Start-Up Configuration Check

    3.2.5 Dual core lockstep mode The MPC5777M device operates in delayed lockstep mode (LSM) to allow the highest safety level to be reached. The Checker Core will receive all inputs delayed by two clock cycles. Outputs of the Checker Core will be compared with outputs of the Master Core. Any differences will be flagged as an error which will be processed by the FCCU.
  • Page 14 The error indication on pins, FI[0] and FI[1], are controlled by the SIUL2 and FCCU. The field SIUL2_MSCR[SMC] can be configured to have the output buffer disabled when the MPC5777M enters Safe mode (for example, for FI[0], SIUL2_MSCR27[SMC] = 0, and for FI[1], SIUL2_MSCR34[SMC] = 0).
  • Page 15: Reset Generation Module (MC_RGM)

    To detect a loop of continuous functional resets, the MPC5777M supports functional reset escalation which can be used to generate a destructive reset if the number of functional resets reaches the programmed value.
  • Page 16 For some events, the MC_RGM can be configured to react not with a functional reset, but with a transition to the SAFE mode (see the description of the MC_RGM_FEAR in the MPC5777M Reference Manual). In such a case, one watchdog shall be kept enabled. If this watchdog times out, the FCCU shall move the MCU into one of its safe states.
  • Page 17: Self-Test Completion

    Self-Test Control Unit (STCU2). The STCU2 will execute automatically after a power-on reset (POR), external reset and destructive reset, and will also execute when initiated by software (online self-test). The MPC5777M logic is grouped into ten LBIST partitions used for both production testing and self-test.
  • Page 18 SBEs exceeding the maximum tolerated number (<= 8 due to MEMU buffer size) and self-test failures. [end] NOTE See the “Off-Line Self-Test Sequence” section in the MPC5777M Reference Manual for details about test sequencing and completion validation. The STCU2, as well as LBIST and MBIST controllers, are themselves subject to failures, which may prevent self-tests from executing correctly (for example, no self-test execution, or execution of the wrong algorithm).
  • Page 19 (for example, by supervising test execution time or periodically polling STCU2 status (checking STCU2_RUNSW[RUNSW], or STCU2_INT_FLG[MBIFLG] (for MBIST) and STCU2_INT_FLG[LBIFLG] (for LBIST)). [end]
  • Page 20: MEMU Initial Checks

    3.2.10 Flash memory configuration and tests MPC5777M provides 8.7 MB of programmable non-volatile (NVM) flash memory with ECC which can be used for instruction and/or data storage. Assumption: [SM_FMEDA_036]To detect failures where a wrong or multiple selection targets a different block while programming, application SW shall configure flash memory blocks as read only when not the target of a write operation.
  • Page 21: Voltage Monitor Configuration

    To assist in maintaining functional safety, the Power Management Controller (PMC) monitors various supply voltages of the MPC5777M device. The “POR and voltage monitors description” table in the “Power management” chapter of the MPC5777M Reference Manual shows a detailed list of the LVDs and HVDs embedded in the MPC5777M.
  • Page 22 LVD/HVD threshold. The LVDs/HVDs are monitored by SARADC_B input channels 96 to 101 and 112 to 119 (see the MPC5777M Reference Manual’s “Analog-to-Digital Converters (ADC) Configuration”...
  • Page 23: Temperature Monitoring Configuration

    SARB input channel 120. To set a proper threshold the customer must consider the maximum operating junction temperature (see the MPC5777M Data Sheet for the temperature sensor accuracy and maximum junction temperatures).
  • Page 24: Clock Monitoring Configuration

    If a supervised clock leaves the specified range for the device, an error signal is sent to the FCCU. MPC5777M includes the CMUs as shown in the “Clocking” chapter of the MPC5777M Reference Manual. It is the responsibility of the software to verify that the IRCOSC and XOSC are valid before starting the CMUs.
  • Page 25: System Clock Availability

    2. MC_ME_GS[S_IRC] = 1 verifies a valid IRCOSC. 3. The quality of the IRCOSC frequency is determined by clock metering, measuring the IRCOSC against the XOSC (see the MPC5777M Reference Manual’s “Clock Monitoring Unit (CMU)” chapter for details). 4. Based on the measurement from step 3, software shall update the user trim bits of the internal oscillator (IRCOSC_CTL[USER_TRIM]).
  • Page 26: PLL Generated Clocking

    PLL generated clocking MPC5777M provides dual PLLs (PLL0 and PLL1) for separate system and peripheral clocks. [SCG18.145]Each PLL provides a glitch-free and fast clock to the MPC5777M and provides a loss of lock signal that is routed to the FCCU. [end] To reduce the impact of glitches stemming from the XOSC, the FMPLL (PLL1) should be used as the system clock.
  • Page 27: Wake-Up Unit (WKPU) / External NMI

    PFCRCR[SAFE_CAL]. After reset, calibration overlay regions are considered to be safety-relevant (PFCRCR[SAFE_CAL] = 0; see the “e2eECC and Calibration Accesses” section of the MPC5777M Reference Manual for details). 3.2.19 Wake-Up Unit (WKPU) / External NMI. Assumption: [SM_FMEDA_167] NMI will only be used for error notifications or other uses where all dangerous failures are latent failures.
  • Page 28: Analog To Digital Converters

    ADCs (both SD and SAR) are connected to the supervisor ADC. 1. Simultaneous sampling of two ADCs on the same analog input is not allowed (see the MPC5777M Reference Manual for details).
  • Page 29 • Internal analog voltages listed in section “Internal reference” of the “Analog-to-Digital Converters (ADC) Configuration” chapter of the MPC5777M Reference Manual. A similar procedure shall be applied on the functional ADCs that will be used for acquiring safety relevant data as described hereafter.
  • Page 30: Temperature Sensor (TSENS)

    3.2.23 Temperature sensor (TSENS) The MPC5777M includes a temperature sensor that monitors device temperature. The temperature sensor only has an analog output that can be used. Assumption: [SM_FMEDA_156]Before the safety application starts, software shall configure the ADC measurement of the analog output of the temperature sensor to trigger an event if the temperature is outside of the permitted range.
  • Page 31: CRC Of Configuration Registers

    The CRC unit offloads the core in computing a CRC checksum. There are three sets of CRC registers to allow concurrent CRC computations in the MPC5777M device. The CRC unit should be used to detect accidental modifications of data in configuration registers by calculating its CRC signature and comparing it against a pre-calculated CRC.
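The pattern the manual describes on this page, as an added C example that is not NXP's code: a signature is taken over the configuration registers once after initialisation and re-computed periodically. A software CRC-32 stands in for the CRC unit, and the three "registers" are constructed static variables so the code runs on a host. The practitioner point it demonstrates is the mask: hardware-updated status bits must be excluded from the signature, or a perfectly healthy device will fail the check. The names cfg_reg_t, cfg_signature, cfg_check and cfg_demo are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not NXP code. Register addresses and values are CONSTRUCTED. */

typedef struct {
    volatile uint32_t *reg;   /* memory-mapped configuration register */
    uint32_t mask;            /* bits that hold configuration; status bits are masked out */
} cfg_reg_t;

/* Reflected CRC-32 (polynomial 0xEDB88320), bitwise, no init/final inversion. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}

/* Standard CRC-32 of a byte string (check value for "123456789" is 0xCBF43926). */
uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    return ~crc32_update(0xFFFFFFFFu, p, n);
}

/* Signature over the masked register values, fed little-endian byte by byte. */
uint32_t cfg_signature(const cfg_reg_t *regs, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        uint32_t v = *regs[i].reg & regs[i].mask;
        uint8_t b[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
        crc = crc32_update(crc, b, 4);
    }
    return ~crc;
}

/* Periodic check: 1 if the live signature still matches the golden value. */
int cfg_check(const cfg_reg_t *regs, size_t n, uint32_t golden) {
    return cfg_signature(regs, n) == golden;
}

/* CONSTRUCTED stand-ins for three memory-mapped registers. */
static uint32_t sim_ctrl = 0x00000041u;   /* module control register, all bits configuration */
static uint32_t sim_pcr  = 0x00001234u;   /* pad configuration, only the low 16 bits are used */
static uint32_t sim_stat = 0x80000000u;   /* control register whose bit 31 is a hardware status flag */

/* Walks the three behaviours a practitioner needs; returns 7 when all hold. */
int cfg_demo(void) {
    const cfg_reg_t regs[] = {
        { &sim_ctrl, 0xFFFFFFFFu },
        { &sim_pcr,  0x0000FFFFu },
        { &sim_stat, 0x7FFFFFFFu },   /* exclude the status bit from the signature */
    };
    size_t n = sizeof regs / sizeof regs[0];
    uint32_t golden = cfg_signature(regs, n);   /* taken once, after initialisation */
    int r = 0;
    if (cfg_check(regs, n, golden)) r |= 1;     /* unchanged registers pass */
    sim_stat ^= 0x80000000u;                     /* status bit toggles during normal operation */
    if (cfg_check(regs, n, golden)) r |= 2;     /* masked bit: still passes */
    sim_pcr ^= 0x00000004u;                      /* accidental write to a configuration bit */
    if (!cfg_check(regs, n, golden)) r |= 4;    /* detected */
    sim_pcr ^= 0x00000004u;                      /* restore so the demo is repeatable */
    sim_stat ^= 0x80000000u;
    return r;
}

int main(void) {
    printf("cfg_demo = %d (7 means pass/ignore-status/detect all hold)\n", cfg_demo());
    return 0;
}
```

On the target the masked words would be written to one of the three CRC register sets instead of the software loop, but the masking decision is the same; a signature that includes a status bit is a check that will fire on its own.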
  • Page 32: XBAR Usage

    On the other hand, SMPU failures resulting in missing memory protection are considered critical only if coupled with other failures causing the undesired access to protected data (note that systematic failures, besides random HW failures, can lead to this scenario).
  • Page 33: Platform Flash Memory Controller

    3.3.6.1 Overlay operations Overlay SRAM is included in the MPC5777M family of devices as part of a comprehensive set of calibration and debug features. It is recommended that overlay SRAM be used only for these tasks and not for wide scale general functionality in production since the safety mechanisms have only limited CCF protection.
  • Page 34 This test should execute after every program or erase operation. [end] NOTE In addition, this test prevents the return of stale data from the PFLASH controller minicache.
  • Page 35: PRAMC Configuration

    3.3.6.4 EEPROM emulation The MPC5777M provides eight blocks (8 × 64 KB) of the flash memory for EEPROM emulation. ECC events detected on accesses to the EEPROM flash memory blocks are not reported to the MEMU. Single-bit corrections (SBCs) are performed, but not signaled to the MEMU. MBEs are replaced by a fixed word (for example, an illegal instruction) and are also not forwarded to the MEMU.
  • Page 36: RAM

    In such a case, if data is read out of the RAM, an event should be detected by the ECC, which perceives an All-X code-word as an invalid code. But in the MPC5777M there are some RAMs whose address is included in the ECC checksum calculation to increase the diagnostic coverage in case of addressing failures.
  • Page 37 • Single-bit error in the data part that is detected via ECC for a system RAM, peripheral RAM or flash memory • Single-bit error in the data part that is detected via MBIST on any RAM
  • Page 38: ECC Bypass Using Core Registers And Indirect

    During test, or development, the need for direct access to all RAM bits that is not filtered through the ECC logic may arise. Memory locations can be accessed directly either via processor core access or the IMA module (see the MPC5777M Reference Manual’s “Indirect Memory Access (IMA)” chapter).
  • Page 39: Decorated Storage Memory Controller (DSMC)

    Decorated Storage Memory Controller (DSMC) DSMC gives the hardware support to have atomic read-modify-write memory operations in the MPC5777M microcontroller. These capabilities are called decorated storage. FMEDA assumes some limitations on the usage of the DSMC. Assumption: [SM_FMEDA_079]Safety analysis assumes the following usage of the DSMC: 1.
  • Page 40: eDMA Usage

    MC_RGM_FERD and MC_RGM_FEAR register contents). [end] NOTE If the MC_RGM triggers a transition request to SAFE mode, no interrupt is triggered by the MC_RGM. An interrupt will be triggered by the MC_ME.
  • Page 41: Detection Of Unwanted Resets

    Registers (RGM_PRST[n]). This can be prohibited by using the access control mechanisms of the MPC5777M such as the MPU or PAC. In case those are not used, and also to detect spurious resets caused by SEE, the following describes how such spurious resets can be detected.
  • Page 42 Table 1. Effects of reset. Columns: Receiving module | Software control | Detection | Software action required?
    Peripheral core_2 | ME_CCTL[0] | non safety related |
    Main core_0 (Safety Core) | ME_CCTL[1] | RCCU |
    Main core_0s (Checker Core) | ME_CCTL[2] | RCCU |
    Main core_1 (Computational Core) | ME_CCTL[3] | non safety related |
    ... | ME_CCTL[4] | non safety related |
    dspi_0 | RGM_PRST[99] | ...
  • Page 43 Table 1. Effects of reset (continued)
    psi5_0 | RGM_PRST[111] | Disable mode is the default state after module reset is released (GCR[GLOBAL_DISABLE_REQ]rst = 1). Also, any channel is individually disabled (PSI5_CH_Enrst = 0). | NO, after reset RX, TX and common time base are disabled
    psi5_1 | RGM_PRST[239] | (same entry as psi5_0) | (same as psi5_0)
  • Page 44 Table 1. Effects of reset (continued)
    GTM | RGM_PRST[128] | This is the AEI (CPU interface hardware) reset. After the reset the MDIS bit becomes active, removing the clocks from GTM (MDISrst = 1). All outputs will stop at the present value when the clock is just removed. | YES, application dependent
  • Page 45 Table 1. Effects of reset (continued)
    adcsd_dig_0 | RGM_PRST[60] | For SDADCDig the conversion start sequence steps are the following: 1) After System Reset Deassertion, enable SDADC by writing the MCR.EN bit ... | NO, after reset no ADCSD conversion can be started
    adcsd_dig_1 | RGM_PRST[188] | (same entry as adcsd_dig_0) | (same as adcsd_dig_0)
    adcsd_dig_2 | RGM_PRST[59] | ...
  • Page 46 Table 1. Effects of reset (continued)
    lfast_0 | RGM_PRST[9] | Module enable DRFENrst = 0. After reset LFAST is immediately disabled. All current/pending requests are terminated and the Tx and Rx data FIFOs are flushed. If a reset occurs in the middle of a transmit/receive operation, then that operation is terminated immediately and nothing is transmitted/received further. |
  • Page 47: Periodic Interrupt Timer (PIT)

    (for example, DSPI or LINFlex). Assumption: [SCG18.952] Different data coding or message transfer timing is used for redundant communication over DSPI_4 and DSPI_5. [end] Users can choose the approach that better fits their needs.
  • Page 48 (PBRIDGE). The arrangement of the I/O peripherals onto two PBRIDGEs allows redundant use of peripherals while limiting CCFs. The MPC5777M architecture allows making redundant use of the communication peripherals like LINFlexD, DSPI and PSI5.
  • Page 49 NOTE Additional details can be found in the “I/O peripherals” section in the “Functional Safety” chapter of the MPC5777M Reference Manual. There are modules, particularly on-platform peripherals as INTC and eDMA, with a single peripheral interface. For these modules, the integrity of accesses to their register interface is not guaranteed by the PBRIDGE replication, and the following assumptions are required to cover failures affecting the value of data read from or written to their register interface.
  • Page 50: System Integration Unit Lite (SIUL2)

    Assumption: [SM_FMEDA_101] IRQs from the LFAST module should be disabled on the Safety Core to prevent faulty LFAST communication from interfering with the execution of a safety related task. If not disabled, other measures shall be implemented to detect possible IRQ flooding. [end]
  • Page 51: Reading Analog Inputs

    Using the SWT to detect clock issues is a secondary measure since there are primary means for checking the clock integrity (for example, CMU). MPC5777M provides the hardware support (SWT) to implement both control flow and temporal monitoring methods. If Windowed mode and Keyed Service mode (two pseudorandom key values used to service the watchdog) are enabled, it is possible to reach a high effective temporal flow monitoring.
  • Page 52: Temperature Sensor (TSENS)

    To decrease the probability of common cause failures, the supervisor ADC and the functional ADC do not share the same analog multiplexer. 1. Simultaneous sampling of two ADCs on the same analog input is not allowed (see the MPC5777M Reference Manual for details).
  • Page 53 [end] 1. Functional and supervisor ADCs share the same bias; a specific software mechanism to detect failures affecting the bias is presented (for example, SELFTEST_SARB_FTTI).
  • Page 54 In case of SDADC the register showing status information is the SFR. Please check the SDADC section in the MPC5777M Reference Manual to have all details. Assumption: [SM_FMEDA_163]In case the DMA is used to transfer the converted data from ADC...
  • Page 55: Mode Entry (MC_ME)

    3.3.26 Mode Entry (MC_ME) The MPC5777M can be configured in different functional modes. Each mode has its own unique configuration (for example, enabled peripherals and clock). The mode configurations and the transition between different modes is controlled by the MC_ME. The correct execution of a mode transition shall be verified by application software.
  • Page 56: System Memory Protection Unit (SMPU)

    AIPS protection mechanism The peripheral bridges (PBRIDGEn) translate accesses on the switched AMBA bus (XBAR) to point-to-point accesses to the majority of peripherals on the MPC5777M. The peripherals connected to the PBRIDGEs are PBRIDGE slaves. The PBRIDGEs implement an additional protection mechanism to support the requirement that non-safety relevant masters and safety relevant masters do not interfere with one another.
  • Page 57: Register Protection (REG_PROT)

    Some hardware resources are shared between Core_1, Core_2 and the Safety Core (Master Core and Checker Core). It is required that interference of Core_1 and Core_2 with safety relevant modules is avoided.
  • Page 58: Functions Of External Devices For ASIL D Applications

    It is assumed that the system reacts safely to the MPC5777M being in or entering all Safe states. It should be noted that the failure rates of external services are not included in the FMEDA of the MPC5777M and have to be included in the system FMEDA by the user.
  • Page 59: External Watchdog (EXWD)

    Assumption: [SCG18.088]The EXWD shall be triggered periodically, either by the software providing the safety function on the MPC5777M or by a toggling protocol on the error output pin(s). [end] Implementation of the watchdog communication between MPC5777M and the external device is up to the user (for example, communication via serial link, ethernet, via toggling pin, or via the FCCU error out signals).
  • Page 60: Error Out Monitor (ERRM)

    High Voltage Detect (HVD) monitors. Safety relevant voltages are supervised for voltages that are out of these ranges. Since safety relevant voltages have the potential to disable the failure indication mechanisms of the MPC5777M (such as FCCU, Pads, and so on) their error indication directly causes a transition into the Safe state (for example, reset assertion).
  • Page 61: Both FCCU Pins Connected To External Device

    Two pins are not out of phase. NOTES: See the “EOUT interface” section in the “Fault Collection and Control Unit (FCCU)” chapter of the MPC5777M Reference Manual for details. If the Error phase is accompanied by a functional reset, FI[1]/EOUT1 becomes high-Z with a weak pull-up, while FI[0]/EOUT0 behaves as described.
  • Page 62 Assumption: [SM_FMEDA_122] If the system is using the MPC5777M in a single error output pin mode, the application software shall configure the pins and pads neighboring the FI[0] to use a lower drive strength.
  • Page 63: Address Decoding Coverage

    Faults impacting the addressing logic (for example, addressing faults) generally cause Multi Bit Errors (MBEs). The MPC5777M does not embed a specific hardware mechanism to manage this type of fault, but these MBEs can be interpreted by the modified Hamming code algorithm as Single Bit Errors (SBEs).
  • Page 64 Table 4. Address decoding. Columns: Memory | Block | Location | Number of words | Number of word bits | Word address predecoding bits (Dec D, Dec C, Dec B, Dec A, Dec E) | Column selection address | Row selection address | Shall be tested? Row fragments visible: I-Mem, 2048 words, —, A<12>...
  • Page 65 Table 4. Address decoding (continued). Row fragments visible: not mandatory, A<9:7>...
  • Page 66 Table 4. Address decoding (continued). Row fragments visible: not mandatory, FIFO1,2, application, 1024...
  • Page 67 This example assumes a single bit error reported at the hit address Ah of the SRAM. With reference to Table 1, the addressing logic of the system RAM consists of 13 bits which go through multiple decoders: • Row selection 1. Hitting address.
  • Page 68 Table (decoder combinations over the DecD, DecC, DecB, DecA fields of the address): cells marked DecD/DecC/DecB/DecA combination; Ah: victim address (red cell); complementary address.
  • Page 69: Obtaining The List Of Locations To Be Read

    In the next step, starting from the victim address, the values of DecD, DecC and DecB are kept unchanged and all combinations of DecA are considered. As a result three additional word-lines are added to the list (in gray in Table ...
  • Page 70 The same procedure shall be applied for the remaining address decoders, i.e. DecD and DecC; as a result some additional word-lines are added to the list (in grey in Table ...
  • Page 71 Table 10. All cells should be read (DecE, DecD, DecC, DecB, DecA columns): cells marked DecD/DecB/DecC combination; Ah: victim address (red cell).
  • Page 72 Table 10 (continued): cells marked DecB/DecC/DecA/DecD combination; Ah: victim address (red cell); complementary address.
  • Page 73 1. This rule is not valid for the word-lines of the hit-address and its complement. All columns of these word-lines shall be read. 2. This specific order is represented by the number in the cell of Table ...
  • Page 74 To summarize: • All grey locations of this table shall be read • Reading of the victim and complement word-lines shall follow a specific order. 1. The number in the cell represents the reading order.
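The rule stated on pages 69-70 (keep every other decoder field at the victim's value, sweep all combinations of one field, repeat for each decoder, then add the complementary address), as an added C example that is not part of the manual. The 13-bit partition into DecA..DecE below is constructed for illustration; the real per-memory partition of Table 4 and the mandatory reading order of Tables 10-13 are not reproduced, so the function yields the set of addresses only. The names addr_test_list, fields_differing and addr_list_selftest are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not NXP code. Decoder partition CONSTRUCTED for a 13-bit word address. */
typedef struct { const char *name; unsigned shift, width; } decoder_t;

static const decoder_t decoders[] = {
    { "DecA", 0, 2 }, { "DecB", 2, 3 }, { "DecC", 5, 3 }, { "DecD", 8, 3 }, { "DecE", 11, 2 },
};
#define NDEC (sizeof decoders / sizeof decoders[0])
#define ADDR_BITS 13
#define ADDR_MASK ((1u << ADDR_BITS) - 1u)

/* Append a if not already listed: 1 added, 0 duplicate, -1 no room. */
static int push_unique(unsigned *out, size_t *n, size_t cap, unsigned a) {
    for (size_t i = 0; i < *n; i++) if (out[i] == a) return 0;
    if (*n >= cap) return -1;
    out[(*n)++] = a;
    return 1;
}

/* Addresses to re-read after an SBE at hit address ah: the victim itself first,
 * then each single-field sweep, then the complementary address last.
 * Returns the count, or 0 if cap is too small. */
size_t addr_test_list(unsigned ah, unsigned *out, size_t cap) {
    size_t n = 0;
    ah &= ADDR_MASK;
    if (push_unique(out, &n, cap, ah) < 0) return 0;
    for (size_t d = 0; d < NDEC; d++) {
        unsigned mask = ((1u << decoders[d].width) - 1u) << decoders[d].shift;
        for (unsigned v = 0; v < (1u << decoders[d].width); v++) {
            unsigned a = (ah & ~mask) | (v << decoders[d].shift);
            if (push_unique(out, &n, cap, a) < 0) return 0;   /* the victim's own value is a duplicate */
        }
    }
    if (push_unique(out, &n, cap, ~ah & ADDR_MASK) < 0) return 0;
    return n;
}

/* Number of decoder fields in which a and b differ (5 for an address and its complement). */
unsigned fields_differing(unsigned a, unsigned b) {
    unsigned k = 0;
    for (size_t d = 0; d < NDEC; d++) {
        unsigned mask = ((1u << decoders[d].width) - 1u) << decoders[d].shift;
        if ((a ^ b) & mask) k++;
    }
    return k;
}

/* Checks the list's properties for one victim address; returns 15 when all hold. */
int addr_list_selftest(void) {
    unsigned ah = 0x0AB5u, list[64];
    size_t n = addr_test_list(ah, list, 64);
    int ok = 0;
    if (n == 29) ok |= 1;                            /* 1 victim + (3+7+7+7+3) sweeps + 1 complement */
    if (n && list[0] == ah && list[n - 1] == (~ah & ADDR_MASK)) ok |= 2;
    int single = 1;
    for (size_t i = 1; i + 1 < n; i++) if (fields_differing(list[i], ah) != 1) single = 0;
    if (single) ok |= 4;                             /* every swept address differs in exactly one field */
    if (addr_test_list(ah, list, 10) == 0) ok |= 8;  /* insufficient capacity is reported, not overrun */
    return ok;
}

int main(void) {
    unsigned ah = 0x0AB5u, list[64];
    size_t n = addr_test_list(ah, list, 64);
    printf("%zu addresses to read after an SBE at 0x%04X (selftest %d):\n", n, ah, addr_list_selftest());
    for (size_t i = 0; i < n; i++)
        printf("  0x%04X  (%u field(s) differ from Ah)\n", list[i], fields_differing(list[i], ah));
    return 0;
}
```

With the constructed partition, 29 locations come out for any victim address: the sweeps are what page 69 calls the "three additional word-lines" for a 2-bit DecA, and the complement is the one address that differs in every decoder field.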
  • Page 75: Memories Including Block Address Decoding

    Following the steps described in Section 5.3, Obtaining the list of locations to be read, the list of locations to be read in the block containing the hit-address is shown in Table 13 (in gray).
  • Page 76 Table 13 fragment (cells marked DecC/DecB combination). 1. The procedure to find the requested order is the same as that used to obtain the order for the complementary word-line in section 5.3.
  • Page 77 Table 13 (continued): cells marked DecC/DecB/DecA combination and Block combination; Ah: victim address (red cell).
  • Page 78 Table 13 (continued): cells marked DecB/DecA combination and Block combination; Ah: victim address (red cell); complementary address.
  • Page 79: Test Result

    A multiple cell upset (MCU) causes SBEs on different words of the same word-line. In this case, an additional software step is needed to distinguish between: • an MCU event, or • a permanent fault affecting the address decoders. Additional memory locations shall be read to discriminate between the two cases.
  • Page 80 (blue word-line in Table 19). If multiple SECs are detected while reading these additional word-lines, there is a high probability that they are all the result of an addressing fault.
  • Page 81: Testing All-X In RAM

    (Perl script fragment) (%d) addr = 0x%08x, addr_ecc = 0x%02x\n", $all1_found, $addr, $ecc; $addr += 8; $guesses++; sub count_ones { my $string = sprintf("%08b", shift); my $count = 0; my $i; for($i=0; $i<8; $i++) { if(substr($string, $i, 1) eq "1") { $count++;
  • Page 82 (fragment) $data_bex8[$i] |= $bit << 1; $data_bex8[$i] |= $bit << 2; $data_bex8[$i] |= $bit << 3; $data_bex8[$i] |= $bit << 4; $data_bex8[$i] |= $bit << 5; $data_bex8[$i] |= $bit << 6; $data_bex8[$i] |= $bit << 7;
  • Page 83 (fragment) ^ (0x8f & $addrx8[23]) ^ (0xd6 & $addrx8[22]) ^ (0x79 & $addrx8[21]) ^ (0xba & $addrx8[20]) ^ (0x9b & $addrx8[19]) ^ (0xe5 & $addrx8[18]) ^ (0x57 & $addrx8[17]) ^ (0xec & $addrx8[16]);
  • Page 84 (fragment) ^ (0x61 & $data_lex8[35]) ^ (0x86 & $data_lex8[34]) ^ (0x91 & $data_lex8[33]) ^ (0x46 & $data_lex8[32]) ^ (0x58 & $data_lex8[31]) ^ (0x4f & $data_lex8[30]) ^ (0x38 & $data_lex8[29]) ^ (0x75 & $data_lex8[28])
  • Page 85 This script finds the first N addresses with 2 bits set and 2 bits cleared in the address ECC contribution. Usage is as follows: • find_allx_addr address [number] • address: starting address to search from • number: number of addresses to find (default 1)
  • Page 86: ECC Checkbit/Syndrome Coding Scheme

    H matrix which defines the association between the data (and address) bits and the checkbits. They are: 1. There are no all-zeroes columns. 2. Every column is distinct. 3. Every column contains an odd number of ones, and hence is “odd weight”.
  • Page 87 D[63:32], D[31:0], and A[31:3] are logically summed (the output of each table section is XOR’ed) together to give the final value driven on the hwchkbit[7:0] outputs. Note that this table uses the AHB bit numbering convention where bit[0] is the least significant bit.
  • Page 89 (C fragment) = (((data_a2_is_zero >> 31) & 1) ? 0xb0 : 0x0) /* data[63] */ ^ (((data_a2_is_zero >> 30) & 1) ? 0x23 : 0x0) /* data[62] */ ^ (((data_a2_is_zero >> 29) & 1) ? 0x70 : 0x0) /* data[61] */
  • Page 90 (C fragment) >> 12) & 1) ? 0x51 : 0x0) /* data[12] */ ^ (((data_a2_is_one >> 11) & 1) ? 0xe0 : 0x0) /* data[11] */ ^ (((data_a2_is_one >> 10) & 1) ? 0xa2 : 0x0) /* data[10] */
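The following C example is added here and is not NXP's code. It builds an odd-weight SEC-DED code over D[63:0] and A[31:3] that meets the three H-matrix properties from page 86 (the column values are constructed programmatically; they are not the MPC5777M's hwchkbit equations, and the page 89-90 fragments select a column table by address bit 2, which this single-table example does not model). It shows the three behaviours the manual relies on elsewhere: a single data-bit error is corrected; an addressing fault that delivers the word stored at an address differing in one bit produces an odd-weight syndrome that a Hamming decoder treats as an SBE (page 63), while two differing bits give an even-weight MBE; and an all-zero word with all-zero checkbits is rejected only where the address contribution is non-zero (pages 36 and 81). The names ecc_checkbits, ecc_decode, allx_detected and ecc_selftest are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not NXP code. H-matrix columns are CONSTRUCTED, not the device's. */
#define DATA_BITS 64
#define ADDR_BITS 29   /* A[31:3]: one column per address bit of a 64-bit word */

static uint8_t h_data[DATA_BITS];   /* H column for each data bit */
static uint8_t h_addr[ADDR_BITS];   /* H column for each address bit */
static int h_built;

static int popcount8(uint8_t v) { int c = 0; for (; v; v >>= 1) c += v & 1; return c; }

/* Assign distinct, non-zero, odd-weight columns in ascending order. Weight-1
 * columns are reserved for the checkbits themselves (the identity part of H),
 * so data and address columns use weights 3, 5 and 7 only. */
static void build_h(void) {
    int n = 0;
    for (int v = 1; v < 256 && n < DATA_BITS + ADDR_BITS; v++) {
        int w = popcount8((uint8_t)v);
        if ((w & 1) == 0 || w == 1) continue;
        if (n < DATA_BITS) h_data[n] = (uint8_t)v;
        else               h_addr[n - DATA_BITS] = (uint8_t)v;
        n++;
    }
    h_built = 1;
}

/* Checkbits stored alongside a 64-bit word written at byte address addr. */
uint8_t ecc_checkbits(uint64_t data, uint32_t addr) {
    if (!h_built) build_h();
    uint8_t chk = 0;
    for (int i = 0; i < DATA_BITS; i++) if ((data >> i) & 1) chk ^= h_data[i];
    for (int i = 0; i < ADDR_BITS; i++) if ((addr >> (i + 3)) & 1) chk ^= h_addr[i];
    return chk;
}

enum ecc_result { ECC_OK, ECC_SBE_DATA, ECC_SBE_CHK, ECC_SBE_ADDR, ECC_MBE };

/* Decode a read: data/chk are what the array returned, addr is what the master
 * requested. A single data-bit error is corrected in place; *bit reports the
 * failing data bit, checkbit or address bit (untouched for ECC_OK / ECC_MBE). */
enum ecc_result ecc_decode(uint64_t *data, uint8_t chk, uint32_t addr, int *bit) {
    uint8_t syn = ecc_checkbits(*data, addr) ^ chk;
    if (syn == 0) return ECC_OK;
    int w = popcount8(syn);
    if ((w & 1) == 0) return ECC_MBE;            /* even syndrome: two or more bits wrong */
    if (w == 1) {                                 /* unit vector: a flipped checkbit */
        *bit = 0; while (!((syn >> *bit) & 1)) (*bit)++;
        return ECC_SBE_CHK;
    }
    for (int i = 0; i < DATA_BITS; i++)
        if (h_data[i] == syn) { *data ^= 1ULL << i; *bit = i; return ECC_SBE_DATA; }
    for (int i = 0; i < ADDR_BITS; i++)           /* odd syndrome equal to an address column: */
        if (h_addr[i] == syn) { *bit = i + 3; return ECC_SBE_ADDR; }  /* word came from elsewhere */
    return ECC_MBE;                               /* odd but not a column: uncorrectable */
}

/* Would an all-zero (ones == 0) or all-one (ones != 0) data+checkbit pattern at
 * addr be rejected? With the address in the code this depends on the address. */
int allx_detected(uint32_t addr, int ones) {
    uint64_t data = ones ? ~0ULL : 0;
    uint8_t  chk  = ones ? 0xFF : 0x00;
    return ecc_checkbits(data, addr) != chk;
}

/* Exercises the behaviours above; returns 63 when every case behaves as described. */
int ecc_selftest(void) {
    uint32_t a = 0x40000100u;                     /* CONSTRUCTED address and data */
    uint64_t d = 0x0123456789ABCDEFull, r = d;
    uint8_t  c = ecc_checkbits(d, a);
    int bit = -1, ok = 0;
    if (ecc_decode(&r, c, a, &bit) == ECC_OK) ok |= 1;                                /* clean read */
    r ^= 1ULL << 17;
    if (ecc_decode(&r, c, a, &bit) == ECC_SBE_DATA && bit == 17 && r == d) ok |= 2;  /* SBE corrected */
    if (ecc_decode(&r, c ^ 0x10, a, &bit) == ECC_SBE_CHK && bit == 4) ok |= 4;       /* checkbit flip */
    if (ecc_decode(&r, c, a ^ 0x20u, &bit) == ECC_SBE_ADDR && bit == 5) ok |= 8;     /* 1 address bit wrong: looks like an SBE */
    if (ecc_decode(&r, c, a ^ 0x60u, &bit) == ECC_MBE) ok |= 16;                     /* 2 address bits wrong: MBE */
    if (!allx_detected(0, 0) && allx_detected(8, 0)) ok |= 32;                        /* all-zero: valid at 0x0, rejected at 0x8 */
    return ok;
}

int main(void) {
    printf("ecc_selftest = %d (63 means all cases hold)\n", ecc_selftest());
    return 0;
}
```

The last case is why the All-X test on page 81 has to pick its addresses: at an address whose A[31:3] contribution XORs to zero, an all-zero word with all-zero checkbits is a valid codeword and a stuck-at-zero array would pass unnoticed.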
  • Page 91: Further Information

    The termination of the ability of a functional unit to perform a required function. Acronyms and abbreviations: a short list of acronyms and abbreviations used in this document is shown in Table ...
  • Page 92 (acronym table, continued) Power Supply and Monitor function; PST: Process Safety Time; RCCU: Redundancy Control Checking Unit; MC_RGM: Reset Generation Module; SM: Safety Manual; SIL: Safety Integrity Level; SSCM: System Status and Control Module; Sine Wave Generator; SWT: Software Watchdog Timer
  • Page 93: Document Revision History

    Document revision history. Table 23 summarizes revisions to this document. Table 23. Revision history (Revision | Date | Description of changes): 15 Jan 2015 | Initial release. 1.1 | 10 Apr 2017 | Converted the document to use NXP branding.
  • Page 94 How to Reach Us: Home Page: nxp.com. Information in this document is provided solely to enable system and software implementers to use NXP products. There are no express or implied copyright licenses granted hereunder to design or fabricate any integrated circuits based on the information in this document.
