FMEDA Columns


579 Views
HeebeomPark
Contributor II

[Reference File] : S32K388-289pins_2022_R2.1.xlsx

 

Regarding the following columns, how do you determine whether an element is safety related or could violate safety goals?

For the column "Violates safety goals", shall it be marked by the integrator?

When requesting the final calculation of SPFM, LFM and PMHF from NXP, how shall the integrator fill in the columns?

 

[Image: HeebeomPark_1-1698999797626.png]

 

[Image: HeebeomPark_0-1698999750250.png]

Also, for the following case, what shall the integrator do?

Both "Safety related in this HW analysis" and "Violates safety goals" are not marked, but safety mechanisms are already filled in and we have enabled them.

In this case, should we mark the columns?

[Image: HeebeomPark_4-1698999907574.png]

Also, for the following case, what shall the integrator do?

Both "Safety related in this HW analysis" and "Violates safety goals" are not marked, and no safety mechanisms are filled in.

In this case, should we mark the columns? Should we determine the safety mechanisms ourselves, even though the integrator is not familiar with the internals of the MCU?

 

[Image: HeebeomPark_5-1698999961336.png]

 

[Image: HeebeomPark_6-1699000022423.png]

 

[Image: HeebeomPark_7-1699000173362.png]

 

[Image: HeebeomPark_8-1699000210166.png]

For transient faults, some are not covered by safety mechanisms. In this case, has NXP determined that the transient fault does not affect functional safety, and is that why the safety mechanism column is empty?

 

 

0 Kudos
2 Replies

464 Views
HeebeomPark
Contributor II

Regarding the failure "Failure of Program and Erase State Machine", which is not transient, is the mitigation the one below, from FMEDA column "Z"?

Why is the safety mechanism not filled in in the FMEDA?

And can you specify what the application SW should do? For example, which register and which bit shall be checked? What is the corresponding safety mechanism in the Safety Mechanism list?

PESM provides a PGM/ERS Check (PEG) to validate that the correct programming / erase sequence has been applied. The value of PEG bit is updated automatically in MCSR register during the program and erase high voltage operations and this value can be checked by the software to validate correct PGM/ERS operation.


Regarding the following statement from FMEDA column "Y" for FOSU, LBIST and MBIST, which failures, and of which element in the MCU? Can you specify the statement in more detail?

"Need more than 2 failures for this element to fail"

0 Kudos

481 Views
ehtesham_khan
NXP Employee

Hi Heebeom Park,

 

Whether an element is safety related is determined by the safety concept, and we analyze the particular failure mode to see whether it can violate the safety goal or not.

Please see the module classification for checking which element is SR, SR-AD or NSR.

 

The case where we have suggested safety mechanisms but the elements are still not marked as safety related and not violating safety goals comes under safety related application dependent (SR-AD). For a few SR-ADs, there are no safety mechanisms recommended; the system integrator must apply safety mechanisms for those failure modes if they are used in a safety application.

 

The Messaging Unit (MU) is SR-AD, and if the integrator is using it to communicate between the cores, they must apply additional plausibility checks to verify correct functionality.

 

The Flash safety mechanisms are marked in "Multiple Failures violate Safety Goals", and the relevant safety mechanisms are mentioned in "SM prevents FM from being latent" (columns Q, R).

 

FOSU, LBIST and MBIST are marked as 100% safe, as they require more than 2 simultaneous failures to violate the safety goal. Check the comments in column Y.

 

Transient faults of safety mechanisms do not affect functional safety [ISO 26262-11:2018, clause 5.1.7.2.2]. We have not covered them with any safety mechanism in the FMEDA.

 

 

Regards,

Ehtesham

 

0 Kudos
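As an added illustration of how the column semantics in the reply above (safety related, violates safety goals, multiple failures violate safety goals, SM prevents FM from being latent) feed the SPFM and LFM roll-up, here is a small Python model using the ISO 26262-5 Annex C formulas. It is not NXP's FMEDA workbook or calculation; the failure rates, coverage values and element names are constructed, and PMHF is deliberately left out.

```python
# Toy FMEDA roll-up (added illustration, not NXP's tool): SPFM and LFM from rows
# carrying the column semantics discussed in the thread. All numbers are constructed.
from dataclasses import dataclass, replace

@dataclass
class FmedaRow:
    element: str
    fit: float               # failure rate of this failure mode, in FIT
    safety_related: bool     # "Safety related in this HW analysis" (NSR rows are excluded)
    violates_goal: bool      # "Violates safety goals": single-point / residual fault path
    multi_violates: bool     # "Multiple failures violate safety goals"
    dc_rf: float = 0.0       # diagnostic coverage of the SM against residual faults
    dc_lat: float = 0.0      # coverage of the "SM prevents FM from being latent"

def split_rates(row):
    """Return (lambda_SPF, lambda_RF, lambda_MPF_latent) in FIT for one row."""
    if not row.safety_related:
        return 0.0, 0.0, 0.0          # NSR: contributes to no metric
    lam_spf = lam_rf = 0.0
    if row.violates_goal:
        if row.dc_rf > 0.0:           # an SM exists: the undetected remainder is residual
            lam_rf = row.fit * (1.0 - row.dc_rf)
        else:                         # no SM at all: the whole rate is single-point
            lam_spf = row.fit
    remaining = row.fit - lam_spf - lam_rf
    # Remaining faults hurt only together with a second fault; the share no
    # latent-fault SM catches is multiple-point latent. Rows that cannot violate
    # the goal even in combination are safe faults.
    lam_mpf_l = remaining * (1.0 - row.dc_lat) if row.multi_violates else 0.0
    return lam_spf, lam_rf, lam_mpf_l

def metrics(rows):
    """SPFM and LFM (fractions, rounded to 4 places) over the safety-related rows."""
    lam_sr = sum(r.fit for r in rows if r.safety_related)
    spf, rf, mpf_l = (sum(v) for v in zip(*(split_rates(r) for r in rows)))
    spfm = 1.0 - (spf + rf) / lam_sr
    lfm = 1.0 - mpf_l / (lam_sr - spf - rf)
    return round(spfm, 4), round(lfm, 4)

# Constructed rows: a flash failure mode that only matters as a multiple-point fault,
# a covered core failure mode, an SR-AD messaging unit not yet protected, and an NSR element.
ROWS = [
    FmedaRow("Flash PESM", 10.0, True, False, True, dc_lat=0.90),
    FmedaRow("Core compute", 100.0, True, True, True, dc_rf=0.99, dc_lat=0.90),
    FmedaRow("MU (SR-AD, no SM yet)", 20.0, True, True, True),
    FmedaRow("Debug trace", 50.0, False, False, False),
]

def as_delivered():
    return metrics(ROWS)              # -> (0.8385, 0.9)

def with_integrator_sm():
    """Same sheet after the integrator adds a 90% plausibility check on the MU."""
    rows = [replace(r, dc_rf=0.90) if r.element.startswith("MU") else r for r in ROWS]
    return metrics(rows)              # -> (0.9769, 0.7724)
```

The second run shows the effect the reply describes for SR-AD elements: the integrator's added mechanism moves the MU's rate out of the single-point bucket, raising SPFM, while the now-covered share counts toward latent faults until a latent-fault mechanism is also recorded.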