Is peripheral access control (via XRDC) needed for ASIL A?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is peripheral access control (via XRDC) needed for ASIL A?

1,009 Views
joohau
Contributor II

Dear NXP safety experts,

 

We're developing an application for which the S32K322 MCU will implement a number of safety measures which are rated with an ASIL A rating.
We're developing the complete software (safety and non-safety) ourselves. Of course freedom of interference between the safety and non-safety software needs to be guaranteed but we're wondering to what extend it's recommended to use the XRDC for this?

On core0 there will be safety and non-safety code running on the same core.

Q1:  Do you have an example on how to protect this using the XRDC, mainly on how the PID arbitration should look like? And can we configure this with the RTD and S32DS?

Q2: How does a task make a request using a specific PID?

 

One more concrete design question: 

Q3: We want to use the fault inputs of the LCU in a safety mechanism. The LCU is also used to generate (non-static) complementary PWM signals (controlled by an algorithm on the second core). Is this acceptable for an ASIL A application or should we assign for example LCU0 to the control algorithm and LCU1 to the safety software?

0 Kudos
5 Replies

987 Views
nxf55526
NXP Employee
NXP Employee

Hi Joohau,

Apologies for delay in reply. Please find answers to your questions below:

A1. It is not possible to run safety and non-safety related code on same core in S32K322 MCU since we have a single domain ID per core and it is not possible to update it dynamically based on task. Please post your question on following link: https://community.nxp.com/t5/S32K/bd-p/S32K, to understand the usage of RTD and DS for configuring XRDC.

A2.All tasks running on a core would have a single DID irrespective of their PID value. Is this information still required as to how a task makes a request using a specific PID?

A3. It needs to be ensured that LCU module is not a source of common-cause faults, leading to failure of both the safety function as well as the safety mechanism that LCU is part of. Please evaluate as per your implementation if this can be ensured through a single LCU or if two LCU instances are required.

Kind Regards,

Avni

0 Kudos

976 Views
joohau
Contributor II

Dear Avni,

Thank you for your response

I'm not sure if I understand your answers correctly. Your answers seem to contradict with the reference manual regarding this topic.

Regarding A1 and A2: The reference manual (RM) explicitly mentions an example where safety and non-safety code is running on the same master core. Core M7_0 of the S32K322 contains a PID register (PID0) and the RM explicitly says "an application can mimic PID-based domain assignment by writing a value to that field (PIDm[PID])".
Furthermore, example 18.5.7.2 of the RM (DFMT0 PID-based domain assignment example) mentions exactly our test-case: "A core master ... processes both safety-critical tasks and routine tasks, using two domains:
— Domain 0 is reserved for safety-critical tasks (PID = 0–15).
— Domain 1 is reserved for routine tasks (PID > 15)."
 

Q4: how does this information from the RM relate to your answer?

Best regards,
Joost

0 Kudos

949 Views
nxf55526
NXP Employee
NXP Employee

Hi Joohau,

Apologies for the delayed reply. The section in reference manual that you mentioned is generic with real restrictions brought to the MCU by XRDC instantiation.

For S32K322, the only way to run safety and non-safety applications on single core is updating MDAC (DID field) dynamically selecting between free domain IDs. The following are the assumptions for this to work:

  1. One core is not used (is in wait mode, disabled or operates in lock step mode) because of domain restrictions per core
  2. Non-safety task cannot change did while OS kernel and safety task can.
  3. OS Kernel updates MDAC respectively prior safety / non-safety task is called.
  4. OS Kernels uses privileged mode
  5. Safety task can use privileged or user mode
  6. Non-safety task can use only user mode

Please note that for S32K3, there is no ISO26262 compliant RTOS delivered by NXP. So there is no NXP SW deliverable available to fulfill the above requirements and you would have to find a suitable vendor providing an OS for this purpose. 

 

Hope the answer is helpful. 

Kind Regards,

Avni

0 Kudos

981 Views
Higgs_Boson
Contributor I

hi,

 If we just use one single core, it is no need to used XRDC ?

0 Kudos

944 Views
nxf55526
NXP Employee
NXP Employee

Hi Lin,

Apologies for the delayed reply.
If you are using only a single M7 core as a master on the chip and you don't need any access protection over the on-chip memory and peripherals, then there is no need to use XRDC. In your safety application, also ensure that peripherals are not able to corrupt the data stored in on-chip memory, i.e. ensure there is freedom from interference between the peripherals and the on-chip memory. You can additionally use the MPU present in CM7 core to define regions within the memory map of the Cortex-M processor and grant privileged or unprivileged access to these regions. For example, if the processor is running in unprivileged mode and tries to access an address within a privileged region, a memory protection exception will be raised and the processor will vector to the memory protection ISR. For further details regarding MPU, please have a look at the chip reference manual. 

Hope this is helpful,
Kind Regards,
Avni

0 Kudos