Questions about S32K1** series safety manual


lgao
Contributor II

Q1: SM_018: The system transitions itself to a Safe state system when the MCU has no active output (for example, tristate). What is the meaning of no active output? Does it require a pull-up or pull-down to avoid no active output? Is it only related to safety-relevant pins?

Q2: SM_019: It is assumed that the application identifies, and signals, continuous switching between reset and standard operating mode as a failure condition. What is the reason?

Q3: SM_020: The minimum number of random hardware faults causing the loss of correct operation is assumed to be 1. Hardware Fault Tolerance (HFT) is assumed to be 0 for the MCU. The MCU is designed to be fail-silent or fail-indicate. Is the unit of the number 1 "FIT"? Does it mean the random faults may be 1, 2, 3, ..., not 1.2, 1.5?

Q4: SM_211: It is assumed that the Application Fault Tolerant Time Interval is 100 ms. A list with the reaction time of the Hardware measures is attached to the safety manual. Why is the application FTTI assumed to be 100 ms? What is the impact if it is less than or more than 100 ms? Which page shows the list with the reaction times of the hardware measures?

Q5: SM_087: It is assumed that the external power is supervised for high and low deviations where no supervision is provided on the MCU. The S32K144 already has LVD, so why does the low deviation still need an external supervisor?

Q6: SM_204: It is assumed that the ADCs are used to monitor the bandgap reference voltage of the PMC and to monitor the internal supplies connected to ADCs. Does it mean that the bandgap reference voltage may have some faults, so the ADCs are needed to monitor it? How do we realize it? Can we use the external power supply, which is monitored by the power supervisor, as the reference to compare with the bandgap reference voltage?

Q7: SM_080: For safety-relevant applications, the use of the clock monitors is mandatory. If the modules that the SCG monitors are used by the application safety function, the user shall verify that the clock monitors are not disabled and their faults are managed by the software. How do we "verify that their faults are managed by the software"?

Q8: SM_081: The following supervisor functions are required: Loss of external clock, SPLL frequency higher than the frequency reference and SPLL frequency lower than the lower frequency reference. Does this activity require an initial check, configuration, or both?

Q9: SM_075: FlexCAN and CLKOUT, both of which feature a mode to be clocked directly by the SOSC, should not make use of these modes in normal operation unless effects of clock glitches are sufficiently detected by the applied FT-COM layer. Is this not applicable for a normal CAN port?

Q10: SM_119: The Flash memory ECC failure reporting path should be checked to validate if detected ECC faults are correctly reported. In our design, an ECC fault leads to a reset with no reporting. In this case, do we still need to check it? If so, how?

Q11: Do we need to purchase SCST? If not, what is the impact? If, from the system point of view, all HW metrics like SPF and MPF can meet the ASIL B requirements without SCST, does that mean it is not necessary to purchase it?

Q12: SM_094: It is assumed that the system MPU is checked for correct functionality before it is used in safety applications. One can configure the possible access rights of each present master and check for expected system reaction. The check shall be done once within L-FTTI (at start up). How do we do this?

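Worked example, added here and not part of the original thread or of any NXP document: how the SPF/MPF figures mentioned in Q3 and Q11 are actually computed. The ISO 26262-5 single-point fault metric (SPFM) and latent fault metric (LFM) are built from failure rates in FIT (1 FIT = 1e-9 failures per hour), which is why the "1" in SM_020 is a unitless count of faults while the lambdas do carry a unit. The element names, failure rates and diagnostic coverages below are constructed placeholders, not S32K1xx data; the 90 % core coverage stands in for whatever a core self-test such as SCST claims in its own documentation. The ASIL B targets used (SPFM >= 90 %, LFM >= 60 %) are the ones from ISO 26262-5.

```c
/* Added example, not NXP code: ISO 26262-5 SPFM/LFM from a constructed
 * FMEDA-style element table, with an ASIL B check. All numbers are
 * illustrative placeholders. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    double lambda_fit;  /* total failure rate of the element, FIT */
    double sr_share;    /* fraction of lambda_fit that is safety-related, 0..1 */
    double dc_spf;      /* coverage against single-point/residual faults, 0..1 */
    double dc_lat;      /* coverage against latent multiple-point faults, 0..1 */
} hw_element_t;

typedef struct {
    double lambda_sr;       /* sum of safety-related failure rates, FIT */
    double lambda_spf_rf;   /* single-point + residual faults, FIT */
    double lambda_mpf_lat;  /* latent multiple-point faults, FIT */
    double spfm;            /* single-point fault metric, 0..1 */
    double lfm;             /* latent fault metric, 0..1 */
} hw_metrics_t;

hw_metrics_t hw_metrics(const hw_element_t *el, size_t n)
{
    hw_metrics_t m = {0.0, 0.0, 0.0, 0.0, 0.0};
    for (size_t i = 0; i < n; i++) {
        double l_sr  = el[i].lambda_fit * el[i].sr_share;
        /* dc_spf == 0 means no mechanism at all (pure single-point fault);
         * otherwise the share the mechanism misses is the residual fault.
         * Both enter the SPFM numerator the same way. */
        double l_rf  = l_sr * (1.0 - el[i].dc_spf);
        /* The rest is covered for single-point purposes; the part not
         * covered by latent-fault detection stays latent. */
        double l_mpf = (l_sr - l_rf) * (1.0 - el[i].dc_lat);
        m.lambda_sr      += l_sr;
        m.lambda_spf_rf  += l_rf;
        m.lambda_mpf_lat += l_mpf;
    }
    /* ISO 26262-5 Annex C formulas; guard the degenerate denominators. */
    double lat_den = m.lambda_sr - m.lambda_spf_rf;
    m.spfm = (m.lambda_sr > 0.0) ? 1.0 - m.lambda_spf_rf / m.lambda_sr : 0.0;
    m.lfm  = (lat_den > 0.0) ? 1.0 - m.lambda_mpf_lat / lat_den : 0.0;
    return m;
}

/* ISO 26262-5 targets for ASIL B (ASIL C/D are stricter). */
int meets_asil_b(const hw_metrics_t *m)
{
    return m->spfm >= 0.90 && m->lfm >= 0.60;
}

/* Constructed tables: identical except for the core's diagnostic coverage.
 * 0.90 is a placeholder for a core self-test's claimed coverage. */
static const hw_element_t g_with_core_test[] = {
    { "CPU core",    100.0, 1.0, 0.90, 0.90 },
    { "Flash (ECC)",  50.0, 1.0, 0.99, 0.90 },
    { "SRAM (ECC)",   40.0, 1.0, 0.99, 0.90 },
    { "Clock mon.",   10.0, 1.0, 0.90, 0.60 },
};
static const hw_element_t g_no_core_test[] = {
    { "CPU core",    100.0, 1.0, 0.00, 0.00 },  /* no core self-test */
    { "Flash (ECC)",  50.0, 1.0, 0.99, 0.90 },
    { "SRAM (ECC)",   40.0, 1.0, 0.99, 0.90 },
    { "Clock mon.",   10.0, 1.0, 0.90, 0.60 },
};

hw_metrics_t metrics_with_core_test(void) { return hw_metrics(g_with_core_test, 4); }
hw_metrics_t metrics_no_core_test(void)   { return hw_metrics(g_no_core_test, 4); }

int main(void)
{
    hw_metrics_t a = metrics_with_core_test(), b = metrics_no_core_test();
    printf("with core test:    SPFM %.1f %%  LFM %.1f %%  ASIL B: %s\n",
           a.spfm * 100.0, a.lfm * 100.0, meets_asil_b(&a) ? "yes" : "no");
    printf("without core test: SPFM %.1f %%  LFM %.1f %%  ASIL B: %s\n",
           b.spfm * 100.0, b.lfm * 100.0, meets_asil_b(&b) ? "yes" : "no");
    return 0;
}
```

The two tables differ only in the core's coverage. Without a core self-test the core's whole failure rate lands in the single-point/residual sum, SPFM drops to about 49 % and ASIL B is missed even though LFM is still comfortably above 60 %; that is the effect A11 below describes when it says SCST removes single-point failures in the computation function. PMHF (ASIL B target below 1e-7/h, i.e. 100 FIT) needs the same per-element data plus exposure times and is not computed here.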

nxf55526
NXP Employee

Q1: SM_018: The system transitions itself to a Safe state system when the MCU has no active output (for example, tristate). What is the meaning of no active output? Does it require a pull-up or pull-down to avoid no active output? Is it only related to safety-relevant pins?

A1. Please refer to ‘Section 4.1.1.1 High Impedance outputs’ in ‘S32K1XX_SM_Rev5’. It describes that ‘no active output’ means a powered-down state/tristated outputs, and to put pull-up or pull-down resistors on I/O to avoid no active output. This assumption is for output pins whose high-impedance state is not safe.

Q2: SM_019: It is assumed that the application identifies, and signals, continuous switching between reset and standard operating mode as a failure condition. What is the reason?

A2. If we are getting a reset again and again from the same source in the MCU, it could be coming from a permanent fault. In such a case, the application would have to identify it and take corrective action, like putting the system in a safe state.

Q3: SM_020: The minimum number of random hardware faults causing the loss of correct operation is assumed to be 1. Hardware Fault Tolerance (HFT) is assumed to be 0 for the MCU. The MCU is designed to be fail-silent or fail-indicate. Is the unit of the number 1 "FIT"? Does it mean the random faults may be 1, 2, 3, ..., not 1.2, 1.5?

A3. The unit of the number 1 is not ‘FIT’. It doesn’t have a unit. This assumption is saying that a single fault (single point fault (SPF) as per ISO 26262:2018) can cause the system to fail by violating the safety goal. Random faults can be whole numbers only, like 0, 1, 2 etc., but not fractions like 1.2, 1.5 etc.

Q4: SM_211: It is assumed that the Application Fault Tolerant Time Interval is 100 ms. A list with the reaction time of the Hardware measures is attached to the safety manual. Why is the application FTTI assumed to be 100 ms? What is the impact if it is less than or more than 100 ms? Which page shows the list with the reaction times of the hardware measures?

A4. FTTI has been assumed as 100 ms for developing a Safety Element out of Context (SEooC). The actual FTTI needs to be calculated at the item level. The impact of FTTI being less or more than 100 ms needs to be evaluated at system level. NXP provides ‘S32K1XX_HW_Safety_Measure_ReactionTime.xlsx’, attached to the Safety Manual, to describe the reaction time of the Hardware measures.

Q5: SM_087: It is assumed that the external power is supervised for high and low deviations where no supervision is provided on the MCU. The S32K144 already has LVD, so why does the low deviation still need an external supervisor?

A5. This assumption asks for external monitoring on supplies that are not monitored internally. For the VDD supply, this is not required if LVD is enabled internally.

Q6: SM_204: It is assumed that the ADCs are used to monitor the bandgap reference voltage of the PMC and to monitor the internal supplies connected to ADCs. Does it mean that the bandgap reference voltage may have some faults, so the ADCs are needed to monitor it? How do we realize it? Can we use the external power supply, which is monitored by the power supervisor, as the reference to compare with the bandgap reference voltage?

A6. Please refer to section ‘43.5 ADC internal supply monitoring’ in ‘S32K1XX_RM_Rev12’.

Q7: SM_080: For safety-relevant applications, the use of the clock monitors is mandatory. If the modules that the SCG monitors are used by the application safety function, the user shall verify that the clock monitors are not disabled and their faults are managed by the software. How do we "verify that their faults are managed by the software"?

A7. If CMUs are configured for generation of an interrupt in case of a fault, then there needs to be an ISR to handle the fault reaction. This should be verified at system level by checking the relevant programming registers. Refer to ‘Chapter 25 Reset and Boot’ in ‘S32K1XX_RM_Rev12’.

Q8: SM_081: The following supervisor functions are required: Loss of external clock, SPLL frequency higher than the frequency reference and SPLL frequency lower than the lower frequency reference. Does this activity require an initial check, configuration, or both?

A8. The implementation hint of this assumption describes that this is only configuration related and not checking the function itself.

Q9: SM_075: FlexCAN and CLKOUT, both of which feature a mode to be clocked directly by the SOSC, should not make use of these modes in normal operation unless effects of clock glitches are sufficiently detected by the applied FT-COM layer. Is this not applicable for a normal CAN port?

A9. If the normal CAN port is not used for safety-related communication, then this is not applicable.

Q10: SM_119: The Flash memory ECC failure reporting path should be checked to validate if detected ECC faults are correctly reported. In our design, an ECC fault leads to a reset with no reporting. In this case, do we still need to check it? If so, how?

A10. Can you please explain how you have mapped double-bit errors in Flash memory to a reset? To my knowledge, an ECC fault will lead to an interrupt. Please refer to ‘36.4.4.1.12 Flash Error Configuration Register’ in ‘S32K1XX_RM_Rev12’.

Q11: Do we need to purchase SCST? If not, what is the impact? If, from the system point of view, all HW metrics like SPF and MPF can meet the ASIL B requirements without SCST, does that mean it is not necessary to purchase it?

A11. SCST is able to detect permanent faults in the core (computation function). In case you have alternative mechanisms at system level to cover random hardware failures in the computation function, or if your computation function is not safety-related, then you won’t need SCST. NXP recommends using SCST because it ensures that there are no Single Point Failures in the computation function.

Q12: SM_094: It is assumed that the system MPU is checked for correct functionality before it is used in safety applications. One can configure the possible access rights of each present master and check for expected system reaction. The check shall be done once within L-FTTI (at start up). How do we do this?

A12. You can check the MPU functionality by accessing the protected regions with insufficient rights and ensuring that an error response is received.

 

Hope this helps.

Kind Regards,

Avni
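Added example, not from the thread or from NXP: one way to implement the reset-loop detection that A2 asks for (SM_019). A small record is kept in RAM that the start-up code does not clear (a .noinit section on real hardware); at every boot the reset cause is compared with the previous one and a counter incremented, and the application signals a failure once the same cause repeats a configured number of times. The reset-cause flag values, the limit of 3 and the RAM layout are placeholders; on the S32K1xx the flags would come from the RCM reset-status register as defined in the Reference Manual, and the limit from the system-level analysis.

```c
/* Added example, not NXP code: detect repeated resets from the same cause
 * (SM_019). Flag values are placeholders, not the RCM register layout. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RST_SRC_POR   (1u << 0)   /* power-on: history is meaningless */
#define RST_SRC_LVD   (1u << 1)
#define RST_SRC_WDOG  (1u << 2)
#define RST_SRC_LOC   (1u << 3)   /* loss of clock */
#define RST_SRC_SW    (1u << 4)

#define RESET_LOOP_MAGIC 0x52535448u  /* "RSTH" */
#define RESET_LOOP_LIMIT 3u           /* placeholder: n-th consecutive reset = failure */

/* Lives in RAM the start-up code must not zero (e.g. a .noinit section).
 * check = f(last_cause, count) so a corrupted record is not trusted. */
typedef struct {
    uint32_t magic;
    uint32_t last_cause;   /* full reset-cause flag word of the previous boot */
    uint32_t count;        /* consecutive boots with that same cause */
    uint32_t check;
} reset_history_t;

typedef enum {
    RESET_VERDICT_FRESH,     /* POR, new cause, or invalid record: start counting */
    RESET_VERDICT_COUNTING,  /* same cause again, still below the limit */
    RESET_VERDICT_LOOP       /* limit reached: signal failure, enter safe state */
} reset_verdict_t;

static uint32_t history_check(uint32_t cause, uint32_t count)
{
    return ~(cause ^ (count * 0x9E3779B9u));
}

static void history_store(reset_history_t *h, uint32_t cause, uint32_t count)
{
    h->magic = RESET_LOOP_MAGIC;
    h->last_cause = cause;
    h->count = count;
    h->check = history_check(cause, count);
}

static bool history_valid(const reset_history_t *h)
{
    return h->magic == RESET_LOOP_MAGIC &&
           h->check == history_check(h->last_cause, h->count);
}

/* Call once, early at boot, with the raw reset-cause flags. On POR the record
 * is written before it is ever read, which matters on parts whose SRAM must
 * be initialised after power-up before it can be read. */
reset_verdict_t reset_loop_check(reset_history_t *h, uint32_t cause)
{
    if ((cause & RST_SRC_POR) != 0 || !history_valid(h)) {
        history_store(h, cause, 1);
        return RESET_VERDICT_FRESH;
    }
    uint32_t count = (cause == h->last_cause) ? h->count + 1 : 1;
    history_store(h, cause, count);
    if (count >= RESET_LOOP_LIMIT) return RESET_VERDICT_LOOP;
    return (count > 1) ? RESET_VERDICT_COUNTING : RESET_VERDICT_FRESH;
}

/* Call after the application has run correctly for longer than the FTTI, so
 * that an occasional, recovered reset does not accumulate forever. */
void reset_loop_mark_healthy(reset_history_t *h)
{
    if (history_valid(h)) history_store(h, h->last_cause, 0);
}

int main(void)
{
    reset_history_t hist;                 /* on target: static, in .noinit RAM */
    memset(&hist, 0xA5, sizeof hist);     /* constructed: garbage as after power-up */
    const uint32_t boots[] = { RST_SRC_POR, RST_SRC_WDOG, RST_SRC_WDOG, RST_SRC_WDOG };
    for (size_t i = 0; i < sizeof boots / sizeof boots[0]; i++)
        printf("boot %u: cause 0x%02x -> verdict %d\n", (unsigned)i,
               (unsigned)boots[i], (int)reset_loop_check(&hist, boots[i]));
    return 0;
}
```

The whole flag word is compared, so a watchdog reset and a watchdog-plus-loss-of-clock reset count as different causes; mask the bits that do not matter for the analysis before calling the check. What "signals" the loop (error pin, message to a supervisor, entering the safe state directly) is a system decision the manual leaves to the application.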

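Added example, not from the thread or from NXP: a start-up functional check of a memory protection unit along the lines of A12 (SM_094). A table of probe accesses states, per bus master, whether the configured MPU must block or allow the access; the test arms an "error expected" flag, performs the access and checks whether the bus-error handler fired, and it refuses to pass unless both an expected-deny and an expected-allow case were exercised. Master ids, addresses and the software MPU model at the bottom are placeholders so the code runs off-target; on the S32K1xx the probe would be a volatile load/store (or a one-word DMA transfer) at an address the system MPU denies or allows for that master, and on_bus_error() would be called from the BusFault/HardFault handler.

```c
/* Added example, not NXP code: MPU start-up self-test with expected-reaction
 * table (SM_094). Region layout, masters and the model are placeholders. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { MASTER_CORE = 0, MASTER_DMA = 1 } master_t;
typedef enum { ACC_READ, ACC_WRITE } access_t;

typedef struct {
    master_t  master;
    uintptr_t addr;
    access_t  access;
    bool      expect_error;   /* true: the MPU must return an error response */
} mpu_probe_t;

/* Written from exception context, hence volatile. */
static volatile bool g_bus_error_seen;
static volatile bool g_bus_error_expected;

/* Called from the bus-error handler. Returns true if the self-test provoked
 * the error (handler returns past the probe), false if it is a real fault. */
bool on_bus_error(void)
{
    g_bus_error_seen = true;
    return g_bus_error_expected;
}

/* The access itself; injected so a software model can stand in for hardware. */
typedef void (*probe_fn)(master_t master, uintptr_t addr, access_t access);

/* True only if every probe produced exactly the expected reaction and the
 * table holds both polarities, so an MPU that blocks nothing or blocks
 * everything cannot pass. */
bool mpu_selftest(const mpu_probe_t *probes, size_t n, probe_fn probe)
{
    bool saw_deny = false, saw_allow = false;
    for (size_t i = 0; i < n; i++) {
        g_bus_error_seen     = false;
        g_bus_error_expected = probes[i].expect_error;
        probe(probes[i].master, probes[i].addr, probes[i].access);
        g_bus_error_expected = false;
        if (g_bus_error_seen != probes[i].expect_error)
            return false;                     /* wrong reaction: do not trust the MPU */
        if (probes[i].expect_error) saw_deny = true; else saw_allow = true;
    }
    return saw_deny && saw_allow;
}

/* ---- constructed MPU model for off-target runs (placeholder regions) ---- */
#define SAFE_DATA_BASE 0x20000000u   /* core: read/write, DMA: read-only */
#define SAFE_DATA_END  0x20001000u
#define OPEN_BASE      0x20001000u   /* any master, any access */
#define OPEN_END       0x20002000u

static void model_probe(master_t master, uintptr_t addr, access_t access)
{
    bool allowed;
    if (addr >= SAFE_DATA_BASE && addr < SAFE_DATA_END)
        allowed = (master == MASTER_CORE) || (access == ACC_READ);
    else if (addr >= OPEN_BASE && addr < OPEN_END)
        allowed = true;
    else
        allowed = false;                      /* no descriptor covers it */
    if (!allowed)
        (void)on_bus_error();                 /* the model's "exception" */
}

/* A dead MPU that never raises an error; the self-test must reject it. */
static void dead_probe(master_t master, uintptr_t addr, access_t access)
{
    (void)master; (void)addr; (void)access;
}

static const mpu_probe_t g_probes[] = {
    { MASTER_DMA,  0x20000010u, ACC_WRITE, true  },  /* DMA must not write safety data */
    { MASTER_DMA,  0x20000010u, ACC_READ,  false },
    { MASTER_CORE, 0x20000010u, ACC_WRITE, false },
    { MASTER_CORE, 0x20001800u, ACC_WRITE, false },
    { MASTER_CORE, 0x30000000u, ACC_READ,  true  },  /* uncovered address */
};
#define N_PROBES (sizeof g_probes / sizeof g_probes[0])

bool selftest_against_model(void) { return mpu_selftest(g_probes, N_PROBES, model_probe); }
bool selftest_against_dead(void)  { return mpu_selftest(g_probes, N_PROBES, dead_probe); }

int main(void)
{
    printf("configured MPU model: %s\n", selftest_against_model() ? "PASS" : "FAIL");
    printf("dead MPU:             %s\n", selftest_against_dead()  ? "PASS" : "FAIL");
    return 0;
}
```

Two things bite on real hardware. First, the handler has to return to the instruction after the faulting access (adjust the stacked PC, or issue the probe through a small helper whose return address is known), otherwise the probe re-executes forever. Second, Cortex-M cores may report a buffered write as an imprecise bus fault some cycles later, so each write probe should be followed by a barrier or a read-back inside the armed window, or the fault gets attributed to the wrong probe. The whole check belongs before the first safety-relevant use of the protected regions, inside the start-up budget SM_094 calls L-FTTI.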
sfjia
Contributor II

Hi Avni

Thanks a lot for your response!

Where/how can I get ‘S32K1XX_HW_Safety_Measure_ReactionTime.xlsx’? I can't find it in the safety group.

Best regards


aarul
NXP Employee

It is attached to the Safety Manual.


sfjia
Contributor II

Hi Aarul

There is neither a link nor a document attached to the Safety Manual for "S32K1XX_HW_Safety_Measure_ReactionTime.xlsx". Could you please send me the link or the documents directly?

Thank you.


aarul
NXP Employee

That's strange. I opened the Safety Manual at below link and I see the attachment (snapshot pasted below).

https://community.nxp.com/servlet/JiveServlet/downloadBody/340378-102-3-295615/S32K1XXSM_Rev5.pdf 

Can you please re-confirm that you do not see it?

[Screenshot: the attachment pane of the Safety Manual PDF showing the attached file]

sfjia
Contributor II

Oh, Got it 

Thank you!
