Safety Manual S32k116



Sushmitha_V
Contributor I

I am working on the S32K116 part number and have questions on the safety mechanisms applicable to this particular part number and on the implementation assumptions. I am referring to the Excel sheet attached to the safety manual, "S32K1XX_HW_Safety_Measure_ReactionTime".

[Screenshot attached: Sushmitha_V_0-1718775142753.png]

1) System OSC clock monitoring: as per the sheet it is mentioned to be applicable for the S32K14X family, so is this applicable for S32K116?

If the SOSC clock is not applicable for S32K116, then the items below should be removed from the FMEDA and should not be considered for S32K116:

SM_075
SM_076
Validate clock using FlexRay and/or CAN communication within FTTI

2) The FIRC SW test safety measure is not mentioned in the FMEDA, so is this applicable for the above part number?

3) The CMU(FIRC) SM is used for the FIRC. Does S32K116 have an SPLL? There is no safety assumption in that list; should it be referred to SM_083?

4) Is PLL monitoring not applicable for S32K116?

[Screenshot attached: Sushmitha_V_2-1718778041379.png]

5) Under power supply, what are the first (Core, Clock, NVM and Input Voltage Supply Low Voltage Detectors) and last (Supply ball redundancy) safety measures for, are they applicable for S32K116, and if so, which safety assumptions should be referred to?

[Screenshot attached: Sushmitha_V_3-1718778789893.png]

6) Software core self test: as per the manual there is a library for the list of assumptions and measures. Where is this manual placed, can I get the details of it, and is this applicable for S32K116?

7) There is no information on parity; is this applicable for S32K116?

[Screenshot attached: Sushmitha_V_4-1718779350159.png]

8) As per the FMEDA, the "ECC and reporting enabled" safety measure is used, but there is no safety assumption mapped to it.

9) As per the FMEDA, "CHECK ECC reporting path inside FTTI" is not implemented, so is this applicable for S32K116?

10) The security engine is marked as not implemented in the FMEDA, so is it applicable?

[Screenshot attached: Sushmitha_V_6-1718780298257.png]

11) There is no information on the EIM and ECC_EDC safety measures; can you provide these details?

16 Replies

Sushmitha_V
Contributor I

@chokor, can you respond to the queries posted a month ago and on 25/10/24?


Sushmitha_V
Contributor I

@chokor, can you respond to the queries below, posted earlier?

If the SOSC clock is not applicable for S32K116, then should the SM below also be marked as NOT applicable for S32K116?

SM_075, SM_076: Validate clock using FlexRay and/or CAN communication within FTTI

The FIRC SW test is a software measure; should this have the same DC as the CMU?

1) In S32K116, which modules are qualified for the periodic low latency interrupt? This is regarding [SM_099]: Periodic low latency IRQs will use a running timer/counter to ensure their call period is as expected.

2) SM_043: The overall system needs to include measures to monitor error flags in registers of the MCU and move the system to a safe state when an error is indicated. For the mentioned SM, since in S32K116 we don't have external watchdog support, should this be not applicable for S32K116, because the manual says the error out signal is only applicable for the S32K14X family? Or can we realize this functionality by other means? Here, for error monitoring, what is the context and which failures come under this category?


chokor
NXP Employee

- SM_075, SM_076 are not applicable

- FIRC SW test DC is 90%

- Processing modules might use this timer to measure the interrupt latency

- Any kind of error within the MCU will be reported in a status register, and the MCU will switch to safe state. One possible implementation is that the system reads the status register, for example via SPI using a PMIC or another MCU or other devices, to assure the safe state of the system at ECU level.

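A host-side illustration of the SM_099 idea touched on in the reply above (a periodic low-latency IRQ checking its own call period against a running timer/counter), added here as an example; it is not code from the S32K116 safety manual, the NXP SDK or this thread. The free-running counter, the ISR body, the safe-state flag and all names are hypothetical, the counter is assumed to be clocked independently of the interrupt source, and the invocation timestamps are constructed. It also covers the edge case a practitioner must get right: the interval check stays correct across the 32-bit counter wrap-around.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a free-running timer/counter, 1 tick = 1 us. On a real MCU this
 * would be a hardware counter register, assumed here to be clocked from a
 * source independent of the one that schedules the periodic interrupt. */
static volatile uint32_t g_free_running_us = 0;

/* Set when the monitor asks for a safe-state transition (hypothetical reaction). */
static bool g_safe_state_requested = false;

typedef struct {
    uint32_t expected_period_us;  /* nominal call period of the IRQ */
    uint32_t tolerance_us;        /* allowed jitter either side of nominal */
    uint32_t last_tick_us;        /* timestamp of the previous invocation */
    bool     primed;              /* first call only records a timestamp */
    uint32_t violations;          /* invocations outside the window */
} irq_period_monitor_t;

void monitor_init(irq_period_monitor_t *m, uint32_t period_us, uint32_t tol_us)
{
    *m = (irq_period_monitor_t){ period_us, tol_us, 0, false, 0 };
}

/* Returns true when the interval since the previous call lies inside
 * [period - tol, period + tol]. Unsigned subtraction keeps the check correct
 * across a 32-bit counter wrap-around. */
bool monitor_check(irq_period_monitor_t *m, uint32_t now_us)
{
    if (!m->primed) {
        m->last_tick_us = now_us;
        m->primed = true;
        return true;
    }
    uint32_t delta = now_us - m->last_tick_us;
    m->last_tick_us = now_us;

    uint32_t lo = m->expected_period_us - m->tolerance_us;
    uint32_t hi = m->expected_period_us + m->tolerance_us;
    if (delta < lo || delta > hi) {
        m->violations++;
        return false;
    }
    return true;
}

/* Body of the periodic ISR: the period check runs first, so a missed or
 * spurious invocation is caught within one period of occurring. */
static void periodic_isr(irq_period_monitor_t *m)
{
    if (!monitor_check(m, g_free_running_us)) {
        g_safe_state_requested = true;   /* application-specific reaction */
    }
    /* ... the safety-relevant work of the ISR would follow here ... */
}

/* Drives the ISR with a list of invocation timestamps and returns how many
 * invocations fell outside the window. */
uint32_t replay_timestamps(const uint32_t *ts, size_t n, uint32_t period_us, uint32_t tol_us)
{
    irq_period_monitor_t m;
    monitor_init(&m, period_us, tol_us);
    for (size_t i = 0; i < n; i++) {
        g_free_running_us = ts[i];
        periodic_isr(&m);
    }
    return m.violations;
}

/* Constructed scenario: 1 ms period, +/-50 us tolerance. One invocation is
 * skipped (2010 us gap) and one arrives only 10 us after its predecessor. */
uint32_t demo_violations(void)
{
    static const uint32_t ts[] = { 0, 1000, 2010, 2990, 5000, 5990, 6000 };
    return replay_timestamps(ts, sizeof ts / sizeof ts[0], 1000, 50);
}

/* Counter wrap-around: 500 us before the wrap, then 500 us after it, is
 * exactly one nominal period and must not be flagged. */
bool demo_wraparound_ok(void)
{
    irq_period_monitor_t m;
    monitor_init(&m, 1000, 50);
    monitor_check(&m, 0xFFFFFE0Cu);   /* primes the monitor */
    return monitor_check(&m, 500u);   /* delta wraps to exactly 1000 */
}

int main(void)
{
    printf("violations in replay: %u\n", (unsigned)demo_violations());
    printf("wrap-around handled:  %s\n", demo_wraparound_ok() ? "yes" : "no");
    printf("safe state requested: %s\n", g_safe_state_requested ? "yes" : "no");
    return 0;
}
```

The tolerance is the design decision that matters: it must be wider than the worst-case interrupt latency the rest of the system can impose on this IRQ, otherwise ordinary jitter produces false safe-state entries, and narrower than the FTTI minus the ISR's own execution time, otherwise a stalled or missing invocation is noticed too late.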

Sushmitha_V
Contributor I

@chokor: But I see in the FMEDA that SM_075 and SM_076 are used and claimed to have 60% DC, so would they be applicable for S32K116 or not? If not, why are they being used in the FMEDA analysis?

What would be the DC for the security engine check?


chokor
NXP Employee

Hi,

- Could you please send a screenshot of where you initially found that "System OSC Clock monitoring enabled as per the sheet is mentioned to be applicable for the S32K14X family"? Maybe a mismatch?

- Regarding the security engine check question, could you please tell for which failure mode and which safety mechanism? Within the FMEDA, don't you have any information?

BR,


Sushmitha_V
Contributor I

[Screenshot attached: Sushmitha_V_0-1732108983270.png]

Attaching the screenshot from the FMEDA of S32K116 where it says SM_076 and SM_075 are applicable.

[Screenshot attached: Sushmitha_V_2-1732109310726.png]

In the safety report for S32K116, SM_117 and SM_118 are recommended, so if we have to implement these, what would be the DC for these SMs?

@chokor: refer above


chokor
NXP Employee

[Screenshot attached: chokor_0-1732889020999.png]

- So, SM_075 and SM_076 are applicable for the S32K1XX family. What was mentioned to be applicable only to S32K14x was for different SMs.

Conclusion: SM_075 and SM_076 are applicable with DC 60%

- SM_117 and SM_118 for the security engine: DC is 60%

[Screenshot attached: chokor_2-1732889646967.png]


Sushmitha_V
Contributor I

1) In S32K116, which modules are qualified for the periodic low latency interrupt? This is regarding [SM_099]: Periodic low latency IRQs will use a running timer/counter to ensure their call period is as expected.

2) SM_043: The overall system needs to include measures to monitor error flags in registers of the MCU and move the system to a safe state when an error is indicated. For the mentioned SM, since in S32K116 we don't have external watchdog support, should this be not applicable for S32K116, because the manual says the error out signal is only applicable for the S32K14X family? Or can we realize this functionality by other means? Here, for error monitoring, what is the context and which failures come under this category?


Sushmitha_V
Contributor I

@chokor, can you respond to the queries?


Sushmitha_V
Contributor I

If the SOSC clock is not applicable for S32K116, then should the below also be marked as NOT applicable for S32K116?

SM_075
SM_076
Validate clock using FlexRay and/or CAN communication within FTTI

Pertaining to the above query, can you provide confirmation on the "Error injection reporting path" SM and, if this is recommended, what would be the DC for it?

And also, since the FIRC SW test is a software measure, should this have the same DC as the CMU?


chokor
NXP Employee

Hi,

1) The SOSC clock is not applicable for S32K116; the FMEDA does not use them either.

2) It is applicable

[Screenshot attached: chokor_0-1723029251816.png]

3) The S32K11x variants do not have an SPLL. S32K11x devices include a CMU which monitors only the FIRC, which is the main source of the system clock. Refer to SM_083.

4) No

5) Low voltage detectors are voltage monitors of logic units; refer to SM_084. Ball redundancy is to avoid open/short circuits; refer to SM_142.

6) Structural Core Self-Test (SCST) Library | NXP Semiconductors

7) Parity is not applicable for S32K116

8) Refer to SM_111

9) No

10) It is applicable; refer to SM_118

11) The EIM allows inducing single-bit and multi-bit inversions on read data when accessing the System RAM; refer to SM_111. For Error Detection Code refer to SM_112. Here are the diagnostic coverages:

[Screenshot attached: chokor_1-1723031213581.png]

BR,

Abbas CHOKOR
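An added, host-side example of what a "check ECC reporting path inside FTTI" test amounts to, in the spirit of the EIM description in point 11 of the reply above and the SM_119 discussion later in the thread: inject known single-bit and double-bit inversions on read data and require that each one shows up on the reporting path. This is not NXP code and does not use the real S32K116 error-injection or error-reporting registers; the toy SECDED code, the XOR-mask injector, the status counters and every name here are a constructed model, and the `stuck` flag is a hypothetical stand-in for a latent fault in the reporting path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy SECDED code over one data byte: Hamming(12,8) plus an overall parity bit.
 * Bit index == Hamming position: bit 0 = overall parity, bits 1,2,4,8 = Hamming
 * parity, bits 3,5,6,7,9,10,11,12 = data bits d0..d7. */
static const uint8_t DATA_POS[8] = { 3, 5, 6, 7, 9, 10, 11, 12 };

typedef enum { ECC_OK = 0, ECC_CORRECTED = 1, ECC_UNCORRECTABLE = 2 } ecc_status_t;

static uint16_t parity_of(uint16_t w) { uint16_t p = 0; for (; w; w >>= 1) p ^= w & 1; return p; }

uint16_t ecc_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int i = 0; i < 8; i++)
        if ((data >> i) & 1) cw |= (uint16_t)1 << DATA_POS[i];
    for (int p = 1; p <= 8; p <<= 1) {        /* parity p covers positions with bit p set */
        uint16_t acc = 0;
        for (int pos = 1; pos <= 12; pos++)
            if ((pos & p) && ((cw >> pos) & 1)) acc ^= 1;
        if (acc) cw |= (uint16_t)1 << p;
    }
    if (parity_of(cw)) cw |= 1;               /* overall even parity */
    return cw;
}

/* Decode one code word; data_out may be NULL when only the status matters. */
ecc_status_t ecc_decode(uint16_t cw, uint8_t *data_out)
{
    uint16_t syndrome = 0;
    for (int pos = 1; pos <= 12; pos++)
        if ((cw >> pos) & 1) syndrome ^= (uint16_t)pos;
    bool overall_ok = (parity_of(cw) == 0);
    ecc_status_t st = ECC_OK;
    if (!overall_ok) { cw ^= (uint16_t)1 << syndrome; st = ECC_CORRECTED; } /* odd flips: single bit, syndrome 0 = parity bit itself */
    else if (syndrome) st = ECC_UNCORRECTABLE;                               /* even flips, non-zero syndrome: double bit */
    if (data_out) {
        uint8_t d = 0;
        for (int i = 0; i < 8; i++)
            if ((cw >> DATA_POS[i]) & 1) d |= (uint8_t)(1u << i);
        *data_out = d;
    }
    return st;
}

/* One RAM word behind an EIM-style injector: the mask is XORed onto the read
 * data; the stored value itself is never modified. */
typedef struct { uint16_t stored; uint16_t inject_mask; } sim_ram_t;

/* The error-reporting path (status counters). `stuck` models a latent fault
 * where the path silently drops every event. */
typedef struct { uint32_t single_bit; uint32_t multi_bit; bool stuck; } ecc_report_t;

ecc_status_t ecc_read(const sim_ram_t *r, ecc_report_t *rep, uint8_t *out)
{
    ecc_status_t st = ecc_decode(r->stored ^ r->inject_mask, out);
    if (!rep->stuck) {
        if (st == ECC_CORRECTED) rep->single_bit++;
        else if (st == ECC_UNCORRECTABLE) rep->multi_bit++;
    }
    return st;
}

/* Periodic self-test of the reporting path: inject a single- and a double-bit
 * inversion and require each to be reported. Returns false when the path is
 * silent, i.e. a latent fault that would hide real ECC events. */
bool ecc_reporting_path_selftest(bool simulate_stuck_path)
{
    sim_ram_t r = { ecc_encode(0xA5), 0 };
    ecc_report_t rep = { 0, 0, simulate_stuck_path };
    uint8_t d = 0;
    /* baseline: clean read, nothing reported */
    if (ecc_read(&r, &rep, &d) != ECC_OK || d != 0xA5 || rep.single_bit || rep.multi_bit)
        return false;
    /* single-bit inversion on data bit d3 (position 7): corrected and counted */
    r.inject_mask = (uint16_t)1 << 7;
    if (ecc_read(&r, &rep, &d) != ECC_CORRECTED || d != 0xA5 || rep.single_bit != 1)
        return false;
    /* double-bit inversion (positions 7 and 10): uncorrectable and counted */
    r.inject_mask = ((uint16_t)1 << 7) | ((uint16_t)1 << 10);
    if (ecc_read(&r, &rep, &d) != ECC_UNCORRECTABLE || rep.multi_bit != 1)
        return false;
    r.inject_mask = 0;                        /* always disarm injection on exit */
    return true;
}

int main(void)
{
    printf("code word for 0xA5: 0x%04X\n", ecc_encode(0xA5));
    printf("healthy path: %s\n", ecc_reporting_path_selftest(false) ? "pass" : "FAIL");
    printf("stuck path:   %s\n", ecc_reporting_path_selftest(true) ? "pass" : "FAIL");
    return 0;
}
```

The `stuck` case is the point of the test: with the reporting path silent, the ECC logic still corrects the single-bit error and the data reads back correctly, so nothing in normal operation reveals the fault. Only a test that insists on seeing the report catches it, which is why such a check is scheduled once per FTTI rather than only at start-up. On real hardware the injection mask must be cleared before the test returns, or every later read of that word is corrupted.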

Sushmitha_V
Contributor I

Thanks for answering all those queries. Just a follow-up question:

1) The CMU would already check for faults in the FIRC; do we additionally need to do the FIRC SW test as well, and what is the need for this test? Why are there two recommended safety measures, CMU(FIRC) and FIRC SW test? I see that for the FIRC SM_074 and SM_073 are used.

2) When we are checking the ECC and reporting path, shouldn't we check whether the error reporting path has an issue or not? But in the safety manual, safety measure SM_119 is recommended. Can you briefly explain this?


chokor
NXP Employee

Hi,

1) The CMU FIRC test checks for latent faults as it runs at startup, while the FIRC SW test runs cyclically each FTTI to increase the integrity of the FIRC, since a fault in the FIRC frequency might end up in failures of several safety measures.

2) This is exactly what is recommended by SM_119



Sushmitha_V
Contributor I

Thanks again.

Last query on the error reporting path check: as per the last reply you mentioned that "Error injection reporting path" is not applicable for S32K116, but SM_119 recommends this check, so what is the conclusion on this SM?


chokor
NXP Employee

"Error injection reporting path" is not applicable for S32K116 as per the default FMEDA. However, if the fault contributes to an application safety goal violation (a safety-related fault), the recommended SM has to be added.
