Safety Manual S32k116
Working on the S32K116 part number; I have questions on the safety mechanisms applicable for this particular part number and on the implementation assumptions. Referring to the Excel sheet attached to the safety manual, "S32K1XX_HW_Safety_Measure_ReactionTime":
1) System OSC clock monitoring: as per the sheet, it is mentioned to be applicable for the S32K14X family, so should this be applicable for S32K116?
If the SOSC clock is not applicable for S32K116, then the below should be removed from the FMEDA and should not be considered for S32K116:
SM_075, SM_076 | Validate clock using FlexRay and/or CAN communication within FTTI
2) The FIRC SW test safety measure is not mentioned in the FMEDA, so is this applicable for the above part number?
3) The CMU(FIRC) SM is used for FIRC; does S32K116 have an SPLL? There is no safety assumption in that list; should SM_083 be referred to?
4) Is PLL monitoring not applicable for S32K116?
5) Under power supply, what are the first (Core, Clock, NVM and Input Voltage Supply Low Voltage Detectors) and last (Supply ball redundancy) safety measures for, are they applicable for S32K116, and if so, which safety assumptions should be referred to?
6) Software core self test: as per the manual there is a library for the list of assumptions and measures. Where is this manual placed, can I get the details of it, and is this applicable for S32K116?
7) No information on parity; is this applicable for S32K116?
9) As per the FMEDA, "CHECK ECC reporting path inside FTTI" is not implemented, so is this applicable for S32K116?
10) The security engine is marked as not implemented in the FMEDA, so is it applicable?
11) No information on the EIM and ECC_EDC safety measures; can you provide these details?
@chokor Can you respond to the below queries posted earlier?
If the SOSC clock is not applicable for S32K116, then should the below SMs also be marked as NOT applicable for S32K116?
SM_075, SM_076 | Validate clock using FlexRay and/or CAN communication within FTTI
The FIRC SW test is a software measure; should this have the same DC as the CMU?
1) In S32K116, which modules are qualified for periodic low latency interrupts? This is regarding [SM_099]: Periodic low latency IRQs will use a running timer/counter to ensure their call period is expected.
2) SM_043: The overall system needs to include measures to monitor error flags in registers of the MCU and move the system to a safe state when an error is indicated. For the mentioned SM, since in S32K116 we don't have external watchdog support, should this be not applicable for S32K116, because in the manual it says the error out signal is only applicable for the S32K14X family, or can we realize this functionality by other means? Here, what is the context of error monitoring and which failures come under this category?
- SM_075, SM_076 are not applicable
- FIRC SW test DC is 90%
- Processing modules might use this timer to measure the interrupt latency
- Any kind of error within the MCU will be reported in a status register, and the MCU will switch to safe state. One possible implementation is that the system reads the status register, for example via SPI using a PMIC or another MCU or other devices, to assure the safe state of the system at ECU level.
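An added illustration of the SM_099-style period check asked about above (editor's example, not code from NXP's safety manual, SCST library or FMEDA): a periodic IRQ compares consecutive readings of a free-running 32-bit timer against its expected call period and latches a safe-state request when a period falls outside the window. The timer source, tick unit, tolerance and the `enter_safe_state()` hook are assumptions for the example, and the timer readings replayed through it are constructed. The check also covers counter wraparound, which a naive signed comparison would get wrong.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Editor's example, not NXP code.  Assumptions: a free-running 32-bit
 * up-counter readable from the periodic IRQ, a nominal period and tolerance
 * chosen by the integrator, and a hypothetical enter_safe_state() hook. */

typedef struct {
    uint32_t expected_ticks;   /* nominal call period, in timer ticks */
    uint32_t tolerance_ticks;  /* accepted +/- deviation, in timer ticks */
    uint32_t last_ticks;       /* timer reading at the previous call */
    bool     primed;           /* first call only records the baseline */
    uint32_t violations;       /* call periods found outside the window */
} period_monitor_t;

static bool g_safe_state = false;   /* latched once a violation is detected */

/* Hypothetical application hook: a real system would disable actuators and
 * signal the PMIC/supervisor here.  This example only latches a flag. */
static void enter_safe_state(void) { g_safe_state = true; }
bool safe_state_requested(void) { return g_safe_state; }
void reset_safe_state(void) { g_safe_state = false; }

void period_monitor_init(period_monitor_t *m, uint32_t expected, uint32_t tol)
{
    m->expected_ticks  = expected;
    m->tolerance_ticks = tol;
    m->last_ticks      = 0;
    m->primed          = false;
    m->violations      = 0;
}

/* Called at the start of every periodic IRQ with the current timer reading.
 * Returns true when the interval since the previous call lies inside
 * [expected - tol, expected + tol].  Unsigned (modular) subtraction keeps
 * the check correct when the 32-bit counter wraps between two calls. */
bool period_monitor_check(period_monitor_t *m, uint32_t now_ticks)
{
    if (!m->primed) {
        m->last_ticks = now_ticks;
        m->primed = true;
        return true;
    }
    uint32_t elapsed = now_ticks - m->last_ticks;
    m->last_ticks = now_ticks;

    uint32_t low  = m->expected_ticks - m->tolerance_ticks;
    uint32_t high = m->expected_ticks + m->tolerance_ticks;
    if (elapsed < low || elapsed > high) {
        m->violations++;
        enter_safe_state();
        return false;
    }
    return true;
}

/* Replays a trace of timer readings through one monitor and returns how
 * many call periods fell outside the window. */
uint32_t replay_trace(const uint32_t *readings, size_t count,
                      uint32_t expected, uint32_t tol)
{
    period_monitor_t m;
    period_monitor_init(&m, expected, tol);
    for (size_t i = 0; i < count; i++)
        (void)period_monitor_check(&m, readings[i]);
    return m.violations;
}

/* Constructed trace for a 1 ms period on a 1 MHz tick (+/- 50 us window):
 * one late call (3100 - 1990 = 1110) and one early call (5000 - 4100 = 900). */
uint32_t violations_in_sample_trace(void)
{
    static const uint32_t trace[] = {0, 1000, 1990, 3100, 4100, 5000, 6000};
    return replay_trace(trace, sizeof trace / sizeof trace[0], 1000, 50);
}

/* Previous reading just below 2^32, next reading just above 0: the modular
 * subtraction still yields the true 1000-tick interval. */
bool wraparound_is_handled(void)
{
    period_monitor_t m;
    period_monitor_init(&m, 1000, 50);
    (void)period_monitor_check(&m, 0xFFFFFF00u);
    return period_monitor_check(&m, 0xFFFFFF00u + 1000u); /* wraps to 0x2E8 */
}

int main(void)
{
    printf("violations in sample trace: %u\n", violations_in_sample_trace());
    printf("safe state requested: %s\n", safe_state_requested() ? "yes" : "no");
    reset_safe_state();
    printf("wraparound handled: %s\n", wraparound_is_handled() ? "yes" : "no");
    return 0;
}
```

The monitor keeps only the previous reading, so the cost inside the IRQ is one timer read, one subtraction and two compares; the first call after reset is used purely to prime the baseline so that startup is not flagged as a missed period.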
@chokor: But I see in the FMEDA that SM_075 and SM_076 are used and claimed to have 60% DC, so would they be applicable for S32K116 or not? If not, why are they being used in the FMEDA analysis?
What would be the DC for the security engine check?
Hi,
- Could you please send a screenshot of where you initially found that "System OSC Clock monitoring enabled as per the sheet it's mentioned to be applicable for S32K14X Family"? Maybe a mismatch?
- Regarding the security engine check question, could you please tell for which failure mode and what safety mechanism? Don't you have any information within the FMEDA?
BR,
Attaching the screenshot from the FMEDA of S32K116 where it says SM_076 and SM_075 are applicable.
In the safety report for S32K116, the following SM_117 and SM_118 are recommended, so if we have to implement these, what would be the DC for these SMs?
@chokor: refer above
- So, SM_075 and SM_076 are applicable for the S32K1XX family. What was mentioned to be applicable only to S32K14x are different SMs.
Conclusion: SM_075 and SM_076 are applicable with DC 60%
- SM_117 and SM_118 for the security engine: DC is 60%
If the SOSC clock is not applicable for S32K116, then should the below also be marked as NOT applicable for S32K116?
SM_075, SM_076 | Validate clock using FlexRay and/or CAN communication within FTTI
Pertaining to the above query, can you provide confirmation on the "Error injection reporting path" SM, and if this is recommended, what would be the DC for it?
And also, since the FIRC SW test is a software measure, should this have the same DC as the CMU?
Hi,
1) The SOSC clock is not applicable for S32K116; the FMEDA does not use them either.
2) It is applicable.
3) The S32K11x variants do not have an SPLL. S32K11x devices include a CMU which monitors only the FIRC, which is the main source of the system clock. Refer to SM_083.
4) No.
5) Low voltage detectors are voltage monitors of logic units; refer to SM_084. Ball redundancy is to avoid open/short circuits; refer to SM_142.
6) Structural Core Self-Test (SCST) Library | NXP Semiconductors
7) Parity is not applicable for S32K116.
9) No.
10) It is applicable; refer to SM_118.
11) The EIM allows inducing single-bit and multi-bit inversions on read data when accessing the System RAM; refer to SM_111. For Error Detection Code refer to SM_112. Here are the diagnostic coverages:
BR,
Abbas CHOKOR
Thanks for answering all those queries. Just a follow-up question:
1) The CMU would already check for faults in the FIRC; do we additionally need to do the FIRC SW test as well, and what is the need for this test? Why are there two recommended safety measures, CMU(FIRC) and FIRC SW test? I see for FIRC SM_074 and SM_073 are used.
2) When we are checking the ECC and reporting path, shouldn't we check whether the error reporting path has an issue or not? But in the safety manual, safety measure SM_119 is recommended. Can you just brief on this?
Hi,
1) The CMU FIRC test checks for latent faults as it runs at startup, while the FIRC SW test runs cyclically each FTTI to increase the integrity of the FIRC, since a fault in the FIRC frequency might end up in failures of several safety measures.
2) This is exactly what is recommended by SM_119
Thanks Again.
Last query on the error reporting path check: as per the last reply you mentioned that "Error injection reporting path" is not applicable for S32K116, but SM_119 recommends this check, so what is the conclusion on this SM?
"Error injection reporting path" is not applicable for S32K116 as per the default FMEDA. However, if the fault contributes to an application safety goal violation (a safety-related fault), the recommended SM has to be added.