9.1 Design for Safety
Specific design techniques have been used in the device to resolve general purpose safety concerns. This allows reduced software development and code size, as well as savings on external hardware circuitry, since built-in self-tests are already embedded in the device. The table below gives the list of peripherals which incorporate these techniques for general purpose safety considerations.
| Peripheral | Component | Feature - Fault/Error covered |
|---|---|---|
| PMC, SUPC | Clock | MCK frequency monitor - MCK out-of-range operation |
| PMC, SUPC | Clock | 32.768 kHz crystal oscillator frequency monitor - Abnormal frequency deviation, failure |
| PMC, SUPC | Clock | Main crystal oscillator failure detector - Crystal failure detection |
| ICM | Memories | Any error detection |
| SEFC | Embedded nonvolatile memory | Single bit error correction |
| SEFC | Embedded nonvolatile memory | Double bit error detection |
| System Controller | All | Safety-critical peripheral logic or circuitry (WDT, RSTC, start-up counters, timeout counters, etc.) is fed by the always-on slow RC oscillator |
| PIO | I/O lines | Digital I/O - Plausibility check |
| ADC | Analog I/O and ADC converter | Plausibility check |
| WDT | Watchdog | Watchdog is driven by an internal always-on clock - Program counter stuck-at faults |
| WDT | Watchdog | Watchdog configuration can be locked until the next reset - Errant writes (programming errors, errors introduced by system or hardware failures) |
| WDT | Watchdog | Watchdog overflow generates a reset or interrupt |
| Cortex-M4 MPU | Memory Protection Unit | Cortex-M4 Memory Protection Unit |
| MATRIX, RTC, RTT, RSTC, PMC, PIOC, FLEXCOM, QSPI, TC, ADC | Peripherals | Configuration, Interrupt Enable/Disable and Control registers can be independently write-protected - Errant writes (programming errors, errors introduced by system or hardware failures) |
| RTC | Peripheral | Robust against crystal oscillator glitches: the RTC 32.768 kHz divider is designed not to propagate glitches downstream to the time/date counter |
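The PIO and ADC rows list a "plausibility check" as the safety feature for digital and analog I/O. The following is an added illustration, not code from the datasheet or from the device vendor, of what such checks look like on the firmware side once samples have been read from the hardware: an analog value measured on two channels must agree within a tolerance, stay inside a physically sensible window, and not jump implausibly between samples; a digital line is read back against the level the firmware drove and is flagged as stuck if it never toggles over a window of samples. All limits, names and the bitmask sample history are constructed for the example and would be tuned to the actual sensor and wiring.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed plausibility limits for a 12-bit ADC reading of a signal that
 * must stay inside a known physical range. These are example values only. */
#define ADC_MIN_PLAUSIBLE   100u   /* below this the sensor or wiring is suspect */
#define ADC_MAX_PLAUSIBLE  3900u   /* above this likewise (open input, short to rail) */
#define ADC_REDUNDANT_TOL    64u   /* max disagreement between the two channels */
#define ADC_MAX_STEP        512u   /* max change between consecutive accepted samples */

typedef enum {
    PLAUS_OK = 0,
    PLAUS_OUT_OF_RANGE,       /* at least one channel outside the physical window */
    PLAUS_CHANNEL_MISMATCH,   /* redundant channels disagree beyond tolerance */
    PLAUS_STEP_TOO_LARGE      /* implausible jump relative to the previous sample */
} plaus_result_t;

static uint16_t absdiff_u16(uint16_t a, uint16_t b)
{
    return a > b ? (uint16_t)(a - b) : (uint16_t)(b - a);
}

/* Analog plausibility: one quantity sampled on two independent ADC channels
 * (a, b) is compared against the window, against each other, and against the
 * previously accepted value. A failure is reported rather than averaged away,
 * so the caller can enter a safe state or raise a fault. */
plaus_result_t adc_plausibility(uint16_t a, uint16_t b, uint16_t prev, bool have_prev)
{
    if (a < ADC_MIN_PLAUSIBLE || a > ADC_MAX_PLAUSIBLE ||
        b < ADC_MIN_PLAUSIBLE || b > ADC_MAX_PLAUSIBLE)
        return PLAUS_OUT_OF_RANGE;
    if (absdiff_u16(a, b) > ADC_REDUNDANT_TOL)
        return PLAUS_CHANNEL_MISMATCH;
    if (have_prev && absdiff_u16(a, prev) > ADC_MAX_STEP)
        return PLAUS_STEP_TOO_LARGE;
    return PLAUS_OK;
}

/* Digital I/O plausibility, part 1: an output pin is read back (on the same
 * pin or a second input wired to it) and must follow the driven level. */
bool dio_readback_matches(bool driven, bool readback)
{
    return driven == readback;
}

/* Digital I/O plausibility, part 2: 'history' holds the last samples of an
 * input, one bit per sample (bit 0 = newest). Over a window of n samples the
 * line is considered stuck if every sample is the same level; true means the
 * line is not stuck (it toggled at least once in the window). */
bool dio_not_stuck(uint32_t history, unsigned n)
{
    uint32_t mask = (n >= 32u) ? 0xFFFFFFFFu : ((1u << n) - 1u);
    uint32_t window = history & mask;
    return window != 0u && window != mask;
}
```

The checks are deliberately pure functions of already-read values: the device-specific reads (PIO data registers, ADC conversion results) stay in the hardware abstraction layer, and the decision logic can be unit-tested on a host, which is where a safety argument for the firmware side of the plausibility check is usually made.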
