PXROS-HR startup and Safety

A safety-critical application running on the AURIX TX2xx device requires the integration of the SafeTlib tests for the built-in safety mechanisms. The SafeTlib runs an internal state machine with four phases (Early Pre-run, Pre-run, Runtime, and Post-run). Each phase corresponds to a specific state of the microcontroller, in particular of the SMU module.

The SafeTlib phases Early Pre-run and Pre-run, with their related tests, must run before the PXROS-HR initialization function PxInit(). The reason is that every safety mechanism must be tested before its first use. The kernel sets up the MPU protection at the very beginning of its initialization, and the SafeTlib can execute the MPU test in the Pre-run phase only. Therefore, the kernel PxInit() function shall be called either at the end of the Pre-run phase or in the Runtime phase.

In a multicore device, certain tests require specific conditions for their execution. One of these conditions conflicts with the default PXROS-HR start-up, in which all cores are started in parallel at the same time. The integration therefore requires the PXROS-HR utilities that support starting a CPU from IDLE mode.

PXROS-HR should start its initialization either in the Pre-run or in the Runtime phase. During Runtime, all safety mechanisms are active and the SMU reports any errors according to its configuration. The kernel handles MPU traps actively; therefore the SMU shall not report MPU faults, because SMU interference can corrupt the kernel context switch operation.

The Pre-run phase offers only a theoretical place for kernel initialization. In practice, the transition to the Runtime phase requires core synchronization, which adds complexity once the kernel is already running tasks.
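The ordering rule above, as an added example that is not PXROS-HR or SafeTlib code: a small C model of the four-phase state machine with a guard that permits PxInit() only after the Pre-run MPU test has passed, i.e. at the end of Pre-run or in Runtime. The phase enum, the state struct and the function names are hypothetical; the real PxInit() call is represented by a flag.

```c
/* Added example (hypothetical model, not PXROS-HR or SafeTlib code).
 * It encodes the rule: the kernel sets MPU protection at start, the MPU
 * test exists only in Pre-run, so PxInit() may run only at the end of
 * Pre-run or in Runtime, and only once. */
#include <stdbool.h>

typedef enum { PH_EARLY_PRERUN, PH_PRERUN, PH_RUNTIME, PH_POSTRUN } stl_phase_t;

typedef struct {
    stl_phase_t phase;      /* current SafeTlib phase (model) */
    bool mpu_test_passed;   /* result of the Pre-run MPU test */
    bool kernel_started;    /* PxInit() already called */
} startup_state_t;

/* True if calling PxInit() now is consistent with the rule above. */
bool pxinit_allowed(const startup_state_t *s)
{
    if (s->kernel_started || !s->mpu_test_passed)
        return false;
    return s->phase == PH_PRERUN || s->phase == PH_RUNTIME;
}

/* The MPU test belongs to Pre-run only; any other phase is rejected. */
bool run_prerun_mpu_test(startup_state_t *s)
{
    if (s->phase != PH_PRERUN)
        return false;
    s->mpu_test_passed = true;   /* constructed: assume the test passes */
    return true;
}

/* Recommended sequence (kernel init in Runtime). Returns the phase in
 * which the model PxInit() was called, or -1 if a guard refused it. */
int recommended_startup(startup_state_t *s)
{
    s->phase = PH_EARLY_PRERUN;  /* early tests would run here */
    s->phase = PH_PRERUN;
    if (!run_prerun_mpu_test(s))
        return -1;
    s->phase = PH_RUNTIME;       /* cores synchronised before this point */
    if (!pxinit_allowed(s))
        return -1;
    s->kernel_started = true;    /* stands in for the real PxInit() */
    return (int)s->phase;
}
```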

The following figure depicts the recommended solution with initialization in the Runtime phase.

[Figure: pxros cpu1 compat safetlib]
Fig. 1. CPU1 as MASTER_CORE, COMPAT mode disabled, SafeTlib

The initialization with SafeTlib is not part of the enclosed projects.