
PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
All information hereunder is per NXP’s best knowledge. This document does not provide for any
representation or warranty express or implied by NXP. NXP makes no representation or warranty that
customer’s applications or design will be suitable for customers’ specified use without further testing or
modification. Customers are responsible for the design and operation of their applications and products
using NXP products, and NXP accepts no liability for any assistance with applications or customer product
design. Customers should provide appropriate design and operating safeguards to minimize the risks
associated with their applications and products.
For reliable information on the NXP product please consult the respective NXP data sheet. Unless
otherwise recorded in a written agreement, all sales transactions by NXP are subject to our general terms
and conditions of commercial sale. These are published at http://www.nxp.com/about/about-nxp/our-
terms-and-conditions-of-commercial-sale:TERMSCONDITIONSSALE
S32 Safety Software Framework
Product Brief

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
NXP S32 Safety Software Framework.
The same SAF API, slightly different functionality.
1.0 Software Product Overview
The S32 Safety Software Framework (SAF) is a software product containing software
components for establishing the safety foundation for customer’s safety applications compliant with
ISO 26262 functional safety. It allows integration up to ASIL D automotive safety integrity level. It is
developed as Safety Element out of Context (SEooC). The S32 Safety Software Framework is
designed to be integrable within AUTOSAR® and non - AUTOSAR applications. It is a software product
covering all NXP S32 Automotive Platform devices (see Figure 1, S32K in a separate package).
Vehicle
Networking
Gateway,
Domain Controllers
ADAS &
Autonomous
Driving
Powertrain & Vehicle
Dynamics
Radar, LIDAR
Vision
Sensor Fusion
Body Electronics
Edge Nodes
Chassis & Safety
Powertrain & Hybrid/EV
Figure 1. NXP’s S32 Safety Software Framework supporting all NXP S32 devices

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
The S32 Safety Software Framework provides the software modules from Hardware and
Service safety layers as shown in Figure 2. The Software modules provided are:
- BIST Manager - Built in Self-Test Manager covering both LBIST (Logic BIST) and MBIST
(Memory BIST)
- eMCEM – extended Microcontroller Error Manager
- Mode Selector – Mode Selector (including Safety Config)
- sBoot – Safety Boot
- SquareCheck – Square Check (Check the Checkers)
- SW Recovery – Software Recovery
* SbSW – Safety by SW
Figure 2. NXP’s S32 Safety Software Framework content
Note: The users who will develop their own safety solution can use the S32 Safety Peripheral Drivers
(SPD) product containing the BIST Manager and eMCEM. It complements the S32 Real Time Drivers
product to provide software support for the on-chip peripheral modules.
Flash
Controller
Computational Shell
+ IO Peripherals
SWT
SbSW IP
HW Safety
Measures

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
The S32 Safety Software Framework components are involved during boot, runtime, and fault
recovery. The components involvement is depicted in Figure 3. The components exchange data to
execute the right measures and responses at the given application state.
Figure 3. S32 Safety Software Framework operation diagram

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
2.0 Software Content
The S32 Safety Software Framework is essential in supporting applications on S32 Automotive
Platform devices to achieve safety. The main features of the S32 Safety Software Framework are as
follows:
- Checking the hardware safety mechanisms, i.e., latent fault detection
- BIST management and deployment to provide high availability
- Enabling booting into either normal or degraded modes
- Ensuring the device is correctly setup to be able to start safety function
- Handling and reaction to detected faults
- Support for local and global recovery strategies
- Compliance with ISO 26262
BIST Manager (Built in Self Test Manager)
- A driver for MBIST and LBIST HW modules
- Analyzes the results provided by LBIST and MBIST HW and initiates their execution

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
eMCEM (Extended Microcontroller Error Manager)
- Fault management of the microcontroller
- Configuration of fault reactions (reset, alarm IRQ, NMI, no reaction)
- Sophisticated error handling mechanism
- Allows to register an individual alarm handler for each FCCU fault
- Redirection of fault reaction if the respective safety mechanism is tested by SquareCheck
- Fault status reporting and fault clearing
- Error injection
- Memory error reporting
ModeSelector (Mode Selector)
− A SW component used for selecting the application normal mode or degraded mode
− Degraded modes increase device availability by enabling a usage of the device under the
presence of non-critical permanent faults
− The selection is based on FCCU results, SquareCheck results, optionally MBIST/LBIST
results, and diagnostic information stored by SW Recovery.
− There is also a possibility to call SW Recovery followed by Functional Reset in the cases of no
operating mode can be selected
− Executed during the boot (startup) phase when the system is in a safe state
− Configuration of HW resource regions and association to the fault sources needed for the
selectable modes

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
sBoot (safe Boot)
• A SW component checking whether the device booted to a safe configuration
• Executed at the beginning of the application execution before the safety context is established
• Verifies that the device configuration meets the hardware safety manual (SM) assumptions
eMcem – FCCU
(+ERM/SRAMC)
Custom Bootloader/
Startup Code
mSel_SelectMode()
Fault Analysis (+ Statistical Analysis)
sCheck – Safety
User Initialization
Normal Mode
User Initialization
Degraded Mode(s)

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
SquareCheck
• A SW component used for latent fault detection
− Detects faults in the hardware safety mechanisms
• Provides start-up, runtime and shut-down APIs
• Provides required Diagnostic Coverage as per ISO 26262 up to ASIL D
SW Recovery (Software Recovery)
− A SW component used for global recovery
− Called either in the case the MCU needs to recover from a fault that could not be handled by a
local recovery or in the case Mode Selector can’t select any operational mode
− Store diagnostic information for Mode Selector
− Executed when MCU is in a safe state

PUBLIC
© NXP Semiconductors N.V.
Uncontrolled copy if printed
3.0 Supported Targets
The S32 Safety Software Framework described in this product brief is intended to be used
with NXP
Semiconductors S32G2 devices.
4.0 Quality, Standards Compliance and Testing Approach
The S32 Safety Software Framework software product is developed according to NXP Software
Development Processes that is ISO 26262, Automotive-SPICE, IATF 16949 and ISO 9001 compliant.