SFFS700 May   2024 TMS320F28P650DH , TMS320F28P650DK , TMS320F28P650SH , TMS320F28P650SK , TMS320F28P659DH-Q1 , TMS320F28P659DK-Q1 , TMS320F28P659SH-Q1

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F28P65x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P65x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 TMS320F28P65x MCU Safety Implementation
        1. 4.2.5.1 Assumed Safety Requirements
        2. 4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU
          1. 4.2.5.2.1 Safety Concept Implementation: Option 1
          2. 4.2.5.2.2 Safety Concept Implementation: Option 2
          3. 4.2.5.2.3 Safety Concept Implementation: Option 3
          4. 4.2.5.2.4 Safety Concept Implementation: Option 4
          5. 4.2.5.2.5 Safety Concept Implementation: Option 5
          6. 4.2.5.2.6 Safety Concept Implementation: Option 6
      6. 4.2.6 TMS320F28P65x Diagnostic Libraries
        1. 4.2.6.1 Assumptions of Use: F28P65x Self-Test Libraries
        2. 4.2.6.2 Operational Details: F28P65x Self-Test Libraries
          1. 4.2.6.2.1 Operational Details: C28x Self-Test Library
          2. 4.2.6.2.2 Operational Details: CLA Self-Test Library
          3. 4.2.6.2.3 Operational Details - Software Diagnostic Libraries
        3. 4.2.6.3 C2000 Safety STL Software Development Flow
    3. 4.3 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator (CLA)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
      8. 5.4.8 Configurable Logic Block (CLB)
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1  Controller Area Network (DCAN)
      2. 5.7.2  Controller Area Network (MCAN, CAN FD)
      3. 5.7.3  Ethernet for Control Automation Technology (EtherCAT)
      4. 5.7.4  Serial Peripheral Interface (SPI)
      5. 5.7.5  Serial Communication Interface (SCI)
      6. 5.7.6  Universal Asynchronous Receiver/Transmitter (UART)
      7. 5.7.7  Local Interconnect Network (LIN)
      8. 5.7.8  Inter-Integrated Circuit (I2C)
      9. 5.7.9  Fast Serial Interface (FSI)
      10. 5.7.10 Power Management Bus Module (PMBus)
      11. 5.7.11 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW and MEALLOW Protection for Critical Registers
        5. 6.4.1.5  External Clock Monitoring via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Brownout Reset (BOR)
        10. 6.4.1.10 Glitch Filtering on Reset Pins
        11. 6.4.1.11 Hardware Disable of JTAG Port
        12. 6.4.1.12 Lockout of JTAG Access Using OTP
        13. 6.4.1.13 Internal Watchdog (WD)
        14. 6.4.1.14 Lock Mechanism for Control Registers
        15. 6.4.1.15 Missing Clock Detect (MCD)
        16. 6.4.1.16 NMIWD Reset Functionality
        17. 6.4.1.17 NMIWD Shadow Registers
        18. 6.4.1.18 Multibit Enable Keys for Control Registers
        19. 6.4.1.19 Online Monitoring of Temperature
        20. 6.4.1.20 Periodic Software Read Back of Static Configuration Registers
        21. 6.4.1.21 Peripheral Clock Gating (PCLKCR)
        22. 6.4.1.22 Peripheral Soft Reset (SOFTPRES)
        23. 6.4.1.23 Peripheral Access Protection – Type 1
        24. 6.4.1.24 Software Test of Reset – Type 1
        25. 6.4.1.25 PLL Lock Profiling Using On-Chip Timer
        26. 6.4.1.26 Reset Cause Information
        27. 6.4.1.27 Software Read Back of Written Configuration
        28. 6.4.1.28 Software Test of ERRORSTS Functionality
        29. 6.4.1.29 Software Test of Missing Clock Detect Functionality
        30. 6.4.1.30 Software Test of Watchdog (WD) Operation
        31. 6.4.1.31 Dual Clock Comparator (DCC) – Type 2
        32. 6.4.1.32 PLL Lock Indication
        33. 6.4.1.33 Software Test of DCC Functionality Including Error Tests
        34. 6.4.1.34 Software Test of PLL Functionality Including Error Tests
        35. 6.4.1.35 Interleaving of FSM States
        36. 6.4.1.36 Decryption of Encrypted Data Output Using Same KEY and IV
        37. 6.4.1.37 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Reciprocal Comparison by Software
        3. 6.4.2.3  Software Test of CPU
        4. 6.4.2.4  CPU Hardware Built-In Self-Test (HWBIST)
        5. 6.4.2.5  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
        6. 6.4.2.6  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
        7. 6.4.2.7  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
        8. 6.4.2.8  Software Test of CLA
        9. 6.4.2.9  CLA Handling of Illegal Operation and Illegal Results
        10. 6.4.2.10 CLA Liveness Check Using CPU
        11. 6.4.2.11 Disabling of Unused CLA Task Trigger Sources
        12. 6.4.2.12 Stack Overflow Detection
        13. 6.4.2.13 VCRC Check of Static Memory Contents
        14. 6.4.2.14 VCRC Auto Coverage
        15. 6.4.2.15 Hardware Redundancy Using Lockstep Compare Module (LCM)
        16. 6.4.2.16 Self-Test Logic for LCM
        17. 6.4.2.17 LCM Compare Error Forcing Mode
        18. 6.4.2.18 LCM MMR Parity
        19. 6.4.2.19 Test of LCM MMR Parity
        20. 6.4.2.20 Lockstep Self-test Mux Select Logic Fault Detection
        21. 6.4.2.21 Redundancy in LCM Comparator
        22. 6.4.2.22 Embedded Real Time Analysis and Diagnostic (ERAD)
        23. 6.4.2.23 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect and Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program and Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-Demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 Background CRC
        22. 6.4.3.22 Watchdog for Background CRC
        23. 6.4.3.23 ROM Parity
        24. 6.4.3.24 Redundant Parity Engine
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2  DMA Overflow Interrupt
        3. 6.4.4.3  Event Timestamping Using IPC Counter
        4. 6.4.4.4  Maintaining Interrupt Handler for Unused Interrupts
        5. 6.4.4.5  Majority Voting and Error Detection of Link Pointer
        6. 6.4.4.6  PIE Double SRAM Comparison Check
        7. 6.4.4.7  PIE Double SRAM Hardware Comparison
        8. 6.4.4.8  Power-Up Pre-Operational Security Checks
        9. 6.4.4.9  Software Check of X-BAR Flag
        10. 6.4.4.10 Software Test of ePIE Operation Including Error Tests
        11. 6.4.4.11 Disabling of Unused DMA Trigger Sources
        12. 6.4.4.12 Software Test of CLB Function Including Error Tests
        13. 6.4.4.13 Monitoring of CLB by eCAP or eQEP
        14. 6.4.4.14 Periodic Software Read Back of SPI Buffer
        15. 6.4.4.15 IPC 64-Bit Counter Value Plausibility Check
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  ECAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using XBAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  Online MINMAX Monitoring of TRIP Events
        6. 6.4.5.6  Fault Avoidance Using Minimum Dead Band
        7. 6.4.5.7  Fault Avoidance Using Illegal Combo Logic
        8. 6.4.5.8  Diode Emulation Mode Monitoring
        9. 6.4.5.9  eQEP Application Level Safety Mechanisms
        10. 6.4.5.10 eQEP Quadrature Watchdog
        11. 6.4.5.11 eQEP Software Test of Quadrature Watchdog Functionality
        12. 6.4.5.12 Hardware Redundancy
        13. 6.4.5.13 HRPWM Built-In Self-Check and Diagnostic Capabilities
        14. 6.4.5.14 Information Redundancy Techniques
        15. 6.4.5.15 Monitoring of ePWM by eCAP
        16. 6.4.5.16 Monitoring of ePWM by ADC
        17. 6.4.5.17 Online Monitoring of Interrupts and Events
        18. 6.4.5.18 SDFM Comparator Filter for Online Monitoring
        19. 6.4.5.19 SD Modulator Clock Fail Detection Mechanism
        20. 6.4.5.20 Software Test of Function Including Error Tests
        21. 6.4.5.21 Monitoring of HRPWM by HRCAP
        22. 6.4.5.22 HRCAP Calibration Logic Test Feature
        23. 6.4.5.23 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  ADC Information Redundancy Techniques
        2. 6.4.6.2  ADC Input Signal Integrity Check
        3. 6.4.6.3  ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4  Hardware Redundancy with ADC Safety Checker
        5. 6.4.6.5  Hardware Redundancy of ADC Safety Checker
        6. 6.4.6.6  Disabling Unused Sources of SOC Inputs to ADC
        7. 6.4.6.7  CMPSS Ramp Generator Functionality Check
        8. 6.4.6.8  DAC to ADC Loopback Check
        9. 6.4.6.9  DAC to Comparator Loopback Check
        10. 6.4.6.10 Opens/Shorts Detection Circuit for ADC
        11. 6.4.6.11 VDAC Conversion by ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Bit Error Detection
        2. 6.4.7.2  CRC in Message
        3. 6.4.7.3  DCAN Acknowledge Error Detection
        4. 6.4.7.4  DCAN Form Error Detection
        5. 6.4.7.5  DCAN Stuff Error Detection
        6. 6.4.7.6  PWM Trip by MCAN
        7. 6.4.7.7  MCAN Stuff Error Detection
        8. 6.4.7.8  MCAN Form Error Detection
        9. 6.4.7.9  MCAN Acknowledge Error Detection
        10. 6.4.7.10 Timeout on FIFO Activity
        11. 6.4.7.11 Timestamp Consistency Checks
        12. 6.4.7.12 Tx-Event Checks
        13. 6.4.7.13 Interrupt on Message RAM Access Failure
        14. 6.4.7.14 Software Test of Function Including Error Tests Using EPG
        15. 6.4.7.15 EMIF Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 EMIF Access Protection Mechanism
        17. 6.4.7.17 EMIF Asynchronous Memory Timeout Protection Mechanism
        18. 6.4.7.18 I2C Access Latency Profiling Using On-Chip Timer
        19. 6.4.7.19 Information Redundancy Techniques Including End-to-End Safing
        20. 6.4.7.20 I2C Data Acknowledge Check
        21. 6.4.7.21 Parity in Message
        22. 6.4.7.22 Break Error Detection
        23. 6.4.7.23 Frame Error Detection
        24. 6.4.7.24 Overrun Error Detection
        25. 6.4.7.25 Software Test of Function Using I/O Loopback
        26. 6.4.7.26 SPI Data Overrun Detection
        27. 6.4.7.27 Transmission Redundancy
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN Physical Bus Error Detection
        30. 6.4.7.30 LIN No-Response Error Detection
        31. 6.4.7.31 LIN Checksum Error Detection
        32. 6.4.7.32 LIN ID Parity Error Detection
        33. 6.4.7.33 Communication Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 FSI Data Overrun and Underrun Detection
        35. 6.4.7.35 FSI Frame Overrun Detection
        36. 6.4.7.36 FSI CRC Framing Checks
        37. 6.4.7.37 FSI ECC Framing Checks
        38. 6.4.7.38 FSI Frame Watchdog
        39. 6.4.7.39 FSI RX Ping Watchdog
        40. 6.4.7.40 FSI Tag Monitor
        41. 6.4.7.41 FSI Frame Type Error Detection
        42. 6.4.7.42 FSI End of Frame Error Detection
        43. 6.4.7.43 FSI Register Protection Mechanisms
        44. 6.4.7.44 PMBus Protocol CRC in Message
        45. 6.4.7.45 PMBus Clock Timeout
        46. 6.4.7.46 EtherCAT MDIO Command Error Indication
        47. 6.4.7.47 EtherCAT Sync-Manager
        48. 6.4.7.48 EtherCAT Working Counter Error Indication
        49. 6.4.7.49 EtherCAT Frame Error Indication
        50. 6.4.7.50 EtherCAT Physical Layer Error Indication
        51. 6.4.7.51 PDI Timeout Error Indication
        52. 6.4.7.52 EtherCAT EEPROM CRC Error Indication
        53. 6.4.7.53 EtherCAT EEPROM Not Done Error Indication
        54. 6.4.7.54 EtherCAT Data Link Error Indication
        55. 6.4.7.55 EtherCAT Phy Link Error Indication
        56. 6.4.7.56 Sync, GPO Monitoring Using External Monitor
        57. 6.4.7.57 EtherCAT Enhanced Link Detection With LED
        58. 6.4.7.58 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU

The CPU1 subsystem in the TMS320F28P65xD class of devices and the sole CPU in TMS320F28P65xS variants supports a pair of diverse processing units (C28x and CLA) with heterogeneous asymmetric architectures, instruction sets and software tools. Either of the processing units can be used to execute the intended function (the main real-time control function). The safety functions, which ensure that each safety goal can be met, can be implemented for diagnostic of random hardware failure by running Reciprocal Comparison by Software in separate processing units providing high diagnostic coverage for the processing units (ISO 26262-5:2018, Table D.4 and IEC 61508-2:2010, Table A.4). Safety mechanisms such as CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping, CLA Handling of Illegal Operation and Illegal Results, Internal Watchdog and so forth, can also be utilized. CPU Hardware Built-In Self-Test (HWBIST) can be used to implement latent fault coverage of the diagnostic function. Heterogeneous CPU cores minimize possibility of common mode failures while implementing this reciprocal comparison, thereby improving confidence in its Diagnostic Coverage. For common cause failures such as clock, power and reset, an external watchdog should be used.

The CPU2 subsystem in the TMS320F28P65xD class of devices supports a pair of lockstep C28x CPUs. In this case, the safety functions can be implemented via Hardware Redundancy Using Lockstep Compare Module (LCM) for diagnostic of random hardware failure, providing diagnostic coverage for the processing units. Safety mechanisms such as CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping, CLA Handling of Illegal Operation and Illegal Results, Internal Watchdog and so forth, can also be utilized. Software Test of CPU, Self-test Logic for LCM, and LCM Compare Error Forcing Mode can be used to implement latent fault coverage of the diagnostic function. Again, for common cause failures such as clock, power and reset, an external watchdog should be used.

Here are some definitions relevant to the following implementation options:

  • Intended Function: Control application implemented on TMS320F28P65x (PFC, DCDC, traction-inverter etc.)
  • Safety Function: Achieves risk reduction and implemented for safety goals identified from HARA
    • Example: prevent over-current, over/under voltage, over temperature, forward/reverse torque etc.)
  • Diagnostic Function: Ensures safety-function will operate correctly when required
    • Shall meet >= 60% LFM for ISO 26262:2018 (ASIL B compliance targeted) systems

The following are the safety concept options which can be implemented on TMS320F28P65x.