The products supported by this document have been assessed to be meet a systematic capability compliance of ASIL D (according to ISO 26262) and SIL 3 (according to IEC 61508). For more information, see the Texas Instrument's functional safety hardware development process.

This Functional Safety Manual is part of the Functional Safety-Compliant design package to aid customers who are designing systems in compliance with ISO26262 or IEC61508 functional safety standards.

This document is a functional safety manual for the Texas Instruments TMS320F28004x safety critical microcontroller product family. The product family utilizes a common safety architecture that is implemented in multiple application focused products.

Product configurations supported by this functional safety manual include silicon revision B of the following products listed in Table 1-1. The device revision can be determined by the REVID field of the device identification registers outlined in the product data sheet.

This Functional Safety Manual provides information needed by system developers to assist in the creation of a safety critical system using a supported TMS320F28004x MCU. This document contains:

• An overview of the component architecture
• An overview of the development process used to decrease the probability of systematic failures
• An overview of the functional safety architecture for management of random failures
• The details of architecture partitions and implemented functional safety mechanisms

The following information is documented in the Detailed Functional Safety Analysis Report (SAR) for TMS320F28004x C2000™ MCUs, which is only available under Functional Safety NDA and is not repeated in this document:

• Failure rates (FIT) of the component
• Fault model used to estimate device failure rates to enable calculation of customized failure rates
• Functional safety metrics of the hardware component for targeted standards (viz. IEC 61508:2010 and ISO 26262:2018)
• Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics Analysis) with detail of the different parts of the component, allowing for customized application of functional safety mechanisms
• Assumptions used in the calculation of functional safety metrics

It is expected that the user of this document should have a general familiarity with the TMS320F28004x product families. More information can be found at www.ti.com/C2000.

This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other documentation for the products being supplied.

For information which is beyond the scope of the listed deliverables, please contact your TI sales representative or www.ti.com.

This section summarizes the TMS320F28004x product safety capability. Each TMS320F28004x product:

• Is offered as a Functional Safety Element Out Of Context (SEooC)
• Was assessed to have met the relevant systematic capability compliance requirements of IEC 61508:2010 and ISO 26262:2018 and
  • Achieves systematic integrity of SIL 3 and ASIL D
• In addition, the device can meet hardware architectural metrics up to ASIL B by implementing proper safety concept (for example, Reciprocal Comparison by Software).
• Contains multiple features to support Freedom From Interference (FFI) for mixed-criticality of safety requirements assigned to the different sub-elements
• The TMS320F28004x MCUs are Type B devices, as defined in IEC 61508-2:2010
• This device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as defined in IEC 61508:2010
• For safety components developed according to many safety standards, it is expected that the component functional safety manual will provide a list of product safety constraints. For a simple component or more complex components developed for a single application, this is a reasonable response. However, the TMS320F28004x MCU product family is both a complex design and is not developed targeting a single, specific application. Therefore, a single set of product safety constraints cannot govern all viable uses of the product

For functional safety development, it is necessary to manage both systematic and random faults. Texas Instruments follows a new-product development process for all of its components which helps to decrease the probability of systematic failures. This new-product development process is described in Section 3.1. Components being designed for functional safety applications will additionally follow the requirements of TI's functional safety development process, which is described in Section 3.2.

Texas Instruments has been developing components for automotive and industrial markets since 1996. Automotive markets have strong requirements regarding quality management and product reliability. The TI new-product development process features many elements necessary to manage systematic faults. Additionally, the documentation and reports for these components can be used to assist with compliance to a wide range of standards for customer’s end applications including automotive and industrial systems (e.g ISO 26262-4:2018, IEC 61508-2:2010).

This component was developed using TI’s new product development process which has been certified as compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).

The standard development process breaks development into phases:

• Assess
• Plan
• Create
• Validate

Figure 3-1 shows the standard process.

Figure 3-1 TI New-Product Development Process

The TI functional safety development flow derives from ISO 26262:2018 and IEC 61508:2010 a set of requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's standard new product development process to develop Functional Safety-Compliant components. The details of this functional safety development flow are described in the TI internal specification - Functional Safety Hardware.

Key elements of the TI functional safety-development flow are as follows:

• Assumptions on system level design, functional safety concept, and requirements based on TI's experience with components in functional safety applications
• Qualitative and quantitative functional safety analysis techniques including analyses of silicon failure modes and application of functional safety mechanisms
• Base FIT rate estimation based on multiple industry standards and TI manufacturing data
• Documentation of functional safety work products during the component development
• Integration of lessons learned through multiple functional safety component developments, functional safety standard working groups, and the expertise of TI customers

Table 3-1 lists these functional safety development activities that are overlaid atop the standard development flow in Figure 3-1.

For more information about which functional safety lifecycle activities TI performs, see Section B.

The customer facing work products derived from this Functional Safety-Compliant process are applicable to many other functional safety standards beyond ISO 26262:2018 and IEC 61508:2010.