SFFS138 December 2021 TCAN1164-Q1
Table A-2 summarizes the functional safety mechanisms present in hardware or recommend for implementation in software or at the system level as described in Section 4. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.
Functional Safety Mechanism | Description |
---|---|
TI Safety Mechanism Unique Identifier | A unique identifier assigned to this safety mechanism for easier tracking. |
Safety Mechanism Name | The full name of this safety mechanism. |
Safety Mechanism Category | Safety Mechanism - This test provides coverage for faults on the
primary function. It may also provide coverage on another safety
mechanism. Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide coverage on the primary function. Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism. |
Safety Mechanism Type | Can be either hardware, software, a combination of both hardware and software, or system. See Section 5.2 for more details. |
Safety Mechanism Operation Interval | The timing behavior of the safety mechanism with respect to the test interval defined for a
functional safety requirement / functional safety goal. Can be
either continuous, or on-demand. Continuous - the safety mechanism constantly monitors the hardware-under-test for a failure condition. Periodic or On-Demand - the safety mechanism is executed periodically, when demanded by the application. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours. |
Test Execution Time | Time period required for the safety mechanism to complete, not including error reporting
time. Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component specific information is required, the component data sheet should be referenced. Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation-dependent. |
Action on Detected Fault | The response that this safety mechanism takes when an error is detected. Note: For software-driven tests, the Action on Detected Fault may depend on software implementation. |
Time to Report | Typical time required for safety mechanism to indicate a detected fault to the
system. Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-dependent. |
TI Safety Mechanism Unique Identifier | Safety Mechanism Name | Safety Mechanism Category | Safety Mechanism Type | Safety Mechanism Operation Interval | Test Execution Time | Action on Detected Fault | Time to Report |
---|---|---|---|---|---|---|---|
SM-1 | CAN bus fault | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous - In normal mode | 150 ns | Interrupt bits in 8'h50[7], 8'h50[3], and register 8'h54[6:0] indicates a CAN bus fault. | 50 ns |
SM-2 | Thermal shutdown; TSD | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 4.4 μs | Turn off the CAN transceiver and set the interrupt bit registers 8'h50[7], 8'50[5], and 8'h52[1] indicating junction temperature exceeded and enters TSD protected mode. | 1.1 μs |
SM-3 | CAN bus short circuit limiter, IOS | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Limits the current through the CANH and CANL pins. | N/A |
SM-4 | CAN TXD pin dominant state timeout; tTXD_DTO | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous - in normal mode | 3.5 ms | The device will turn off the CAN transceiver and indicate the fault at 8'50[7], 8'h50[6], 8'h51[0]. | 1.1 μs |
SM-5 | VCCOUT LDO short circuit current limit | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Limits the current through the VCCOUT pin. | N/A |
SM-6 | VSUP supply undervoltage; UVSUP | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 2.2 μs | Device enters programmed mode, or fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[4] and indicates UVSUP condition. | 1.1 μs |
SM-7 | VCCOUT undervoltage; UVCCOUT | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 330 ms | Device enters reset mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[2] and indicates UVCCOUT condition. | 1.1 μs |
SM-8 | VCCOUT overvoltage; OVCCOUT | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 2.2 μs | Device enters fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[5] and indicates OVCCOUT condition. | 1.1 μs |
SM-9 | Timeout, Window or Q&A watchdog error | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | Programmable | Increments WD error counter and if exceeded programmed value will set WD interrupt, and hold nRST low for tnRST(warm) and indicate back to MCU with nINT pin. | 1.1 μs |
SM-10 | SPI communication error; SPIERR | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 50 ns after rising edge of nCS | The device shall monitor MCU SPI communication utilizing clock count check and if there are too many or not enough clock signals the MCU write to the device will be blocked and 8'h50[7], 8'h50[4] and 8'h53[7]. | 1.1 μs |
SM-11 | Scratchpad write/read | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous when MCU is initialized | SPI clock rate dependent as a write plus data followed by a read and data required | Using the scratchpad, 8'h0F[7:0], by the processor makes it possible to write and read back data to determine SPI communication is valid. | N/A |
SM-12 | Sleep Wake Error Timer; tINACTIVE | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | 5 min | If tINACTIVE times out, device will indicate the fault at 8'h50[7], 8'h50[4] and 8'h53[5]. | 1.1 μs |
SM-13 | Internal memory CRC; CRC_EEPROM | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Periodic - Exiting fail-safe | 425 μs | The device will attempt to load and CRC check the EEPROM up to eight times and if fail it will indicate the the fault at 8'h50[7], 8'h50[4] and 8'h53[0]. | 1.1 μs |
SM-14 | SCLK internal pull-down to GND | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Avoids floating pin | N/A |
SM-15 | nRST and SDI internal pull-up to VCCOUT | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Avoids floating pin | N/A |
SM-16 | nCS internal pull-up to VCCOUT | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Avoids floating pin | N/A |
SM-17 | TXD internal pull-up to VCCOUT | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Continuous | N/A | Avoids floating pin | N/A |
SM-18 | CAN protocol | Safety Mechanism | Component Hardare Functional Safety Mechanisms | Periodic | N/A | CAN protocol has several mechanism that will make sure the data provided is correct, like CRC. If incorrect the processor will disregard the CAN packets | N/A |