SFFS141 December 2021 TCAN1167-Q1

 


Summary of Recommended Functional Safety Mechanism Usage

Table A-2 summarizes the functional safety mechanisms present in hardware or recommended for implementation in software or at the system level, as described in Section 4. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.

Table A-1 Legend of Functional Safety Mechanisms

Functional Safety Mechanism | Description
TI Safety Mechanism Unique Identifier | A unique identifier assigned to this safety mechanism for easier tracking.
Safety Mechanism Name | The full name of this safety mechanism.
Safety Mechanism Category |
    Safety Mechanism - This test provides coverage for faults on the primary function. It may also provide coverage on another safety mechanism.
    Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide coverage on the primary function.
    Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism.
Safety Mechanism Type | Can be either hardware, software, a combination of both hardware and software, or system. See Section 5.2 for more details.
Safety Mechanism Operation Interval | The timing behavior of the safety mechanism with respect to the test interval defined for a functional safety requirement / functional safety goal. Can be either continuous or on-demand.
    Continuous - the safety mechanism constantly monitors the hardware-under-test for a failure condition.
    Periodic or On-Demand - the safety mechanism is executed periodically or when demanded by the application. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours.
Test Execution Time | Time period required for the safety mechanism to complete, not including error reporting time.
    Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component-specific information is required, the component data sheet should be referenced.
    Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation-dependent.
Action on Detected Fault | The response that this safety mechanism takes when an error is detected.
    Note: For software-driven tests, the Action on Detected Fault may depend on software implementation.
Time to Report | Typical time required for the safety mechanism to indicate a detected fault to the system.
    Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-dependent.

Table A-2 Summary of Functional Safety Mechanisms

TI Safety Mechanism Unique Identifier | Safety Mechanism Name | Safety Mechanism Category | Safety Mechanism Type | Safety Mechanism Operation Interval | Test Execution Time | Action on Detected Fault | Time to Report
SM-1 | CAN bus fault | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - in normal mode | 150 ns | Interrupt bits 8'h50[7], 8'h50[3] and register 8'h54[6:0] indicate a CAN bus fault. | 50 ns
SM-2 | Thermal shutdown; TSD | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 4.4 μs | Turns off the CAN transceiver, sets the interrupt bits 8'h50[7], 8'h50[5] and 8'h52[1] indicating that the junction temperature was exceeded, and enters TSD protected mode. | 1.1 μs
SM-3 | CAN bus short circuit limiter; IOS | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | N/A | Limits the current through the CANH and CANL pins. | N/A
SM-4 | CAN TXD pin dominant state timeout; tTXD_DTO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - in normal mode | 3.5 ms | The device turns off the CAN transceiver and indicates the fault at 8'h50[7], 8'h50[6] and 8'h51[0]. | 1.1 μs
SM-5 | VCCOUT LDO short circuit current limit | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | N/A | Limits the current through the VCCOUT pin. | N/A
SM-6 | VSUP supply undervoltage; UVSUP | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 2.2 μs | Device enters the programmed mode (sleep or fail-safe mode), sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[4] and indicates the UVSUP condition. | 1.1 μs
SM-7 | VCCOUT undervoltage; UVCCOUT | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 330 ms | Device enters reset mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[2] and indicates the UVCCOUT condition. | 1.1 μs
SM-8 | VCCOUT overvoltage; OVCCOUT | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 2.2 μs | Device enters fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[5] and indicates the OVCCOUT condition. | 1.1 μs
SM-9 | Timeout, Window or Q&A watchdog error | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | Programmable | Increments the WD error counter; if the counter exceeds the programmed value, sets the WD interrupt, holds nRST low for tnRST(warm) and indicates the fault back to the MCU with the nINT pin. | 1.1 μs
SM-10 | SPI communication error; SPIERR | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | 50 ns after rising edge of nCS | The device shall monitor MCU SPI communication using a clock count check; if there are too many or not enough clock pulses, the MCU write to the device is blocked and the fault is indicated at 8'h50[7], 8'h50[4] and 8'h53[7]. | 1.1 μs
SM-11 | Scratchpad write/read | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous when MCU is initialized | SPI clock rate dependent; a write plus data followed by a read plus data is required | Using the scratchpad, 8'h0F[7:0], the processor can write data and read it back to determine that SPI communication is valid. | N/A
SM-12 | Sleep Wake Error Timer; tINACTIVE | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | 5 min | If tINACTIVE times out, the device enters sleep mode and indicates the fault at 8'h50[7], 8'h50[4] and 8'h53[5]. | 1.1 μs
SM-13 | Internal memory CRC; CRC_EEPROM | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Periodic - exiting fail-safe and sleep modes | 425 μs | The device attempts to load and CRC check the EEPROM up to eight times; if it still fails, it indicates the fault at 8'h50[7], 8'h50[4] and 8'h53[0]. | 1.1 μs
SM-14 | SCLK internal pull-down to GND | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | N/A | Avoids a floating pin. | N/A
SM-15 | nRST and SDI internal pull-up to VCCOUT | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | N/A | Avoids floating pins. | N/A
SM-16 | nCS internal pull-up to VCCOUT | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | N/A | Avoids a floating pin. | N/A
SM-17 | TXD internal pull-up to VCCOUT | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | N/A | Avoids a floating pin. | N/A
SM-18 | CAN protocol | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Periodic | N/A | The CAN protocol has several mechanisms, such as the CRC, that ensure the data provided is correct. If the data is incorrect, the processor disregards the CAN packets. | N/A
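The MCU-side handling that Table A-2 implies, as an added example in C that is not TI's code and not from this manual: it implements the SM-11 scratchpad write/read check at 8'h0F and a hierarchical decode of the interrupt registers that most rows share (global flag 8'h50[7], group flags 8'h50[6:3], detail bits in 8'h51 through 8'h54), then ties the two together in an nINT handler that re-proves the SPI link after an SM-10 SPIERR, since the device blocked the MCU's write in that case. The register bit positions are the ones the table lists; the in-memory register image, the stuck-bit mask, the `model_load()` test hook, the `spi_read_reg()`/`spi_write_reg()` helpers, the `F_SM*` flag names and the `on_nint()` policy are assumptions made for this example and say nothing about the device's real SPI frame format.

```c
/* Added example (not TI's code): an MCU-side consumer of two things in
 * Table A-2, the SM-11 scratchpad write/read at 8'h0F and the interrupt
 * register decode most rows share (global flag 8'h50[7], group flags
 * 8'h50[6:3], detail bits in 8'h51..8'h54). Bit positions are the ones the
 * table lists; the register image, the stuck-bit mask, model_load() and the
 * spi_read_reg()/spi_write_reg() helpers are constructed stand-ins and say
 * nothing about the device's real SPI frame format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_SCRATCHPAD 0x0F   /* 8'h0F: SM-11 scratchpad                  */
#define REG_INT_GLOBAL 0x50   /* 8'h50: global flag [7], group flags [6:3] */
#define REG_INT_TXD    0x51   /* 8'h51[0]: SM-4 TXD dominant timeout       */
#define REG_INT_SUPPLY 0x52   /* 8'h52: SM-2, SM-6, SM-7, SM-8             */
#define REG_INT_DEVICE 0x53   /* 8'h53: SM-10, SM-12, SM-13                */
#define REG_INT_CANBUS 0x54   /* 8'h54[6:0]: SM-1 CAN bus fault            */

/* Constructed device model: a flat register image plus a mask of scratchpad
 * bits that read back as 1 whatever was written (a stuck-at-1 fault). */
static uint8_t g_regs[256];
static uint8_t g_scratch_stuck_high;

static void spi_write_reg(uint8_t addr, uint8_t val) { g_regs[addr] = val; }
static uint8_t spi_read_reg(uint8_t addr) {
    uint8_t v = g_regs[addr];
    return addr == REG_SCRATCHPAD ? (uint8_t)(v | g_scratch_stuck_high) : v;
}

/* Load a scenario into the model (test hook, not device behaviour). */
int model_load(uint8_t r50, uint8_t r51, uint8_t r52, uint8_t r53, uint8_t r54,
               uint8_t stuck_high) {
    memset(g_regs, 0, sizeof g_regs);
    g_regs[REG_INT_GLOBAL] = r50;  g_regs[REG_INT_TXD]    = r51;
    g_regs[REG_INT_SUPPLY] = r52;  g_regs[REG_INT_DEVICE] = r53;
    g_regs[REG_INT_CANBUS] = r54;  g_scratch_stuck_high   = stuck_high;
    return 1;
}

/* Fault flags returned by decode_faults(), numbered as in Table A-2. */
enum {
    F_SM1_CAN_BUS = 1u << 0, F_SM2_TSD       = 1u << 1, F_SM4_TXD_DTO = 1u << 2,
    F_SM6_UVSUP   = 1u << 3, F_SM7_UVCCOUT   = 1u << 4, F_SM8_OVCCOUT = 1u << 5,
    F_SM10_SPIERR = 1u << 6, F_SM12_INACTIVE = 1u << 7, F_SM13_CRC    = 1u << 8
};

/* SM-11: write each pattern to the scratchpad and read it back. The four
 * patterns drive every bit both ways, so a stuck bit or a broken SPI line
 * shows up as a mismatch. Returns -1 when every pattern read back, else the
 * index of the first pattern that did not. */
int scratchpad_selftest(void) {
    static const uint8_t patterns[] = { 0x00, 0xFF, 0xAA, 0x55 };
    for (int i = 0; i < 4; i++) {
        spi_write_reg(REG_SCRATCHPAD, patterns[i]);
        if (spi_read_reg(REG_SCRATCHPAD) != patterns[i]) return i;
    }
    return -1;
}

/* Hierarchical decode: nothing is pending unless 8'h50[7] is set; each group
 * bit in 8'h50 selects a detail register, and each detail bit is one SM. */
unsigned decode_faults(void) {
    uint8_t g = spi_read_reg(REG_INT_GLOBAL);
    unsigned f = 0;
    if (!(g & 0x80)) return 0;
    if ((g & (1u << 3)) && (spi_read_reg(REG_INT_CANBUS) & 0x7F)) f |= F_SM1_CAN_BUS;
    if ((g & (1u << 6)) && (spi_read_reg(REG_INT_TXD) & 0x01))    f |= F_SM4_TXD_DTO;
    if (g & (1u << 5)) {                       /* 8'h52: supply and thermal */
        uint8_t r = spi_read_reg(REG_INT_SUPPLY);
        if (r & (1u << 1)) f |= F_SM2_TSD;
        if (r & (1u << 4)) f |= F_SM6_UVSUP;
        if (r & (1u << 2)) f |= F_SM7_UVCCOUT;
        if (r & (1u << 5)) f |= F_SM8_OVCCOUT;
    }
    if (g & (1u << 4)) {                       /* 8'h53: SPI, timer, EEPROM */
        uint8_t r = spi_read_reg(REG_INT_DEVICE);
        if (r & (1u << 7)) f |= F_SM10_SPIERR;
        if (r & (1u << 5)) f |= F_SM12_INACTIVE;
        if (r & (1u << 0)) f |= F_SM13_CRC;
    }
    return f;
}

/* nINT service path: decode the faults and, because SM-10 means the device
 * blocked the MCU's last write, re-prove the SPI link with SM-11 before any
 * later write is trusted. Returns true only when the link is known good. */
bool on_nint(unsigned *faults_out) {
    unsigned f = decode_faults();
    if (faults_out) *faults_out = f;
    return (f & F_SM10_SPIERR) ? scratchpad_selftest() < 0 : true;
}

int main(void) {
    /* Constructed scenario: TSD and UVSUP pending alongside an SPI clock-count
     * error with a healthy scratchpad, so the link re-validates and passes. */
    model_load(0xB0, 0x00, 0x12, 0x80, 0x00, 0x00);
    unsigned f = 0;
    printf("link ok: %d, faults: 0x%03x\n", on_nint(&f), f);
    return 0;
}
```

Two design points are worth noting. The decoder reads the detail registers only for the groups flagged in 8'h50, which keeps the nINT path to the minimum number of SPI transactions while still attributing each detail bit to one row of the table; and after SM-10 the handler does not trust any further write until SM-11 has read back all four patterns, because the table says the offending write was blocked, so the MCU's view of the device configuration may no longer match the device.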