SFFS277 November 2023
TMS320F280033, TMS320F280034, TMS320F280034-Q1, TMS320F280036-Q1, TMS320F280036C-Q1, TMS320F280037, TMS320F280037-Q1, TMS320F280037C, TMS320F280037C-Q1, TMS320F280038-Q1, TMS320F280038C-Q1, TMS320F280039, TMS320F280039-Q1, TMS320F280039C, TMS320F280039C-Q1

3.2 TI Functional Safety Development Process

The TI functional safety development flow derives a set of requirements and methodologies from ISO 26262:2018 and IEC 61508:2010 to be applied to semiconductor development. This flow is combined with TI's standard new-product development process to develop Functional Safety-Compliant components. The details of this functional safety development flow are described in the TI internal specification, Functional Safety Hardware.

Key elements of the TI functional safety development flow are as follows:

  • Assumptions on system level design, functional safety concept, and requirements based on TI's experience with components in functional safety applications
  • Qualitative and quantitative functional safety analysis techniques including analysis of silicon failure modes and application of functional safety mechanisms
  • Base FIT rate estimation based on multiple industry standards and TI manufacturing data
  • Documentation of functional safety work products during the component development
  • Integration of lessons learned through multiple functional safety component developments, functional safety standard working groups, and the expertise of TI customers

Table 3-1 lists the functional safety development activities that are overlaid on the standard development flow shown in Figure 3-1.

For more information about which functional safety life-cycle activities TI performs, see Appendix B.

The customer-facing work products derived from this Functional Safety-Compliant process are applicable to many other functional safety standards beyond ISO 26262:2018 and IEC 61508:2010.

Table 3-1 Functional Safety Activities Overlaid on Top of TI's Standard Development Process

Assess
  • Determine if functional safety process execution is required
  • Nominate a functional safety manager
  • End of Phase Audit

Plan
  • Define component target SIL/ASIL capability
  • Generate functional safety plan
  • Verify the functional safety plan
  • Initiate functional safety case
  • Analyze target applications to generate system level functional safety assumptions
  • End of Phase Audit

Create
  • Develop component level functional safety requirements
  • Include functional safety requirements in design specification
  • Verify the design specification
  • Start functional safety design
  • Perform qualitative analysis of design (that is, failure mode analysis)
  • Verify the qualitative analysis
  • Verify the functional safety design
  • Perform quantitative analysis of design (that is, FMEDA)
  • Verify the quantitative analysis
  • Iterate functional safety design as necessary
  • End of Phase Audit

Validate
  • Validate functional safety design in silicon
  • Characterize the functional safety design
  • Qualify the functional safety design (per AEC-Q100)
  • Finalize functional safety case
  • Perform assessment of project
  • Release functional safety manual
  • Release functional safety analysis report
  • Release functional safety report
  • End of Phase Audit

Sustain and End-of-Life
  • Document any reported issues (as needed)
  • Perform incident reporting of sustaining operations (as needed)
  • Update work products (as needed)