SFFS624A March 2024 – December 2024 MSPM0G3105, MSPM0G3105-Q1, MSPM0G3106, MSPM0G3106-Q1, MSPM0G3107, MSPM0G3107-Q1, MSPM0G3505, MSPM0G3505-Q1, MSPM0G3506, MSPM0G3506-Q1, MSPM0G3507, MSPM0G3507-Q1


  2. 1 Introduction
    1. Trademarks
  3. 2 MSPM0G Hardware Component Functional Safety Capability
  4. 3 Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
  5. 4 MSPM0G Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
    3. 4.3 Functional Safety Constraints and Assumptions
  6. 5 Description of Hardware Component Parts
    1. 5.1  ADC
    2. 5.2  Comparator
    3. 5.3  DAC
    4. 5.4  OPA
    5. 5.5  CPU
    6. 5.6  RAM
    7. 5.7  FLASH
    8. 5.8  GPIO
    9. 5.9  DMA
    10. 5.10 SPI
    11. 5.11 I2C
    12. 5.12 UART
    13. 5.13 Timers (TIMx)
    14. 5.14 Power Management Unit (PMU)
    15. 5.15 Clock Module (CKM)
    16. 5.16 CAN-FD
    17. 5.17 Events
    18. 5.18 IOMUX
    19. 5.19 VREF
    20. 5.20 WWDT
    21. 5.21 CRC
  7. 6 MSPM0G Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Functional Safety Mechanism Categories
    3. 6.3 Description of Functional Safety Mechanisms
      1. 6.3.1  ADC1, COMP1, DAC1, DMA1, GPIO2, TIM2, I2C2, IOMUX1, OA1, SPI2, UART2, SYSCTL5, MCAN3, CPU4, CRC1, EVENT1, REF1, WDT1: Periodic Read of Static Configuration Registers
      2. 6.3.2  ADC2: Software Test of Functionality
      3. 6.3.3  ADC3: ADC Trigger Overflow Check
      4. 6.3.4  ADC4: Window Comparator
      5. 6.3.5  ADC5: Test of Window Comparator
      6. 6.3.6  ADC6: ADC Plausibility Checks
      7. 6.3.7  OA2: Test of OA Using Internal DAC as a Driver
      8. 6.3.8  OA3: ADC Monitoring of OA Output
      9. 6.3.9  COMP2: Software Test of Comparator Using Internal DAC
      10. 6.3.10 COMP3: External Pin Input to COMP
      11. 6.3.11 COMP4: Comparator Hysteresis
      12. 6.3.12 COMP5: Redundant Comparator
      13. 6.3.13 WDT: Windowed Watchdog Timer
      14. 6.3.14 WDT2: WWDT Counter Check
      15. 6.3.15 WDT3: WWDT Software Test
      16. 6.3.16 REF2: VREF to ADC Reference Input
      17. 6.3.17 CPU1: CPU Test Using Software Test Library
      18. 6.3.18 CPU2: Software Test of CPU Data Buses
      19. 6.3.19 CPU3: Software Redundancy
      20. 6.3.20 SYSMEM1: Software Read of Memory, DMA Write
      21. 6.3.21 SYSMEM2: DMA Read from SRAM, CPU Write
      22. 6.3.22 SYSMEM3: Parity Logic Test
      23. 6.3.23 SYSMEM4: Parity Protection on SRAM
      24. 6.3.24 FLASH1: FLASH Single Error Correction, Double Error Detection Mechanism
      25. 6.3.25 FXBAR2: Periodic Software Readback of FLASH data
      26. 6.3.26 FXBAR3: Software Test of ECC Checker Logic
      27. 6.3.27 FXBAR4: Write Protection of FLASH
      28. 6.3.28 DAC2: DAC Test Using Internal ADC as DAC Output Checker
      29. 6.3.29 DAC3: DAC FIFO Underrun Interrupt
      30. 6.3.30 DMA2: Software Test of DMA Function
      31. 6.3.31 DMA3: Software DMA Channel Test
      32. 6.3.32 DMA4: CRC Check of the Transferred Data
      33. 6.3.33 GPIO1: GPIO Test Using Pin I/O Loopback
      34. 6.3.34 GPIO3: GPIO Multiple (Redundant) Outputs
      35. 6.3.35 TIM1: Test for PWM Generation
      36. 6.3.36 TIM3: Test for Fault Generation
      37. 6.3.37 TIM4: Fault Detection to Take the PWMs to Safe State
      38. 6.3.38 TIM5: Input Capture on Two or More Timer Instances
      39. 6.3.39 TIM6: Timer Period Monitoring
      40. 6.3.40 I2C1: Software Test of I2C Function Using Internal Loopback Mechanism
      41. 6.3.41 I2C3, SPI4, UART3, MCAN2: Information Redundancy Techniques Including End-to-End Safing
      42. 6.3.42 I2C4, SPI5, UART4: Transmission Redundancy
      43. 6.3.43 I2C5, UART5: Timeout Monitoring
      44. 6.3.44 I2C6: Test of CRC function
      45. 6.3.45 I2C7: Packet Error check in SMBUS Mode
      46. 6.3.46 IOMUX2: IOMUX Coverage as Part of Other IP Safety Mechanisms
      47. 6.3.47 SPI1: Software Test of SPI Function
      48. 6.3.48 SPI3: SPI Periodic Safety Message Exchange
      49. 6.3.49 UART1: Software Test of UART Function
      50. 6.3.50 UART6: UART Error Flags
      51. 6.3.51 SYSCTL1: MCLK Monitor
      52. 6.3.52 SYSCTL2: HFCLK Start-Up Monitor
      53. 6.3.53 SYSCTL3: LFCLK Monitor
      54. 6.3.54 SYSCTL6: SYSPLL Start-Up Monitor
      55. 6.3.55 SYSCTL8: Brownout Reset (BOR) Supervisor
      56. 6.3.56 SYSCTL9: FCC Counter Logic to Calculate Clock Frequencies
      57. 6.3.57 SYSCTL10: External Voltage Monitor
      58. 6.3.58 SYSCTL11: Boot Process Monitor
      59. 6.3.59 SYSCTL14: Brownout Voltage Monitor
      60. 6.3.60 SYSCTL15: External Voltage Monitor
      61. 6.3.61 SYSCTL16: External Watchdog Timer
      62. 6.3.62 MCAN1: Software test of function using I/O Loopback
      63. 6.3.63 MCAN4: SRAM ECC
      64. 6.3.64 MCAN5: Software Test of ECC Check Logic
      65. 6.3.65 MCAN6: MCAN Timeout Function
      66. 6.3.66 MCAN7: MCAN Timestamp Function
      67. 6.3.67 CRC: CRC Checker
      68. 6.3.68 EVENT2: Interrupt Connectivity Check
  8. 7 An In-Context Look at This Safety Element out of Context
    1. 7.1 System Functional Safety Concept Examples
  9. A Summary of Recommended Functional Safety Mechanism Usage
  10. B Revision History

Functional Safety Constraints and Assumptions

In creating a functional Safety Element out of Context (SEooC) concept and doing the functional safety analysis, TI generates a series of assumptions on the system-level design, the functional safety concept, and the requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of the safety mechanisms are located separately in Section 6.3.

The MSPM0G Functional Safety Analysis was done under the following system assumptions:

  • [SA_1] The MSPM0G MCU has interfaces to external sensors.
  • [SA_2] The MSPM0G MCU has interfaces to external actuators.
  • [SA_3] The MSPM0G MCU has interfaces to communicate with an external host controller.
  • [SA_4] The MSPM0G MCU has a programmable CPU that executes a controller function, taking sensor inputs and controlling actuators.
  • [SA_5] The system integrator reviews the recommended diagnostics in the safety analysis report (FMEDA) and safety manual and determines the appropriate diagnostics to include in the system. These diagnostics are implemented according to the device safety manual and data sheet.
  • [SA_6] The external power supply provides the appropriate power on each of the power inputs. These rails are monitored for deviations outside the device specifications and a reset is asserted if the voltage is outside the range.
  • [SA_7] The MSPM0G MCU monitors failures on external clock (if present).
  • [SA_8] The MSPM0G MCU monitors failures on external sensors.
  • [SA_9] The MSPM0G MCU monitors failures on external actuators.
  • [SA_10] In case of internal errors in the MSPM0G MCU or the interfacing sensors and actuators, the MSPM0G MCU is reset. The host controller monitors communication loss and determines that the MSPM0G MCU is in a faulted state.
  • [SA_11] The system integrator provisions an actuator disable mechanism controlled by the host controller.
  • [SA_14] The system is assumed to have an FTTI > 10 ms.

Listed below are the additional recommendations:

  • [COEX0] The following components are assumed to be not safety-related (NSR components):
    • MATHACL
    • RTC
    • TRNG
    • AES
  • [COEX1] TI recommends that components that are not in use are disabled in the application software.
  • [COEX2] TI recommends that the interrupt sources of components that are not in use are disabled.
  • [COEX3] TI recommends that DMA triggers of components that are not in use are disabled.
  • [COEX4] TI recommends that unused fault inputs in timers are disabled.
  • [COEX5] If external safety mechanisms are used, the system integrator is responsible for doing a dependent failure analysis at the system level.
  • [COEX6] TI assumes that NSR components are not used in the safety context.
  • [COEX7] TI recommends that debug is disabled in safety-critical applications.
  • [COEX8] TI recommends that a default interrupt service routine is coded, even for unused interrupts.
  • [COEX9] TI recommends that the application does not use IPs that are NSR as the trigger source of other IPs.
  • [COEX10] TI recommends that the application does not program Flash during safety-critical tasks.
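The following is an added example, not TI code and not taken from this safety manual, of how an application can implement COEX8 (a default service routine for every unused interrupt) together with the reset reaction assumed in SA_10: the catch-all handler records which exception fired and then requests a device reset, and a start-up routine points every vector the application does not explicitly own at that handler. An unexpected entry into the default handler is also a useful indication that an interrupt source of an unused component was left enabled (COEX2). The example assumes a Cortex-M0+ style vector table (16 system exceptions plus 32 external interrupts), a host-side stand-in for IPSR so the logic can be exercised off target, and constructed application handler names; the diagnostic record layout is hypothetical.

```c
/* Added example (not TI's code): catch-all interrupt handler plus vector-table
 * defaulting, written so it builds both for a Cortex-M target and on a host. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define NUM_SYSTEM_EXCEPTIONS 16u          /* Cortex-M fixed system exception slots */
#define NUM_EXTERNAL_IRQS     32u          /* Cortex-M0+ NVIC maximum (assumption) */
#define VECTOR_TABLE_ENTRIES  (NUM_SYSTEM_EXCEPTIONS + NUM_EXTERNAL_IRQS)

typedef void (*isr_t)(void);

/* Diagnostic record read back by boot code after the reset (hypothetical layout);
 * on a target it would be placed in a RAM section that is not zeroed at start-up. */
typedef struct {
    uint32_t magic;             /* marks the record as valid */
    uint32_t exception_number;  /* ISR_NUMBER field of IPSR seen in the handler */
    uint32_t hit_count;
} unexpected_irq_record_t;

#define UNEXPECTED_IRQ_MAGIC 0x55AA1234u

static unexpected_irq_record_t g_unexpected_irq;
static bool g_reset_requested;

/* Current exception number: from IPSR on the target, from a test hook on a host. */
#if defined(__ARM_ARCH)
static inline uint32_t current_exception_number(void) {
    uint32_t ipsr;
    __asm volatile ("mrs %0, ipsr" : "=r"(ipsr));
    return ipsr & 0x1FFu;       /* ISR_NUMBER field */
}
#else
static uint32_t g_host_ipsr;    /* simulated IPSR for host-side runs */
static inline uint32_t current_exception_number(void) { return g_host_ipsr & 0x1FFu; }
#endif

/* SA_10: an internal error ends in a device reset. */
static void request_system_reset(void) {
    g_reset_requested = true;
#if defined(__ARM_ARCH)
    /* Cortex-M SCB->AIRCR: VECTKEY 0x05FA in bits 31:16, SYSRESETREQ in bit 2 */
    *(volatile uint32_t *)0xE000ED0Cu = (0x05FAu << 16) | (1u << 2);
    for (;;) { }
#endif
}

/* Catch-all handler installed in every vector the application does not own (COEX8). */
void Default_Handler(void) {
    g_unexpected_irq.magic = UNEXPECTED_IRQ_MAGIC;
    g_unexpected_irq.exception_number = current_exception_number();
    g_unexpected_irq.hit_count++;
    request_system_reset();
}

/* Constructed application handlers standing in for the vectors the application uses. */
static volatile uint32_t g_ticks, g_comm_events;
static void app_tick_handler(void) { g_ticks++; }
static void app_comm_handler(void) { g_comm_events++; }

typedef struct { uint32_t index; isr_t handler; } vector_assignment_t;

/* Point every slot from 1 upward at Default_Handler, then install the application's
 * own handlers; out-of-range or NULL assignments are ignored. Slot 0 holds the initial
 * stack pointer and is left untouched. Returns how many slots ended up defaulted. */
size_t vector_table_populate(isr_t table[VECTOR_TABLE_ENTRIES],
                             const vector_assignment_t *used, size_t n_used) {
    size_t defaulted = 0;
    for (size_t i = 1; i < VECTOR_TABLE_ENTRIES; i++) table[i] = Default_Handler;
    for (size_t k = 0; k < n_used; k++) {
        if (used[k].index >= 1u && used[k].index < VECTOR_TABLE_ENTRIES && used[k].handler != NULL)
            table[used[k].index] = used[k].handler;
    }
    for (size_t i = 1; i < VECTOR_TABLE_ENTRIES; i++) {
        if (table[i] == Default_Handler) defaulted++;
    }
    return defaulted;
}

/* Boot-time check: did the previous run end in the catch-all handler? */
bool unexpected_irq_recorded(const unexpected_irq_record_t *rec, uint32_t *exception_number) {
    if (rec->magic != UNEXPECTED_IRQ_MAGIC) return false;
    *exception_number = rec->exception_number;
    return true;
}
```

On a target the populated table would be placed at the address VTOR points to (or be the linker-provided table itself), and the boot code would read the record before clearing it so the cause of the reset reaches the fault-reporting path.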

During integration activities, the assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some of the resulting gaps may be unresolvable at the system level.