SFFS700 May   2024 TMS320F28P650DH , TMS320F28P650DK , TMS320F28P650SH , TMS320F28P650SK , TMS320F28P659DH-Q1 , TMS320F28P659DK-Q1 , TMS320F28P659SH-Q1

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F28P65x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P65x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 TMS320F28P65x MCU Safety Implementation
        1. 4.2.5.1 Assumed Safety Requirements
        2. 4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU
          1. 4.2.5.2.1 Safety Concept Implementation: Option 1
          2. 4.2.5.2.2 Safety Concept Implementation: Option 2
          3. 4.2.5.2.3 Safety Concept Implementation: Option 3
          4. 4.2.5.2.4 Safety Concept Implementation: Option 4
          5. 4.2.5.2.5 Safety Concept Implementation: Option 5
          6. 4.2.5.2.6 Safety Concept Implementation: Option 6
      6. 4.2.6 TMS320F28P65x Diagnostic Libraries
        1. 4.2.6.1 Assumptions of Use: F28P65x Self-Test Libraries
        2. 4.2.6.2 Operational Details: F28P65x Self-Test Libraries
          1. 4.2.6.2.1 Operational Details: C28x Self-Test Library
          2. 4.2.6.2.2 Operational Details: CLA Self-Test Library
          3. 4.2.6.2.3 Operational Details - Software Diagnostic Libraries
        3. 4.2.6.3 C2000 Safety STL Software Development Flow
    3. 4.3 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator (CLA)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
      8. 5.4.8 Configurable Logic Block (CLB)
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1  Controller Area Network (DCAN)
      2. 5.7.2  Controller Area Network (MCAN, CAN FD)
      3. 5.7.3  Ethernet for Control Automation Technology (EtherCAT)
      4. 5.7.4  Serial Peripheral Interface (SPI)
      5. 5.7.5  Serial Communication Interface (SCI)
      6. 5.7.6  Universal Asynchronous Receiver/Transmitter (UART)
      7. 5.7.7  Local Interconnect Network (LIN)
      8. 5.7.8  Inter-Integrated Circuit (I2C)
      9. 5.7.9  Fast Serial Interface (FSI)
      10. 5.7.10 Power Management Bus Module (PMBus)
      11. 5.7.11 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW and MEALLOW Protection for Critical Registers
        5. 6.4.1.5  External Clock Monitoring via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Brownout Reset (BOR)
        10. 6.4.1.10 Glitch Filtering on Reset Pins
        11. 6.4.1.11 Hardware Disable of JTAG Port
        12. 6.4.1.12 Lockout of JTAG Access Using OTP
        13. 6.4.1.13 Internal Watchdog (WD)
        14. 6.4.1.14 Lock Mechanism for Control Registers
        15. 6.4.1.15 Missing Clock Detect (MCD)
        16. 6.4.1.16 NMIWD Reset Functionality
        17. 6.4.1.17 NMIWD Shadow Registers
        18. 6.4.1.18 Multibit Enable Keys for Control Registers
        19. 6.4.1.19 Online Monitoring of Temperature
        20. 6.4.1.20 Periodic Software Read Back of Static Configuration Registers
        21. 6.4.1.21 Peripheral Clock Gating (PCLKCR)
        22. 6.4.1.22 Peripheral Soft Reset (SOFTPRES)
        23. 6.4.1.23 Peripheral Access Protection – Type 1
        24. 6.4.1.24 Software Test of Reset – Type 1
        25. 6.4.1.25 PLL Lock Profiling Using On-Chip Timer
        26. 6.4.1.26 Reset Cause Information
        27. 6.4.1.27 Software Read Back of Written Configuration
        28. 6.4.1.28 Software Test of ERRORSTS Functionality
        29. 6.4.1.29 Software Test of Missing Clock Detect Functionality
        30. 6.4.1.30 Software Test of Watchdog (WD) Operation
        31. 6.4.1.31 Dual Clock Comparator (DCC) – Type 2
        32. 6.4.1.32 PLL Lock Indication
        33. 6.4.1.33 Software Test of DCC Functionality Including Error Tests
        34. 6.4.1.34 Software Test of PLL Functionality Including Error Tests
        35. 6.4.1.35 Interleaving of FSM States
        36. 6.4.1.36 Decryption of Encrypted Data Output Using Same KEY and IV
        37. 6.4.1.37 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Reciprocal Comparison by Software
        3. 6.4.2.3  Software Test of CPU
        4. 6.4.2.4  CPU Hardware Built-In Self-Test (HWBIST)
        5. 6.4.2.5  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
        6. 6.4.2.6  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
        7. 6.4.2.7  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
        8. 6.4.2.8  Software Test of CLA
        9. 6.4.2.9  CLA Handling of Illegal Operation and Illegal Results
        10. 6.4.2.10 CLA Liveness Check Using CPU
        11. 6.4.2.11 Disabling of Unused CLA Task Trigger Sources
        12. 6.4.2.12 Stack Overflow Detection
        13. 6.4.2.13 VCRC Check of Static Memory Contents
        14. 6.4.2.14 VCRC Auto Coverage
        15. 6.4.2.15 Hardware Redundancy Using Lockstep Compare Module (LCM)
        16. 6.4.2.16 Self-Test Logic for LCM
        17. 6.4.2.17 LCM Compare Error Forcing Mode
        18. 6.4.2.18 LCM MMR Parity
        19. 6.4.2.19 Test of LCM MMR Parity
        20. 6.4.2.20 Lockstep Self-test Mux Select Logic Fault Detection
        21. 6.4.2.21 Redundancy in LCM Comparator
        22. 6.4.2.22 Embedded Real Time Analysis and Diagnostic (ERAD)
        23. 6.4.2.23 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect and Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program and Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-Demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 Background CRC
        22. 6.4.3.22 Watchdog for Background CRC
        23. 6.4.3.23 ROM Parity
        24. 6.4.3.24 Redundant Parity Engine
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2  DMA Overflow Interrupt
        3. 6.4.4.3  Event Timestamping Using IPC Counter
        4. 6.4.4.4  Maintaining Interrupt Handler for Unused Interrupts
        5. 6.4.4.5  Majority Voting and Error Detection of Link Pointer
        6. 6.4.4.6  PIE Double SRAM Comparison Check
        7. 6.4.4.7  PIE Double SRAM Hardware Comparison
        8. 6.4.4.8  Power-Up Pre-Operational Security Checks
        9. 6.4.4.9  Software Check of X-BAR Flag
        10. 6.4.4.10 Software Test of ePIE Operation Including Error Tests
        11. 6.4.4.11 Disabling of Unused DMA Trigger Sources
        12. 6.4.4.12 Software Test of CLB Function Including Error Tests
        13. 6.4.4.13 Monitoring of CLB by eCAP or eQEP
        14. 6.4.4.14 Periodic Software Read Back of SPI Buffer
        15. 6.4.4.15 IPC 64-Bit Counter Value Plausibility Check
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  ECAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using XBAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  Online MINMAX Monitoring of TRIP Events
        6. 6.4.5.6  Fault Avoidance Using Minimum Dead Band
        7. 6.4.5.7  Fault Avoidance Using Illegal Combo Logic
        8. 6.4.5.8  Diode Emulation Mode Monitoring
        9. 6.4.5.9  eQEP Application Level Safety Mechanisms
        10. 6.4.5.10 eQEP Quadrature Watchdog
        11. 6.4.5.11 eQEP Software Test of Quadrature Watchdog Functionality
        12. 6.4.5.12 Hardware Redundancy
        13. 6.4.5.13 HRPWM Built-In Self-Check and Diagnostic Capabilities
        14. 6.4.5.14 Information Redundancy Techniques
        15. 6.4.5.15 Monitoring of ePWM by eCAP
        16. 6.4.5.16 Monitoring of ePWM by ADC
        17. 6.4.5.17 Online Monitoring of Interrupts and Events
        18. 6.4.5.18 SDFM Comparator Filter for Online Monitoring
        19. 6.4.5.19 SD Modulator Clock Fail Detection Mechanism
        20. 6.4.5.20 Software Test of Function Including Error Tests
        21. 6.4.5.21 Monitoring of HRPWM by HRCAP
        22. 6.4.5.22 HRCAP Calibration Logic Test Feature
        23. 6.4.5.23 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  ADC Information Redundancy Techniques
        2. 6.4.6.2  ADC Input Signal Integrity Check
        3. 6.4.6.3  ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4  Hardware Redundancy with ADC Safety Checker
        5. 6.4.6.5  Hardware Redundancy of ADC Safety Checker
        6. 6.4.6.6  Disabling Unused Sources of SOC Inputs to ADC
        7. 6.4.6.7  CMPSS Ramp Generator Functionality Check
        8. 6.4.6.8  DAC to ADC Loopback Check
        9. 6.4.6.9  DAC to Comparator Loopback Check
        10. 6.4.6.10 Opens/Shorts Detection Circuit for ADC
        11. 6.4.6.11 VDAC Conversion by ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Bit Error Detection
        2. 6.4.7.2  CRC in Message
        3. 6.4.7.3  DCAN Acknowledge Error Detection
        4. 6.4.7.4  DCAN Form Error Detection
        5. 6.4.7.5  DCAN Stuff Error Detection
        6. 6.4.7.6  PWM Trip by MCAN
        7. 6.4.7.7  MCAN Stuff Error Detection
        8. 6.4.7.8  MCAN Form Error Detection
        9. 6.4.7.9  MCAN Acknowledge Error Detection
        10. 6.4.7.10 Timeout on FIFO Activity
        11. 6.4.7.11 Timestamp Consistency Checks
        12. 6.4.7.12 Tx-Event Checks
        13. 6.4.7.13 Interrupt on Message RAM Access Failure
        14. 6.4.7.14 Software Test of Function Including Error Tests Using EPG
        15. 6.4.7.15 EMIF Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 EMIF Access Protection Mechanism
        17. 6.4.7.17 EMIF Asynchronous Memory Timeout Protection Mechanism
        18. 6.4.7.18 I2C Access Latency Profiling Using On-Chip Timer
        19. 6.4.7.19 Information Redundancy Techniques Including End-to-End Safing
        20. 6.4.7.20 I2C Data Acknowledge Check
        21. 6.4.7.21 Parity in Message
        22. 6.4.7.22 Break Error Detection
        23. 6.4.7.23 Frame Error Detection
        24. 6.4.7.24 Overrun Error Detection
        25. 6.4.7.25 Software Test of Function Using I/O Loopback
        26. 6.4.7.26 SPI Data Overrun Detection
        27. 6.4.7.27 Transmission Redundancy
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN Physical Bus Error Detection
        30. 6.4.7.30 LIN No-Response Error Detection
        31. 6.4.7.31 LIN Checksum Error Detection
        32. 6.4.7.32 LIN ID Parity Error Detection
        33. 6.4.7.33 Communication Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 FSI Data Overrun and Underrun Detection
        35. 6.4.7.35 FSI Frame Overrun Detection
        36. 6.4.7.36 FSI CRC Framing Checks
        37. 6.4.7.37 FSI ECC Framing Checks
        38. 6.4.7.38 FSI Frame Watchdog
        39. 6.4.7.39 FSI RX Ping Watchdog
        40. 6.4.7.40 FSI Tag Monitor
        41. 6.4.7.41 FSI Frame Type Error Detection
        42. 6.4.7.42 FSI End of Frame Error Detection
        43. 6.4.7.43 FSI Register Protection Mechanisms
        44. 6.4.7.44 PMBus Protocol CRC in Message
        45. 6.4.7.45 PMBus Clock Timeout
        46. 6.4.7.46 EtherCAT MDIO Command Error Indication
        47. 6.4.7.47 EtherCAT Sync-Manager
        48. 6.4.7.48 EtherCAT Working Counter Error Indication
        49. 6.4.7.49 EtherCAT Frame Error Indication
        50. 6.4.7.50 EtherCAT Physical Layer Error Indication
        51. 6.4.7.51 PDI Timeout Error Indication
        52. 6.4.7.52 EtherCAT EEPROM CRC Error Indication
        53. 6.4.7.53 EtherCAT EEPROM Not Done Error Indication
        54. 6.4.7.54 EtherCAT Data Link Error Indication
        55. 6.4.7.55 EtherCAT Phy Link Error Indication
        56. 6.4.7.56 Sync, GPO Monitoring Using External Monitor
        57. 6.4.7.57 EtherCAT Enhanced Link Detection With LED
        58. 6.4.7.58 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

4.2.2 Fault Tolerant Time Interval (FTTI)

Various safety mechanisms in the devices are either always-on (see SRAM ECC, CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping, and so forth) or executed periodically (see CPU Hardware Built-In Self-Test (HWBIST), VCRC Check of Static Memory Contents, and so forth) by the application software. The time between the executions of online diagnostic tests by a safety mechanism is termed as Diagnostic Test Interval (DTI). Once the fault is detected, depending on the fault reaction of the associated fault (for example, external system reaction to ERRORSTS pin assertion), the system will enter into the safe-state. The time-span in which a fault or faults can be present in a system before a hazardous event occurs is called Fault Tolerant Time Interval (FTTI) as defined in ISO26262. This is similar to Process Safety Time (PST) defined in IEC61508. Figure 4-6 illustrates the relationship between DTI, Fault Reaction Time and FTTI.

TMS320F28P650DH TMS320F28P650DK TMS320F28P650SH TMS320F28P650SK TMS320F28P658DG TMS320F28P658DJ TMS320F28P658SJ Relationship Between DTI, Fault Reaction Time and FTTI Figure 4-6 Relationship Between DTI, Fault Reaction Time and FTTI
TMS320F28P650DH TMS320F28P650DK TMS320F28P650SH TMS320F28P650SK TMS320F28P658DG TMS320F28P658DJ TMS320F28P658SJ Illustration of FTTIFigure 4-7 Illustration of FTTI

The frequency and extent of each of the Level 2 and Level 3 checks should be consistent with the Fault Tolerant Time Interval (FTTI). Figure 4-7 illustrates the frequency of the required checks. The checks should be such that single point faults of the microcontroller should be detected and responded to, such that the TMS320F28P65xD/S MCU enters a safe state within the FTTI budget. The microcontroller on detection of a fault enters into one of the safe states as illustrated in Figure 4-8. An example of a diagnostic for single point faults is ECC/Parity for memories.

The proposed functional safety concept, subsequent functional safety features and configurations explained in this document are for reference purpose only. The system and equipment designer or manufacturer is responsible to ensure that the end systems (and any Texas Instruments hardware or software components incorporated in the systems) meet all applicable safety, regulatory and system-level performance requirements.