SFFS700 May 2024 TMS320F28P650DH, TMS320F28P650DK, TMS320F28P650SH, TMS320F28P650SK, TMS320F28P659DH-Q1, TMS320F28P659DK-Q1, TMS320F28P659SH-Q1

 

1 Introduction
  Trademarks
2 Hardware Component Functional Safety Capability
3 TI Development Process for Management of Systematic Faults
  3.1 TI New-Product Development Process
  3.2 TI Functional Safety Development Process
4 TMS320F28P65x Component Overview
  4.1 Targeted Applications
  4.2 Hardware Component Functional Safety Concept
    4.2.1 VDA E-GAS Monitoring Concept
    4.2.2 Fault Tolerant Time Interval (FTTI)
    4.2.3 TMS320F28P65x MCU Safe State
    4.2.4 Operating States
    4.2.5 TMS320F28P65x MCU Safety Implementation
      4.2.5.1 Assumed Safety Requirements
      4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU
        4.2.5.2.1 Safety Concept Implementation: Option 1
        4.2.5.2.2 Safety Concept Implementation: Option 2
        4.2.5.2.3 Safety Concept Implementation: Option 3
        4.2.5.2.4 Safety Concept Implementation: Option 4
        4.2.5.2.5 Safety Concept Implementation: Option 5
        4.2.5.2.6 Safety Concept Implementation: Option 6
    4.2.6 TMS320F28P65x Diagnostic Libraries
      4.2.6.1 Assumptions of Use: F28P65x Self-Test Libraries
      4.2.6.2 Operational Details: F28P65x Self-Test Libraries
        4.2.6.2.1 Operational Details: C28x Self-Test Library
        4.2.6.2.2 Operational Details: CLA Self-Test Library
        4.2.6.2.3 Operational Details - Software Diagnostic Libraries
      4.2.6.3 C2000 Safety STL Software Development Flow
  4.3 Functional Safety Constraints and Assumptions
5 Description of Safety Elements
  5.1 C2000 MCU Infrastructure Components
    5.1.1 Power Supply
    5.1.2 Clock
    5.1.3 APLL
    5.1.4 Reset
    5.1.5 System Control Module and Configuration Registers
    5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    5.1.7 Advanced Encryption Standard (AES) Accelerator
  5.2 Processing Elements
    5.2.1 C28x Central Processing Unit (CPU)
    5.2.2 Control Law Accelerator (CLA)
  5.3 Memory (Flash, SRAM and ROM)
    5.3.1 Embedded Flash Memory
    5.3.2 Embedded SRAM
    5.3.3 Embedded ROM
  5.4 On-Chip Communication Including Bus-Arbitration
    5.4.1 Device Interconnect
    5.4.2 Direct Memory Access (DMA)
    5.4.3 Inter Processor Communication (IPC)
    5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
    5.4.5 Dual Zone Code Security Module (DCSM)
    5.4.6 CrossBar (X-BAR)
    5.4.7 Timer
    5.4.8 Configurable Logic Block (CLB)
  5.5 Digital I/O
    5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
    5.5.2 Enhanced Pulse Width Modulators (ePWM)
    5.5.3 High Resolution PWM (HRPWM)
    5.5.4 Enhanced Capture (eCAP)
    5.5.5 High Resolution Capture (HRCAP)
    5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
    5.5.7 Sigma Delta Filter Module (SDFM)
    5.5.8 External Interrupt (XINT)
  5.6 Analog I/O
    5.6.1 Analog-to-Digital Converter (ADC)
    5.6.2 Buffered Digital-to-Analog Converter (DAC)
    5.6.3 Comparator Subsystem (CMPSS)
  5.7 Data Transmission
    5.7.1 Controller Area Network (DCAN)
    5.7.2 Controller Area Network (MCAN, CAN FD)
    5.7.3 Ethernet for Control Automation Technology (EtherCAT)
    5.7.4 Serial Peripheral Interface (SPI)
    5.7.5 Serial Communication Interface (SCI)
    5.7.6 Universal Asynchronous Receiver/Transmitter (UART)
    5.7.7 Local Interconnect Network (LIN)
    5.7.8 Inter-Integrated Circuit (I2C)
    5.7.9 Fast Serial Interface (FSI)
    5.7.10 Power Management Bus Module (PMBus)
    5.7.11 External Memory Interface (EMIF)
  5.8 Not Safety Related Elements
6 Management of Random Faults
  6.1 Fault Reporting
  6.2 Suggestions for Improving Freedom From Interference
  6.3 Suggestions for Addressing Common Cause Failures
  6.4 Descriptions of Functional Safety Mechanisms
    6.4.1 C2000 MCU Infrastructure Components
      6.4.1.1 Clock Integrity Check Using DCC
      6.4.1.2 Clock Integrity Check Using CPU Timer
      6.4.1.3 Clock Integrity Check Using HRPWM
      6.4.1.4 EALLOW and MEALLOW Protection for Critical Registers
      6.4.1.5 External Clock Monitoring via XCLKOUT
      6.4.1.6 External Monitoring of Warm Reset (XRSn)
      6.4.1.7 External Voltage Supervisor
      6.4.1.8 External Watchdog
      6.4.1.9 Brownout Reset (BOR)
      6.4.1.10 Glitch Filtering on Reset Pins
      6.4.1.11 Hardware Disable of JTAG Port
      6.4.1.12 Lockout of JTAG Access Using OTP
      6.4.1.13 Internal Watchdog (WD)
      6.4.1.14 Lock Mechanism for Control Registers
      6.4.1.15 Missing Clock Detect (MCD)
      6.4.1.16 NMIWD Reset Functionality
      6.4.1.17 NMIWD Shadow Registers
      6.4.1.18 Multibit Enable Keys for Control Registers
      6.4.1.19 Online Monitoring of Temperature
      6.4.1.20 Periodic Software Read Back of Static Configuration Registers
      6.4.1.21 Peripheral Clock Gating (PCLKCR)
      6.4.1.22 Peripheral Soft Reset (SOFTPRES)
      6.4.1.23 Peripheral Access Protection – Type 1
      6.4.1.24 Software Test of Reset – Type 1
      6.4.1.25 PLL Lock Profiling Using On-Chip Timer
      6.4.1.26 Reset Cause Information
      6.4.1.27 Software Read Back of Written Configuration
      6.4.1.28 Software Test of ERRORSTS Functionality
      6.4.1.29 Software Test of Missing Clock Detect Functionality
      6.4.1.30 Software Test of Watchdog (WD) Operation
      6.4.1.31 Dual Clock Comparator (DCC) – Type 2
      6.4.1.32 PLL Lock Indication
      6.4.1.33 Software Test of DCC Functionality Including Error Tests
      6.4.1.34 Software Test of PLL Functionality Including Error Tests
      6.4.1.35 Interleaving of FSM States
      6.4.1.36 Decryption of Encrypted Data Output Using Same KEY and IV
      6.4.1.37 Software Test of Standalone GHASH Operation
    6.4.2 Processing Elements
      6.4.2.1 CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      6.4.2.2 Reciprocal Comparison by Software
      6.4.2.3 Software Test of CPU
      6.4.2.4 CPU Hardware Built-In Self-Test (HWBIST)
      6.4.2.5 CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
      6.4.2.6 CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
      6.4.2.7 CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
      6.4.2.8 Software Test of CLA
      6.4.2.9 CLA Handling of Illegal Operation and Illegal Results
      6.4.2.10 CLA Liveness Check Using CPU
      6.4.2.11 Disabling of Unused CLA Task Trigger Sources
      6.4.2.12 Stack Overflow Detection
      6.4.2.13 VCRC Check of Static Memory Contents
      6.4.2.14 VCRC Auto Coverage
      6.4.2.15 Hardware Redundancy Using Lockstep Compare Module (LCM)
      6.4.2.16 Self-Test Logic for LCM
      6.4.2.17 LCM Compare Error Forcing Mode
      6.4.2.18 LCM MMR Parity
      6.4.2.19 Test of LCM MMR Parity
      6.4.2.20 Lockstep Self-test Mux Select Logic Fault Detection
      6.4.2.21 Redundancy in LCM Comparator
      6.4.2.22 Embedded Real Time Analysis and Diagnostic (ERAD)
      6.4.2.23 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
    6.4.3 Memory (Flash, SRAM and ROM)
      6.4.3.1 Bit Multiplexing in Flash Memory Array
      6.4.3.2 Bit Multiplexing in SRAM Memory Array
      6.4.3.3 Data Scrubbing to Detect and Correct Memory Errors
      6.4.3.4 Flash ECC
      6.4.3.5 Flash Program Verify and Erase Verify Check
      6.4.3.6 Flash Program and Erase Protection
      6.4.3.7 Flash Wrapper Error and Status Reporting
      6.4.3.8 Prevent 0 to 1 Transition Using Program Command
      6.4.3.9 On-Demand Software Program Verify and Blank Check
      6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
      6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
      6.4.3.12 Auto ECC Generation Override
      6.4.3.13 Software Test of ECC Logic
      6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
      6.4.3.15 Access Protection Mechanism for Memories
      6.4.3.16 SRAM ECC
      6.4.3.17 SRAM Parity
      6.4.3.18 Software Test of Parity Logic
      6.4.3.19 Software Test of SRAM
      6.4.3.20 Memory Power-On Self-Test (MPOST)
      6.4.3.21 Background CRC
      6.4.3.22 Watchdog for Background CRC
      6.4.3.23 ROM Parity
      6.4.3.24 Redundant Parity Engine
    6.4.4 On-Chip Communication Including Bus-Arbitration
      6.4.4.1 1oo2 Software Voting Using Secondary Free Running Counter
      6.4.4.2 DMA Overflow Interrupt
      6.4.4.3 Event Timestamping Using IPC Counter
      6.4.4.4 Maintaining Interrupt Handler for Unused Interrupts
      6.4.4.5 Majority Voting and Error Detection of Link Pointer
      6.4.4.6 PIE Double SRAM Comparison Check
      6.4.4.7 PIE Double SRAM Hardware Comparison
      6.4.4.8 Power-Up Pre-Operational Security Checks
      6.4.4.9 Software Check of X-BAR Flag
      6.4.4.10 Software Test of ePIE Operation Including Error Tests
      6.4.4.11 Disabling of Unused DMA Trigger Sources
      6.4.4.12 Software Test of CLB Function Including Error Tests
      6.4.4.13 Monitoring of CLB by eCAP or eQEP
      6.4.4.14 Periodic Software Read Back of SPI Buffer
      6.4.4.15 IPC 64-Bit Counter Value Plausibility Check
    6.4.5 Digital I/O
      6.4.5.1 ECAP Application Level Safety Mechanism
      6.4.5.2 ePWM Application Level Safety Mechanism
      6.4.5.3 ePWM Fault Detection Using XBAR
      6.4.5.4 ePWM Synchronization Check
      6.4.5.5 Online MINMAX Monitoring of TRIP Events
      6.4.5.6 Fault Avoidance Using Minimum Dead Band
      6.4.5.7 Fault Avoidance Using Illegal Combo Logic
      6.4.5.8 Diode Emulation Mode Monitoring
      6.4.5.9 eQEP Application Level Safety Mechanisms
      6.4.5.10 eQEP Quadrature Watchdog
      6.4.5.11 eQEP Software Test of Quadrature Watchdog Functionality
      6.4.5.12 Hardware Redundancy
      6.4.5.13 HRPWM Built-In Self-Check and Diagnostic Capabilities
      6.4.5.14 Information Redundancy Techniques
      6.4.5.15 Monitoring of ePWM by eCAP
      6.4.5.16 Monitoring of ePWM by ADC
      6.4.5.17 Online Monitoring of Interrupts and Events
      6.4.5.18 SDFM Comparator Filter for Online Monitoring
      6.4.5.19 SD Modulator Clock Fail Detection Mechanism
      6.4.5.20 Software Test of Function Including Error Tests
      6.4.5.21 Monitoring of HRPWM by HRCAP
      6.4.5.22 HRCAP Calibration Logic Test Feature
      6.4.5.23 QMA Error Detection Logic
    6.4.6 Analog I/O
      6.4.6.1 ADC Information Redundancy Techniques
      6.4.6.2 ADC Input Signal Integrity Check
      6.4.6.3 ADC Signal Quality Check by Varying Acquisition Window
      6.4.6.4 Hardware Redundancy with ADC Safety Checker
      6.4.6.5 Hardware Redundancy of ADC Safety Checker
      6.4.6.6 Disabling Unused Sources of SOC Inputs to ADC
      6.4.6.7 CMPSS Ramp Generator Functionality Check
      6.4.6.8 DAC to ADC Loopback Check
      6.4.6.9 DAC to Comparator Loopback Check
      6.4.6.10 Opens/Shorts Detection Circuit for ADC
      6.4.6.11 VDAC Conversion by ADC
    6.4.7 Data Transmission
      6.4.7.1 Bit Error Detection
      6.4.7.2 CRC in Message
      6.4.7.3 DCAN Acknowledge Error Detection
      6.4.7.4 DCAN Form Error Detection
      6.4.7.5 DCAN Stuff Error Detection
      6.4.7.6 PWM Trip by MCAN
      6.4.7.7 MCAN Stuff Error Detection
      6.4.7.8 MCAN Form Error Detection
      6.4.7.9 MCAN Acknowledge Error Detection
      6.4.7.10 Timeout on FIFO Activity
      6.4.7.11 Timestamp Consistency Checks
      6.4.7.12 Tx-Event Checks
      6.4.7.13 Interrupt on Message RAM Access Failure
      6.4.7.14 Software Test of Function Including Error Tests Using EPG
      6.4.7.15 EMIF Access Latency Profiling Using On-Chip Timer
      6.4.7.16 EMIF Access Protection Mechanism
      6.4.7.17 EMIF Asynchronous Memory Timeout Protection Mechanism
      6.4.7.18 I2C Access Latency Profiling Using On-Chip Timer
      6.4.7.19 Information Redundancy Techniques Including End-to-End Safing
      6.4.7.20 I2C Data Acknowledge Check
      6.4.7.21 Parity in Message
      6.4.7.22 Break Error Detection
      6.4.7.23 Frame Error Detection
      6.4.7.24 Overrun Error Detection
      6.4.7.25 Software Test of Function Using I/O Loopback
      6.4.7.26 SPI Data Overrun Detection
      6.4.7.27 Transmission Redundancy
      6.4.7.28 Data Parity Error Detection
      6.4.7.29 LIN Physical Bus Error Detection
      6.4.7.30 LIN No-Response Error Detection
      6.4.7.31 LIN Checksum Error Detection
      6.4.7.32 LIN ID Parity Error Detection
      6.4.7.33 Communication Access Latency Profiling Using On-Chip Timer
      6.4.7.34 FSI Data Overrun and Underrun Detection
      6.4.7.35 FSI Frame Overrun Detection
      6.4.7.36 FSI CRC Framing Checks
      6.4.7.37 FSI ECC Framing Checks
      6.4.7.38 FSI Frame Watchdog
      6.4.7.39 FSI RX Ping Watchdog
      6.4.7.40 FSI Tag Monitor
      6.4.7.41 FSI Frame Type Error Detection
      6.4.7.42 FSI End of Frame Error Detection
      6.4.7.43 FSI Register Protection Mechanisms
      6.4.7.44 PMBus Protocol CRC in Message
      6.4.7.45 PMBus Clock Timeout
      6.4.7.46 EtherCAT MDIO Command Error Indication
      6.4.7.47 EtherCAT Sync-Manager
      6.4.7.48 EtherCAT Working Counter Error Indication
      6.4.7.49 EtherCAT Frame Error Indication
      6.4.7.50 EtherCAT Physical Layer Error Indication
      6.4.7.51 PDI Timeout Error Indication
      6.4.7.52 EtherCAT EEPROM CRC Error Indication
      6.4.7.53 EtherCAT EEPROM Not Done Error Indication
      6.4.7.54 EtherCAT Data Link Error Indication
      6.4.7.55 EtherCAT Phy Link Error Indication
      6.4.7.56 Sync, GPO Monitoring Using External Monitor
      6.4.7.57 EtherCAT Enhanced Link Detection With LED
      6.4.7.58 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
7 References
A Summary of Safety Features and Diagnostics
B Distributed Developments
  B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
  B.2 Activities Performed by Texas Instruments
  B.3 Information Provided

Introduction

The TMS320F28P65x is offered as a Functional Safety Compliant Safety Element out of Context (SEooC) product. This means that the TMS320F28P65x was developed in compliance with TI's ISO 9001/IATF 16949 compliant hardware product development process. Subsequently, this product was independently assessed to meet a systematic capability of ASIL D (according to ISO 26262:2018) and SIL 3 (according to IEC 61508:2010); see Certification for Functional Safety Hardware Process. As such, this safety manual is intended to be informative only, to help explain how to use the features of the TMS320F28P65x device to assist the system designer in achieving a given ASIL or SIL level. System designers are responsible for evaluating this device in the context of their system and determining the system-level ASIL or SIL coverage achieved therein.

This document is the Functional Safety Manual for the TMS320F28P65x MCU series from Texas Instruments, which is part of the high-performance C2000™ real-time microcontroller product line. The C2000 product line uses a common safety architecture that is implemented across multiple products for automotive and industrial applications.

The products supported by this document have been assessed to meet a systematic capability of ASIL-D (according to ISO 26262) and SIL-3 (according to IEC 61508). For more information, see Certification for Functional Safety Hardware Process.

This Functional Safety Manual is part of the Functional Safety-Compliant design package to aid customers who are designing systems in compliance with the ISO 26262 or IEC 61508 functional safety standards.

Table 1-1 shows a complete list of the products supported by this safety manual.

Table 1-1 Products Supported by This Safety Manual

Orderable Devices
Dual-Core Part Numbers    Single-Core Part Numbers
F28P650DK9NMR             F28P650SK7NMRR
F28P650DK9NMRR            F28P650SK7PTP
F28P650DK9PTP             F28P650SK7ZEJR
F28P650DK9ZEJ             F28P650SK6PZPR
F28P650DK9ZEJR            F28P650SK6NMRR
F28P650DK7NMRR            F28P650SK6PTP
F28P650DK7PTP             F28P650SK6ZEJR
F28P650DK7ZEJR            F28P659SH6PZPRQ1
F28P650DK8NMRR            F28P659SH6PTPQ1
F28P650DK8PTP             F28P650SH7NMRR
F28P650DK8ZEJR            F28P650SH7PTP
F28P659DK8PZPQ1           F28P650SH7ZEJR
F28P659DK8PZPRQ1          F28P650SH6PZPR
F28P659DK8PTPQ1           F28P650SH6NMRR
F28P659DK8ZEJQ1           F28P650SH6PTP
F28P659DK8ZEJRQ1          F28P650SH6ZEJR
F28P650DK6PZP
F28P650DK6PZPR
F28P650DK6NMRR
F28P650DK6PTP
F28P650DK6ZEJR
F28P659DH8PZPRQ1
F28P650DH6PZPR
F28P650DH6NMRR
F28P650DH6PTP
F28P650DH6ZEJR

This Functional Safety Manual provides information needed by system developers to assist in the creation of a safety critical system using a supported TMS320F28P65x MCU. This document contains:

  • An overview of the component architecture
  • An overview of the development process used to decrease the probability of systematic failures
  • An overview of the functional safety architecture for management of random failures
  • The details of architecture partitions and implemented functional safety mechanisms

The following information is documented in the Detailed Safety Analysis Report (SAR) section of the FMEDA for TMS320F28P65x C2000™ Safety Critical Microcontrollers, which is available only under a Functional Safety NDA and is not repeated in this document:

  • Failure rates (FIT) of the component
  • Fault model used to estimate device failure rates to enable calculation of customized failure rates
  • Functional safety metrics of the hardware component for targeted standards (viz. IEC 61508:2010 and ISO 26262:2018)
  • Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics Analysis) with detail of the different parts of the component, allowing for customized application of functional safety mechanisms
  • Assumptions used in the calculation of functional safety metrics

Users of this document are expected to have a general familiarity with the TMS320F28P65x product family. More information can be found at www.ti.com/C2000.

This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other documentation for the products being supplied.

For information that is beyond the scope of the listed deliverables, contact your TI sales representative or visit www.ti.com.