SFFS779 December   2024 TMS320F28P550SJ

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2 TMS320F28P55x Product Safety Capability and Constraints
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4 TMS320F28P55x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P55x MCU Safe State
        1. 4.2.3.1 Assumed Safety Requirements
      4. 4.2.4 Operating States
    3. 4.3 TMS320F28P55x MCU Safety Implementation
      1. 4.3.1 Assumed Safety Requirements
      2. 4.3.2 Example Safety Concept Implementation Options on TMS320F28P55x MCU
        1. 4.3.2.1 Safety Concept Implementation: Option 1
        2. 4.3.2.2 Safety Concept Implementation: Option 2
    4. 4.4 TMS320F28P55x Diagnostic Libraries
      1. 4.4.1 Assumptions of Use - F28P55x Self-Test Libraries
      2. 4.4.2 Operational Details - F28P55x Self-Test Libraries
        1. 4.4.2.1 Operational Details – C28x Self-Test Library
        2. 4.4.2.2 Operational Details – CLA Self-Test Library
        3. 4.4.2.3 Operational Details - Software Diagnostic Libraries
      3. 4.4.3 C2000 Safety STL Software Development Flow
    5. 4.5 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
        1. 5.1.1.1 Power Supply (Power) Safety Features List
      2. 5.1.2 Clock
        1. 5.1.2.1 Clock Safety Features List
      3. 5.1.3 APLL
        1. 5.1.3.1 APLL Safety Features List
      4. 5.1.4 Reset
        1. 5.1.4.1 Reset Safety Features List
      5. 5.1.5 System Control Module and Configuration Registers
        1. 5.1.5.1 System Control Module and Configuration Registers (System control) Safety Features List
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
        1. 5.1.6.1 Debug Logic (JTAG) Safety Features List
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
        1. 5.1.7.1 AES Safety Features List
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
        1. 5.2.1.1 C28x Central Processing Unit (C28x) Safety Features List
        2. 5.2.1.2 FPU_TMU (FPU_TMU) Safety Features List
      2. 5.2.2 Control Law Accelerator
        1. 5.2.2.1 Control Law Accelerator (MCLA) Safety Features List
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
        1. 5.3.1.1 NW Embedded Flash Memory (NW Flash) Safety Features List
      2. 5.3.2 Embedded SRAM
        1. 5.3.2.1 SRAM Safety Features List
      3. 5.3.3 Embedded ROM
        1. 5.3.3.1 ROM Safety Features List
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
        1. 5.4.1.1 Device Interconnect (Interconnect_Bridges) Safety Features List
      2. 5.4.2 Direct Memory Access (DMA)
        1. 5.4.2.1 DMA Safety Features List
      3. 5.4.3 Enhanced Peripheral Interrupt Expander (ePIE) Module
        1. 5.4.3.1 Enhanced Peripheral Interrupt Expander (PIE) Module Safety Features List
      4. 5.4.4 Dual Zone Code Security Module (DCSM)
        1. 5.4.4.1 Dual Zone Code Security Module (DCSM) Safety Features List
      5. 5.4.5 CrossBar (X-BAR)
        1. 5.4.5.1 CrossBar (XBAR) Safety Features List
      6. 5.4.6 Timer
        1. 5.4.6.1 CPU_Timer Safety Features List
      7. 5.4.7 Configurable Logic Block
        1. 5.4.7.1 Configurable Logic Block (CLB) Safety Features List
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
        1. 5.5.1.1 General Pupose I O and Multiplexing (GPIO_Pinmux) Safety Features List
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
        1. 5.5.2.1 Enhanced Pulse Width Modulators (ePWM) Safety Features List
      3. 5.5.3 High Resolution PWM (HRPWM)
        1. 5.5.3.1 High Resolution Pulse Width Modulator (OTTO) Safety Features List
      4. 5.5.4 Enhanced Capture (eCAP)
        1. 5.5.4.1 Enhanced Capture (ECAP) Safety Features List
      5. 5.5.5 High Resolution Capture (HRCAP)
        1. 5.5.5.1 High Resolution Capture (HRCAP) Safety Features List
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
        1. 5.5.6.1 Enhanced Quadrature Encoder Pulse (eQEP) Safety Features List
      7. 5.5.7 External Interrupt (XINT)
        1. 5.5.7.1 XINT Safety Features List
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
        1. 5.6.1.1 ADC Safety Features List
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
        1. 5.6.2.1 BufDAC Safety Features List
      3. 5.6.3 Comparator Subsystem (CMPSS)
        1. 5.6.3.1 Comparator Subsystem (CMPSS) Safety Features List
      4. 5.6.4 Programmable Gain Amplifier (PGA)
        1. 5.6.4.1 Programmable Gain Amplifier (PGA) Safety Features List
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (MCAN, CAN FD)
        1. 5.7.1.1 MCAN Safety Features List
      2. 5.7.2 Serial Peripheral Interface (SPI)
        1. 5.7.2.1 Serial Peripheral Interface (SPI) Safety Features List
      3. 5.7.3 Serial Communication Interface (SCI)
        1. 5.7.3.1 Serial Communications Interface (SCI) Safety Features List
      4. 5.7.4 Inter-Integrated Circuit (I2C)
        1. 5.7.4.1 Inter-Integrated Circuit (I2C) Safety Features List
      5. 5.7.5 Fast Serial Interface (FSI)
        1. 5.7.5.1 Fast Serial Interface (FSI) Safety Features List
      6. 5.7.6 Power Management Bus Module (PMBus)
        1. 5.7.6.1 Power Management BUS (PMBUS) Safety Features List
      7. 5.7.7 Local Interconnect Network (LIN)
        1. 5.7.7.1 Local Interconnect Network (LIN) Safety Features List
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  External Voltage Supervisor
        2. 6.4.1.2  External Watchdog
        3. 6.4.1.3  Multibit Enable Keys for Control Registers
        4. 6.4.1.4  Lock Mechanism for Control Registers
        5. 6.4.1.5  Software Readback of Written Configuration
        6. 6.4.1.6  Periodic Software Readback of Static Configuration Registers
        7. 6.4.1.7  Online Monitoring of Temperature
        8. 6.4.1.8  EALLOW and MEALLOW Protection for Critical Registers
        9. 6.4.1.9  Internal Watchdog (WD)
        10. 6.4.1.10 Brownout Reset (BOR)
        11. 6.4.1.11 Missing Clock Detect (MCD)
        12. 6.4.1.12 Clock Integrity Check Using CPU Timer
        13. 6.4.1.13 Clock Integrity Check Using HRPWM
        14. 6.4.1.14 External Clock Monitoring Using XCLKOUT
        15. 6.4.1.15 Software Test of Watchdog (WD) Operation
        16. 6.4.1.16 Software Test of Missing Clock Detect Functionality
        17. 6.4.1.17 PLL Lock Profiling Using On-Chip Timer
        18. 6.4.1.18 Peripheral Clock Gating (PCLKCR)
        19. 6.4.1.19 Dual Clock Comparator (DCC) – Type 2
        20. 6.4.1.20 Clock Integrity Check Using DCC
        21. 6.4.1.21 PLL Lock Indication
        22. 6.4.1.22 Software Test of DCC Functionality Including Error Tests
        23. 6.4.1.23 External Clock Monitoring Using XCLKOUT
        24. 6.4.1.24 Software Test of PLL Functionality Including Error Tests
        25. 6.4.1.25 Interleaving of FSM States
        26. 6.4.1.26 External Monitoring of Warm Reset (XRSn)
        27. 6.4.1.27 Reset Cause Information
        28. 6.4.1.28 Glitch Filtering on Reset Pins
        29. 6.4.1.29 NMIWD Shadow Registers
        30. 6.4.1.30 NMIWD Reset Functionality
        31. 6.4.1.31 Peripheral Soft Reset (SOFTPRES)
        32. 6.4.1.32 Software Test of ERRORSTS Functionality
        33. 6.4.1.33 Software Test of Reset – Type 1
        34. 6.4.1.34 Peripheral Access Protection – Type 1
        35. 6.4.1.35 Hardware Disable of JTAG Port
        36. 6.4.1.36 Lockout of JTAG Access Using OTP
        37. 6.4.1.37 Decryption of Encrypted Data Output Using Same KEY and IV
        38. 6.4.1.38 Information Redundancy Techniques Including End-to-End Safing
        39. 6.4.1.39 Transmission Redundancy
        40. 6.4.1.40 Disabling of Unused DMA Trigger Sources
        41. 6.4.1.41 Software Test of Function Including Error Tests
        42. 6.4.1.42 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  Reciprocal Comparison by Software
        2. 6.4.2.2  Software Test of CPU
        3. 6.4.2.3  Periodic Software Readback of Static Configuration Registers
        4. 6.4.2.4  Access Protection Mechanism for Memories
        5. 6.4.2.5  Hardware Disable of JTAG Port
        6. 6.4.2.6  CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        7. 6.4.2.7  Internal Watchdog (WD)
        8. 6.4.2.8  External Watchdog
        9. 6.4.2.9  Information Redundancy Techniques
        10. 6.4.2.10 Stack Overflow Detection
        11. 6.4.2.11 VCRC Auto Coverage
        12. 6.4.2.12 Embedded Real Time Analysis and Diagnostic (ERAD)
        13. 6.4.2.13 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
        14. 6.4.2.14 Software Test of CLA
        15. 6.4.2.15 CLA Handling of Illegal Operation and Illegal Results
        16. 6.4.2.16 Software Readback of Written Configuration
        17. 6.4.2.17 CLA Liveness Check Using CPU
        18. 6.4.2.18 Software Test of Function Including Error Tests
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  SRAM ECC
        2. 6.4.3.2  SRAM Parity
        3. 6.4.3.3  Software Test of SRAM
        4. 6.4.3.4  Bit Multiplexing in SRAM Memory Array
        5. 6.4.3.5  Periodic Software Readback of Static Configuration Registers
        6. 6.4.3.6  Software Readback of Written Configuration
        7. 6.4.3.7  Data Scrubbing to Detect/Correct Memory Errors
        8. 6.4.3.8  VCRC Check of Static Memory Contents
        9. 6.4.3.9  Software Test of Function Including Error Tests
        10. 6.4.3.10 Access Protection Mechanism for Memories
        11. 6.4.3.11 Lock Mechanism for Control Registers
        12. 6.4.3.12 Software Test of ECC Logic
        13. 6.4.3.13 Software Test of Parity Logic
        14. 6.4.3.14 Information Redundancy Techniques
        15. 6.4.3.15 CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        16. 6.4.3.16 Internal Watchdog (WD)
        17. 6.4.3.17 External Watchdog
        18. 6.4.3.18 CLA Handling of Illegal Operation and Illegal Results
        19. 6.4.3.19 Memory Power-On Self-Test (MPOST)
        20. 6.4.3.20 Power-Up Pre-Operational Security Checks
        21. 6.4.3.21 ROM Parity
        22. 6.4.3.22 Flash ECC
        23. 6.4.3.23 Flash Program Verify and Erase Verify Check
        24. 6.4.3.24 Flash Program and Erase Protection
        25. 6.4.3.25 Flash Wrapper Error and Status Reporting
        26. 6.4.3.26 Prevent 0 to 1 Transition Using Program Command
        27. 6.4.3.27 On-demand Software Program Verify and Blank Check
        28. 6.4.3.28 Software Readback of Written Configuration
        29. 6.4.3.29 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        30. 6.4.3.30 ECC Generation and Checker Logic is Separate in Hardware
        31. 6.4.3.31 Bit Multiplexing in Flash Memory Array
        32. 6.4.3.32 Auto ECC Generation Override
        33. 6.4.3.33 Software Test of Flash Prefetch, Data Cache, and Wait States
        34. 6.4.3.34 Software Test of ECC Logic
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  Software Test of Function Including Error Tests
        2. 6.4.4.2  Internal Watchdog (WD)
        3. 6.4.4.3  External Watchdog
        4. 6.4.4.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.4.5  Software Readback of Written Configuration
        6. 6.4.4.6  CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        7. 6.4.4.7  CLA Handling of Illegal Operation and Illegal Results
        8. 6.4.4.8  Transmission Redundancy
        9. 6.4.4.9  Hardware Redundancy
        10. 6.4.4.10 EALLOW and MEALLOW Protection for Critical Registers
        11. 6.4.4.11 Information Redundancy Techniques
        12. 6.4.4.12 DMA Overflow Interrupt
        13. 6.4.4.13 Access Protection Mechanism for Memories
        14. 6.4.4.14 Disabling of Unused DMA Trigger Sources
        15. 6.4.4.15 Software Test of SRAM
        16. 6.4.4.16 Software Test of ePIE Operation Including Error Tests
        17. 6.4.4.17 Maintaining Interrupt Handler for Unused Interrupts
        18. 6.4.4.18 Online Monitoring of Interrupts and Events
        19. 6.4.4.19 SRAM Parity
        20. 6.4.4.20 Software Test of Parity Logic
        21. 6.4.4.21 Multibit Enable Keys for Control Registers
        22. 6.4.4.22 Majority Voting and Error Detection of Link Pointer
        23. 6.4.4.23 VCRC Check of Static Memory Contents
        24. 6.4.4.24 Software Check of X-BAR Flag
        25. 6.4.4.25 1oo2 Software Voting Using Secondary Free Running Counter
        26. 6.4.4.26 Software Test of Function Including Error Tests
        27. 6.4.4.27 Monitoring of CLB by eCAP or eQEP
        28. 6.4.4.28 Lock Mechanism for Control Registers
        29. 6.4.4.29 Periodic Software Read Back of SPI Buffer
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  Software Test of Function Including Error Tests
        2. 6.4.5.2  Hardware Redundancy
        3. 6.4.5.3  Monitoring of ePWM by eCAP
        4. 6.4.5.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.5.5  Software Readback of Written Configuration
        6. 6.4.5.6  Lock Mechanism for Control Registers
        7. 6.4.5.7  ePWM Fault Detection Using XBAR
        8. 6.4.5.8  ePWM Synchronization Check
        9. 6.4.5.9  ePWM Application-Level Safety Mechanism
        10. 6.4.5.10 Online Monitoring of Interrupts and Events
        11. 6.4.5.11 Monitoring of ePWM by ADC
        12. 6.4.5.12 HRPWM Built-In Self-Check and Diagnostic Capabilities
        13. 6.4.5.13 Information Redundancy Techniques
        14. 6.4.5.14 ECAP Application-Level Safety Mechanism
        15. 6.4.5.15 eQEP Quadrature Watchdog
        16. 6.4.5.16 eQEP Application-Level Safety Mechanisms
        17. 6.4.5.17 QMA Error Detection Logic
        18. 6.4.5.18 eQEP Software Test of Quadrature Watchdog Functionality
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  Software Test of Function Including Error Tests
        2. 6.4.6.2  DAC to ADC Loopback Check
        3. 6.4.6.3  ADC Information Redundancy Techniques
        4. 6.4.6.4  Open and Short Detection Circuit for ADC
        5. 6.4.6.5  Software Readback of Written Configuration
        6. 6.4.6.6  Periodic Software Readback of Static Configuration Registers
        7. 6.4.6.7  ADC Signal Quality Check by Varying Acquisition Window
        8. 6.4.6.8  ADC Input Signal Integrity Check
        9. 6.4.6.9  Monitoring of ePWM by ADC
        10. 6.4.6.10 Hardware Redundancy
        11. 6.4.6.11 Lock Mechanism for Control Registers
        12. 6.4.6.12 DAC to Comparator Loopback Check
        13. 6.4.6.13 Lock Mechanism for Control Registers
        14. 6.4.6.14 CMPSS Ramp Generator Functionality Check
        15. 6.4.6.15 PGA to ADC Loopback Test
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Software Test of Function Using I/O Loopback
        2. 6.4.7.2  Information Redundancy Techniques Including End-to-End Safing
        3. 6.4.7.3  Transmission Redundancy
        4. 6.4.7.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.7.5  Software Readback of Written Configuration
        6. 6.4.7.6  Data Parity Error Detection
        7. 6.4.7.7  SCI Overrun Error Detection
        8. 6.4.7.8  SCI Frame Error Detection
        9. 6.4.7.9  LIN Physical Bus Error Detection
        10. 6.4.7.10 LIN No-Response Error Detection
        11. 6.4.7.11 Bit Error Detection
        12. 6.4.7.12 LIN Checksum Error Detection
        13. 6.4.7.13 LIN ID Parity Error Detection
        14. 6.4.7.14 SCI Break Error Detection
        15. 6.4.7.15 Communication Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 Software Test of Function Including Error Tests Using EPG
        17. 6.4.7.17 Software Test of Function Using I/O Loopback
        18. 6.4.7.18 SPI Data Overrun Detection
        19. 6.4.7.19 Hardware Redundancy
        20. 6.4.7.20 FSI Data Overrun and Underrun Detection
        21. 6.4.7.21 FSI Frame Overrun Detection
        22. 6.4.7.22 FSI CRC Framing Checks
        23. 6.4.7.23 FSI ECC Framing Checks
        24. 6.4.7.24 FSI Frame Watchdog
        25. 6.4.7.25 FSI RX Ping Watchdog
        26. 6.4.7.26 FSI Tag Monitor
        27. 6.4.7.27 FSI Frame Type Error Detection
        28. 6.4.7.28 FSI End-of-Frame Error Detection
        29. 6.4.7.29 FSI Register Protection Mechanisms
        30. 6.4.7.30 Hardware Disable of JTAG Port
        31. 6.4.7.31 Parity in Message
        32. 6.4.7.32 I2C Data Acknowledge Check
        33. 6.4.7.33 I2C Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 PMBus Protocol CRC in Message
        35. 6.4.7.35 PMBus Clock Timeout
        36. 6.4.7.36 PWM Trip by MCAN
        37. 6.4.7.37 Software Test of SRAM
        38. 6.4.7.38 SRAM ECC
        39. 6.4.7.39 Bit Multiplexing in SRAM Memory Array
        40. 6.4.7.40 MCAN Stuff Error Detection
        41. 6.4.7.41 MCAN Form Error Detection
        42. 6.4.7.42 MCAN Acknowledge Error Detection
        43. 6.4.7.43 CRC in Message
        44. 6.4.7.44 Software Test of ECC Logic
        45. 6.4.7.45 Timeout on FIFO Activity
        46. 6.4.7.46 Timestamp Consistency Checks
        47. 6.4.7.47 Tx-Event Checks
        48. 6.4.7.48 Interrupt on Message RAM Access Failure
        49. 6.4.7.49 Software Test of Function Including Error Tests Using EPG
  9. 7References
  10. 8f28p55x Summary of Safety Features and Diagnostic
    1.     332
  11.   A Distributed Developments
    1.     A.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     A.2 Activities Performed by Texas Instruments
    3.     A.3 Information Provided
  12.   B Revision History

6.1 Fault Reporting

The TMS320F28P55x MCU product architecture provides different levels of fault indication from internal safety mechanisms using CPU interrupt, non maskable interrupt (NMI), assertion of ERRORSTS pin, assertion of CPU input reset and assertion of warm reset (XRSn). The fault response is the action that is taken by the TMS320F28P55x MCU or system when a fault is indicated. Multiple potential fault responses are possible during a fault indication. The system integrator is responsible for determining which fault response is taken to verify consistency with the system safety concept. The fault indication, ordered in terms of severity (device power down being the most severe), is shown in Figure 6-1.

TMS320F28P55 Fault Response Severity Figure 6-1 Fault Response Severity
  • Device Power Down: This is the highest priority fault response where the external component (refer to Section 4.2.3.1) detects malfunctioning of the device or other system components and powers down the TMS320F28P55x MCU. From this state, re-entering cold boot to attempting recovery is possible.
  • Assertion of XRSn: The XRSn reset can be generated from an internal or external monitor that detects a critical fault having the potential to violate a safety goal. Internal sources generate this fault response when the TMS320F28P55x MCU is not able to handle the internal fault condition solely (for example, CPU1 is not able to handle NMI solely). From this state,re-entering cold boot and attempting recovery is possible.
  • Assertion of CPU Reset: CPU reset changes the state of the CPU from pre-operational or operational state to warm boot phase. The CPU Reset is generated from an internal monitor that detects any security violations. On a properly working system, the security violations can be the secondary effect due to a fault condition. From this state, re-entering warm boot phase and attempting recovery is possible.
  • Non Maskable Interrupt (NMI) and Assertion of ERRORSTS Pin: C28x CPU supports a non maskable interrupt (NMI), which has a higher priority than all other interrupts. Each CPU subsystem is equipped with a NMIWD module responsible for generating NMI to the CPU. ERRORSTS pin is asserted along with NMI. Depending on the system-level requirements, the fault can be handled either internal to the TMS320F28P55x MCU using software or at the system-level using the ERRORSTS pin information.
  • CPU Interrupt: CPU interrupt allows events external to the CPU to generate a program sequence context transfer to an interrupt handler where software has an opportunity to manage the fault. The peripheral interrupt expansion (PIE) block multiplexes multiple interrupt sources into a smaller set of CPU interrupt inputs.