SFFS779 December   2024 TMS320F28P550SJ

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2 TMS320F28P55x Product Safety Capability and Constraints
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4 TMS320F28P55x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P55x MCU Safe State
        1. 4.2.3.1 Assumed Safety Requirements
      4. 4.2.4 Operating States
    3. 4.3 TMS320F28P55x MCU Safety Implementation
      1. 4.3.1 Assumed Safety Requirements
      2. 4.3.2 Example Safety Concept Implementation Options on TMS320F28P55x MCU
        1. 4.3.2.1 Safety Concept Implementation: Option 1
        2. 4.3.2.2 Safety Concept Implementation: Option 2
    4. 4.4 TMS320F28P55x Diagnostic Libraries
      1. 4.4.1 Assumptions of Use - F28P55x Self-Test Libraries
      2. 4.4.2 Operational Details - F28P55x Self-Test Libraries
        1. 4.4.2.1 Operational Details – C28x Self-Test Library
        2. 4.4.2.2 Operational Details – CLA Self-Test Library
        3. 4.4.2.3 Operational Details - Software Diagnostic Libraries
      3. 4.4.3 C2000 Safety STL Software Development Flow
    5. 4.5 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
        1. 5.1.1.1 Power Supply (Power) Safety Features List
      2. 5.1.2 Clock
        1. 5.1.2.1 Clock Safety Features List
      3. 5.1.3 APLL
        1. 5.1.3.1 APLL Safety Features List
      4. 5.1.4 Reset
        1. 5.1.4.1 Reset Safety Features List
      5. 5.1.5 System Control Module and Configuration Registers
        1. 5.1.5.1 System Control Module and Configuration Registers (System control) Safety Features List
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
        1. 5.1.6.1 Debug Logic (JTAG) Safety Features List
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
        1. 5.1.7.1 AES Safety Features List
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
        1. 5.2.1.1 C28x Central Processing Unit (C28x) Safety Features List
        2. 5.2.1.2 FPU_TMU (FPU_TMU) Safety Features List
      2. 5.2.2 Control Law Accelerator
        1. 5.2.2.1 Control Law Accelerator (MCLA) Safety Features List
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
        1. 5.3.1.1 NW Embedded Flash Memory (NW Flash) Safety Features List
      2. 5.3.2 Embedded SRAM
        1. 5.3.2.1 SRAM Safety Features List
      3. 5.3.3 Embedded ROM
        1. 5.3.3.1 ROM Safety Features List
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
        1. 5.4.1.1 Device Interconnect (Interconnect_Bridges) Safety Features List
      2. 5.4.2 Direct Memory Access (DMA)
        1. 5.4.2.1 DMA Safety Features List
      3. 5.4.3 Enhanced Peripheral Interrupt Expander (ePIE) Module
        1. 5.4.3.1 Enhanced Peripheral Interrupt Expander (PIE) Module Safety Features List
      4. 5.4.4 Dual Zone Code Security Module (DCSM)
        1. 5.4.4.1 Dual Zone Code Security Module (DCSM) Safety Features List
      5. 5.4.5 CrossBar (X-BAR)
        1. 5.4.5.1 CrossBar (XBAR) Safety Features List
      6. 5.4.6 Timer
        1. 5.4.6.1 CPU_Timer Safety Features List
      7. 5.4.7 Configurable Logic Block
        1. 5.4.7.1 Configurable Logic Block (CLB) Safety Features List
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
        1. 5.5.1.1 General Pupose I O and Multiplexing (GPIO_Pinmux) Safety Features List
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
        1. 5.5.2.1 Enhanced Pulse Width Modulators (ePWM) Safety Features List
      3. 5.5.3 High Resolution PWM (HRPWM)
        1. 5.5.3.1 High Resolution Pulse Width Modulator (OTTO) Safety Features List
      4. 5.5.4 Enhanced Capture (eCAP)
        1. 5.5.4.1 Enhanced Capture (ECAP) Safety Features List
      5. 5.5.5 High Resolution Capture (HRCAP)
        1. 5.5.5.1 High Resolution Capture (HRCAP) Safety Features List
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
        1. 5.5.6.1 Enhanced Quadrature Encoder Pulse (eQEP) Safety Features List
      7. 5.5.7 External Interrupt (XINT)
        1. 5.5.7.1 XINT Safety Features List
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
        1. 5.6.1.1 ADC Safety Features List
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
        1. 5.6.2.1 BufDAC Safety Features List
      3. 5.6.3 Comparator Subsystem (CMPSS)
        1. 5.6.3.1 Comparator Subsystem (CMPSS) Safety Features List
      4. 5.6.4 Programmable Gain Amplifier (PGA)
        1. 5.6.4.1 Programmable Gain Amplifier (PGA) Safety Features List
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (MCAN, CAN FD)
        1. 5.7.1.1 MCAN Safety Features List
      2. 5.7.2 Serial Peripheral Interface (SPI)
        1. 5.7.2.1 Serial Peripheral Interface (SPI) Safety Features List
      3. 5.7.3 Serial Communication Interface (SCI)
        1. 5.7.3.1 Serial Communications Interface (SCI) Safety Features List
      4. 5.7.4 Inter-Integrated Circuit (I2C)
        1. 5.7.4.1 Inter-Integrated Circuit (I2C) Safety Features List
      5. 5.7.5 Fast Serial Interface (FSI)
        1. 5.7.5.1 Fast Serial Interface (FSI) Safety Features List
      6. 5.7.6 Power Management Bus Module (PMBus)
        1. 5.7.6.1 Power Management BUS (PMBUS) Safety Features List
      7. 5.7.7 Local Interconnect Network (LIN)
        1. 5.7.7.1 Local Interconnect Network (LIN) Safety Features List
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  External Voltage Supervisor
        2. 6.4.1.2  External Watchdog
        3. 6.4.1.3  Multibit Enable Keys for Control Registers
        4. 6.4.1.4  Lock Mechanism for Control Registers
        5. 6.4.1.5  Software Readback of Written Configuration
        6. 6.4.1.6  Periodic Software Readback of Static Configuration Registers
        7. 6.4.1.7  Online Monitoring of Temperature
        8. 6.4.1.8  EALLOW and MEALLOW Protection for Critical Registers
        9. 6.4.1.9  Internal Watchdog (WD)
        10. 6.4.1.10 Brownout Reset (BOR)
        11. 6.4.1.11 Missing Clock Detect (MCD)
        12. 6.4.1.12 Clock Integrity Check Using CPU Timer
        13. 6.4.1.13 Clock Integrity Check Using HRPWM
        14. 6.4.1.14 External Clock Monitoring Using XCLKOUT
        15. 6.4.1.15 Software Test of Watchdog (WD) Operation
        16. 6.4.1.16 Software Test of Missing Clock Detect Functionality
        17. 6.4.1.17 PLL Lock Profiling Using On-Chip Timer
        18. 6.4.1.18 Peripheral Clock Gating (PCLKCR)
        19. 6.4.1.19 Dual Clock Comparator (DCC) – Type 2
        20. 6.4.1.20 Clock Integrity Check Using DCC
        21. 6.4.1.21 PLL Lock Indication
        22. 6.4.1.22 Software Test of DCC Functionality Including Error Tests
        23. 6.4.1.23 External Clock Monitoring Using XCLKOUT
        24. 6.4.1.24 Software Test of PLL Functionality Including Error Tests
        25. 6.4.1.25 Interleaving of FSM States
        26. 6.4.1.26 External Monitoring of Warm Reset (XRSn)
        27. 6.4.1.27 Reset Cause Information
        28. 6.4.1.28 Glitch Filtering on Reset Pins
        29. 6.4.1.29 NMIWD Shadow Registers
        30. 6.4.1.30 NMIWD Reset Functionality
        31. 6.4.1.31 Peripheral Soft Reset (SOFTPRES)
        32. 6.4.1.32 Software Test of ERRORSTS Functionality
        33. 6.4.1.33 Software Test of Reset – Type 1
        34. 6.4.1.34 Peripheral Access Protection – Type 1
        35. 6.4.1.35 Hardware Disable of JTAG Port
        36. 6.4.1.36 Lockout of JTAG Access Using OTP
        37. 6.4.1.37 Decryption of Encrypted Data Output Using Same KEY and IV
        38. 6.4.1.38 Information Redundancy Techniques Including End-to-End Safing
        39. 6.4.1.39 Transmission Redundancy
        40. 6.4.1.40 Disabling of Unused DMA Trigger Sources
        41. 6.4.1.41 Software Test of Function Including Error Tests
        42. 6.4.1.42 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  Reciprocal Comparison by Software
        2. 6.4.2.2  Software Test of CPU
        3. 6.4.2.3  Periodic Software Readback of Static Configuration Registers
        4. 6.4.2.4  Access Protection Mechanism for Memories
        5. 6.4.2.5  Hardware Disable of JTAG Port
        6. 6.4.2.6  CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        7. 6.4.2.7  Internal Watchdog (WD)
        8. 6.4.2.8  External Watchdog
        9. 6.4.2.9  Information Redundancy Techniques
        10. 6.4.2.10 Stack Overflow Detection
        11. 6.4.2.11 VCRC Auto Coverage
        12. 6.4.2.12 Embedded Real Time Analysis and Diagnostic (ERAD)
        13. 6.4.2.13 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
        14. 6.4.2.14 Software Test of CLA
        15. 6.4.2.15 CLA Handling of Illegal Operation and Illegal Results
        16. 6.4.2.16 Software Readback of Written Configuration
        17. 6.4.2.17 CLA Liveness Check Using CPU
        18. 6.4.2.18 Software Test of Function Including Error Tests
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  SRAM ECC
        2. 6.4.3.2  SRAM Parity
        3. 6.4.3.3  Software Test of SRAM
        4. 6.4.3.4  Bit Multiplexing in SRAM Memory Array
        5. 6.4.3.5  Periodic Software Readback of Static Configuration Registers
        6. 6.4.3.6  Software Readback of Written Configuration
        7. 6.4.3.7  Data Scrubbing to Detect/Correct Memory Errors
        8. 6.4.3.8  VCRC Check of Static Memory Contents
        9. 6.4.3.9  Software Test of Function Including Error Tests
        10. 6.4.3.10 Access Protection Mechanism for Memories
        11. 6.4.3.11 Lock Mechanism for Control Registers
        12. 6.4.3.12 Software Test of ECC Logic
        13. 6.4.3.13 Software Test of Parity Logic
        14. 6.4.3.14 Information Redundancy Techniques
        15. 6.4.3.15 CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        16. 6.4.3.16 Internal Watchdog (WD)
        17. 6.4.3.17 External Watchdog
        18. 6.4.3.18 CLA Handling of Illegal Operation and Illegal Results
        19. 6.4.3.19 Memory Power-On Self-Test (MPOST)
        20. 6.4.3.20 Power-Up Pre-Operational Security Checks
        21. 6.4.3.21 ROM Parity
        22. 6.4.3.22 Flash ECC
        23. 6.4.3.23 Flash Program Verify and Erase Verify Check
        24. 6.4.3.24 Flash Program and Erase Protection
        25. 6.4.3.25 Flash Wrapper Error and Status Reporting
        26. 6.4.3.26 Prevent 0 to 1 Transition Using Program Command
        27. 6.4.3.27 On-demand Software Program Verify and Blank Check
        28. 6.4.3.28 Software Readback of Written Configuration
        29. 6.4.3.29 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        30. 6.4.3.30 ECC Generation and Checker Logic is Separate in Hardware
        31. 6.4.3.31 Bit Multiplexing in Flash Memory Array
        32. 6.4.3.32 Auto ECC Generation Override
        33. 6.4.3.33 Software Test of Flash Prefetch, Data Cache, and Wait States
        34. 6.4.3.34 Software Test of ECC Logic
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  Software Test of Function Including Error Tests
        2. 6.4.4.2  Internal Watchdog (WD)
        3. 6.4.4.3  External Watchdog
        4. 6.4.4.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.4.5  Software Readback of Written Configuration
        6. 6.4.4.6  CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        7. 6.4.4.7  CLA Handling of Illegal Operation and Illegal Results
        8. 6.4.4.8  Transmission Redundancy
        9. 6.4.4.9  Hardware Redundancy
        10. 6.4.4.10 EALLOW and MEALLOW Protection for Critical Registers
        11. 6.4.4.11 Information Redundancy Techniques
        12. 6.4.4.12 DMA Overflow Interrupt
        13. 6.4.4.13 Access Protection Mechanism for Memories
        14. 6.4.4.14 Disabling of Unused DMA Trigger Sources
        15. 6.4.4.15 Software Test of SRAM
        16. 6.4.4.16 Software Test of ePIE Operation Including Error Tests
        17. 6.4.4.17 Maintaining Interrupt Handler for Unused Interrupts
        18. 6.4.4.18 Online Monitoring of Interrupts and Events
        19. 6.4.4.19 SRAM Parity
        20. 6.4.4.20 Software Test of Parity Logic
        21. 6.4.4.21 Multibit Enable Keys for Control Registers
        22. 6.4.4.22 Majority Voting and Error Detection of Link Pointer
        23. 6.4.4.23 VCRC Check of Static Memory Contents
        24. 6.4.4.24 Software Check of X-BAR Flag
        25. 6.4.4.25 1oo2 Software Voting Using Secondary Free Running Counter
        26. 6.4.4.26 Software Test of Function Including Error Tests
        27. 6.4.4.27 Monitoring of CLB by eCAP or eQEP
        28. 6.4.4.28 Lock Mechanism for Control Registers
        29. 6.4.4.29 Periodic Software Read Back of SPI Buffer
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  Software Test of Function Including Error Tests
        2. 6.4.5.2  Hardware Redundancy
        3. 6.4.5.3  Monitoring of ePWM by eCAP
        4. 6.4.5.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.5.5  Software Readback of Written Configuration
        6. 6.4.5.6  Lock Mechanism for Control Registers
        7. 6.4.5.7  ePWM Fault Detection Using XBAR
        8. 6.4.5.8  ePWM Synchronization Check
        9. 6.4.5.9  ePWM Application-Level Safety Mechanism
        10. 6.4.5.10 Online Monitoring of Interrupts and Events
        11. 6.4.5.11 Monitoring of ePWM by ADC
        12. 6.4.5.12 HRPWM Built-In Self-Check and Diagnostic Capabilities
        13. 6.4.5.13 Information Redundancy Techniques
        14. 6.4.5.14 ECAP Application-Level Safety Mechanism
        15. 6.4.5.15 eQEP Quadrature Watchdog
        16. 6.4.5.16 eQEP Application-Level Safety Mechanisms
        17. 6.4.5.17 QMA Error Detection Logic
        18. 6.4.5.18 eQEP Software Test of Quadrature Watchdog Functionality
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  Software Test of Function Including Error Tests
        2. 6.4.6.2  DAC to ADC Loopback Check
        3. 6.4.6.3  ADC Information Redundancy Techniques
        4. 6.4.6.4  Open and Short Detection Circuit for ADC
        5. 6.4.6.5  Software Readback of Written Configuration
        6. 6.4.6.6  Periodic Software Readback of Static Configuration Registers
        7. 6.4.6.7  ADC Signal Quality Check by Varying Acquisition Window
        8. 6.4.6.8  ADC Input Signal Integrity Check
        9. 6.4.6.9  Monitoring of ePWM by ADC
        10. 6.4.6.10 Hardware Redundancy
        11. 6.4.6.11 Lock Mechanism for Control Registers
        12. 6.4.6.12 DAC to Comparator Loopback Check
        13. 6.4.6.13 Lock Mechanism for Control Registers
        14. 6.4.6.14 CMPSS Ramp Generator Functionality Check
        15. 6.4.6.15 PGA to ADC Loopback Test
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Software Test of Function Using I/O Loopback
        2. 6.4.7.2  Information Redundancy Techniques Including End-to-End Safing
        3. 6.4.7.3  Transmission Redundancy
        4. 6.4.7.4  Periodic Software Readback of Static Configuration Registers
        5. 6.4.7.5  Software Readback of Written Configuration
        6. 6.4.7.6  Data Parity Error Detection
        7. 6.4.7.7  SCI Overrun Error Detection
        8. 6.4.7.8  SCI Frame Error Detection
        9. 6.4.7.9  LIN Physical Bus Error Detection
        10. 6.4.7.10 LIN No-Response Error Detection
        11. 6.4.7.11 Bit Error Detection
        12. 6.4.7.12 LIN Checksum Error Detection
        13. 6.4.7.13 LIN ID Parity Error Detection
        14. 6.4.7.14 SCI Break Error Detection
        15. 6.4.7.15 Communication Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 Software Test of Function Including Error Tests Using EPG
        17. 6.4.7.17 Software Test of Function Using I/O Loopback
        18. 6.4.7.18 SPI Data Overrun Detection
        19. 6.4.7.19 Hardware Redundancy
        20. 6.4.7.20 FSI Data Overrun and Underrun Detection
        21. 6.4.7.21 FSI Frame Overrun Detection
        22. 6.4.7.22 FSI CRC Framing Checks
        23. 6.4.7.23 FSI ECC Framing Checks
        24. 6.4.7.24 FSI Frame Watchdog
        25. 6.4.7.25 FSI RX Ping Watchdog
        26. 6.4.7.26 FSI Tag Monitor
        27. 6.4.7.27 FSI Frame Type Error Detection
        28. 6.4.7.28 FSI End-of-Frame Error Detection
        29. 6.4.7.29 FSI Register Protection Mechanisms
        30. 6.4.7.30 Hardware Disable of JTAG Port
        31. 6.4.7.31 Parity in Message
        32. 6.4.7.32 I2C Data Acknowledge Check
        33. 6.4.7.33 I2C Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 PMBus Protocol CRC in Message
        35. 6.4.7.35 PMBus Clock Timeout
        36. 6.4.7.36 PWM Trip by MCAN
        37. 6.4.7.37 Software Test of SRAM
        38. 6.4.7.38 SRAM ECC
        39. 6.4.7.39 Bit Multiplexing in SRAM Memory Array
        40. 6.4.7.40 MCAN Stuff Error Detection
        41. 6.4.7.41 MCAN Form Error Detection
        42. 6.4.7.42 MCAN Acknowledge Error Detection
        43. 6.4.7.43 CRC in Message
        44. 6.4.7.44 Software Test of ECC Logic
        45. 6.4.7.45 Timeout on FIFO Activity
        46. 6.4.7.46 Timestamp Consistency Checks
        47. 6.4.7.47 Tx-Event Checks
        48. 6.4.7.48 Interrupt on Message RAM Access Failure
        49. 6.4.7.49 Software Test of Function Including Error Tests Using EPG
  9. 7References
  10. 8f28p55x Summary of Safety Features and Diagnostic
    1.     332
  11.   A Distributed Developments
    1.     A.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     A.2 Activities Performed by Texas Instruments
    3.     A.3 Information Provided
  12.   B Revision History

6.4.7.37 Hardware Redundancy

Hardware redundancy techniques can be applied using hardware, or as a combination of hardware and software, to provide runtime diagnostic. In this implementation, redundant hardware resources are utilized to provide diagnostic coverage for elements within and outside (wiring harness, connectors, and transceiver) the TMS320F28P55x MCU.

In case of peripherals like GPIO, XBAR, PWM, OTTO, DAC, CMPSS, and XINT, hardware redundancy can be implemented by having multichannel parallel outputs (where independent outputs are used for transmitting information and failure detection is carried out using internal or external comparators) or input comparison and voting (comparison of independent inputs to comply with a defined tolerance range, time and value). In such scenarios, the system can be designed so the failure of one input or output does not cause the system to go into a dangerous state. While servicing the error conditions (redundancy conditions), as in two redundant sources tripping the PWM, always read back the status flags and verify that both sources are active while tripping and thus providing latent fault coverage for the trip logic.

In case of peripherals like ADC, ECAP, EQEP, and so forth, hardware redundancy can be implemented by having multiple instances of the peripheral sample the same input and simultaneously perform the same operation followed by a cross check of the output values.

In case of communication peripherals like MCAN, SPI, SCI, and so forth, hardware redundancy during signal reception can be implemented by having multiple instances of the peripheral receive the same data followed by a comparison to verify data integrity. Hardware redundancy during transmission can be employed by having a complete redundant signal path (wiring harness, connectors, and transceiver) from the transmitter to the receiver or by sampling the transmitted data by a redundant peripheral instance followed by a data integrity check.

While implementing hardware redundancy for ADC and DAC modules, additional care must be taken to verify common-cause failures do not impact both instances in the same way. Reference voltage sources, configured for redundant module instances, must be independent. Additionally, ADC SOC trigger sources, used for redundant ADC instances, must be configured to different PWM module instances. In case of a DAC module, the comparator can be implemented using an external device.

While implementing hardware redundancy for the PWM module, TI recommends that the PWM module instance used is part of separate sync chains. This requirement is to avoid a common-cause failure on a sync signal that affects both PWM modules in the same way.

While implementing hardware redundancy for the GPIO module, TI recommends using GPIO pins from different GPIO groups to avoid common-cause failures.