SFFS889 July   2024 TMS320F2800132 , TMS320F2800133 , TMS320F2800135 , TMS320F2800137

 

  1.   1
  2.   Trademarks
  3. 1Introduction
  4. 2TMS320F280013x Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4Component Overview
    1. 4.1 Targeted Applications
      1. 4.1.1 TMS320F280013x MCU
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 TMS320F280013x MCU Safety Features
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F280013x MCU Safe State
      4. 4.2.4 Operating States
    3. 4.3 Hardware Component Configuration
      1. 4.3.1 Assumptions of Use - F280013x Self-Test Libraries
      2. 4.3.2 Operational Details - SDL
        1. 4.3.2.1 Operational Details – SDL Module Mapping
    4. 4.4 TMS320F280013x MCU Safety Implementation
      1. 4.4.1 Assumptions of Use
      2. 4.4.2 Example Safety Concept Implementation Options on TMS320F280013x MCU
  7. 5Description of Safety Elements
    1. 5.1 TMS320F280013x MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Enhanced Peripheral Interrupt Expander (ePIE) Module
      3. 5.4.3 Dual Zone Code Security Module (DCSM)
      4. 5.4.4 Crossbar (X-BAR)
      5. 5.4.5 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
      6. 5.5.6 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Serial Peripheral Interface (SPI)
      3. 5.7.3 Serial Communication Interface (SCI)
      4. 5.7.4 Inter-Integrated Circuit (I2C)
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
      1. 6.1.1 Suggestions for Improving Freedom From Interference
      2. 6.1.2 Suggestions for Addressing Common Cause Failures
    2. 6.2 Functional Safety Mechanism
    3. 6.3 Description of Functional Safety Mechanisms
      1. 6.3.1 TMS320F280013x MCU Infrastructure Components
        1. 6.3.1.1  Clock Integrity Check Using DCC
        2. 6.3.1.2  Clock Integrity Check Using CPU Timer
        3. 6.3.1.3  Clock Integrity Check Using HRPWM
        4. 6.3.1.4  EALLOW Protection for Critical Registers
        5. 6.3.1.5  External Monitoring of Clock via XCLKOUT
        6. 6.3.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.3.1.7  External Voltage Supervisor
        8. 6.3.1.8  External Watchdog
        9. 6.3.1.9  Glitch Filtering on Reset Pins
        10. 6.3.1.10 Hardware Disable of JTAG Port
        11. 6.3.1.11 Lockout of JTAG Access Using OTP
        12. 6.3.1.12 Internal Watchdog (WD)
        13. 6.3.1.13 Lock Mechanism for Control Registers
        14. 6.3.1.14 Missing Clock Detect (MCD)
        15. 6.3.1.15 NMIWD Reset Functionality
        16. 6.3.1.16 NMIWD Shadow Registers
        17. 6.3.1.17 Multi-Bit Enable Keys for Control Registers
        18. 6.3.1.18 Online Monitoring of Temperature
        19. 6.3.1.19 Periodic Software Read Back of Static Configuration Registers
        20. 6.3.1.20 Peripheral Clock Gating (PCLKCR)
        21. 6.3.1.21 Peripheral Soft Reset (SOFTPRES)
        22. 6.3.1.22 Software Test of Reset - Type 1
        23. 6.3.1.23 PLL Lock Profiling Using On-Chip Timer
        24. 6.3.1.24 Reset Cause Information
        25. 6.3.1.25 Software Read Back of Written Configuration
        26. 6.3.1.26 Software Test of ERRORSTS Functionality
        27. 6.3.1.27 Software Test of Missing Clock Detect Functionality
        28. 6.3.1.28 Software Test of Watchdog (WD) Operation
        29. 6.3.1.29 Dual-Clock Comparator (DCC) - Type 2
        30. 6.3.1.30 PLL Lock Indication
        31. 6.3.1.31 Software Test of DCC Functionality Including Error Tests
        32. 6.3.1.32 Software Test of PLL Functionality Including Error Tests
        33. 6.3.1.33 Interleaving of FSM States
        34. 6.3.1.34 Brownout Reset (BOR)
      2. 6.3.2 Processing Elements
        1. 6.3.2.1 CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
        2. 6.3.2.2 Stack Overflow Detection
        3. 6.3.2.3 CRC Check of Static Memory Contents
      3. 6.3.3 Memory (Flash, SRAM and ROM)
        1. 6.3.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.3.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.3.3.3  Data Scrubbing to Detect/Correct Memory Errors
        4. 6.3.3.4  Flash ECC
        5. 6.3.3.5  Flash Program Verify and Erase Verify Check
        6. 6.3.3.6  Flash Program/Erase Protection
        7. 6.3.3.7  Flash Wrapper Error and Status Reporting
        8. 6.3.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.3.3.9  On-Demand Software Program Verify and Blank Check
        10. 6.3.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.3.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.3.3.12 Auto ECC Generation Override
        13. 6.3.3.13 Software Test of ECC Logic
        14. 6.3.3.14 Software Test of Flash Prefetch, Data Cache, and Wait-States
        15. 6.3.3.15 Access Protection Mechanism for Memories
        16. 6.3.3.16 SRAM ECC
        17. 6.3.3.17 SRAM Parity
        18. 6.3.3.18 Software Test of Parity Logic
        19. 6.3.3.19 Software Test of SRAM
        20. 6.3.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.3.3.21 ROM Parity
      4. 6.3.4 On-Chip Communication Including Bus-Arbitration
        1. 6.3.4.1 1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.3.4.2 Maintaining Interrupt Handler for Unused Interrupts
        3. 6.3.4.3 Power-Up Pre-Operational Security Checks
        4. 6.3.4.4 Majority Voting and Error Detection of Link Pointer
        5. 6.3.4.5 Software Check of X-BAR Flag
        6. 6.3.4.6 Software Test of ePIE Operation Including Error Tests
      5. 6.3.5 Digital I/O
        1. 6.3.5.1  eCAP Application Level Safety Mechanism
        2. 6.3.5.2  ePWM Application Level Safety Mechanism
        3. 6.3.5.3  ePWM Fault Detection Using X-BAR
        4. 6.3.5.4  ePWM Synchronization Check
        5. 6.3.5.5  eQEP Application Level Safety Mechanism
        6. 6.3.5.6  eQEP Quadrature Watchdog
        7. 6.3.5.7  eQEP Software Test of Quadrature Watchdog Functionality
        8. 6.3.5.8  Hardware Redundancy
        9. 6.3.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
        10. 6.3.5.10 Information Redundancy Techniques
        11. 6.3.5.11 Monitoring of ePWM by eCAP
        12. 6.3.5.12 Monitoring of ePWM by ADC
        13. 6.3.5.13 Online Monitoring of Periodic Interrupts and Events
        14. 6.3.5.14 Software Test of Function Including Error Tests
        15. 6.3.5.15 QMA Error Detection Logic
      6. 6.3.6 Analog I/O
        1. 6.3.6.1 ADC Information Redundancy Techniques
        2. 6.3.6.2 ADC Input Signal Integrity Check
        3. 6.3.6.3 ADC Signal Quality Check by Varying Acquisition Window
        4. 6.3.6.4 CMPSS Ramp Generator Functionality Check
        5. 6.3.6.5 DAC to ADC Loopback Check
        6. 6.3.6.6 Opens/Shorts Detection Circuit for ADC
        7. 6.3.6.7 Disabling Unused Sources of SOC Inputs to ADC
      7. 6.3.7 Data Transmission
        1. 6.3.7.1  Information Redundancy Techniques Including End-to-End Safing
        2. 6.3.7.2  Bit Error Detection
        3. 6.3.7.3  CRC in Message
        4. 6.3.7.4  DCAN Acknowledge Error Detection
        5. 6.3.7.5  DCAN Form Error Detection
        6. 6.3.7.6  DCAN Stuff Error Detection
        7. 6.3.7.7  Software Test of Function Including Error Tests Using EPG
        8. 6.3.7.8  I2C Access Latency Profiling Using On-Chip Timer
        9. 6.3.7.9  I2C Data Acknowledge Check
        10. 6.3.7.10 Parity in Message
        11. 6.3.7.11 SCI Break Error Detection
        12. 6.3.7.12 Frame Error Detection
        13. 6.3.7.13 Overrun Error Detection
        14. 6.3.7.14 Software Test of Function Using I/O Loopback
        15. 6.3.7.15 SPI Data Overrun Detection
        16. 6.3.7.16 Transmission Redundancy
  9.   A Summary of Safety Features and Diagnostics
  10.   B References

6.1 Fault Reporting

The TMS320F280013x MCU product architecture provides different levels of fault indication from internal safety mechanisms using CPU interrupt, non maskable interrupt (NMI), assertion of ERRORSTS pin, assertion of CPU input reset, and assertion of warm reset (XRSn). The fault response is the action that is taken by the TMS320F280013x MCU or system when a fault is indicated. Multiple potential fault responses are possible during a fault indication. The system integrator is responsible to determine which fault response must be taken to verify consistency with the system safety concept. The fault indication ordered in terms of severity (device power down being the most severe) is shown in Figure 6-1.

Fault Response SeverityFigure 6-1 Fault Response Severity
  • Device powerdown: This is the highest priority fault response where the external component (see Section 4.4.1) detects malfunctioning of the device, or other system components, and powers down the TMS320F280013x MCU. From this state, re-entering cold boot to attempt recovery is possible.
  • Assertion of XRSn: The XRSn reset can be generated from an internal or external monitor that detects a critical fault having the potential to violate a safety goal. Internal sources generate this fault response when the TMS320F280013x MCU is not able to handle the internal fault condition by itself (for example, CPU1,or controller CPU, is not able to handle NMI by itself). From this state, re-entering cold boot to attempt recovery is possible.
  • Assertion of CPU reset: CPU reset changes the state of the CPU from a pre-operational, or operational, state to warm-boot phase. The CPU reset is generated from an internal monitor that detects any security violations. Security violations can be the effect of a fault condition.
  • Non maskable interrupt (NMI) and assertion of ERRORSTS pin: C28x CPU supports a non maskable interrupt (NMI), which has a higher priority than all other interrupts. The TMS320F280013x MCU is equipped with a NMIWD module responsible for generating NMI to the C28x CPU. ERRORSTS pin is also asserted with NMI. Depending on the system level requirements, the fault can be handled either internal to the TMS320F280013x MCU using software or at the system level using the ERRORSTS pin information.
  • CPU interrupt: CPU interrupt allows events external to the CPU to generate a program-sequence, context transfer to an interrupt handler where software has an opportunity to manage the fault. The peripheral interrupt expansion (PIE) block multiplexes multiple interrupt sources into a smaller set of CPU interrupt inputs.