SFFS889, July 2024
TMS320F2800132, TMS320F2800133, TMS320F2800135, TMS320F2800137
Table of Contents

1 Trademarks
2 Introduction
3 TI Development Process for Management of Systematic Faults
    3.1 TI New-Product Development Process
    3.2 TI Functional Safety Development Process
4 Component Overview
    4.1 Targeted Applications
        4.1.1 TMS320F280013x MCU
    4.2 Hardware Component Functional Safety Concept
        4.2.1 TMS320F280013x MCU Safety Features
        4.2.2 Fault Tolerant Time Interval (FTTI)
        4.2.3 TMS320F280013x MCU Safe State
        4.2.4 Operating States
    4.3 Hardware Component Configuration
        4.3.1 Assumptions of Use - F280013x Self-Test Libraries
        4.3.2 Operational Details - SDL
            4.3.2.1 Operational Details - SDL Module Mapping
    4.4 TMS320F280013x MCU Safety Implementation
        4.4.1 Assumptions of Use
        4.4.2 Example Safety Concept Implementation Options on TMS320F280013x MCU
5 Description of Safety Elements
    5.1 TMS320F280013x MCU Infrastructure Components
        5.1.1 Power Supply
        5.1.2 Clock
        5.1.3 APLL
        5.1.4 Reset
        5.1.5 System Control Module and Configuration Registers
        5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    5.2 Processing Elements
        5.2.1 C28x Central Processing Unit (CPU)
    5.3 Memory (Flash, SRAM and ROM)
        5.3.1 Embedded Flash Memory
        5.3.2 Embedded SRAM
        5.3.3 Embedded ROM
    5.4 On-Chip Communication Including Bus Arbitration
        5.4.1 Device Interconnect
        5.4.2 Enhanced Peripheral Interrupt Expander (ePIE) Module
        5.4.3 Dual Zone Code Security Module (DCSM)
        5.4.4 Crossbar (X-BAR)
        5.4.5 Timer
    5.5 Digital I/O
        5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
        5.5.2 Enhanced Pulse Width Modulators (ePWM)
        5.5.3 High Resolution PWM (HRPWM)
        5.5.4 Enhanced Capture (eCAP)
        5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
        5.5.6 External Interrupt (XINT)
    5.6 Analog I/O
        5.6.1 Analog-to-Digital Converter (ADC)
        5.6.2 Comparator Subsystem (CMPSS)
    5.7 Data Transmission
        5.7.1 Controller Area Network (DCAN)
        5.7.2 Serial Peripheral Interface (SPI)
        5.7.3 Serial Communication Interface (SCI)
        5.7.4 Inter-Integrated Circuit (I2C)
6 Management of Random Faults
    6.1 Fault Reporting
        6.1.1 Suggestions for Improving Freedom From Interference
        6.1.2 Suggestions for Addressing Common Cause Failures
    6.2 Functional Safety Mechanism
    6.3 Description of Functional Safety Mechanisms
        6.3.1 TMS320F280013x MCU Infrastructure Components
            6.3.1.1 Clock Integrity Check Using DCC
            6.3.1.2 Clock Integrity Check Using CPU Timer
            6.3.1.3 Clock Integrity Check Using HRPWM
            6.3.1.4 EALLOW Protection for Critical Registers
            6.3.1.5 External Monitoring of Clock via XCLKOUT
            6.3.1.6 External Monitoring of Warm Reset (XRSn)
            6.3.1.7 External Voltage Supervisor
            6.3.1.8 External Watchdog
            6.3.1.9 Glitch Filtering on Reset Pins
            6.3.1.10 Hardware Disable of JTAG Port
            6.3.1.11 Lockout of JTAG Access Using OTP
            6.3.1.12 Internal Watchdog (WD)
            6.3.1.13 Lock Mechanism for Control Registers
            6.3.1.14 Missing Clock Detect (MCD)
            6.3.1.15 NMIWD Reset Functionality
            6.3.1.16 NMIWD Shadow Registers
            6.3.1.17 Multi-Bit Enable Keys for Control Registers
            6.3.1.18 Online Monitoring of Temperature
            6.3.1.19 Periodic Software Read Back of Static Configuration Registers
            6.3.1.20 Peripheral Clock Gating (PCLKCR)
            6.3.1.21 Peripheral Soft Reset (SOFTPRES)
            6.3.1.22 Software Test of Reset - Type 1
            6.3.1.23 PLL Lock Profiling Using On-Chip Timer
            6.3.1.24 Reset Cause Information
            6.3.1.25 Software Read Back of Written Configuration
            6.3.1.26 Software Test of ERRORSTS Functionality
            6.3.1.27 Software Test of Missing Clock Detect Functionality
            6.3.1.28 Software Test of Watchdog (WD) Operation
            6.3.1.29 Dual-Clock Comparator (DCC) - Type 2
            6.3.1.30 PLL Lock Indication
            6.3.1.31 Software Test of DCC Functionality Including Error Tests
            6.3.1.32 Software Test of PLL Functionality Including Error Tests
            6.3.1.33 Interleaving of FSM States
            6.3.1.34 Brownout Reset (BOR)
        6.3.2 Processing Elements
            6.3.2.1 CPU Handling of Illegal Operation, Illegal Results, and Instruction Trapping
            6.3.2.2 Stack Overflow Detection
            6.3.2.3 CRC Check of Static Memory Contents
        6.3.3 Memory (Flash, SRAM and ROM)
            6.3.3.1 Bit Multiplexing in Flash Memory Array
            6.3.3.2 Bit Multiplexing in SRAM Memory Array
            6.3.3.3 Data Scrubbing to Detect/Correct Memory Errors
            6.3.3.4 Flash ECC
            6.3.3.5 Flash Program Verify and Erase Verify Check
            6.3.3.6 Flash Program/Erase Protection
            6.3.3.7 Flash Wrapper Error and Status Reporting
            6.3.3.8 Prevent 0 to 1 Transition Using Program Command
            6.3.3.9 On-Demand Software Program Verify and Blank Check
            6.3.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
            6.3.3.11 ECC Generation and Checker Logic is Separate in Hardware
            6.3.3.12 Auto ECC Generation Override
            6.3.3.13 Software Test of ECC Logic
            6.3.3.14 Software Test of Flash Prefetch, Data Cache, and Wait-States
            6.3.3.15 Access Protection Mechanism for Memories
            6.3.3.16 SRAM ECC
            6.3.3.17 SRAM Parity
            6.3.3.18 Software Test of Parity Logic
            6.3.3.19 Software Test of SRAM
            6.3.3.20 Memory Power-On Self-Test (MPOST)
            6.3.3.21 ROM Parity
        6.3.4 On-Chip Communication Including Bus-Arbitration
            6.3.4.1 1oo2 Software Voting Using Secondary Free Running Counter
            6.3.4.2 Maintaining Interrupt Handler for Unused Interrupts
            6.3.4.3 Power-Up Pre-Operational Security Checks
            6.3.4.4 Majority Voting and Error Detection of Link Pointer
            6.3.4.5 Software Check of X-BAR Flag
            6.3.4.6 Software Test of ePIE Operation Including Error Tests
        6.3.5 Digital I/O
            6.3.5.1 eCAP Application Level Safety Mechanism
            6.3.5.2 ePWM Application Level Safety Mechanism
            6.3.5.3 ePWM Fault Detection Using X-BAR
            6.3.5.4 ePWM Synchronization Check
            6.3.5.5 eQEP Application Level Safety Mechanism
            6.3.5.6 eQEP Quadrature Watchdog
            6.3.5.7 eQEP Software Test of Quadrature Watchdog Functionality
            6.3.5.8 Hardware Redundancy
            6.3.5.9 HRPWM Built-In Self-Check and Diagnostic Capabilities
            6.3.5.10 Information Redundancy Techniques
            6.3.5.11 Monitoring of ePWM by eCAP
            6.3.5.12 Monitoring of ePWM by ADC
            6.3.5.13 Online Monitoring of Periodic Interrupts and Events
            6.3.5.14 Software Test of Function Including Error Tests
            6.3.5.15 QMA Error Detection Logic
        6.3.6 Analog I/O
            6.3.6.1 ADC Information Redundancy Techniques
            6.3.6.2 ADC Input Signal Integrity Check
            6.3.6.3 ADC Signal Quality Check by Varying Acquisition Window
            6.3.6.4 CMPSS Ramp Generator Functionality Check
            6.3.6.5 DAC to ADC Loopback Check
            6.3.6.6 Opens/Shorts Detection Circuit for ADC
            6.3.6.7 Disabling Unused Sources of SOC Inputs to ADC
        6.3.7 Data Transmission
            6.3.7.1 Information Redundancy Techniques Including End-to-End Safing
            6.3.7.2 Bit Error Detection
            6.3.7.3 CRC in Message
            6.3.7.4 DCAN Acknowledge Error Detection
            6.3.7.5 DCAN Form Error Detection
            6.3.7.6 DCAN Stuff Error Detection
            6.3.7.7 Software Test of Function Including Error Tests Using EPG
            6.3.7.8 I2C Access Latency Profiling Using On-Chip Timer
            6.3.7.9 I2C Data Acknowledge Check
            6.3.7.10 Parity in Message
            6.3.7.11 SCI Break Error Detection
            6.3.7.12 Frame Error Detection
            6.3.7.13 Overrun Error Detection
            6.3.7.14 Software Test of Function Using I/O Loopback
            6.3.7.15 SPI Data Overrun Detection
            6.3.7.16 Transmission Redundancy
A Summary of Safety Features and Diagnostics
B References
5.7 Data Transmission