SPRT759A October   2023  – June 2024 F29H850TU , F29H859TU-Q1 , TMS320F280021 , TMS320F280021-Q1 , TMS320F280023 , TMS320F280023-Q1 , TMS320F280023C , TMS320F280025 , TMS320F280025-Q1 , TMS320F280025C , TMS320F280025C-Q1 , TMS320F280033 , TMS320F280034 , TMS320F280034-Q1 , TMS320F280036-Q1 , TMS320F280036C-Q1 , TMS320F280037 , TMS320F280037-Q1 , TMS320F280037C , TMS320F280037C-Q1 , TMS320F280038-Q1 , TMS320F280038C-Q1 , TMS320F280039 , TMS320F280039-Q1 , TMS320F280039C , TMS320F280039C-Q1 , TMS320F280040-Q1 , TMS320F280040C-Q1 , TMS320F280041 , TMS320F280041-Q1 , TMS320F280041C , TMS320F280041C-Q1 , TMS320F280045 , TMS320F280048-Q1 , TMS320F280048C-Q1 , TMS320F280049 , TMS320F280049-Q1 , TMS320F280049C , TMS320F280049C-Q1 , TMS320F28075 , TMS320F28075-Q1 , TMS320F28076 , TMS320F28374D , TMS320F28374S , TMS320F28375D , TMS320F28375S , TMS320F28375S-Q1 , TMS320F28376D , TMS320F28376S , TMS320F28377D , TMS320F28377D-EP , TMS320F28377D-Q1 , TMS320F28377S , TMS320F28377S-Q1 , TMS320F28378D , TMS320F28378S , TMS320F28379D , TMS320F28379D-Q1 , TMS320F28379S , TMS320F28384D , TMS320F28384D-Q1 , TMS320F28384S , TMS320F28384S-Q1 , TMS320F28386D , TMS320F28386D-Q1 , TMS320F28386S , TMS320F28386S-Q1 , TMS320F28388D , TMS320F28388S , TMS320F28P650DH , TMS320F28P650DK , TMS320F28P650SH , TMS320F28P650SK , TMS320F28P659DH-Q1 , TMS320F28P659DK-Q1 , TMS320F28P659SH-Q1

 

  1.   1
  2.   Abstract
  3.   Trademarks
  4.   Introduction
  5.   Overview of IEC 60730 and UL 1998 Classifications
    1.     C2000 Capability by Device Family
  6.   C2000 Safety Collateral
    1.     Getting Started
    2.     Functional Safety Manuals
    3.     Software Collateral
  7.   Implementing Acceptable Measures on C2000 Real-Time MCUs
    1.     Implementation Steps
    2.     Example Mapping
    3.     Additional Best Practices
  8.   Mapping Acceptable Control Measures to C2000 Unique Identifiers
    1.     Unique Identifier Reference
    2.     CPU Related Faults
    3.     Interrupt Related Faults
    4.     Clock Related Faults
    5.     Memory Related Faults
    6.     Internal Data Path Faults
    7.     Input/Output Related Faults
    8.     Communication, Monitoring Devices, and Custom Chip Faults
  9.   Glossary
  10.   References

Overview of IEC 60730 and UL 1998 Classifications

To create a foundation for fault control techniques, both the IEC 60730 and UL 1998 specifications divide products into classes. The class assignment is determined by a hazard and risk analysis applied to the specific control. This analysis is based on both the likelihood of the failure and the resulting consequence of the failure.

IEC 60730 Annex H Figure 1 IEC 60730 Annex H

IEC 60730 defines 3 classes: A, B and C:

  • Class A: controls are not related to safety
  • Class B: controls intended to prevent unsafe operation
  • Class C: controls intended to prevent dangerous hazards

UL 1998 defines two classes: 1 and 2. UL 1998 class 1 is comparable to IEC 60730 class B and UL 1998 class 2 is comparable to IEC 60730 class C. For class definitions and examples, see Table 1.

Table 1 Class Definitions and Examples
Class Definition (1) Examples
IEC 60730 class A "H.2.22.1 class A control function - control functions that are not intended to be relied upon for the safety of the application" Room thermostats, temperature control.
IEC 60730 class B
and
UL 1998 class 1		 "H.2.22.2 class B control function - control functions that are intended to prevent an unsafe state of the appliance. Note: Failure of the control function will not lead directly to a hazardous situation. Thermal cut-out. Door locks for laundry equipment.
"A3.1 Software Class 1: Sections of software intended to control function to reduce the likelihood of a risk associated with the equipment."
IEC 60730 class C
and
UL 1998 class 2		 "H.2.22.3 class C control function - control functions that are intended to prevent special hazards such as explosion or whose failure could directly cause a hazard in the appliance" Automatic burner controls. Thermal cut-outs for a closed water heater system.
"A3.2 Software Class 2 – Sections of software intended to control functions to reduce the likelihood of special risks (for example, explosion) associated with the equipment."
(1) Reference: IEC 60730-1 Annex H and UL 1998 Appendix A

The standards define the components that must be tested along with examples of acceptable measures to detect faults/errors of that component. Depending on the class, the components to test include the CPU, clocks, volatile and non-volatile memory, internal data path, I/O and communication interfaces (Table 2). In general, for each component there are a few types of measures that the developer can choose from to verify/test component functionality. These suggested measures can be:

  • Hardware-based
  • Software-based
  • A combination of both hardware- and software-based

The implementation of IEC 60730 acceptable measures are meant to detect, and prevent, unsafe conditions and hazards associated with the equipment. These requirements are derived from the IEC 61508 standard "Functional safety of electrical/electronic/programmable electronic (E/E/PE) systems." The focus of IEC 61508 is how to apply, design, and maintain automatic protection systems called safety-related systems.

Table 2 Summary of Failure Modes Described by IEC 60730 / UL 1998
Component to be Tested Hardware Fault / Error to Detect (1)
Class B / 1 Class C / 2
1. CPU 1.1 Registers Stuck-at DC fault
1.2 Instruction decode and execution N/A (2) Wrong decode and execution
1.3 Program counter Stuck-at DC fault
1.4 Addressing N/A DC fault
1.5 Data paths N/A DC fault
2. Interrupts None or too frequent None or too frequent related to different sources
3. Clock Wrong frequency Wrong frequency
4. Memory 4.1 Non-volatile All single bit faults All single and double bit errors
4.2 Volatile DC fault DC fault and dynamic cross links
4.3 Addressing Stuck at DC fault
5. Internal data path 5.1 Data Stuck-at DC fault
5.2 Addressing Wrong address Wrong address, multiple addressing
6. External communication 6.1 Data All single-bit and double bit errors All single-bit, double-bit and triple-bit errors
6.2 Addressing Wrong address Wrong and multiple addressing
6.3 Timing Wrong point in time Wrong point in time
Wrong sequence Wrong sequence
7. Input/output periphery 7.1 Digital I/O Open and short circuit or as specified in the product standard Open and short circuit or as specified in the product standard
7.2 Analog I/O
7.2.1 A/D and D/A converter		 Open and short circuit or as specified in the product standard Open and short circuit or as specified in the product standard
7.2 Analog I/O
7.2.2 Analog multiplexer		 Wrong addressing Wrong addressing
8. Monitoring devices and comparators N/A Any output outside the static and dynamic functional specification
9. Components not covered by 1-8.
Custom chips, ASIC, GAL, Gate array		 Any output outside the static and dynamic functional specification Any output outside the static and dynamic functional specification
(1) Reference: IEC 60730-1 Table H.1 and UL 1998 Table A.2
(2) N/A (not applicable): detection of this error/fault is not required by the standards for this specific class.