SPRUID8D September   2020  – January 2022 TMS320F280040-Q1 , TMS320F280040C-Q1 , TMS320F280041 , TMS320F280041-Q1 , TMS320F280041C , TMS320F280041C-Q1 , TMS320F280045 , TMS320F280048-Q1 , TMS320F280048C-Q1 , TMS320F280049 , TMS320F280049-Q1 , TMS320F280049C , TMS320F280049C-Q1

 

  1.   Trademarks
  2. 1Introduction
  3. 2TMS320F28004x Product Safety Capability and Constraints
  4. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  5. 4TMS320F28004x Product Overview
    1. 4.1 C2000 Architecture and Product Overview
      1. 4.1.1 TMS320F28004x MCU
    2. 4.2 Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept With TMS320F28004x MCU
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28004x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 Management of Faults
      6. 4.2.6 Suggestions for Improving Freedom From Interference
      7. 4.2.7 Suggestions for Addressing Common Cause Failures
    3. 4.3 C2000 Safety Diagnostics Libraries
      1. 4.3.1 Assumptions of Use - F28004x Self-Test Libraries
      2. 4.3.2 Operational Details - F28004x Self-Test Libraries
        1. 4.3.2.1 Operational Details – C28x Self-Test Library
        2. 4.3.2.2 Operational Details – CLA Self-Test Library
        3. 4.3.2.3 Operational Details – SDL
      3. 4.3.3 C2000 Safety STL Software Development Flow
      4. 4.3.4 Software Delivery Form (SDF) for STLs
    4. 4.4 TMS320F28004x MCU Safety Implementation
      1. 4.4.1 Assumed Safety Requirements
      2. 4.4.2 Example Safety Concept Implementation Options on TMS320F28004x MCU
        1. 4.4.2.1 Safety Concept Implementation: Option 1
        2. 4.4.2.2 Safety Concept Implementation: Option 2
  6. 5Brief Description of Safety Elements
    1. 5.1 TMS320F28004x MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 Reset
      4. 5.1.4 System Control Module and Configuration Registers
      5. 5.1.5 Efuse Static Configuration
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Enhanced Peripheral Interrupt Expander (ePIE) Module
      4. 5.4.4 Dual Zone Code Security Module (DCSM)
      5. 5.4.5 CrossBar (X-BAR)
      6. 5.4.6 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analogue I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital to Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
      4. 5.6.4 Programmable Gain Amplifier (PGA)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Serial Peripheral Interface (SPI)
      3. 5.7.3 Serial Communication Interface (SCI)
      4. 5.7.4 Inter-Integrated Circuit (I2C)
      5. 5.7.5 Fast Serial Interface (FSI)
      6. 5.7.6 Local Interconnect Network (LIN)
      7. 5.7.7 Power Management Bus Module (PMBus)
  7. 6Brief Description of Diagnostics
    1. 6.1 TMS320F28004x MCU Infrastructure Components
      1. 6.1.1  Clock Integrity Check Using CPU Timer
      2. 6.1.2  Clock Integrity Check Using HRPWM
      3. 6.1.3  EALLOW and MEALLOW Protection for Critical Registers
      4. 6.1.4  Efuse Autoload Self-Test
      5. 6.1.5  Efuse ECC
      6. 6.1.6  Efuse ECC Logic Self-Test
      7. 6.1.7  External Monitoring of Clock via XCLKOUT
      8. 6.1.8  External Monitoring of Warm Reset (XRSn)
      9. 6.1.9  External Voltage Supervisor
      10. 6.1.10 External Watchdog
      11. 6.1.11 Glitch Filtering on Reset Pins
      12. 6.1.12 Hardware Disable of JTAG Port
      13. 6.1.13 Internal Watchdog (WD)
      14. 6.1.14 Lock Mechanism for Control Registers
      15. 6.1.15 Missing Clock Detect (MCD)
      16. 6.1.16 NMIWD Reset Functionality
      17. 6.1.17 NMIWD Shadow Registers
      18. 6.1.18 Multi-Bit Enable Keys for Control Registers
      19. 6.1.19 Online Monitoring of Temperature
      20. 6.1.20 Periodic Software Read Back of Static Configuration Registers
      21. 6.1.21 Peripheral Clock Gating (PCLKCR)
      22. 6.1.22 Peripheral Soft Reset (SOFTPRES)
      23. 6.1.23 PLL Lock Profiling Using On-Chip Timer
      24. 6.1.24 Reset Cause Information
      25. 6.1.25 Software Read Back of Written Configuration
      26. 6.1.26 Software Test of ERRORSTS Functionality
      27. 6.1.27 Software Test of Missing Clock Detect Functionality
      28. 6.1.28 Software Test of Reset
      29. 6.1.29 Software Test of Watchdog (WD) Operation
      30. 6.1.30 Brownout Reset (BOR)
      31. 6.1.31 Dual clock comparator (DCC) - Type0
      32. 6.1.32 Peripheral Access Protection - Type 0
    2. 6.2 Processing Elements
      1. 6.2.1  CLA Handling of Illegal Operation, Illegal Results
      2. 6.2.2  CLA Liveness Check Using CPU
      3. 6.2.3  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      4. 6.2.4  Reciprocal Comparison by Software
      5. 6.2.5  Software Test of CLA
      6. 6.2.6  Software Test of CPU
      7. 6.2.7  Stack Overflow Detection
      8. 6.2.8  VCU CRC Check of Static Memory Contents
      9. 6.2.9  VCU CRC Auto Coverage
      10. 6.2.10 Disabling of Unused CLA Trigger Sources
      11. 6.2.11 Embedded Real Time Analysis and Diagnostic (ERAD) - Type 0
    3. 6.3 Memory (Flash, SRAM and ROM)
      1. 6.3.1  Bit Multiplexing in Flash Memory Array
      2. 6.3.2  Bit Multiplexing in SRAM Memory Array
      3. 6.3.3  Data Scrubbing to Detect/Correct Memory Errors
      4. 6.3.4  Flash ECC
      5. 6.3.5  Flash Program Verify and Erase Verify Check
      6. 6.3.6  Software Test of ECC Logic
      7. 6.3.7  Software Test of Flash Prefetch, Data Cache and Wait-States
      8. 6.3.8  Access Protection Mechanism for Memories
      9. 6.3.9  SRAM ECC
      10. 6.3.10 SRAM Parity
      11. 6.3.11 Software Test of Parity Logic
      12. 6.3.12 Software Test of SRAM
      13. 6.3.13 Background CRC for CLA-PROM (CLAPROMCRC)
      14. 6.3.14 Memory Power-On Self-Test (MPOST)
    4. 6.4 On-Chip Communication Including Bus-Arbitration
      1. 6.4.1  1oo2 Software Voting Using Secondary Free Running Counter
      2. 6.4.2  DMA Overflow Interrupt
      3. 6.4.3  Maintaining Interrupt Handler for Unused Interrupts
      4. 6.4.4  Power-Up Pre-Operational Security Checks
      5. 6.4.5  Majority Voting and Error Detection of Link Pointer
      6. 6.4.6  PIE Double SRAM Hardware Comparison
      7. 6.4.7  PIE Double SRAM Comparison Check
      8. 6.4.8  Software Check of X-BAR Flag
      9. 6.4.9  Software Test of ePIE Operation Including Error Tests
      10. 6.4.10 Disabling of Unused DMA Trigger Sources
    5. 6.5 Digital I/O
      1. 6.5.1  eCAP Application Level Safety Mechanism
      2. 6.5.2  ePWM Application Level Safety Mechanism
      3. 6.5.3  ePWM Fault Detection Using X-BAR
      4. 6.5.4  ePWM Synchronization Check
      5. 6.5.5  eQEP Application Level Safety Mechanism
      6. 6.5.6  eQEP Quadrature Watchdog
      7. 6.5.7  eQEP Software Test of Quadrature Watchdog Functionality
      8. 6.5.8  Hardware Redundancy
      9. 6.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
      10. 6.5.10 Information Redundancy Techniques
      11. 6.5.11 Monitoring of ePWM by eCAP
      12. 6.5.12 Monitoring of ePWM by ADC
      13. 6.5.13 Online Monitoring of Periodic Interrupts and Events
      14. 6.5.14 SDFM Comparator Filter for Online Monitoring - Type 0
      15. 6.5.15 SD Modulator Clock Fail Detection Mechanism
      16. 6.5.16 Software Test of Function Including Error Tests
      17. 6.5.17 Monitoring of HRPWM by HRCAP
      18. 6.5.18 HRCAP Calibration Logic Test Feature
      19. 6.5.19 QMA Error Detection Logic
    6. 6.6 Analogue I/O
      1. 6.6.1  ADC Information Redundancy Techniques
      2. 6.6.2  ADC Input Signal Integrity Check
      3. 6.6.3  ADC Signal Quality Check by Varying Acquisition Window
      4. 6.6.4  CMPSS Ramp Generator Functionality Check
      5. 6.6.5  DAC to ADC Loopback Check
      6. 6.6.6  DAC to Comparator Loopback Check
      7. 6.6.7  PGA to ADC Loopback Test
      8. 6.6.8  Opens/Shorts Detection Circuit for ADC
      9. 6.6.9  VDAC Conversion by ADC
      10. 6.6.10 Disabling Unused Sources of SOC Inputs to ADC
    7. 6.7 Data Transmission
      1. 6.7.1  Information Redundancy Techniques Including End-to-End Safing
      2. 6.7.2  Bit Error Detection
      3. 6.7.3  CRC in Message
      4. 6.7.4  DCAN Acknowledge Error Detection
      5. 6.7.5  DCAN Form Error Detection
      6. 6.7.6  DCAN Stuff Error Detection
      7. 6.7.7  I2C Access Latency Profiling Using On-Chip Timer
      8. 6.7.8  I2C Data Acknowledge Check
      9. 6.7.9  Parity in Message
      10. 6.7.10 SCI Break Error Detection
      11. 6.7.11 Frame Error Detection
      12. 6.7.12 Overrun Error Detection
      13. 6.7.13 Software Test of Function Using I/O Loopback
      14. 6.7.14 SPI Data Overrun Detection
      15. 6.7.15 Transmission Redundancy
      16. 6.7.16 FSI Data Overrun/Underrun Detection
      17. 6.7.17 FSI Frame Overrun Detection
      18. 6.7.18 FSI CRC Framing Checks
      19. 6.7.19 FSI ECC Framing Checks
      20. 6.7.20 FSI Frame Watchdog
      21. 6.7.21 FSI RX Ping Watchdog
      22. 6.7.22 FSI Tag Monitor
      23. 6.7.23 FSI Frame Type Error Detection
      24. 6.7.24 FSI End of Frame Error Detection
      25. 6.7.25 FSI Register Protection Mechanisms
      26. 6.7.26 LIN Physical Bus Error Detection
      27. 6.7.27 LIN No-Response Error Detection
      28. 6.7.28 LIN Checksum Error Detection
      29. 6.7.29 Data Parity Error Detection
      30. 6.7.30 LIN ID Parity Error Detection
      31. 6.7.31 PMBus Protocol CRC in Message
      32. 6.7.32 Clock Timeout
      33. 6.7.33 Communication Access Latency Profiling Using On-Chip Timer
  8. 7References
  9.   A Safety Architecture Configurations
  10.   B Distributed Developments
    1.     B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided
  11.   C Terms and Definitions
  12.   D Summary of Safety Features and Diagnostics
  13.   E Glossary
  14.   Revision History

4.2.6 Suggestions for Improving Freedom From Interference

The following techniques and safety measures shall be used as applicable for improving independence of function  when using the TMS320F28004x MCU:

  1. Hold peripherals clocks disabled if the available peripherals are unused (CLK14-Peripheral Clock Gating (PCLKCR)).
  2. Hold peripherals in reset if the available peripherals are unused (RST9-Peripheral Soft Reset (SOFTPRES)).
  3. When possible, separate critical I/O functions by using non adjacent I/O pins/balls.
  4. Partition the memory as per the application requirements to respective processing units and configure the Access Protection Mechanism for Memories, for each memory instance such that only the permitted masters have access to memory.
  5. The Dual Code Security Module (DCSM) can be used for functional safety where functions with different safety integrity levels can be executed from different security zones (zone1, zone2, and unsecured zone), acting as firewalls and thus mitigating the risk due to interference from one secure zone to another. For more information, see Achieving Coexistence of Safety Functions for EV/HEV Using C2000™ MCUs
  6. TMS320F28004x supports SYS10-Peripheral access protection - Type 0. After programming peripheral access protection registers, each master can exclusively control the peripheral to safeguard usage by particular application against errant writes or corruption by other masters in the system. This is enabled using the dedicated access control bits per peripheral which allow or protect against the access from given master. Each peripheral has two bit qualifier per master to decode the access allowed. For more details, see the PERIPH_AC_REGS Registers in TMS320F28004x Technical Reference Manual.
  7. ADC11-Disabling Unused Sources of SOC Inputs to ADC can help avoid interference from unused peripherals to disturb functionality of ADC.
  8. DMA9-Disabling of Unused DMA Trigger Sources will help minimize interference caused by unintentional DMA transfers.
  9. CLA11-Disabling of Unused CLA Trigger Sources will mitigate risk of interference caused due to the trigger events.
  10. To avoid interference from spurious activity on MCU’s debug port, JTAG1-Hardware Disable of JTAG Port can be used.
  11. Safety applications running on the CPU can be interfered by unintentional faulty interrupt events to PIE module. PIE7-Maintaining Interrupt Handler for Unused Interrupts and PIE8-Online Monitoring of Interrupts and Events will detect such interfering failures.
  12. MCU resources in supporting CPU execution such as memory, interrupt controller, and so forth could be impacted by resources from lower safety integrity safety functions coexisting on same MCU. Safety mechanisms such as SRAM11-Access Protection Mechanism for Memories, SRAM16–Information Redundancy Techniques, SRAM17-CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping will be able to detect such interference.
  13. Critical configuration registers could be victim of interference from bus masters on MCU which implements lower safety integrity functions. These can be protected by SYS1-Multi-Bit Enable Keys for Control Registers, SYS2-Lock Mechanism for Control Registers, SYS8-EALLOW and MEALLOW Protection for Critical Registers.