SPRUIT5 April   2021 TMS320F280021 , TMS320F280021-Q1 , TMS320F280023 , TMS320F280023-Q1 , TMS320F280023C , TMS320F280025 , TMS320F280025-Q1 , TMS320F280025C , TMS320F280025C-Q1

 

  1.   Trademarks
  2. 1Introduction
  3. 2TMS320F28002x Product Safety Capability and Constraints
  4. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Safety Development Process
  5. 4TMS320F28002x Product Overview
    1. 4.1 C2000 Architecture and Product Overview
      1. 4.1.1 TMS320F28002x MCU
    2. 4.2 Functional Safety Concept
      1. 4.2.1 TMS320F28002x MCU Safety Features
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28002x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 Management of Faults
      6. 4.2.6 Suggestions for Improving Freedom From Interference
      7. 4.2.7 Suggestions for Addressing Common Cause Failures
    3. 4.3 C2000 Safety Diagnostics Libraries
    4. 4.4 TMS320F28002x MCU Safety Implementation
      1. 4.4.1 Assumed Safety Requirements
        1. 4.4.1.1 Example Safety Concept Implementation Options on TMS320F28002x MCU
          1. 4.4.1.1.1 Safety Concept Implementation
  6. 5Brief Description of Safety Elements
    1. 5.1 TMS320F28002x MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 System PLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 Efuse Static Configuration
      7. 5.1.7 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Diagnostics for CPU
      3. 5.2.3 Floating Point Unit (FPU)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Diagnostics for Embedded Flash
      3. 5.3.3 Embedded SRAM
      4. 5.3.4 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Enhanced Peripheral Interrupt Expander (ePIE) Module
      4. 5.4.4 Dual Zone Code Security Module (DCSM)
      5. 5.4.5 CrossBar (X-BAR)
      6. 5.4.6 Timer
      7. 5.4.7 Configurable Logic Block
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Serial Peripheral Interface (SPI)
      3. 5.7.3 Serial Communication Interface (SCI)
      4. 5.7.4 Inter-Integrated Circuit (I2C)
      5. 5.7.5 Fast Serial Interface (FSI)
      6. 5.7.6 Local Interconnect Network (LIN)
      7. 5.7.7 Power Management Bus Module (PMBus)
      8. 5.7.8 Host Interface Controller (HIC)
  7. 6Brief Description of Diagnostics
    1. 6.1 TMS320F28002x MCU Infrastructure Components
      1. 6.1.1  Clock Integrity Check Using CPU Timer
      2. 6.1.2  Clock Integrity Check Using HRPWM
      3. 6.1.3  Clock Integrity Check Using DCC
      4. 6.1.4  EALLOW Protection for Critical Registers
      5. 6.1.5  Efuse Autoload Self-Test
      6. 6.1.6  Efuse ECC
      7. 6.1.7  Efuse ECC Logic Self-Test
      8. 6.1.8  External Monitoring of Clock via XCLKOUT
      9. 6.1.9  External Monitoring of Warm Reset (XRSn)
      10. 6.1.10 External Voltage Supervisor
      11. 6.1.11 External Watchdog
      12. 6.1.12 Glitch Filtering on Reset Pins
      13. 6.1.13 Hardware Disable of JTAG Port
      14. 6.1.14 Internal Watchdog (WD)
      15. 6.1.15 Lock Mechanism for Control Registers
      16. 6.1.16 Missing Clock Detect (MCD)
      17. 6.1.17 NMIWD Reset Functionality
      18. 6.1.18 NMIWD Shadow Registers
      19. 6.1.19 Multi-Bit Enable Keys for Control Registers
      20. 6.1.20 Online Monitoring of Temperature
      21. 6.1.21 Periodic Software Read Back of Static Configuration Registers
      22. 6.1.22 Peripheral Clock Gating (PCLKCR)
      23. 6.1.23 Peripheral Soft Reset (SOFTPRES)
      24. 6.1.24 PLL Lock Profiling Using On-Chip Timer
      25. 6.1.25 PLL lock indication
      26. 6.1.26 Reset Cause Information
      27. 6.1.27 Software Read Back of Written Configuration
      28. 6.1.28 Software Test of ERRORSTS Functionality
      29. 6.1.29 Software Test of Missing Clock Detect Functionality
      30. 6.1.30 Software test of DCC functionality including error tests
      31. 6.1.31 Interleaving of FSM states
      32. 6.1.32 Software Test of Reset
      33. 6.1.33 Software Test of Watchdog (WD) Operation
      34. 6.1.34 Brownout Reset (BOR)
      35. 6.1.35 Dual clock comparator (DCC) - Type 2
    2. 6.2 Processing Elements
      1. 6.2.1  CPU Hardware Built-In Self-Test (HWBIST)
      2. 6.2.2  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
      3. 6.2.3  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
      4. 6.2.4  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
      5. 6.2.5  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      6. 6.2.6  Stack Overflow Detection
      7. 6.2.7  VCRC Check of Static Memory Contents
      8. 6.2.8  VCRC Auto Coverage
      9. 6.2.9  Embedded Real Time Analysis and Diagnostic (ERAD)
      10. 6.2.10 Inbuilt hardware redundancy in ERAD bus comparator module
    3. 6.3 Memory (Flash, SRAM and ROM)
      1. 6.3.1  Bit Multiplexing in Flash Memory Array
      2. 6.3.2  Bit Multiplexing in SRAM Memory Array
      3. 6.3.3  Data Scrubbing to Detect/Correct Memory Errors
      4. 6.3.4  Flash ECC
      5. 6.3.5  Flash Program Verify and Erase Verify Check
      6. 6.3.6  Software Test of ECC Logic
      7. 6.3.7  Software Test of Flash Prefetch, Data Cache and Wait-States
      8. 6.3.8  Access Protection Mechanism for Memories
      9. 6.3.9  SRAM ECC
      10. 6.3.10 SRAM Parity
      11. 6.3.11 Software Test of Parity Logic
      12. 6.3.12 Software Test of SRAM
      13. 6.3.13 Memory Power-On Self-Test (MPOST)
      14. 6.3.14 Background CRC
      15. 6.3.15 Watchdog for Background CRC
    4. 6.4 On-Chip Communication Including Bus-Arbitration
      1. 6.4.1  1oo2 Software Voting Using Secondary Free Running Counter
      2. 6.4.2  DMA Overflow Interrupt
      3. 6.4.3  Maintaining Interrupt Handler for Unused Interrupts
      4. 6.4.4  Power-Up Pre-Operational Security Checks
      5. 6.4.5  Majority Voting and Error Detection of Link Pointer
      6. 6.4.6  PIE Double SRAM Hardware Comparison
      7. 6.4.7  PIE Double SRAM Comparison Check
      8. 6.4.8  Software Check of X-BAR Flag
      9. 6.4.9  Software Test of ePIE Operation Including Error Tests
      10. 6.4.10 Disabling of Unused DMA Trigger Sources
      11. 6.4.11 Software Test of CLB Function Including Error Tests
      12. 6.4.12 Monitoring of CLB by eCAP or eQEP
      13. 6.4.13 Periodic Software Read Back of SPI Buffer
      14. 6.4.14 Timeout detection through ERAD counter
    5. 6.5 Digital I/O
      1. 6.5.1  eCAP Application Level Safety Mechanism
      2. 6.5.2  ePWM Application Level Safety Mechanism
      3. 6.5.3  ePWM Fault Detection Using X-BAR
      4. 6.5.4  ePWM Synchronization Check
      5. 6.5.5  eQEP Application Level Safety Mechanism
      6. 6.5.6  eQEP Quadrature Watchdog
      7. 6.5.7  eQEP Software Test of Quadrature Watchdog Functionality
      8. 6.5.8  Hardware Redundancy
      9. 6.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
      10. 6.5.10 Information Redundancy Techniques
      11. 6.5.11 Monitoring of ePWM by eCAP
      12. 6.5.12 Monitoring of ePWM by ADC
      13. 6.5.13 Online Monitoring of Periodic Interrupts and Events
      14. 6.5.14 SD Modulator Clock Fail Detection Mechanism
      15. 6.5.15 Software Test of Function Including Error Tests
      16. 6.5.16 Monitoring of HRPWM by HRCAP
      17. 6.5.17 HRCAP Calibration Logic Test Feature
      18. 6.5.18 QMA Error Detection Logic
    6. 6.6 Analog I/O
      1. 6.6.1 ADC Information Redundancy Techniques
      2. 6.6.2 ADC Input Signal Integrity Check
      3. 6.6.3 ADC Signal Quality Check by Varying Acquisition Window
      4. 6.6.4 CMPSS Ramp Generator Functionality Check
      5. 6.6.5 DAC to ADC Loopback Check
      6. 6.6.6 Opens/Shorts Detection Circuit for ADC
      7. 6.6.7 VDAC Conversion by ADC
      8. 6.6.8 Disabling Unused Sources of SOC Inputs to ADC
    7. 6.7 Data Transmission
      1. 6.7.1  Information Redundancy Techniques Including End-to-End Safing
      2. 6.7.2  Bit Error Detection
      3. 6.7.3  CRC in Message
      4. 6.7.4  DCAN Acknowledge Error Detection
      5. 6.7.5  DCAN Form Error Detection
      6. 6.7.6  DCAN Stuff Error Detection
      7. 6.7.7  I2C Access Latency Profiling Using On-Chip Timer
      8. 6.7.8  I2C Data Acknowledge Check
      9. 6.7.9  Parity in Message
      10. 6.7.10 SCI Break Error Detection
      11. 6.7.11 Frame Error Detection
      12. 6.7.12 Overrun Error Detection
      13. 6.7.13 Software Test of Function Using I/O Loopback
      14. 6.7.14 SPI Data Overrun Detection
      15. 6.7.15 Transmission Redundancy
      16. 6.7.16 FSI Data Overrun/Underrun Detection
      17. 6.7.17 FSI Frame Overrun Detection
      18. 6.7.18 FSI CRC Framing Checks
      19. 6.7.19 FSI ECC Framing Checks
      20. 6.7.20 FSI Frame Watchdog
      21. 6.7.21 FSI RX Ping Watchdog
      22. 6.7.22 FSI Tag Monitor
      23. 6.7.23 FSI Frame Type Error Detection
      24. 6.7.24 FSI End of Frame Error Detection
      25. 6.7.25 FSI Register Protection Mechanisms
      26. 6.7.26 LIN Physical Bus Error Detection
      27. 6.7.27 LIN No-Response Error Detection
      28. 6.7.28 LIN Checksum Error Detection
      29. 6.7.29 Data Parity Error Detection
      30. 6.7.30 LIN ID Parity Error Detection
      31. 6.7.31 PMBus Protocol CRC in Message
      32. 6.7.32 Clock Timeout
      33. 6.7.33 Communication Access Latency Profiling Using On-Chip Timer
      34. 6.7.34 Signature mechanism for interrupt and acknowlegdement in software
      35. 6.7.35 Software Timeout mechansim for interrupt logic
      36. 6.7.36 Access protection enable for read/write operations in software
      37. 6.7.37 Detection of illegal access sequences or access types from host to device
      38. 6.7.38 Detection of simultaneous MMR access by host and device
      39. 6.7.39 Enabling locking mechanism for registers
      40. 6.7.40 Disabling of unused EVENTRIG trigger sources
  8. 7References
  9.   A Safety Architecture Configurations
    1.     A.1 Safety Architecture Configurations
  10.   B Distributed Developments
    1.     B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided
  11.   C Summary of Safety Features and Diagnostics
    1.     C.1 Summary of Safety Features and Diagnostics
  12.   D Glossary
    1.     D.1 Glossary

4.4.1.1 Example Safety Concept Implementation Options on TMS320F28002x MCU

TMS320F28002x class of devices supports C28x processing unit. The safety functions, which ensure that each safety goal can be met, can be implemented by the C28x. HWBIST can be used for diagnostic coverage for the processing units (ISO 26262-5:2018, Table D.4 and IEC 61508-2:2010, Table A.4). Safety mechanisms such as , Internal Watchdog (WD) and so forth, can also be utilized. For common cause failures such as clock, power and reset, an external watchdog should be used. Here are some definitions:

  • Intended Function: Control application implemented on TMS320F28002x (PFC, DCDC, traction-inverter etc.)
  • Safety Function: Achieves risk reduction and implemented for safety goals identified from HARA
    • Example: prevent over-current, over/under voltage, over temperature, forward/reverse torque etc.)
    • Shall meet >= 90% SPFM for both permanent and transient faults
  • Diagnostic Function: Ensures safety-function will operate correctly when required
    • Shall meet >= 60% LFM for ISO 26262:2018 (ASIL-B compliance targeted) systems

The following is a reference safety concept option which can be implemented on TMS320F28002x.