SPRUI78D, March 2019 – January 2022. Devices covered: TMS320F28075, TMS320F28075-Q1, TMS320F28076, TMS320F28374D, TMS320F28374S, TMS320F28375D, TMS320F28375S, TMS320F28375S-Q1, TMS320F28376D, TMS320F28376S, TMS320F28377D, TMS320F28377D-Q1, TMS320F28377S, TMS320F28377S-Q1, TMS320F28378D, TMS320F28378S, TMS320F28379D, TMS320F28379D-Q1, TMS320F28379S


Contents

Trademarks
1 Introduction
  1.1 About This Document
  1.2 Acronyms Used in This Document
  1.3 C2000 Architecture and Product Overview
    1.3.1 TMS320F2837xD Delfino MCU
    1.3.2 TMS320F2837xS Delfino MCU
    1.3.3 TMS320F2807x Piccolo MCU
2 System Integrator Development Interface Agreement
  2.1 Safety Enabled Design Packages for Functional Safety Applications
  2.2 System Integrator Activities
    2.2.1 Operational and Environmental Constraints
    2.2.2 Safety Concept Definition
    2.2.3 Safety Concept Implementation
    2.2.4 Verification of Safety Concept Including Safety Metric Calculation
  2.3 Product Safety Constraints
  2.4 Suggestions for Improving Freedom From Interference
  2.5 Suggestions for Addressing Common Cause Failures
  2.6 Support for System Integrator Activities
3 C2000 Development Process for Management of Systematic Faults
  3.1 TI's Hardware Development Process
  3.2 Yogitech fRMethodology Enhanced Development Process
  3.3 TI's Enhanced Safety Development Process
  3.4 C2000 Diagnostics Libraries
    3.4.1 TMS320F2837xD, TMS320F2837xS, TMS320F2807x Diagnostic Software Library (SDL)
    3.4.2 C2000 CLA STL (CLA-STL)
4 TMS320F2837xD/S and TMS320F2807x MCU Architecture for Management of Random Faults
  4.1 Functional Safety Concept
    4.1.1 VDA E-GAS Monitoring Concept
    4.1.2 Fault Tolerant Time Interval (FTTI)
  4.2 TMS320F2837xD/S and TMS320F2807x MCU Safety Philosophy
    4.2.1 TMS320F2837xD MCU Safety Philosophy
    4.2.2 TMS320F2837xS and TMS320F2807x MCU Safety Philosophy
    4.2.3 Assumed Safety Requirements
    4.2.4 C2000 MCU Safe State
    4.2.5 Operating States
    4.2.6 Management of Faults
5 Brief Description of Safety Elements
  5.1 C2000 MCU Infrastructure Components
    5.1.1 Power Supply
    5.1.2 Clock
    5.1.3 Reset
    5.1.4 System Control Module and Configuration Registers
    5.1.5 Efuse Static Configuration
    5.1.6 JTAG Debug, Trace, Calibration, and Test Access
  5.2 Processing Elements
    5.2.1 C28x Central Processing Unit (CPU)
    5.2.2 Control Law Accelerator
  5.3 Memory (Flash, SRAM and ROM)
    5.3.1 Embedded Flash Memory
    5.3.2 Embedded SRAM
    5.3.3 Embedded ROM
  5.4 On-Chip Communication Including Bus-Arbitration
    5.4.1 Device Interconnect
    5.4.2 Direct Memory Access (DMA)
    5.4.3 Inter Processor Communication (IPC)
    5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
    5.4.5 Dual Zone Code Security Module (DCSM)
    5.4.6 CrossBar (X-BAR)
    5.4.7 Timer
  5.5 Digital I/O
    5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
    5.5.2 Enhanced Pulse Width Modulators (ePWM)
    5.5.3 High Resolution PWM (HRPWM)
    5.5.4 Enhanced Capture (eCAP)
    5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
    5.5.6 Sigma Delta Filter Module (SDFM)
    5.5.7 External Interrupt (XINT)
  5.6 Analogue I/O
    5.6.1 Analog-to-Digital Converter (ADC)
    5.6.2 Buffered Digital to Analog Converter (DAC)
    5.6.3 Comparator Subsystem (CMPSS)
  5.7 Data Transmission
    5.7.1 Controller Area Network (DCAN)
    5.7.2 Serial Peripheral Interface (SPI)
    5.7.3 Serial Communication Interface (SCI)
    5.7.4 Inter-Integrated Circuit (I2C)
    5.7.5 Multi-Channel Buffered Serial Port (MCBSP)
    5.7.6 External Memory Interface (EMIF)
  5.8 Not Safety Related Elements
6 Brief Description of Diagnostics
  6.1 C2000 MCU Infrastructure Components
    6.1.1 Clock Integrity Check Using CPU Timer
    6.1.2 Clock Integrity Check Using HRPWM
    6.1.3 EALLOW and MEALLOW Protection for Critical Registers
    6.1.4 Efuse Autoload Self-Test
    6.1.5 Efuse ECC
    6.1.6 Efuse ECC Logic Self-Test
    6.1.7 External Clock Monitoring via XCLKOUT
    6.1.8 External Monitoring of Warm Reset (XRSn)
    6.1.9 External Voltage Supervisor
    6.1.10 External Watchdog
    6.1.11 Glitch Filtering on Reset Pins
    6.1.12 Hardware Disable of JTAG Port
    6.1.13 Internal Watchdog (WD)
    6.1.14 Lock Mechanism for Control Registers
    6.1.15 Missing Clock Detect (MCD)
    6.1.16 NMIWD Reset Functionality
    6.1.17 NMIWD Shadow Registers
    6.1.18 Multi-Bit Enable Keys for Control Registers
    6.1.19 Online Monitoring of Temperature
    6.1.20 Periodic Software Read Back of Static Configuration Registers
    6.1.21 Peripheral Clock Gating (PCLKCR)
    6.1.22 Peripheral Soft Reset (SOFTPRES)
    6.1.23 PLL Lock Profiling Using On-Chip Timer
    6.1.24 Reset Cause Information
    6.1.25 Software Read Back of Written Configuration
    6.1.26 Software Test of ERRORSTS Functionality
    6.1.27 Software Test of Missing Clock Detect Functionality
    6.1.28 Software Test of Reset
    6.1.29 Software Test of Watchdog (WD) Operation
  6.2 Processing Elements
    6.2.1 CLA Handling of Illegal Operation and Illegal Results
    6.2.2 CLA Liveness Check Using CPU
    6.2.3 CPU Hardware Built-In Self-Test (HWBIST)
    6.2.4 CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
    6.2.5 CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
    6.2.6 CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
    6.2.7 CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
    6.2.8 Reciprocal Comparison by Software
    6.2.9 Software Test of CLA
    6.2.10 Stack Overflow Detection
    6.2.11 VCU CRC Check of Static Memory Contents
    6.2.12 VCU CRC Auto Coverage
    6.2.13 Disabling of Unused CLA Task Trigger Sources
  6.3 Memory (Flash, SRAM and ROM)
    6.3.1 Bit Multiplexing in Flash Memory Array
    6.3.2 Bit Multiplexing in SRAM Memory Array
    6.3.3 Data Scrubbing to Detect/Correct Memory Errors
    6.3.4 Flash ECC
    6.3.5 Flash Program Verify and Erase Verify Check
    6.3.6 Software Test of ECC Logic
    6.3.7 Software Test of Flash Prefetch, Data Cache and Wait-States
    6.3.8 Access Protection Mechanism for Memories
    6.3.9 SRAM ECC
    6.3.10 SRAM Parity
    6.3.11 Software Test of Parity Logic
    6.3.12 Software Test of SRAM
  6.4 On-Chip Communication Including Bus-Arbitration
    6.4.1 1oo2 Software Voting Using Secondary Free Running Counter
    6.4.2 DMA Overflow Interrupt
    6.4.3 Event Timestamping Using IPC Counter
    6.4.4 Maintaining Interrupt Handler for Unused Interrupts
    6.4.5 Majority Voting and Error Detection of Link Pointer
    6.4.6 PIE Double SRAM Comparison Check
    6.4.7 PIE Double SRAM Hardware Comparison
    6.4.8 Power-Up Pre-Operational Security Checks
    6.4.9 Software Check of X-BAR Flag
    6.4.10 Software Test of ePIE Operation Including Error Tests
    6.4.11 Disabling of Unused DMA Trigger Sources
    6.4.12 IPC 64-Bit Counter Value Plausibility Check
  6.5 Digital I/O
    6.5.1 ECAP Application Level Safety Mechanism
    6.5.2 ePWM Application Level Safety Mechanism
    6.5.3 ePWM Fault Detection Using XBAR
    6.5.4 ePWM Synchronization Check
    6.5.5 eQEP Application Level Safety Mechanisms
    6.5.6 eQEP Quadrature Watchdog
    6.5.7 eQEP Software Test of Quadrature Watchdog Functionality
    6.5.8 Hardware Redundancy
    6.5.9 HRPWM Built-In Self-Check and Diagnostic Capabilities
    6.5.10 Information Redundancy Techniques
    6.5.11 Monitoring of ePWM by eCAP
    6.5.12 Monitoring of ePWM by ADC
    6.5.13 Online Monitoring of Interrupts and Events
    6.5.14 SDFM Comparator Filter for Online Monitoring
    6.5.15 SD Modulator Clock Fail Detection Mechanism
    6.5.16 Software Test of Function Including Error Tests
  6.6 Analogue I/O
    6.6.1 ADC Information Redundancy Techniques
    6.6.2 ADC Input Signal Integrity Check
    6.6.3 ADC Signal Quality Check by Varying Acquisition Window
    6.6.4 CMPSS Ramp Generator Functionality Check
    6.6.5 DAC to ADC Loopback Check
    6.6.6 DAC to Comparator Loopback Check
    6.6.7 Opens/Shorts Detection Circuit for ADC
    6.6.8 VDAC Conversion by ADC
    6.6.9 Disabling Unused Sources of SOC Inputs to ADC
  6.7 Data Transmission
    6.7.1 Bit Error Detection
    6.7.2 CRC in Message
    6.7.3 DCAN Acknowledge Error Detection
    6.7.4 DCAN Form Error Detection
    6.7.5 DCAN Stuff Error Detection
    6.7.6 EMIF Access Latency Profiling Using On-Chip Timer
    6.7.7 EMIF Access Protection Mechanism
    6.7.8 EMIF Asynchronous Memory Timeout Protection Mechanism
    6.7.9 I2C Access Latency Profiling Using On-Chip Timer
    6.7.10 Information Redundancy Techniques Including End-to-End Safeing
    6.7.11 I2C Data Acknowledge Check
    6.7.12 McBSP Receiver Overrun Detection
    6.7.13 McBSP Receiver Sync Error Detection
    6.7.14 McBSP Transmitter Sync Error Detection
    6.7.15 McBSP Transmitter Underflow Detection
    6.7.16 Parity in Message
    6.7.17 SCI Break Error Detection
    6.7.18 SCI Frame Error Detection
    6.7.19 SCI Overrun Error Detection
    6.7.20 Software Test of Function Using I/O Loopback
    6.7.21 SPI Data Overrun Detection
    6.7.22 Transmission Redundancy
7 Safety Architecture Configurations
8 Terms and Definitions
9 Summary of Safety Features and Diagnostics
10 References
11 Revision History
IMPORTANT NOTICE
FUNCTIONAL SAFETY MANUAL

Functional Safety Manual for TMS320F2837xD, TMS320F2837xS and TMS320F2807x

Trademarks

C2000 is a trademark of Texas Instruments.

All trademarks are the property of their respective owners.

1 Introduction

The products supported by this document have been assessed to meet a systematic capability of ASIL-D (according to ISO 26262) and SIL-3 (according to IEC 61508). For more information, see the Texas Instruments functional safety hardware development process.

This Functional Safety Manual is part of the safety design package to aid customers who are designing systems in compliance with ISO 26262 or IEC 61508 functional safety standards.

Table 1-1 shows a complete list of the products supported by this functional safety manual (including silicon revision C) and the part numbers.

Table 1-1 Products Supported by This Functional Safety Manual (Orderable Devices)

Piccolo Part Numbers:
TMS320F28075PTPQ, TMS320F28075PTPS, TMS320F28075PTPT, TMS320F28075PZPQ, TMS320F28075PZPS, TMS320F28075PZPT, TMS320F28076PTPS, TMS320F28076PZPS

Single Core Part Numbers:
TMS320F28374SPTPS, TMS320F28374SPTPT, TMS320F28374SPZPS, TMS320F28374SPZPT, TMS320F28374SZWTS, TMS320F28374SZWTT, TMS320F28374SZWTTR,
TMS320F28375SPTPS, TMS320F28375SPTPT, TMS320F28375SPZPQ, TMS320F28375SPZPQR, TMS320F28375SPZPS, TMS320F28375SPZPT, TMS320F28375SZWTS, TMS320F28375SZWTT,
TMS320F28376SPTPS, TMS320F28376SPTPT, TMS320F28376SPZPS, TMS320F28376SPZPT, TMS320F28376SZWTS, TMS320F28376SZWTT,
TMS320F28377SPTPQ, TMS320F28377SPTPS, TMS320F28377SPTPT, TMS320F28377SPZPQ, TMS320F28377SPZPS, TMS320F28377SPZPT, TMS320F28377SZWTQ, TMS320F28377SZWTS, TMS320F28377SZWTT,
TMS320F28378SPTPS, TMS320F28378SPZPS,
TMS320F28379SPTPS, TMS320F28379SPTPT, TMS320F28379SPZPS, TMS320F28379SPZPT, TMS320F28379SZWTS, TMS320F28379SZWTT

Dual Core Part Numbers:
TMS320F28374DPTPS, TMS320F28374DPTPT, TMS320F28374DZWTS, TMS320F28374DZWTT,
TMS320F28375DPTPS, TMS320F28375DPTPT, TMS320F28375DPZPS, TMS320F28375DZWTS, TMS320F28375DZWTT,
TMS320F28376DPTPS, TMS320F28376DPTPT, TMS320F28376DZWTS, TMS320F28376DZWTT,
TMS320F28377DPTPQ, TMS320F28377DPTPS, TMS320F28377DPTPT, TMS320F28377DZWTQ, TMS320F28377DZWTQR, TMS320F28377DZWTS, TMS320F28377DZWTT,
TMS320F28378DPTPS,
TMS320F28379DPTPS, TMS320F28379DPTPT, TMS320F28379DZWTS, TMS320F28379DZWTT

1.1 About This Document

This Functional Safety Manual provides information needed by system developers to assist in the creation of a functional safety system using a C2000 microcontroller (MCU). This document contains:

  • Overview of Delfino TMS320F2837xD/S and Piccolo TMS320F2807x MCU product architectures
  • Overview of the development process utilized to reduce systematic failures
  • Overview of the safety architecture for management of random failures
  • Details of architecture partitions and implemented safety mechanisms

The user of this document is expected to have a general familiarity with the Delfino TMS320F2837xD/S and Piccolo TMS320F2807x MCU product family. More information can be found at http://www.ti.com/C2000. This document is intended to be used in conjunction with the device-specific data sheets, technical reference manuals, and other documentation for the products being supplied.

1.2 Acronyms Used in This Document

The acronyms used in this document and their expansions are listed in Table 1-2.

Table 1-2 Acronyms and Expansions
Acronym / Expansion
ADC Analog-to-Digital Converter
ASIL Automotive Safety Integrity Level (ISO 26262)
CLA Control Law Accelerator
CPU Central Processing Unit
CRC Cyclic Redundancy Check
DAC Digital-to-Analog Converter
DTI Diagnostic Test Interval
E/E/PE Electrical/Electronic/Programmable Electronic
E2E End-to-End Protocol
EMIF External Memory Interface
ePIE enhanced Peripheral Interrupt Expansion
ePWM enhanced Pulse Width Modulator
eQEP enhanced Quadrature Encoder Pulse
EUC Equipment Under Control
FMEDA Failure Mode Effects and Diagnostic Analysis
FPU Floating Point Unit
FSA Functional Safety Assessment
FSM Functional Safety Manual
FTA Fault Tree Analysis
FTTI Fault Tolerant Time Interval
HARA Hazard Analysis and Risk Assessment
HFT Hardware Fault Tolerance
IEC International Electrotechnical Commission
ISO International Organization for Standardization
MCU Microcontroller Unit
MTBF Mean Time Between Failure
OTP One Time Configurable
PWM Pulse Width Modulator
SIL Safety Integrity Level
TI Texas Instruments Inc.
TMU Trigonometric Math Unit
VCU Viterbi, Complex Math and CRC Unit

1.3 C2000 Architecture and Product Overview

The TMS320F2837xD/S and TMS320F2807x are powerful 32-bit floating-point microcontroller units (MCUs) designed for advanced closed-loop control in automotive and industrial applications.

1.3.1 TMS320F2837xD Delfino MCU

TMS320F2837xD supports two instances of the C28x + CLA architecture (four processing elements), which significantly boost system performance. The integrated analog and control peripherals also let designers consolidate control architectures and reduce multiprocessor use in some high-end systems.

The C28x CPUs are further boosted by the Trigonometric Math Unit (TMU) accelerator that enables fast execution of algorithms with trigonometric operations common in transforms and torque loop calculations. The Viterbi, Complex Math and CRC Unit (VCU) accelerator reduces the time for complex math operations common in encoded applications. Users may refer to Accelerators: Enhancing the Capabilities of the C2000™ MCU Family to see how the accelerators can be employed to increase the performance of the MCU in many real-time applications.

The CLA is an independent 32-bit floating-point accelerator that runs at the same speed as the main C28x CPU, responding to peripheral triggers with minimum event latency and executing code concurrently with the main CPU.

The TMS320F2837xD supports up to 1MB (512KW) of onboard Flash memory with error correction code (ECC) and up to 204KB (102KW) of SRAM. Two 128-bit secure zones are also available on each CPU for code protection.

Figure 1-1 Functional Block Diagram of TMS320F2837xD MCU

Performance analog and control peripherals are also integrated to further enable system consolidation. Four independent 12/16-bit ADCs provide precise and efficient management of multiple analog signals, which ultimately boosts system throughput. The new sigma-delta filter module (SDFM) works in conjunction with the sigma-delta modulator to enable isolated current shunt measurements. The Comparator Subsystem (CMPSS) with windowed comparators allows for protection of power stages when current limit conditions are exceeded or not met. Other analog and control peripherals include the Digital-to-Analog Converter (DAC), Pulse Width Modulation (PWM), Enhanced Capture (eCAP), Enhanced Quadrature Encoder Pulse (eQEP) and other peripherals. Peripherals such as External Memory Interface (EMIF) and Controller Area Network (CAN) modules (ISO11898-1/CAN 2.0B-compliant) extend the connectivity of the C2000 MCUs.

The device configurations supported by this functional safety manual for TMS320F2837xD MCUs are outlined in the TMS320F2837xD Dual-Core Delfino™ Microcontrollers Data Sheet. Not all variants are available in all packages or all temperature grades. To confirm availability, contact your local Texas Instruments sales and marketing representative.

1.3.2 TMS320F2837xS Delfino MCU

TMS320F2837xS supports a single instance of the C28x + CLA architecture (two processing elements). The integrated analog and control peripherals also let designers consolidate control architectures and reduce multiprocessor use in some high-end systems.

The TMS320F2837xS supports up to 1MB (512KW) of onboard Flash memory with error correction code (ECC) and up to 164KB (82KW) of SRAM. Two 128-bit secure zones are also available on the CPU for code protection.

Performance analog and control peripherals are also integrated on this C2000 MCU to further enable system consolidation, similar to the TMS320F2837xD.

Figure 1-2 Functional Block Diagram of TMS320F2837xS MCU

The device configurations supported by this functional safety manual for TMS320F2837xS MCUs are outlined in the TMS320F2837xS Delfino™ Microcontrollers Data Sheet. Not all variants are available in all packages or all temperature grades. To confirm availability, contact your local Texas Instruments sales and marketing representative.

1.3.3 TMS320F2807x Piccolo MCU

The F2807x supports a single instance of the C28x + CLA architecture (two processing elements). The integrated analog and control peripherals also let designers consolidate control architectures and reduce multiprocessor use in some high-end systems.

The F2807x device supports up to 512KB (256KW) of ECC-protected onboard Flash memory and up to 100KB (50KW) of SRAM with parity. Two independent security zones are also available for 128-bit code protection of the main C28x.

Figure 1-3 Functional Block Diagram of TMS320F2807x MCU

The performance analog subsystem of the TMS320F2807x MCUs consists of up to three 12-bit ADCs, which enable simultaneous management of three independent power phases, and up to eight windowed comparator subsystems (CMPSSs), allowing very fast, direct trip of the PWMs in overvoltage or overcurrent conditions. In addition, the device has three 12-bit DACs, and precision control peripherals such as enhanced pulse width modulators (ePWMs) with fault protection, eQEP peripherals, and eCAP units. Connectivity peripherals such as dual CAN modules (ISO11898-1/CAN 2.0B compliant) add connectivity to your application.

The device configurations supported by this functional safety manual for TMS320F2807x MCUs are outlined in the TMS320F2807x Piccolo™ Microcontrollers Data Sheet. Not all variants are available in all packages or all temperature grades. To confirm availability, contact your local Texas Instruments sales and marketing representative.

2 System Integrator Development Interface Agreement

You, as a system and equipment manufacturer or designer, are responsible to ensure that your systems (and any TI hardware or software components incorporated in your systems) meet all applicable safety, regulatory, and system-level performance requirements. All application and safety related information in this document (including application descriptions, suggested safety measures, suggested TI products, and other materials) is provided for reference only. You understand and agree that your use of TI components in safety critical applications is entirely at your risk, and that you (as buyer) agree to defend, indemnify, and hold TI harmless from any and all damages, claims, suits, or expense resulting from such use.

The products supported by this functional safety manual could be implemented as unique silicon designs or may be shared silicon designs that have elements disabled or not guaranteed by specification, even if present in silicon. Only the capabilities that are enabled in the device as specified in the device-specific data sheet and technical reference manual are to be used for safety feature enhancements or safety software implementation. Capabilities that are not part of the device, even though they are supported in the superset of the device family, are not guaranteed to be present and operate.

The effectiveness of the hardware safety mechanisms is noted in the detailed functional safety analysis report. This information should be used to determine the strategy for utilizing safety mechanisms. The technical and implementation details of each safety mechanism can be found in the device-specific technical reference manual. Depending on the safety standard and end equipment targeted, it may be necessary to manage not only single-point faults, but also latent faults. Many of the safety mechanisms described in this document can be used as primary diagnostics, as diagnostics for latent faults, or both. When considering system design for management of latent faults, failure of the execution resources used by software diagnostics, such as failure of the CPU and memories, needs to be considered.

2.1 Safety Enabled Design Packages for Functional Safety Applications

Safety enabled design packages for functional safety applications are used in a variety of safety-related applications, including digital power, electric vehicles, industrial machinery, industrial process, medical, automotive, rail, and aviation. Safety enabled products help TI customers get to market quickly with safety critical systems targeting compliance to safety standards such as ISO 26262, IEC 61508, and IEC 60730 (in Europe) / UL 1998 (in the United States). The C2000 MCUs TMS320F2837xD/S and TMS320F2807x are offered with QM and 60730 (UL 1998) design packages for functional safety applications.

  • QM design packages for functional safety applications include hardware, software, and tools which are developed according to a quality managed (QM) process for use in functional safety related system designs. These design packages include documentation to support easy evaluation of suitability for use in functional safety system designs with application of appropriate system level measures. The C2000 MCUs TMS320F2837xD/S and TMS320F2807x are automotive-qualified products and comply with the quality management standards of ISO 9001 and ISO/TS 16949. In addition, as QM offerings, additional documentation is provided (functional safety manual and safety analysis report) to assist customers in reaching compliance of their systems with the ISO 26262 and/or IEC 61508 functional safety standards.
  • 60730 design packages for functional safety applications include software self-test libraries developed in accordance with IEC 60730:2008 requirements to support safety systems of Class A, Class B or Class C. These design packages help manufacturers of automatic controls for household and similar use, to quickly and easily achieve applicable system certification. The TMS320F2837xD/S and TMS320F2807x can be used by customers to achieve system level certification up to IEC 60730 Class C and/or UL 1998 Class 2 levels.

2.2 System Integrator Activities

The system integrator is responsible for carrying out a number of product development activities. These activities may include, but are not limited to, those discussed in the following subsections.

2.2.1 Operational and Environmental Constraints

  • Verify that the implementation of the TI component in the system design is compliant to requirements in TI documentation. This includes but is not limited to the requirements found in technical reference manuals, data sheets, errata documents, safety manuals and safety analysis reports.
  • Verify that the system operational lifetime (power-on hours) does not exceed lifetime specifications for the TI component, as specified in the device data sheet. If the operational lifetime (power-on hours) is not specified in the data sheet, contact a TI quality/reliability engineering representative. For more information, see [1].
  • Adhere to the device handling requirements based on JEDEC handling standards J-STD-020 [2] and J-STD-033 [3].
  • Define a mechanism for reporting of the field failures back to Texas Instruments.
  • Define system maintenance requirements. This C2000 MCU does not require maintenance.
  • Define system repair requirements. This C2000 MCU is non-repairable with respect to permanent faults. A power-on reset of the C2000 MCU may be considered a repair activity for transient faults per some definitions of system repair requirements.
  • Define system decommissioning requirements. This C2000 MCU has no specific decommissioning requirements.
  • Define system disposal requirements. This C2000 MCU has no specific disposal requirements.

2.2.2 Safety Concept Definition

  • Define the safety functions and verify that the microcontroller behaves properly to support execution of the defined safety function. This C2000 MCU is a generic product which is capable of supporting a variety of safety functions.
  • Define the system-level safe state concept considering safe-state entry, maintenance of safe state, and safe-state exit as appropriate to the application and verify correct implementation (see Section 4.2.4).
  • Define the system-level error-handling concept and verify correct implementation.
  • Define appropriate overall timing requirements for safety metrics to be calculated for the application (see Section 4.1.2).
  • Define appropriate safety metric targets for the application.
