SFFS222 October   2023 TMS320F2800153-Q1 , TMS320F2800154-Q1 , TMS320F2800155-Q1 , TMS320F2800156-Q1 , TMS320F2800157 , TMS320F2800157-Q1

 

  1.   1
  2.   Trademarks
  3. 1Introduction
  4. 2TMS320F280015x Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F280015x Component Overview
    1. 4.1 C2000 Architecture and Product Overview
      1. 4.1.1 TMS320F280015x MCU
    2. 4.2 Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept With TMS320F280015x MCU
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F280015x MCU Safe State
      4. 4.2.4 Operating States
    3. 4.3 C2000 Safety Diagnostics Libraries
      1. 4.3.1 Assumptions of Use - F280015x Self-Test Libraries
      2. 4.3.2 Operational Details - F280015x Self-Test Libraries
        1. 4.3.2.1 Operational Details – C28x Self-Test Library
        2. 4.3.2.2 Operational Details – SDL
      3. 4.3.3 C2000 Safety STL Software Development Flow
    4. 4.4 TMS320F280015x MCU Safety Implementation
      1. 4.4.1 Assumed Safety Requirements
      2. 4.4.2 Example Safety Concept Implementation Options on TMS320F280015x MCU
        1. 4.4.2.1 Safety Concept Implementation: Option 1
        2. 4.4.2.2 Safety Concept Implementation: Option 2
  7. 5Description of Safety Elements
    1. 5.1 TMS320F280015x MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Enhanced Peripheral Interrupt Expander (ePIE) Module
      3. 5.4.3 Dual Zone Code Security Module (DCSM)
      4. 5.4.4 CrossBar (X-BAR)
      5. 5.4.5 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
      6. 5.5.6 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Controller Area Network (MCAN, CAN FD)
      3. 5.7.3 Serial Peripheral Interface (SPI)
      4. 5.7.4 Serial Communication Interface (SCI)
      5. 5.7.5 Inter-Integrated Circuit (I2C)
      6. 5.7.6 Local Interconnect Network (LIN)
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Description of Functional Safety Mechanisms
      1. 6.4.1 TMS320F280015x MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW Protection for Critical Registers
        5. 6.4.1.5  External Monitoring of Clock via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Glitch Filtering on Reset Pins
        10. 6.4.1.10 Hardware Disable of JTAG Port
        11. 6.4.1.11 Lockout of JTAG Access Using OTP
        12. 6.4.1.12 Internal Watchdog (WD)
        13. 6.4.1.13 Lock Mechanism for Control Registers
        14. 6.4.1.14 Missing Clock Detect (MCD)
        15. 6.4.1.15 NMIWD Reset Functionality
        16. 6.4.1.16 NMIWD Shadow Registers
        17. 6.4.1.17 Multi-Bit Enable Keys for Control Registers
        18. 6.4.1.18 Online Monitoring of Temperature
        19. 6.4.1.19 Periodic Software Read Back of Static Configuration Registers
        20. 6.4.1.20 Peripheral Clock Gating (PCLKCR)
        21. 6.4.1.21 Peripheral Soft Reset (SOFTPRES)
        22. 6.4.1.22 Software Test of Reset - Type 1
        23. 6.4.1.23 PLL Lock Profiling Using On-Chip Timer
        24. 6.4.1.24 Reset Cause Information
        25. 6.4.1.25 Software Read Back of Written Configuration
        26. 6.4.1.26 Software Test of ERRORSTS Functionality
        27. 6.4.1.27 Software Test of Missing Clock Detect Functionality
        28. 6.4.1.28 Software Test of Watchdog (WD) Operation
        29. 6.4.1.29 Dual-Clock Comparator (DCC) - Type 2
        30. 6.4.1.30 PLL Lock Indication
        31. 6.4.1.31 Software Test of DCC Functionality Including Error Tests
        32. 6.4.1.32 Software Test of PLL Functionality Including Error Tests
        33. 6.4.1.33 Interleaving of FSM States
        34. 6.4.1.34 Brownout Reset (BOR)
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Software Test of CPU
        3. 6.4.2.3  Stack Overflow Detection
        4. 6.4.2.4  VCRC Check of Static Memory Contents
        5. 6.4.2.5  VCRC Auto Coverage
        6. 6.4.2.6  Hardware Redundancy Using Lockstep Compare Module (LCM)
        7. 6.4.2.7  Self-test Logic for LCM
        8. 6.4.2.8  LCM Compare Error Forcing Mode
        9. 6.4.2.9  LCM MMR Parity
        10. 6.4.2.10 Test of LCM MMR Parity
        11. 6.4.2.11 Lockstep Self-test Mux Select Logic Fault Detection
        12. 6.4.2.12 Redundancy in LCM Comparator
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect/Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program/Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 ROM Parity
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1 1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2 Maintaining Interrupt Handler for Unused Interrupts
        3. 6.4.4.3 Power-Up Pre-Operational Security Checks
        4. 6.4.4.4 Majority Voting and Error Detection of Link Pointer
        5. 6.4.4.5 Software Check of X-BAR Flag
        6. 6.4.4.6 Software Test of ePIE Operation Including Error Tests
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  eCAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using X-BAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  eQEP Application Level Safety Mechanism
        6. 6.4.5.6  eQEP Quadrature Watchdog
        7. 6.4.5.7  eQEP Software Test of Quadrature Watchdog Functionality
        8. 6.4.5.8  Hardware Redundancy
        9. 6.4.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
        10. 6.4.5.10 Information Redundancy Techniques
        11. 6.4.5.11 Monitoring of ePWM by eCAP
        12. 6.4.5.12 Monitoring of ePWM by ADC
        13. 6.4.5.13 Online Monitoring of Periodic Interrupts and Events
        14. 6.4.5.14 Software Test of Function Including Error Tests
        15. 6.4.5.15 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1 ADC Information Redundancy Techniques
        2. 6.4.6.2 ADC Input Signal Integrity Check
        3. 6.4.6.3 ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4 CMPSS Ramp Generator Functionality Check
        5. 6.4.6.5 DAC to ADC Loopback Check
        6. 6.4.6.6 Opens/Shorts Detection Circuit for ADC
        7. 6.4.6.7 Disabling Unused Sources of SOC Inputs to ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Information Redundancy Techniques Including End-to-End Safing
        2. 6.4.7.2  Bit Error Detection
        3. 6.4.7.3  CRC in Message
        4. 6.4.7.4  DCAN Acknowledge Error Detection
        5. 6.4.7.5  DCAN Form Error Detection
        6. 6.4.7.6  DCAN Stuff Error Detection
        7. 6.4.7.7  PWM Trip by MCAN
        8. 6.4.7.8  MCAN Acknowledge Error Detection
        9. 6.4.7.9  MCAN Form Error Detection
        10. 6.4.7.10 MCAN Stuff Error Detection
        11. 6.4.7.11 Timeout on FIFO Activity
        12. 6.4.7.12 Timestamp Consistency Checks
        13. 6.4.7.13 Tx-Event Checks
        14. 6.4.7.14 Interrupt on Message RAM Access Failure
        15. 6.4.7.15 Software Test of Function Including Error Tests Using EPG
        16. 6.4.7.16 I2C Access Latency Profiling Using On-Chip Timer
        17. 6.4.7.17 I2C Data Acknowledge Check
        18. 6.4.7.18 Parity in Message
        19. 6.4.7.19 SCI Break Error Detection
        20. 6.4.7.20 Frame Error Detection
        21. 6.4.7.21 Overrun Error Detection
        22. 6.4.7.22 Software Test of Function Using I/O Loopback
        23. 6.4.7.23 SPI Data Overrun Detection
        24. 6.4.7.24 Transmission Redundancy
        25. 6.4.7.25 LIN Physical Bus Error Detection
        26. 6.4.7.26 LIN No-Response Error Detection
        27. 6.4.7.27 LIN Checksum Error Detection
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN ID Parity Error Detection
        30. 6.4.7.30 PMBus Protocol CRC in Message
        31. 6.4.7.31 Clock Timeout
        32. 6.4.7.32 Communication Access Latency Profiling Using On-Chip Timer
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

6.4.5.14 Software Test of Function Including Error Tests

A software test can be utilized to test basic functionality of the module and to inject diagnostic errors and check for proper error response. Such a test can be executed at boot or periodically. Software requirements necessary are defined by the software implemented by the system integrator.

Ideas for creating some module specific tests functionality and error tests are given below:

  • Software test of input and output X-BAR module can be performed by having a loop created (output X-BAR can be used as stimulus to input X-BAR) using the input and output X-BAR, sending a known test sequence at the input and observing it at the final output. Integrity of ePWM X-BAR can be checked by sending the test stimulus and observing the response using ePWM trip or sync functionality.
  • Software test of XINT functionality can be checked by configuring the input X-BAR and forcing the corresponding GPIO register to generate an interrupt. The diagnostic coverage can be enhanced by performing checks for the polarity (XINTxCR.POLARITY) and enable (XINTxCR.ENABLE) functionality as well.
  • eCAP and eQEP functionality can be checked by looping back the PWM, HRPWM or GPIO outputs to the respective module inputs, providing a known good sequence as required by the module and observing the module output. In the case of eCAP, the test can be done internally with the help of input X-BAR.
  • ROM prefetch functionality can be checked using similar techniques as given in Section 6.4.3.14.
  • The ePWM module consists of Time-Base (TB), Counter Compare (CC), Action Qualifier (AQ), Dead-Band Generator (DB), PWM Chopper (PC), Trip Zone (TZ), Event Trigger (ET) and Digital Compare (DC) sub-modules. The individual sub-modules can be tested by providing suitable stimulus using ePWM and observing the response using one of the capture (time stamping) modules (eCAP, XINT, eQEP, and so forth). It is recommended to cover the various register values associated with application configuration while performing the software test. Due to the regular linear nature of the various sub-modules, it is possible to get high coverage using a software test.
  • A software test of SRAM wrapper logic should provide diagnostic coverage for arbitration between various masters having access to the particular SRAM and correct functioning of access protection. This is in addition to the test used to provide coverage of SRAM bit cells (see Section 6.4.3.19).
  • The interconnect (INC) functionality can be tested by writing complementary data-patterns like 0xA5A5,0x5A5A, and so forth from processing units from the CPU, and reading back it from registers of the IPs’ connected via different bridges .The read-back data can be compared with expected golden values to ensure fault-free interconnect operation. This exercise can be repeated for different data width types of accesses (16 and 32 bits) and wide address ranges as applicable. The CPU accesses can be repeated for different instances of peripherals used in application connected to various bridges as shown in Figure 4-1.

  • To test core functionality of the ADC module and post processing block (PPB), a set of predetermined voltage levels can be provided on the ADC input pin by external circuit or internal DAC. The ADC / PPB results thus obtained can be cross checked against the expected value to ensure proper operation. Extreme corner values of ADC being used in application can be applied and tested to check the successful conversion across the operational range. ADC configuration registers can be checked by writing complementary data-patterns, read back and compared to expected values.

  • Comparator sub-system (CMPSS) has a set of registers which can be checked by writing complementary data-patterns like 0xA5A5, 0x5A5A, and so forth in both 16 and 32 bit access modes. These can be read back and compared against expected values. Features of the CMPSS module such as ramp decrement can be checked for counting down of RAMPDLYA after it is loaded from RAMPDLYS by a rising PWMSYNC signal. It should be ensured that the decrementer reduces to zero and stays there until next reload from RAMPDLYS. Extreme values of RAMPDLYS can be configured before count down. Digital filter CTRIPHFILCTL/CTRIPLFILCTL registers can be checked by configuring them to a variety of SAMPWIN (Sample window) and THRESH (Majority voting threshold) values, and then verifying COMPHSTS/COMPLSTS changes with change in filter output. Applicable range of filter clock pre-scaler values (CTRIPLFILCLKCTL) can be exercised to ensure that filter samples correctly.
  • The general operation of the CPU Timers can be tested by a software test by loading 32-bit counter register TIMH from period register PRDH, starts decrementing of the counter on every clock cycle. When counter reaches zero a timer interrupt output generates an interrupt pulse. While testing the timer functionality vary the Timer Prescale Counter (TPR) value and also vary input clocks by selecting clock source as SYSCLK, INTOSC1, INTOSC2, or XTAL. Test interrupts generation capability at the end of the timer counting. Check for the time overflow flag and Timer reload (TRB) functions in TCR register for correct functioning.
  • A software test function in DCSM can be implemented independently in zone1, zone2 and unsecured zone to check DCSM functionality. Device security configurations are loaded from OTP to DCSM during the device boot phase. The test function can implement access filtering checks (read-write and execute permissions) to RAMs and flash sectors belonging to the same zone and different zone. An additional check for EXEONLY configuration can also be implemented for the RAMs and flash sectors to ensure that all access other than execute access is blocked.