SFFS700 May   2024 TMS320F28P650DH , TMS320F28P650DK , TMS320F28P650SH , TMS320F28P650SK , TMS320F28P659DH-Q1 , TMS320F28P659DK-Q1 , TMS320F28P659SH-Q1

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F28P65x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P65x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 TMS320F28P65x MCU Safety Implementation
        1. 4.2.5.1 Assumed Safety Requirements
        2. 4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU
          1. 4.2.5.2.1 Safety Concept Implementation: Option 1
          2. 4.2.5.2.2 Safety Concept Implementation: Option 2
          3. 4.2.5.2.3 Safety Concept Implementation: Option 3
          4. 4.2.5.2.4 Safety Concept Implementation: Option 4
          5. 4.2.5.2.5 Safety Concept Implementation: Option 5
          6. 4.2.5.2.6 Safety Concept Implementation: Option 6
      6. 4.2.6 TMS320F28P65x Diagnostic Libraries
        1. 4.2.6.1 Assumptions of Use: F28P65x Self-Test Libraries
        2. 4.2.6.2 Operational Details: F28P65x Self-Test Libraries
          1. 4.2.6.2.1 Operational Details: C28x Self-Test Library
          2. 4.2.6.2.2 Operational Details: CLA Self-Test Library
          3. 4.2.6.2.3 Operational Details - Software Diagnostic Libraries
        3. 4.2.6.3 C2000 Safety STL Software Development Flow
    3. 4.3 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator (CLA)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
      8. 5.4.8 Configurable Logic Block (CLB)
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1  Controller Area Network (DCAN)
      2. 5.7.2  Controller Area Network (MCAN, CAN FD)
      3. 5.7.3  Ethernet for Control Automation Technology (EtherCAT)
      4. 5.7.4  Serial Peripheral Interface (SPI)
      5. 5.7.5  Serial Communication Interface (SCI)
      6. 5.7.6  Universal Asynchronous Receiver/Transmitter (UART)
      7. 5.7.7  Local Interconnect Network (LIN)
      8. 5.7.8  Inter-Integrated Circuit (I2C)
      9. 5.7.9  Fast Serial Interface (FSI)
      10. 5.7.10 Power Management Bus Module (PMBus)
      11. 5.7.11 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW and MEALLOW Protection for Critical Registers
        5. 6.4.1.5  External Clock Monitoring via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Brownout Reset (BOR)
        10. 6.4.1.10 Glitch Filtering on Reset Pins
        11. 6.4.1.11 Hardware Disable of JTAG Port
        12. 6.4.1.12 Lockout of JTAG Access Using OTP
        13. 6.4.1.13 Internal Watchdog (WD)
        14. 6.4.1.14 Lock Mechanism for Control Registers
        15. 6.4.1.15 Missing Clock Detect (MCD)
        16. 6.4.1.16 NMIWD Reset Functionality
        17. 6.4.1.17 NMIWD Shadow Registers
        18. 6.4.1.18 Multibit Enable Keys for Control Registers
        19. 6.4.1.19 Online Monitoring of Temperature
        20. 6.4.1.20 Periodic Software Read Back of Static Configuration Registers
        21. 6.4.1.21 Peripheral Clock Gating (PCLKCR)
        22. 6.4.1.22 Peripheral Soft Reset (SOFTPRES)
        23. 6.4.1.23 Peripheral Access Protection – Type 1
        24. 6.4.1.24 Software Test of Reset – Type 1
        25. 6.4.1.25 PLL Lock Profiling Using On-Chip Timer
        26. 6.4.1.26 Reset Cause Information
        27. 6.4.1.27 Software Read Back of Written Configuration
        28. 6.4.1.28 Software Test of ERRORSTS Functionality
        29. 6.4.1.29 Software Test of Missing Clock Detect Functionality
        30. 6.4.1.30 Software Test of Watchdog (WD) Operation
        31. 6.4.1.31 Dual Clock Comparator (DCC) – Type 2
        32. 6.4.1.32 PLL Lock Indication
        33. 6.4.1.33 Software Test of DCC Functionality Including Error Tests
        34. 6.4.1.34 Software Test of PLL Functionality Including Error Tests
        35. 6.4.1.35 Interleaving of FSM States
        36. 6.4.1.36 Decryption of Encrypted Data Output Using Same KEY and IV
        37. 6.4.1.37 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Reciprocal Comparison by Software
        3. 6.4.2.3  Software Test of CPU
        4. 6.4.2.4  CPU Hardware Built-In Self-Test (HWBIST)
        5. 6.4.2.5  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
        6. 6.4.2.6  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
        7. 6.4.2.7  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
        8. 6.4.2.8  Software Test of CLA
        9. 6.4.2.9  CLA Handling of Illegal Operation and Illegal Results
        10. 6.4.2.10 CLA Liveness Check Using CPU
        11. 6.4.2.11 Disabling of Unused CLA Task Trigger Sources
        12. 6.4.2.12 Stack Overflow Detection
        13. 6.4.2.13 VCRC Check of Static Memory Contents
        14. 6.4.2.14 VCRC Auto Coverage
        15. 6.4.2.15 Hardware Redundancy Using Lockstep Compare Module (LCM)
        16. 6.4.2.16 Self-Test Logic for LCM
        17. 6.4.2.17 LCM Compare Error Forcing Mode
        18. 6.4.2.18 LCM MMR Parity
        19. 6.4.2.19 Test of LCM MMR Parity
        20. 6.4.2.20 Lockstep Self-test Mux Select Logic Fault Detection
        21. 6.4.2.21 Redundancy in LCM Comparator
        22. 6.4.2.22 Embedded Real Time Analysis and Diagnostic (ERAD)
        23. 6.4.2.23 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect and Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program and Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-Demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 Background CRC
        22. 6.4.3.22 Watchdog for Background CRC
        23. 6.4.3.23 ROM Parity
        24. 6.4.3.24 Redundant Parity Engine
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2  DMA Overflow Interrupt
        3. 6.4.4.3  Event Timestamping Using IPC Counter
        4. 6.4.4.4  Maintaining Interrupt Handler for Unused Interrupts
        5. 6.4.4.5  Majority Voting and Error Detection of Link Pointer
        6. 6.4.4.6  PIE Double SRAM Comparison Check
        7. 6.4.4.7  PIE Double SRAM Hardware Comparison
        8. 6.4.4.8  Power-Up Pre-Operational Security Checks
        9. 6.4.4.9  Software Check of X-BAR Flag
        10. 6.4.4.10 Software Test of ePIE Operation Including Error Tests
        11. 6.4.4.11 Disabling of Unused DMA Trigger Sources
        12. 6.4.4.12 Software Test of CLB Function Including Error Tests
        13. 6.4.4.13 Monitoring of CLB by eCAP or eQEP
        14. 6.4.4.14 Periodic Software Read Back of SPI Buffer
        15. 6.4.4.15 IPC 64-Bit Counter Value Plausibility Check
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  ECAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using XBAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  Online MINMAX Monitoring of TRIP Events
        6. 6.4.5.6  Fault Avoidance Using Minimum Dead Band
        7. 6.4.5.7  Fault Avoidance Using Illegal Combo Logic
        8. 6.4.5.8  Diode Emulation Mode Monitoring
        9. 6.4.5.9  eQEP Application Level Safety Mechanisms
        10. 6.4.5.10 eQEP Quadrature Watchdog
        11. 6.4.5.11 eQEP Software Test of Quadrature Watchdog Functionality
        12. 6.4.5.12 Hardware Redundancy
        13. 6.4.5.13 HRPWM Built-In Self-Check and Diagnostic Capabilities
        14. 6.4.5.14 Information Redundancy Techniques
        15. 6.4.5.15 Monitoring of ePWM by eCAP
        16. 6.4.5.16 Monitoring of ePWM by ADC
        17. 6.4.5.17 Online Monitoring of Interrupts and Events
        18. 6.4.5.18 SDFM Comparator Filter for Online Monitoring
        19. 6.4.5.19 SD Modulator Clock Fail Detection Mechanism
        20. 6.4.5.20 Software Test of Function Including Error Tests
        21. 6.4.5.21 Monitoring of HRPWM by HRCAP
        22. 6.4.5.22 HRCAP Calibration Logic Test Feature
        23. 6.4.5.23 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  ADC Information Redundancy Techniques
        2. 6.4.6.2  ADC Input Signal Integrity Check
        3. 6.4.6.3  ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4  Hardware Redundancy with ADC Safety Checker
        5. 6.4.6.5  Hardware Redundancy of ADC Safety Checker
        6. 6.4.6.6  Disabling Unused Sources of SOC Inputs to ADC
        7. 6.4.6.7  CMPSS Ramp Generator Functionality Check
        8. 6.4.6.8  DAC to ADC Loopback Check
        9. 6.4.6.9  DAC to Comparator Loopback Check
        10. 6.4.6.10 Opens/Shorts Detection Circuit for ADC
        11. 6.4.6.11 VDAC Conversion by ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Bit Error Detection
        2. 6.4.7.2  CRC in Message
        3. 6.4.7.3  DCAN Acknowledge Error Detection
        4. 6.4.7.4  DCAN Form Error Detection
        5. 6.4.7.5  DCAN Stuff Error Detection
        6. 6.4.7.6  PWM Trip by MCAN
        7. 6.4.7.7  MCAN Stuff Error Detection
        8. 6.4.7.8  MCAN Form Error Detection
        9. 6.4.7.9  MCAN Acknowledge Error Detection
        10. 6.4.7.10 Timeout on FIFO Activity
        11. 6.4.7.11 Timestamp Consistency Checks
        12. 6.4.7.12 Tx-Event Checks
        13. 6.4.7.13 Interrupt on Message RAM Access Failure
        14. 6.4.7.14 Software Test of Function Including Error Tests Using EPG
        15. 6.4.7.15 EMIF Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 EMIF Access Protection Mechanism
        17. 6.4.7.17 EMIF Asynchronous Memory Timeout Protection Mechanism
        18. 6.4.7.18 I2C Access Latency Profiling Using On-Chip Timer
        19. 6.4.7.19 Information Redundancy Techniques Including End-to-End Safing
        20. 6.4.7.20 I2C Data Acknowledge Check
        21. 6.4.7.21 Parity in Message
        22. 6.4.7.22 Break Error Detection
        23. 6.4.7.23 Frame Error Detection
        24. 6.4.7.24 Overrun Error Detection
        25. 6.4.7.25 Software Test of Function Using I/O Loopback
        26. 6.4.7.26 SPI Data Overrun Detection
        27. 6.4.7.27 Transmission Redundancy
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN Physical Bus Error Detection
        30. 6.4.7.30 LIN No-Response Error Detection
        31. 6.4.7.31 LIN Checksum Error Detection
        32. 6.4.7.32 LIN ID Parity Error Detection
        33. 6.4.7.33 Communication Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 FSI Data Overrun and Underrun Detection
        35. 6.4.7.35 FSI Frame Overrun Detection
        36. 6.4.7.36 FSI CRC Framing Checks
        37. 6.4.7.37 FSI ECC Framing Checks
        38. 6.4.7.38 FSI Frame Watchdog
        39. 6.4.7.39 FSI RX Ping Watchdog
        40. 6.4.7.40 FSI Tag Monitor
        41. 6.4.7.41 FSI Frame Type Error Detection
        42. 6.4.7.42 FSI End of Frame Error Detection
        43. 6.4.7.43 FSI Register Protection Mechanisms
        44. 6.4.7.44 PMBus Protocol CRC in Message
        45. 6.4.7.45 PMBus Clock Timeout
        46. 6.4.7.46 EtherCAT MDIO Command Error Indication
        47. 6.4.7.47 EtherCAT Sync-Manager
        48. 6.4.7.48 EtherCAT Working Counter Error Indication
        49. 6.4.7.49 EtherCAT Frame Error Indication
        50. 6.4.7.50 EtherCAT Physical Layer Error Indication
        51. 6.4.7.51 PDI Timeout Error Indication
        52. 6.4.7.52 EtherCAT EEPROM CRC Error Indication
        53. 6.4.7.53 EtherCAT EEPROM Not Done Error Indication
        54. 6.4.7.54 EtherCAT Data Link Error Indication
        55. 6.4.7.55 EtherCAT Phy Link Error Indication
        56. 6.4.7.56 Sync, GPO Monitoring Using External Monitor
        57. 6.4.7.57 EtherCAT Enhanced Link Detection With LED
        58. 6.4.7.58 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

6.1 Fault Reporting

The TMS320F28P65x MCU product architecture provides different levels of fault indication from internal safety mechanisms using CPU Interrupt, Non Maskable Interrupt (NMI), assertion of ERRORSTS pin, assertion of CPU input reset and assertion of warm reset (XRSn). The fault response is the action that is taken by the TMS320F28P65x MCU or system when a fault is indicated. Multiple potential fault responses are possible during a fault indication. The system integrator is responsible to determine which fault response should be taken to ensure consistency with the system safety concept. The fault indication ordered in terms of severity (device power down being the most severe) is shown in Figure 6-1.

TMS320F28P650DH TMS320F28P650DK TMS320F28P650SH TMS320F28P650SK TMS320F28P658DG TMS320F28P658DJ TMS320F28P658SJ Fault Response Severity Figure 6-1 Fault Response Severity
  • Device Power Down: This is the highest priority fault response where the external component (see Section 4.2.5.1) detects malfunctioning of the device or other system components and powers down the TMS320F28P65x MCU. From this state, it is possible to re-enter cold boot to attempt recovery.
  • Assertion of XRSn: The XRSn reset could be generated from an internal or external monitor that detects a critical fault having potential to violate safety goal. Internal sources generate this fault response when the TMS320F28P65x MCU is not able to handle the internal fault condition by itself (for example, CPU1 (master CPU) is not able to handle NMI by itself). From this state, it is possible to re-enter cold boot and attempt recovery.
  • Assertion of CPU Reset: CPU Reset changes the state of the CPU from pre-operational or operational state to warm boot phase. The CPU Reset is generated from an internal monitor that detects any security violations. On a properly working system, the security violations may be the secondary effect due to a fault condition. In addition, CPU2 subsystem generates this fault response when it is not able to handle the internal fault condition by itself (for example, CPU2 is not able to handle NMI by itself). From this state, it is possible to re-enter warm boot phase and attempt recovery.
  • Non Maskable Interrupt (NMI) and assertion of ERRORSTS pin: C28x CPU supports a Non Maskable Interrupt (NMI), which has a higher priority than all other interrupts. Each CPU subsystem is equipped with a NMIWD module responsible for generating NMI to the C28x CPU. ERRORSTS pin will also be asserted along with NMI. Depending on the system level requirements, the fault can be handled either internal to the TMS320F28P65x MCU using software or at the system level using the ERRORSTS pin information.
  • CPU Interrupt: CPU interrupt allows events external to the CPU to generate a program sequence context transfer to an interrupt handler where software has an opportunity to manage the fault. The peripheral interrupt expansion (PIE) block multiplexes multiple interrupt sources into a smaller set of CPU interrupt inputs.