SLLA651 April   2025 TCAN2845-Q1 , TCAN2847-Q1 , TCAN2855-Q1 , TCAN2857-Q1

 

  1.   1
  2.   Abstract
  3.   Trademarks
  4. 1Introduction
  5. 2Device States
    1. 2.1 Init Mode
    2. 2.2 Restart Mode
    3. 2.3 Standby Mode
    4. 2.4 Normal Mode
    5. 2.5 Sleep Mode
    6. 2.6 Fail-Safe Mode
  6. 3Power Electronics
    1. 3.1 VSUP
    2. 3.2 VHSS
    3. 3.3 VCAN
    4. 3.4 VCC1
    5. 3.5 VCC2
    6. 3.6 VEXMON, VEXCTRL, and VEXCC
    7. 3.7 HSSx
  7. 4Communication Capabilities
    1. 4.1 CAN-FD and Classical CAN
    2. 4.2 CAN-SIC
    3. 4.3 LIN
  8. 5Protection Features
    1. 5.1 Undervoltage (UV) Monitors
      1. 5.1.1 VSUP
      2. 5.1.2 VHSS
      3. 5.1.3 VCAN
      4. 5.1.4 VEXCC
      5. 5.1.5 VCC1
      6. 5.1.6 VCC2
    2. 5.2 Overvoltage (OV) Monitors
      1. 5.2.1 HSSx
      2. 5.2.2 VCC1
      3. 5.2.3 VCC2
      4. 5.2.4 VEXCC
    3. 5.3 Short Circuit (SC) Monitors
      1. 5.3.1 VCC1
      2. 5.3.2 VCC2
      3. 5.3.3 VEXCC
    4. 5.4 Electrical Faults and Impact on SBC Mode
    5. 5.5 Temperature Sensors
    6. 5.6 Watchdog
      1. 5.6.1 Watchdog Error Counter
      2. 5.6.2 Timeout
      3. 5.6.3 Window
      4. 5.6.4 Initial Long Window
      5. 5.6.5 Q&A
    7. 5.7 Communication Fault Monitoring
      1. 5.7.1 CAN
      2. 5.7.2 LIN
    8. 5.8 LIMP
  9. 6Programming, Memory, and Control
    1. 6.1 SPI
    2. 6.2 EEPROM
    3. 6.3 Interrupts
    4. 6.4 Control
  10. 7Miscellaneous Features
    1. 7.1 Local Wake Ups
    2. 7.2 CAN Bus Wake Up (BWRR)
    3. 7.3 Partial Networking
    4. 7.4 GFO, nRST, and SW
  11. 8Summary
  12. 9References

2.6 Fail-Safe Mode

The final mode for the SBC is fail-safe mode (FSM), an optional fault handling mode that can be used to increase design robustness. Upon entry to fail-safe mode most of the SBCs subsystems are turned off except LIMP which can be on, wake pins which can be as programmed, and the SWE timer. The following subsystems can react dependent on fault type: transceivers and HSS module.

There are five ways to enter fail-safe mode; all of which are fault conditions. Three of these are dependent on VCC1 – which include overvoltage (OVCC1), short circuit (VCC1_SC), thermal shut down (TSD). The other two entry pathways deal with restart mode failures, namely restart counter overflow or restart timer timing out.

There are three main ways to exit fail-safe mode and return to normal operation. The first way is a wake event occurs and all the faults have cleared which can cause the device to transition to restart mode. The second option is to enable the SWE timer during fail-safe mode and if the timer expires the device can transition to sleep mode and VCC1 can be off regardless of the programmed state of VCC1 during sleep mode. Lastly, if fail safe mode cyclic wake is enabled either timer1 or timer2 can have a programmed on time which can wake the device and check to see if faults have cleared – if enabled, the device can transition to restart mode otherwise the device remains in fail-safe mode until faults are cleared and that is detected during the on-time of the timer.

Fail-Safe Mode (FSM) Figure 2-7 Fail-Safe Mode (FSM)