SFFS022 December   2022 TMS320F28384D , TMS320F28384D-Q1 , TMS320F28384S , TMS320F28384S-Q1 , TMS320F28386D , TMS320F28386D-Q1 , TMS320F28386S , TMS320F28386S-Q1 , TMS320F28388D , TMS320F28388S

 

  1.   Safety Manual for TMS320F2838xD and TMS320F2838xS
  2.   Trademarks
  3. 1Introduction
  4. 2TMS320F2838x Product Safety Capability and Constraints
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
    3. 3.3 C2000 Architecture and Product Overview
      1. 3.3.1 TMS320F2838xD Real-Time MCUs
      2. 3.3.2 TMS320F2838xS Real-Time MCU
    4. 3.4 Functional Safety Concept
      1. 3.4.1 VDA E-GAS Monitoring Concept
      2. 3.4.2 TMS320F2838xD/S MCU Safety Philosophy
        1. 3.4.2.1 TMS320F2838xS Safety Philosophy
        2. 3.4.2.2 TMS320F2838xD MCU Safety Philosophy
      3. 3.4.3 Fault Tolerant Time Interval (FTTI)
      4. 3.4.4 TMS320F2838x MCU Safe State
      5. 3.4.5 Assumed Safety Requirements
      6. 3.4.6 Operating States
      7. 3.4.7 Management of Faults
      8. 3.4.8 Suggestions for Improving Freedom From Interference
      9. 3.4.9 Suggestions for Addressing Common Cause Failures
  6. 4TMS320F2838x Diagnostics Libraries
    1. 4.1 Assumptions of Use - F2838x Self-Test Libraries
    2. 4.2 Operational Details - F2838x Self-Test Libraries
      1. 4.2.1 Operational Details – CLA Self-Test Library
      2. 4.2.2 Operational Details - SDL
    3. 4.3 C2000 Safety STL Software Development Flow
    4. 4.4 TMS320F2838x MCU Safety Implementation
      1. 4.4.1 Assumed Safety Requirements
      2. 4.4.2 Example Safety Concept Implementation Options on TMS320F2838x MCU
        1. 4.4.2.1 Safety Concept Implementation: Option 1
          1. 4.4.2.1.1 Safety Concept Implementation: Option 2
  7. 5Brief Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 Reset
      4. 5.1.4 System Control Module and Configuration Registers
      5. 5.1.5 Efuse Static Configuration
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
      8. 5.4.8 Configurable Logic Block
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 ECAT
      3. 5.7.3 Serial Peripheral Interface (SPI)
      4. 5.7.4 Serial Communication Interface (SCI)
      5. 5.7.5 Inter-Integrated Circuit (I2C)
      6. 5.7.6 Fast Serial Interface (FSI)
      7. 5.7.7 Power Management Bus Module (PMBus)
      8. 5.7.8 Multichannel Buffered Serial Port (McBSP)
      9. 5.7.9 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  8. 6Brief Description of Diagnostics
    1. 6.1 C2000 MCU Infrastructure Components
      1. 6.1.1  Clock Integrity Check Using CPU Timer
      2. 6.1.2  Clock Integrity Check Using HRPWM
      3. 6.1.3  EALLOW and MEALLOW Protection for Critical Registers
      4. 6.1.4  Efuse Autoload Self-Test
      5. 6.1.5  Efuse ECC
      6. 6.1.6  Efuse ECC Logic Self-Test
      7. 6.1.7  External Clock Monitoring via XCLKOUT
      8. 6.1.8  External Monitoring of Warm Reset (XRSn)
      9. 6.1.9  External Voltage Supervisor
      10. 6.1.10 External Watchdog
      11. 6.1.11 Glitch Filtering on Reset Pins
      12. 6.1.12 Hardware Disable of JTAG Port
      13. 6.1.13 Internal Watchdog (WD)
      14. 6.1.14 Lock Mechanism for Control Registers
      15. 6.1.15 Missing Clock Detect (MCD)
      16. 6.1.16 NMIWD Reset Functionality
      17. 6.1.17 NMIWD Shadow Registers
      18. 6.1.18 Multibit Enable Keys for Control Registers
      19. 6.1.19 Online Monitoring of Temperature
      20. 6.1.20 Periodic Software Read Back of Static Configuration Registers
      21. 6.1.21 Peripheral Clock Gating (PCLKCR)
      22. 6.1.22 Peripheral Soft Reset (SOFTPRES)
      23. 6.1.23 Software Test of Reset (Type 1)
      24. 6.1.24 PLL Lock Profiling Using On-Chip Timer
      25. 6.1.25 Reset Cause Information
      26. 6.1.26 Software Read Back of Written Configuration
      27. 6.1.27 Software Test of ERRORSTS Functionality
      28. 6.1.28 Software Test of Missing Clock Detect Functionality
      29. 6.1.29 Software Test of Reset
      30. 6.1.30 Software Test of Watchdog (WD) Operation
    2. 6.2 AUXPLL
      1. 6.2.1 Clock Integrity Check Using DCC
      2. 6.2.2 PLL Lock Indication
      3. 6.2.3 Internal Watchdog (WD)
      4. 6.2.4 Software Test of DCC Functionality Including Error Tests
      5. 6.2.5 External Clock Monitoring
      6. 6.2.6 Software Test of PLL Functionality Including Error Tests
      7. 6.2.7 Interleaving of FSM States
      8. 6.2.8 Dual Clock Comparator (DCC) – Type 1
      9. 6.2.9 Peripheral Access Protection - Type 0
    3. 6.3 Processing Elements
      1. 6.3.1  CLA Handling of Illegal Operation and Illegal Results
      2. 6.3.2  CLA Liveness Check Using CPU
      3. 6.3.3  CPU Hardware Built-In Self-Test (HWBIST)
      4. 6.3.4  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
      5. 6.3.5  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
      6. 6.3.6  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
      7. 6.3.7  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      8. 6.3.8  Reciprocal Comparison by Software
      9. 6.3.9  Software Test of CLA
      10. 6.3.10 Stack Overflow Detection
      11. 6.3.11 VCU CRC Check of Static Memory Contents
      12. 6.3.12 VCU CRC Auto Coverage
      13. 6.3.13 Embedded Real Time Analysis and Diagnostic (ERAD)
      14. 6.3.14 Inbuilt hardware redundancy in ERAD bus comparator module
      15. 6.3.15 Disabling of Unused CLA Task Trigger Sources
    4. 6.4 Memory (Flash, SRAM and ROM)
      1. 6.4.1  Bit Multiplexing in Flash Memory Array
      2. 6.4.2  Bit Multiplexing in SRAM Memory Array
      3. 6.4.3  Data Scrubbing to Detect/Correct Memory Errors
      4. 6.4.4  Flash ECC
      5. 6.4.5  Flash Program Verify and Erase Verify Check
      6. 6.4.6  Software Test of ECC Logic
      7. 6.4.7  Software Test of Flash Prefetch, Data Cache and Wait-States
      8. 6.4.8  Access Protection Mechanism for Memories
      9. 6.4.9  SRAM ECC
      10. 6.4.10 SRAM Parity
      11. 6.4.11 Software Test of Parity Logic
      12. 6.4.12 Software Test of SRAM
      13. 6.4.13 Memory Power-On Self-Test (MPOST)
      14. 6.4.14 Background CRC
      15. 6.4.15 Watchdog for Background CRC
      16. 6.4.16 Redundant Parity Engine
      17. 6.4.17 Test of SRAM Parity
    5. 6.5 On-Chip Communication Including Bus-Arbitration
      1. 6.5.1  1oo2 Software Voting Using Secondary Free Running Counter
      2. 6.5.2  DMA Overflow Interrupt
      3. 6.5.3  Event Timestamping Using IPC Counter
      4. 6.5.4  Maintaining Interrupt Handler for Unused Interrupts
      5. 6.5.5  Majority Voting and Error Detection of Link Pointer
      6. 6.5.6  PIE Double SRAM Comparison Check
      7. 6.5.7  PIE Double SRAM Hardware Comparison
      8. 6.5.8  Power-Up Pre-Operational Security Checks
      9. 6.5.9  Software Check of X-BAR Flag
      10. 6.5.10 Software Test of ePIE Operation Including Error Tests
      11. 6.5.11 Disabling of Unused DMA Trigger Sources
      12. 6.5.12 Software Test of CLB Function Including Error Tests
      13. 6.5.13 Monitoring of CLB by eCAP or eQEP
      14. 6.5.14 Lock Mechanism for Control Registers
      15. 6.5.15 Internal Watchdog (WD)
      16. 6.5.16 Periodic Software Read Back of SPI Buffer
      17. 6.5.17 IPC 64-Bit Counter Value Plausibility Check
    6. 6.6 Digital I/O
      1. 6.6.1  ECAP Application Level Safety Mechanism
      2. 6.6.2  ePWM Application Level Safety Mechanism
      3. 6.6.3  ePWM Fault Detection Using XBAR
      4. 6.6.4  ePWM Synchronization Check
      5. 6.6.5  eQEP Application Level Safety Mechanisms
      6. 6.6.6  eQEP Quadrature Watchdog
      7. 6.6.7  eQEP Software Test of Quadrature Watchdog Functionality
      8. 6.6.8  Hardware Redundancy
      9. 6.6.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
      10. 6.6.10 Information Redundancy Techniques
      11. 6.6.11 Monitoring of ePWM by eCAP
      12. 6.6.12 Monitoring of ePWM by ADC
      13. 6.6.13 Online Monitoring of Interrupts and Events
      14. 6.6.14 SDFM Comparator Filter for Online Monitoring
      15. 6.6.15 SD Modulator Clock Fail Detection Mechanism
      16. 6.6.16 Software Test of Function Including Error Tests
      17. 6.6.17 Monitoring of HRPWM by HRCAP
      18. 6.6.18 HRCAP Calibration Logic Test Feature
      19. 6.6.19 QMA Error Detection Logic
    7. 6.7 Analog I/O
      1. 6.7.1 ADC Information Redundancy Techniques
      2. 6.7.2 ADC Input Signal Integrity Check
      3. 6.7.3 ADC Signal Quality Check by Varying Acquisition Window
      4. 6.7.4 CMPSS Ramp Generator Functionality Check
      5. 6.7.5 DAC to ADC Loopback Check
      6. 6.7.6 DAC to Comparator Loopback Check
      7. 6.7.7 Opens/Shorts Detection Circuit for ADC
      8. 6.7.8 VDAC Conversion by ADC
      9. 6.7.9 Disabling Unused Sources of SOC Inputs to ADC
    8. 6.8 Data Transmission
      1. 6.8.1  Controller Area Network (MCAN, CAN-FD)
        1. 6.8.1.1 PWM Trip by MCAN
        2. 6.8.1.2 MCAN Stuff Error Detection
        3. 6.8.1.3 MCAN Form Error Detection
        4. 6.8.1.4 MCAN Acknowledge Error Detection
        5. 6.8.1.5 Timeout on FIFO Activity
        6. 6.8.1.6 Timestamp Consistency Checks
        7. 6.8.1.7 Tx-Event Checks
        8. 6.8.1.8 Interrupt on Message RAM Access Failure
      2. 6.8.2  ECAT
        1. 6.8.2.1  EtherCAT MDIO Command Error Indication
        2. 6.8.2.2  EtherCAT Sync-Manager
        3. 6.8.2.3  EtherCAT Working Counter Error Indication
        4. 6.8.2.4  EtherCAT Frame Error Indication
        5. 6.8.2.5  EtherCAT Physical Layer Error Indication
        6. 6.8.2.6  PDI Timeout Error Indication
        7. 6.8.2.7  EtherCAT EEPROM CRC Error Indication
        8. 6.8.2.8  EtherCAT EEPROM Not Done Error Indication
        9. 6.8.2.9  EtherCAT Data Link Error Indication
        10. 6.8.2.10 EtherCAT Phy Link Error Indication
        11. 6.8.2.11 Sync, GPO Monitoring Using External Monitor
        12. 6.8.2.12 EtherCAT Enhanced Link Detection With LED
        13. 6.8.2.13 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
      3. 6.8.3  Bit Error Detection
      4. 6.8.4  CRC in Message
      5. 6.8.5  DCAN Acknowledge Error Detection
      6. 6.8.6  DCAN Form Error Detection
      7. 6.8.7  DCAN Stuff Error Detection
      8. 6.8.8  EMIF Access Latency Profiling Using On-Chip Timer
      9. 6.8.9  EMIF Access Protection Mechanism
      10. 6.8.10 EMIF Asynchronous Memory Timeout Protection Mechanism
      11. 6.8.11 I2C Access Latency Profiling Using On-Chip Timer
      12. 6.8.12 Information Redundancy Techniques Including End-to-End Safing
      13. 6.8.13 I2C Data Acknowledge Check
      14. 6.8.14 McBSP Receiver Overrun Detection
      15. 6.8.15 McBSP Receiver Sync Error Detection
      16. 6.8.16 McBSP Transmitter Sync Error Detection
      17. 6.8.17 McBSP Transmitter Underflow Detection
      18. 6.8.18 Parity in Message
      19. 6.8.19 SCI Break Error Detection
      20. 6.8.20 SCI Frame Error Detection
      21. 6.8.21 SCI Overrun Error Detection
      22. 6.8.22 Software Test of Function Using I/O Loopback
      23. 6.8.23 SPI Data Overrun Detection
      24. 6.8.24 Transmission Redundancy
      25. 6.8.25 FSI Data Overrun/Underrun Detection
      26. 6.8.26 FSI Frame Overrun Detection
      27. 6.8.27 FSI CRC Framing Checks
      28. 6.8.28 FSI ECC Framing Checks
      29. 6.8.29 FSI Frame Watchdog
      30. 6.8.30 FSI RX Ping Watchdog
      31. 6.8.31 FSI Tag Monitor
      32. 6.8.32 FSI Frame Type Error Detection
      33. 6.8.33 FSI End of Frame Error Detection
      34. 6.8.34 FSI Register Protection Mechanisms
      35. 6.8.35 PMBus Protocol CRC in Message
      36. 6.8.36 Clock Timeout
  9. 7References
  10.   A Safety Architecture Configurations
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided
  12.   C Terms and Definitions
  13.   D Summary of Safety Features and Diagnostics
  14.   E Glossary
  15.   F Revision History

3.4.2.1 TMS320F2838xS Safety Philosophy

TMS320F2838xS devices has a single CPU subsystem. The CPU subsystem has a pair of diverse processing units (C28x and CLA) with different hardware architecture, instruction set and software tools. Any of the two processing units can be used to execute main function (Level 1 of VDA E-gas concept).

The second processing unit of the CPU subsystem can be used for implementing Level 2 monitoring as illustrated in Figure 3-6. Due to diversity of the processing units, a 1oo1D architecture can be implemented using “reciprocal comparison by software in separate processing units” providing high diagnostic coverage for the processing units (ISO26262-5, Table D.4 and IEC61508-2, Table A.4). Heterogeneous CPU cores minimize possibility of common mode failures while implementing this reciprocal comparison thereby improving confidence in its Diagnostic Coverage. This implementation will have a single independent processing channel for TMS320F2838xS.

The product safety philosophy is explained based on 1oo1D safety configuration implemented using reciprocal comparison and other hardware diagnostics. Figure 3-5 illustrates safety partitioning based on the diagnostics employed. The various layers implemented are:

  • Reciprocal Comparison Layer (RED) – This is the region of logic used for all processing operations. This logic has a one processing unit executing the main functionality (Level 1), second processing unit with specific assumptions of use and other hardware diagnostic elements executing monitoring functionality (Level 2). The memories closely coupled with C28x and CLA are protected with either ECC or parity. This region with high diagnostic coverage for both single point faults and latent faults can be used for performing software diagnostic on other design elements. The diverse processing (C28x and CLA) have different hardware architecture, instruction set and software tools. However, they share common power, clock, reset, bus and infrastructure elements. System integrator needs to independently perform common cause failure analysis and freedom from interference analysis and implement the necessary safety measures (for example, External Watchdog, Access Protection Mechanism for Memories, and so forth) to address the concerns which may come up from the analysis.
  • Blended Layer (BLACK) – This is the region of logic that includes safety critical peripherals. This region has a mix of (predominantly) software and hardware diagnostics. Application protocols (for example, end-to-end Safing techniques used in communication protocols) and application related checks (for example, measured values falls within the safe operating limit) are used to support functionally safe operation.
  • Offline Layer (BLUE) – This region of logic has very limited or no integrated hardware diagnostics. Many features in this layer (for example, debug, test, calibration functions, and so forth) are used for production test or application debug and not used during regular operation. Techniques are employed to avoid freedom from interference to main application by the logic elements in this layer.

Due to the inherent versatility of the device architecture, several software voting based safety configurations are possible. Some of the safety configurations possible with TMS320F2838xD for improving diagnostic coverage are explained in Table A-1. While implementing these configurations, system integrator needs to consider the potential common mode failures and address them in an appropriate manner. This may suitably be modified to adapt to TMS320F2838xS requirements based on the availability of processing units. (As stated earlier, the device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as defined in IEC 61508:2010).

GUID-20220922-SS0I-HTWH-L3HS-Z6B5W0CJTXRM-low.png Figure 3-5 C2000 F2838x Real Time Controller With Safety Features
千亿体育app官网登录(中国)官方网站IOS/安卓通用版/手机APP | 米乐app下载官网(中国)|ios|Android/通用版APP最新版 | 米乐|米乐·M6(中国大陆)官方网站 | 千亿体育登陆地址 | 华体会体育(中国)HTH·官方网站 | 千赢qy国际_全站最新版千赢qy国际V6.2.14安卓/IOS下载 | 18新利网v1.2.5|中国官方网站 | bob电竞真人(中国官网)安卓/ios苹果/电脑版【1.97.95版下载】 | 千亿体育app官方下载(中国)官方网站IOS/安卓/手机APP下载安装 |