SFFS222 October   2023 TMS320F2800153-Q1 , TMS320F2800154-Q1 , TMS320F2800155-Q1 , TMS320F2800156-Q1 , TMS320F2800157 , TMS320F2800157-Q1

 

  1.   1
  2.   Trademarks
  3. 1Introduction
  4. 2TMS320F280015x Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F280015x Component Overview
    1. 4.1 C2000 Architecture and Product Overview
      1. 4.1.1 TMS320F280015x MCU
    2. 4.2 Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept With TMS320F280015x MCU
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F280015x MCU Safe State
      4. 4.2.4 Operating States
    3. 4.3 C2000 Safety Diagnostics Libraries
      1. 4.3.1 Assumptions of Use - F280015x Self-Test Libraries
      2. 4.3.2 Operational Details - F280015x Self-Test Libraries
        1. 4.3.2.1 Operational Details – C28x Self-Test Library
        2. 4.3.2.2 Operational Details – SDL
      3. 4.3.3 C2000 Safety STL Software Development Flow
    4. 4.4 TMS320F280015x MCU Safety Implementation
      1. 4.4.1 Assumed Safety Requirements
      2. 4.4.2 Example Safety Concept Implementation Options on TMS320F280015x MCU
        1. 4.4.2.1 Safety Concept Implementation: Option 1
        2. 4.4.2.2 Safety Concept Implementation: Option 2
  7. 5Description of Safety Elements
    1. 5.1 TMS320F280015x MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Enhanced Peripheral Interrupt Expander (ePIE) Module
      3. 5.4.3 Dual Zone Code Security Module (DCSM)
      4. 5.4.4 CrossBar (X-BAR)
      5. 5.4.5 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
      6. 5.5.6 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Controller Area Network (MCAN, CAN FD)
      3. 5.7.3 Serial Peripheral Interface (SPI)
      4. 5.7.4 Serial Communication Interface (SCI)
      5. 5.7.5 Inter-Integrated Circuit (I2C)
      6. 5.7.6 Local Interconnect Network (LIN)
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Description of Functional Safety Mechanisms
      1. 6.4.1 TMS320F280015x MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW Protection for Critical Registers
        5. 6.4.1.5  External Monitoring of Clock via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Glitch Filtering on Reset Pins
        10. 6.4.1.10 Hardware Disable of JTAG Port
        11. 6.4.1.11 Lockout of JTAG Access Using OTP
        12. 6.4.1.12 Internal Watchdog (WD)
        13. 6.4.1.13 Lock Mechanism for Control Registers
        14. 6.4.1.14 Missing Clock Detect (MCD)
        15. 6.4.1.15 NMIWD Reset Functionality
        16. 6.4.1.16 NMIWD Shadow Registers
        17. 6.4.1.17 Multi-Bit Enable Keys for Control Registers
        18. 6.4.1.18 Online Monitoring of Temperature
        19. 6.4.1.19 Periodic Software Read Back of Static Configuration Registers
        20. 6.4.1.20 Peripheral Clock Gating (PCLKCR)
        21. 6.4.1.21 Peripheral Soft Reset (SOFTPRES)
        22. 6.4.1.22 Software Test of Reset - Type 1
        23. 6.4.1.23 PLL Lock Profiling Using On-Chip Timer
        24. 6.4.1.24 Reset Cause Information
        25. 6.4.1.25 Software Read Back of Written Configuration
        26. 6.4.1.26 Software Test of ERRORSTS Functionality
        27. 6.4.1.27 Software Test of Missing Clock Detect Functionality
        28. 6.4.1.28 Software Test of Watchdog (WD) Operation
        29. 6.4.1.29 Dual-Clock Comparator (DCC) - Type 2
        30. 6.4.1.30 PLL Lock Indication
        31. 6.4.1.31 Software Test of DCC Functionality Including Error Tests
        32. 6.4.1.32 Software Test of PLL Functionality Including Error Tests
        33. 6.4.1.33 Interleaving of FSM States
        34. 6.4.1.34 Brownout Reset (BOR)
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Software Test of CPU
        3. 6.4.2.3  Stack Overflow Detection
        4. 6.4.2.4  VCRC Check of Static Memory Contents
        5. 6.4.2.5  VCRC Auto Coverage
        6. 6.4.2.6  Hardware Redundancy Using Lockstep Compare Module (LCM)
        7. 6.4.2.7  Self-test Logic for LCM
        8. 6.4.2.8  LCM Compare Error Forcing Mode
        9. 6.4.2.9  LCM MMR Parity
        10. 6.4.2.10 Test of LCM MMR Parity
        11. 6.4.2.11 Lockstep Self-test Mux Select Logic Fault Detection
        12. 6.4.2.12 Redundancy in LCM Comparator
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect/Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program/Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 ROM Parity
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1 1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2 Maintaining Interrupt Handler for Unused Interrupts
        3. 6.4.4.3 Power-Up Pre-Operational Security Checks
        4. 6.4.4.4 Majority Voting and Error Detection of Link Pointer
        5. 6.4.4.5 Software Check of X-BAR Flag
        6. 6.4.4.6 Software Test of ePIE Operation Including Error Tests
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  eCAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using X-BAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  eQEP Application Level Safety Mechanism
        6. 6.4.5.6  eQEP Quadrature Watchdog
        7. 6.4.5.7  eQEP Software Test of Quadrature Watchdog Functionality
        8. 6.4.5.8  Hardware Redundancy
        9. 6.4.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
        10. 6.4.5.10 Information Redundancy Techniques
        11. 6.4.5.11 Monitoring of ePWM by eCAP
        12. 6.4.5.12 Monitoring of ePWM by ADC
        13. 6.4.5.13 Online Monitoring of Periodic Interrupts and Events
        14. 6.4.5.14 Software Test of Function Including Error Tests
        15. 6.4.5.15 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1 ADC Information Redundancy Techniques
        2. 6.4.6.2 ADC Input Signal Integrity Check
        3. 6.4.6.3 ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4 CMPSS Ramp Generator Functionality Check
        5. 6.4.6.5 DAC to ADC Loopback Check
        6. 6.4.6.6 Opens/Shorts Detection Circuit for ADC
        7. 6.4.6.7 Disabling Unused Sources of SOC Inputs to ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Information Redundancy Techniques Including End-to-End Safing
        2. 6.4.7.2  Bit Error Detection
        3. 6.4.7.3  CRC in Message
        4. 6.4.7.4  DCAN Acknowledge Error Detection
        5. 6.4.7.5  DCAN Form Error Detection
        6. 6.4.7.6  DCAN Stuff Error Detection
        7. 6.4.7.7  PWM Trip by MCAN
        8. 6.4.7.8  MCAN Acknowledge Error Detection
        9. 6.4.7.9  MCAN Form Error Detection
        10. 6.4.7.10 MCAN Stuff Error Detection
        11. 6.4.7.11 Timeout on FIFO Activity
        12. 6.4.7.12 Timestamp Consistency Checks
        13. 6.4.7.13 Tx-Event Checks
        14. 6.4.7.14 Interrupt on Message RAM Access Failure
        15. 6.4.7.15 Software Test of Function Including Error Tests Using EPG
        16. 6.4.7.16 I2C Access Latency Profiling Using On-Chip Timer
        17. 6.4.7.17 I2C Data Acknowledge Check
        18. 6.4.7.18 Parity in Message
        19. 6.4.7.19 SCI Break Error Detection
        20. 6.4.7.20 Frame Error Detection
        21. 6.4.7.21 Overrun Error Detection
        22. 6.4.7.22 Software Test of Function Using I/O Loopback
        23. 6.4.7.23 SPI Data Overrun Detection
        24. 6.4.7.24 Transmission Redundancy
        25. 6.4.7.25 LIN Physical Bus Error Detection
        26. 6.4.7.26 LIN No-Response Error Detection
        27. 6.4.7.27 LIN Checksum Error Detection
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN ID Parity Error Detection
        30. 6.4.7.30 PMBus Protocol CRC in Message
        31. 6.4.7.31 Clock Timeout
        32. 6.4.7.32 Communication Access Latency Profiling Using On-Chip Timer
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

6.3 Suggestions for Addressing Common Cause Failures

System Integrator needs to execute a common cause failure analysis to consider possible dependent/common cause failures on the sub-elements of the TMS320F280015x MCU, including pin level connections.

  1. Consider a relevant list of dependent failure initiators, such as the lists found in ISO 26262-11:2018. Analysis of dependent failures should include common cause failures among functional redundant parts and also between functions and the respective safety mechanisms.
  2. Verify that the dependent failure analysis considers the impact of the software tasks running on the TMS320F280015x MCU, including hardware and software interactions.
  3. Verify that the dependent failure analysis considers the impact of the pin or ball level interactions on the TMS320F280015x MCU package, including aspects related to the selected I/O multiplexing.

The following should be considered for addressing the common cause failures when using the TMS320F280015x MCU:

  1. Redundant functions and safety mechanism can be impacted by common power failure. A common cause failure on power source can be detected by PWR1-External Voltage Supervisor, PWR2-External Watchdog.
  2. In general, a clock source which is common to redundant functions should be monitored and any failures on the same can be detected by safety mechanisms such as CLK1-Missing Clock Detect (MCD), CLK17-Dual-Clock Comparator (DCC), CLK2-Clock Integrity Check Using CPU Timer, CLK5-External Clock Monitoring via XCLKOUT and CLK8-Periodic Software Read Back of Static Configuration Registers. Specifically, to avoid common clock failure affecting Internal Watchdog (WD) and CPU, it is recommended to use either INTOSC2 or X1/X2 as clock source to PLL.
  3. Failure of common reset signal to redundant functions can be detected by RST1-External Monitoring of Warm Reset (XRSn), RST2-Reset Cause Information.
  4. Common cause failure on Interconnect logic could impact both redundant functions and also functional safety mechanism in same way. In addition to other safety mechanisms, INC1-Software Test of Function Including Error Tests can be implemented to detect faults on interconnect logic.
  5. Common cause failure could impact two functions used in a redundant way. In case the of communication peripherals, module specific Information Redundancy Techniques Including End-to-End Safing can be implemented to detect common cause failures, for example, CAN2-Information Redundancy Techniques Including End-to-End Safing, SPI2-Information Redundancy Techniques Including End-to-End Safing, SCI3-Information Redundancy Techniques Including End-to-End Safing, I2C3-Information Redundancy Techniques Including End-to-End Safing.
  6. Use different voltage references and SOC trigger sources for ADC (see Section 6.4.5.8).
  7. Use ePWM modules from different sync groups for implementing Hardware Redundancy.
  8. Use nonadjacent GPIO pins from different groups when implementing Hardware Redundancy for GPIO pins.
千亿体育app官网登录(中国)官方网站IOS/安卓通用版/手机APP | 米乐app下载官网(中国)|ios|Android/通用版APP最新版 | 米乐|米乐·M6(中国大陆)官方网站 | 千亿体育登陆地址 | 华体会体育(中国)HTH·官方网站 | 千赢qy国际_全站最新版千赢qy国际V6.2.14安卓/IOS下载 | 18新利网v1.2.5|中国官方网站 | bob电竞真人(中国官网)安卓/ios苹果/电脑版【1.97.95版下载】 | 千亿体育app官方下载(中国)官方网站IOS/安卓/手机APP下载安装 |