SFFS700 May   2024 TMS320F28P650DH , TMS320F28P650DK , TMS320F28P650SH , TMS320F28P650SK , TMS320F28P659DH-Q1 , TMS320F28P659DK-Q1 , TMS320F28P659SH-Q1

 

  1.   1
  2. 1Introduction
  3.   Trademarks
  4. 2Hardware Component Functional Safety Capability
  5. 3TI Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  6. 4TMS320F28P65x Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
      1. 4.2.1 VDA E-GAS Monitoring Concept
      2. 4.2.2 Fault Tolerant Time Interval (FTTI)
      3. 4.2.3 TMS320F28P65x MCU Safe State
      4. 4.2.4 Operating States
      5. 4.2.5 TMS320F28P65x MCU Safety Implementation
        1. 4.2.5.1 Assumed Safety Requirements
        2. 4.2.5.2 Example Safety Concept Implementation Options on TMS320F28P65x MCU
          1. 4.2.5.2.1 Safety Concept Implementation: Option 1
          2. 4.2.5.2.2 Safety Concept Implementation: Option 2
          3. 4.2.5.2.3 Safety Concept Implementation: Option 3
          4. 4.2.5.2.4 Safety Concept Implementation: Option 4
          5. 4.2.5.2.5 Safety Concept Implementation: Option 5
          6. 4.2.5.2.6 Safety Concept Implementation: Option 6
      6. 4.2.6 TMS320F28P65x Diagnostic Libraries
        1. 4.2.6.1 Assumptions of Use: F28P65x Self-Test Libraries
        2. 4.2.6.2 Operational Details: F28P65x Self-Test Libraries
          1. 4.2.6.2.1 Operational Details: C28x Self-Test Library
          2. 4.2.6.2.2 Operational Details: CLA Self-Test Library
          3. 4.2.6.2.3 Operational Details - Software Diagnostic Libraries
        3. 4.2.6.3 C2000 Safety STL Software Development Flow
    3. 4.3 Functional Safety Constraints and Assumptions
  7. 5Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 APLL
      4. 5.1.4 Reset
      5. 5.1.5 System Control Module and Configuration Registers
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
      7. 5.1.7 Advanced Encryption Standard (AES) Accelerator
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator (CLA)
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
      8. 5.4.8 Configurable Logic Block (CLB)
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pin Muxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 High Resolution Capture (HRCAP)
      6. 5.5.6 Enhanced Quadrature Encoder Pulse (eQEP)
      7. 5.5.7 Sigma Delta Filter Module (SDFM)
      8. 5.5.8 External Interrupt (XINT)
    6. 5.6 Analog I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital-to-Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1  Controller Area Network (DCAN)
      2. 5.7.2  Controller Area Network (MCAN, CAN FD)
      3. 5.7.3  Ethernet for Control Automation Technology (EtherCAT)
      4. 5.7.4  Serial Peripheral Interface (SPI)
      5. 5.7.5  Serial Communication Interface (SCI)
      6. 5.7.6  Universal Asynchronous Receiver/Transmitter (UART)
      7. 5.7.7  Local Interconnect Network (LIN)
      8. 5.7.8  Inter-Integrated Circuit (I2C)
      9. 5.7.9  Fast Serial Interface (FSI)
      10. 5.7.10 Power Management Bus Module (PMBus)
      11. 5.7.11 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  8. 6Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Suggestions for Improving Freedom From Interference
    3. 6.3 Suggestions for Addressing Common Cause Failures
    4. 6.4 Descriptions of Functional Safety Mechanisms
      1. 6.4.1 C2000 MCU Infrastructure Components
        1. 6.4.1.1  Clock Integrity Check Using DCC
        2. 6.4.1.2  Clock Integrity Check Using CPU Timer
        3. 6.4.1.3  Clock Integrity Check Using HRPWM
        4. 6.4.1.4  EALLOW and MEALLOW Protection for Critical Registers
        5. 6.4.1.5  External Clock Monitoring via XCLKOUT
        6. 6.4.1.6  External Monitoring of Warm Reset (XRSn)
        7. 6.4.1.7  External Voltage Supervisor
        8. 6.4.1.8  External Watchdog
        9. 6.4.1.9  Brownout Reset (BOR)
        10. 6.4.1.10 Glitch Filtering on Reset Pins
        11. 6.4.1.11 Hardware Disable of JTAG Port
        12. 6.4.1.12 Lockout of JTAG Access Using OTP
        13. 6.4.1.13 Internal Watchdog (WD)
        14. 6.4.1.14 Lock Mechanism for Control Registers
        15. 6.4.1.15 Missing Clock Detect (MCD)
        16. 6.4.1.16 NMIWD Reset Functionality
        17. 6.4.1.17 NMIWD Shadow Registers
        18. 6.4.1.18 Multibit Enable Keys for Control Registers
        19. 6.4.1.19 Online Monitoring of Temperature
        20. 6.4.1.20 Periodic Software Read Back of Static Configuration Registers
        21. 6.4.1.21 Peripheral Clock Gating (PCLKCR)
        22. 6.4.1.22 Peripheral Soft Reset (SOFTPRES)
        23. 6.4.1.23 Peripheral Access Protection – Type 1
        24. 6.4.1.24 Software Test of Reset – Type 1
        25. 6.4.1.25 PLL Lock Profiling Using On-Chip Timer
        26. 6.4.1.26 Reset Cause Information
        27. 6.4.1.27 Software Read Back of Written Configuration
        28. 6.4.1.28 Software Test of ERRORSTS Functionality
        29. 6.4.1.29 Software Test of Missing Clock Detect Functionality
        30. 6.4.1.30 Software Test of Watchdog (WD) Operation
        31. 6.4.1.31 Dual Clock Comparator (DCC) – Type 2
        32. 6.4.1.32 PLL Lock Indication
        33. 6.4.1.33 Software Test of DCC Functionality Including Error Tests
        34. 6.4.1.34 Software Test of PLL Functionality Including Error Tests
        35. 6.4.1.35 Interleaving of FSM States
        36. 6.4.1.36 Decryption of Encrypted Data Output Using Same KEY and IV
        37. 6.4.1.37 Software Test of Standalone GHASH Operation
      2. 6.4.2 Processing Elements
        1. 6.4.2.1  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
        2. 6.4.2.2  Reciprocal Comparison by Software
        3. 6.4.2.3  Software Test of CPU
        4. 6.4.2.4  CPU Hardware Built-In Self-Test (HWBIST)
        5. 6.4.2.5  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
        6. 6.4.2.6  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
        7. 6.4.2.7  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
        8. 6.4.2.8  Software Test of CLA
        9. 6.4.2.9  CLA Handling of Illegal Operation and Illegal Results
        10. 6.4.2.10 CLA Liveness Check Using CPU
        11. 6.4.2.11 Disabling of Unused CLA Task Trigger Sources
        12. 6.4.2.12 Stack Overflow Detection
        13. 6.4.2.13 VCRC Check of Static Memory Contents
        14. 6.4.2.14 VCRC Auto Coverage
        15. 6.4.2.15 Hardware Redundancy Using Lockstep Compare Module (LCM)
        16. 6.4.2.16 Self-Test Logic for LCM
        17. 6.4.2.17 LCM Compare Error Forcing Mode
        18. 6.4.2.18 LCM MMR Parity
        19. 6.4.2.19 Test of LCM MMR Parity
        20. 6.4.2.20 Lockstep Self-test Mux Select Logic Fault Detection
        21. 6.4.2.21 Redundancy in LCM Comparator
        22. 6.4.2.22 Embedded Real Time Analysis and Diagnostic (ERAD)
        23. 6.4.2.23 Inbuilt Hardware Redundancy in ERAD Bus Comparator Module
      3. 6.4.3 Memory (Flash, SRAM and ROM)
        1. 6.4.3.1  Bit Multiplexing in Flash Memory Array
        2. 6.4.3.2  Bit Multiplexing in SRAM Memory Array
        3. 6.4.3.3  Data Scrubbing to Detect and Correct Memory Errors
        4. 6.4.3.4  Flash ECC
        5. 6.4.3.5  Flash Program Verify and Erase Verify Check
        6. 6.4.3.6  Flash Program and Erase Protection
        7. 6.4.3.7  Flash Wrapper Error and Status Reporting
        8. 6.4.3.8  Prevent 0 to 1 Transition Using Program Command
        9. 6.4.3.9  On-Demand Software Program Verify and Blank Check
        10. 6.4.3.10 CMDWEPROT* and Program Command Data Buffer Registers Self-Clear After Command Execution
        11. 6.4.3.11 ECC Generation and Checker Logic is Separate in Hardware
        12. 6.4.3.12 Auto ECC Generation Override
        13. 6.4.3.13 Software Test of ECC Logic
        14. 6.4.3.14 Software Test of Flash Prefetch, Data Cache and Wait-States
        15. 6.4.3.15 Access Protection Mechanism for Memories
        16. 6.4.3.16 SRAM ECC
        17. 6.4.3.17 SRAM Parity
        18. 6.4.3.18 Software Test of Parity Logic
        19. 6.4.3.19 Software Test of SRAM
        20. 6.4.3.20 Memory Power-On Self-Test (MPOST)
        21. 6.4.3.21 Background CRC
        22. 6.4.3.22 Watchdog for Background CRC
        23. 6.4.3.23 ROM Parity
        24. 6.4.3.24 Redundant Parity Engine
      4. 6.4.4 On-Chip Communication Including Bus-Arbitration
        1. 6.4.4.1  1oo2 Software Voting Using Secondary Free Running Counter
        2. 6.4.4.2  DMA Overflow Interrupt
        3. 6.4.4.3  Event Timestamping Using IPC Counter
        4. 6.4.4.4  Maintaining Interrupt Handler for Unused Interrupts
        5. 6.4.4.5  Majority Voting and Error Detection of Link Pointer
        6. 6.4.4.6  PIE Double SRAM Comparison Check
        7. 6.4.4.7  PIE Double SRAM Hardware Comparison
        8. 6.4.4.8  Power-Up Pre-Operational Security Checks
        9. 6.4.4.9  Software Check of X-BAR Flag
        10. 6.4.4.10 Software Test of ePIE Operation Including Error Tests
        11. 6.4.4.11 Disabling of Unused DMA Trigger Sources
        12. 6.4.4.12 Software Test of CLB Function Including Error Tests
        13. 6.4.4.13 Monitoring of CLB by eCAP or eQEP
        14. 6.4.4.14 Periodic Software Read Back of SPI Buffer
        15. 6.4.4.15 IPC 64-Bit Counter Value Plausibility Check
      5. 6.4.5 Digital I/O
        1. 6.4.5.1  ECAP Application Level Safety Mechanism
        2. 6.4.5.2  ePWM Application Level Safety Mechanism
        3. 6.4.5.3  ePWM Fault Detection Using XBAR
        4. 6.4.5.4  ePWM Synchronization Check
        5. 6.4.5.5  Online MINMAX Monitoring of TRIP Events
        6. 6.4.5.6  Fault Avoidance Using Minimum Dead Band
        7. 6.4.5.7  Fault Avoidance Using Illegal Combo Logic
        8. 6.4.5.8  Diode Emulation Mode Monitoring
        9. 6.4.5.9  eQEP Application Level Safety Mechanisms
        10. 6.4.5.10 eQEP Quadrature Watchdog
        11. 6.4.5.11 eQEP Software Test of Quadrature Watchdog Functionality
        12. 6.4.5.12 Hardware Redundancy
        13. 6.4.5.13 HRPWM Built-In Self-Check and Diagnostic Capabilities
        14. 6.4.5.14 Information Redundancy Techniques
        15. 6.4.5.15 Monitoring of ePWM by eCAP
        16. 6.4.5.16 Monitoring of ePWM by ADC
        17. 6.4.5.17 Online Monitoring of Interrupts and Events
        18. 6.4.5.18 SDFM Comparator Filter for Online Monitoring
        19. 6.4.5.19 SD Modulator Clock Fail Detection Mechanism
        20. 6.4.5.20 Software Test of Function Including Error Tests
        21. 6.4.5.21 Monitoring of HRPWM by HRCAP
        22. 6.4.5.22 HRCAP Calibration Logic Test Feature
        23. 6.4.5.23 QMA Error Detection Logic
      6. 6.4.6 Analog I/O
        1. 6.4.6.1  ADC Information Redundancy Techniques
        2. 6.4.6.2  ADC Input Signal Integrity Check
        3. 6.4.6.3  ADC Signal Quality Check by Varying Acquisition Window
        4. 6.4.6.4  Hardware Redundancy with ADC Safety Checker
        5. 6.4.6.5  Hardware Redundancy of ADC Safety Checker
        6. 6.4.6.6  Disabling Unused Sources of SOC Inputs to ADC
        7. 6.4.6.7  CMPSS Ramp Generator Functionality Check
        8. 6.4.6.8  DAC to ADC Loopback Check
        9. 6.4.6.9  DAC to Comparator Loopback Check
        10. 6.4.6.10 Opens/Shorts Detection Circuit for ADC
        11. 6.4.6.11 VDAC Conversion by ADC
      7. 6.4.7 Data Transmission
        1. 6.4.7.1  Bit Error Detection
        2. 6.4.7.2  CRC in Message
        3. 6.4.7.3  DCAN Acknowledge Error Detection
        4. 6.4.7.4  DCAN Form Error Detection
        5. 6.4.7.5  DCAN Stuff Error Detection
        6. 6.4.7.6  PWM Trip by MCAN
        7. 6.4.7.7  MCAN Stuff Error Detection
        8. 6.4.7.8  MCAN Form Error Detection
        9. 6.4.7.9  MCAN Acknowledge Error Detection
        10. 6.4.7.10 Timeout on FIFO Activity
        11. 6.4.7.11 Timestamp Consistency Checks
        12. 6.4.7.12 Tx-Event Checks
        13. 6.4.7.13 Interrupt on Message RAM Access Failure
        14. 6.4.7.14 Software Test of Function Including Error Tests Using EPG
        15. 6.4.7.15 EMIF Access Latency Profiling Using On-Chip Timer
        16. 6.4.7.16 EMIF Access Protection Mechanism
        17. 6.4.7.17 EMIF Asynchronous Memory Timeout Protection Mechanism
        18. 6.4.7.18 I2C Access Latency Profiling Using On-Chip Timer
        19. 6.4.7.19 Information Redundancy Techniques Including End-to-End Safing
        20. 6.4.7.20 I2C Data Acknowledge Check
        21. 6.4.7.21 Parity in Message
        22. 6.4.7.22 Break Error Detection
        23. 6.4.7.23 Frame Error Detection
        24. 6.4.7.24 Overrun Error Detection
        25. 6.4.7.25 Software Test of Function Using I/O Loopback
        26. 6.4.7.26 SPI Data Overrun Detection
        27. 6.4.7.27 Transmission Redundancy
        28. 6.4.7.28 Data Parity Error Detection
        29. 6.4.7.29 LIN Physical Bus Error Detection
        30. 6.4.7.30 LIN No-Response Error Detection
        31. 6.4.7.31 LIN Checksum Error Detection
        32. 6.4.7.32 LIN ID Parity Error Detection
        33. 6.4.7.33 Communication Access Latency Profiling Using On-Chip Timer
        34. 6.4.7.34 FSI Data Overrun and Underrun Detection
        35. 6.4.7.35 FSI Frame Overrun Detection
        36. 6.4.7.36 FSI CRC Framing Checks
        37. 6.4.7.37 FSI ECC Framing Checks
        38. 6.4.7.38 FSI Frame Watchdog
        39. 6.4.7.39 FSI RX Ping Watchdog
        40. 6.4.7.40 FSI Tag Monitor
        41. 6.4.7.41 FSI Frame Type Error Detection
        42. 6.4.7.42 FSI End of Frame Error Detection
        43. 6.4.7.43 FSI Register Protection Mechanisms
        44. 6.4.7.44 PMBus Protocol CRC in Message
        45. 6.4.7.45 PMBus Clock Timeout
        46. 6.4.7.46 EtherCAT MDIO Command Error Indication
        47. 6.4.7.47 EtherCAT Sync-Manager
        48. 6.4.7.48 EtherCAT Working Counter Error Indication
        49. 6.4.7.49 EtherCAT Frame Error Indication
        50. 6.4.7.50 EtherCAT Physical Layer Error Indication
        51. 6.4.7.51 PDI Timeout Error Indication
        52. 6.4.7.52 EtherCAT EEPROM CRC Error Indication
        53. 6.4.7.53 EtherCAT EEPROM Not Done Error Indication
        54. 6.4.7.54 EtherCAT Data Link Error Indication
        55. 6.4.7.55 EtherCAT Phy Link Error Indication
        56. 6.4.7.56 Sync, GPO Monitoring Using External Monitor
        57. 6.4.7.57 EtherCAT Enhanced Link Detection With LED
        58. 6.4.7.58 HW Redundancy of GPIO, FMMU, Sync Manager and SYNC OUT
  9. 7References
  10.   A Summary of Safety Features and Diagnostics
  11.   B Distributed Developments
    1.     B.1 How the Functional Safety Life Cycle Applies to Functional Safety-Compliant Products
    2.     B.2 Activities Performed by Texas Instruments
    3.     B.3 Information Provided

4.3 Functional Safety Constraints and Assumptions

In creating a functional Safety Element out of Context (SEooC) concept and doing the functional safety analysis, TI generates a series of assumptions on system level design, functional safety concept, and requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are separately located in Section 6.4.

The TMS320F28P65x Functional Safety Analysis was done under the following system assumptions:

  • [SA_1] The system integrator shall follow all requirements in the component data sheet.
  • [SA_2] The system shall be configured to allow this device to activate or communicate with assigned actuators to maintain proper operating state of the external system based on input from assigned sensors.
  • [SA_3] If the system is in a fault detected state, software may attempt to recover from the fault before a safety goal is violated. Software shall be configured to put the system into a safe state, if unable to recover from a fault, before the violation of a safety goal occurs.
  • [SA_4] The system integrator shall review the recommended diagnostics in the Safety Manual and Safety Analysis Report (FMEDA), and determine the appropriate diagnostics to include in their system. These diagnostics shall be implemented according to the device Safety Manual and datasheet.
  • [SA_5] The software shall initialize the continuous diagnostics and periodically run the test-for-diagnostics in alignment with the system safety concept including Fault Tolerant Time Interval (FTTI), Process Safety Time (PST), and Multi-Point Fault Detection Time Interval (MPFDTI).
  • [SA_6] The power supply to this device shall provide the appropriate power on each of the power inputs. These rails shall be monitored for deviations outside the device specifications.
  • [SA_7] The power supply or other external monitoring device(s) shall monitor the device error pins and transition the system to a safe state after an unrecoverable error is indicated.
  • [SA_8] The power supply or other external monitoring device shall monitor the device to provide coverage for diagnosing power faults. A watchdog is an example technique to achieve this diagnostic.
  • [SA_9] The power supply or other external monitoring device shall be used as a parallel path to disable downstream actuators in situations such as before the device is capable to perform a safety function (i.e. device startup) or when device faults have been detected that would compromise the decision making capability of the device (i.e. MCU fault conditions).
  • [SA_10] A system concept appropriate to the targeted ASIL/SIL level shall be chosen to detect faults in the execution of the code running on the CPUs related to the safety function. This concept shall also take into consideration shared modules (i.e. RAM, flash, ADCs, etc.). Examples include, but are not limited to, reciprocal comparison by software, watchdogs, etc.
  • [SA_11] System configuration and implementation checks shall be performed by the system integrator.
  • [SA_12] Availability of system function is not a safety requirement. When the system is off or in reset, it shall be in a safe state.
  • [SA_13] Device power sequencing requirements shall not be considered to be safety critical.
  • [SA_14] The system integrator shall review the SEooC analysis and integrate it into the system level safety analysis, the diagnostics shall be applied as needed with respect to the system safety goals and requirements, and integration testing shall be performed.
  • [SA_15] The system integrator shall analyze the other components in the system with respect to the safety concept and will implement diagnostics on those components as needed with respect to that safety concept.
  • [SA_16] The safety function is considered to operate in high/continuous demand mode of operation (per IEC 61508). (Note this does not exclude the option of operating in low demand mode. This assumption is made to provide a baseline for judgment of the Safety Integrity Level targets.)
  • [SA_17] This device is considered to be a type B safety-related element or subsystem (per IEC 61508). Additionally, the F28P65x MCU claims no hardware fault tolerance (HFT = 0), as defined in IEC 61508:2010.
  • [SA_18] The safety function shall not begin until the software enables it after this device has successfully completed its startup sequence, run any required integrity checks, and is in a normal mode of operation.
  • [SA_19] Debug and Design For Test (DFT) logic shall be disabled during operation of a safety function.

During integration activities these assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some identified gaps may be unresolvable at the system level.
千亿体育app官网登录(中国)官方网站IOS/安卓通用版/手机APP | 米乐app下载官网(中国)|ios|Android/通用版APP最新版 | 米乐|米乐·M6(中国大陆)官方网站 | 千亿体育登陆地址 | 华体会体育(中国)HTH·官方网站 | 千赢qy国际_全站最新版千赢qy国际V6.2.14安卓/IOS下载 | 18新利网v1.2.5|中国官方网站 | bob电竞真人(中国官网)安卓/ios苹果/电脑版【1.97.95版下载】 | 千亿体育app官方下载(中国)官方网站IOS/安卓/手机APP下载安装 |