SPRADF6A, December 2023 – May 2024. Devices: AM2432, AM2434, AM6421, AM6422, AM6441, AM6442

Contents

- Abstract
- 1 Functional Safety Goals and Safety Concepts
- 2 HARA and Safety Concept Assessment Stage
- 3 SIL and ASIL Classification
- 4 Random and Systematic Faults
- 5 AM243x and AM64x: Safety Diagnostics and Examples
- 6 AM243x and AM64x: Safety MCU With FFI Support
- 7 Safety Element Out of Context
- 8 Functional Safety Resources and Examples

AM243x and AM64x: Safety Diagnostics and Examples

TI’s AM243x microcontrollers and AM64x processors were specifically designed to support functional safety in a wide range of applications, including Programmable Logic Controllers (PLCs), motor control, industrial communication gateways, and robotics. The AM243x and AM64x series have device options targeting SIL-2 random fault capability (≤ 100 FIT of dangerous undetected faults) and SIL-3 systematic capability. At the system level, when combined with an external safety processor, the AM243x and AM64x can assist system integrators in achieving up to SIL-3 with HFT = 1. Hardware Fault Tolerance (HFT) = 1 means the system can maintain the safety concept in the event of a single-point hardware failure.

To meet SIL-2 random fault metrics, the AM243x and AM64x make extensive use of safety diagnostics. Device-level safety diagnostics fall into 3 categories as shown in Figure 5-1.

Figure 5-1. Safety Diagnostics Categories (figure not reproduced here)

Single-Error Correcting Double-Error Detecting (SECDED) is a common hardware diagnostic used to detect memory errors. This diagnostic does exactly as the name implies, correcting single-bit memory errors and detecting 2-bit and even some 3-bit memory errors. Both the AM243x and AM64x have SECDED on all on-chip memories.

CRC, or Cyclic Redundancy Check, is a software diagnostic used to detect data transmission errors. A CRC value is calculated over the data packet prior to transmission and then re-calculated at the receiving end. If the two values do not match, the data was corrupted during transmission. Both calculations are done in software, and implementing that software is the responsibility of the system integrator.
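As an added illustration of the sender/receiver CRC scheme just described (example code written for this page, not TI software or anything from the AM243x/AM64x SDK): the sender appends a CRC-32 to the payload and the receiver recomputes it over what arrived. The polynomial (IEEE 802.3), the little-endian trailer layout and the sample payload are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit-serial reflected CRC-32 (polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF).
   Standard check value: crc32("123456789") == 0xCBF43926. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            uint32_t mask = (crc & 1u) ? 0xEDB88320u : 0u;
            crc = (crc >> 1) ^ mask;
        }
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Sender side: copy the payload into the frame and append its CRC
   little-endian. The frame buffer must hold len + 4 bytes. Returns frame length. */
size_t frame_build(const uint8_t *payload, size_t len, uint8_t *frame)
{
    memcpy(frame, payload, len);
    uint32_t c = crc32(payload, len);
    for (int i = 0; i < 4; i++)
        frame[len + i] = (uint8_t)(c >> (8 * i));
    return len + 4;
}

/* Receiver side: recompute the CRC over the received payload and compare it
   with the transmitted trailer. Returns 1 if intact, 0 if corrupted or too short. */
int frame_check(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 4) return 0;
    size_t len = frame_len - 4;
    uint32_t rx = 0;
    for (int i = 0; i < 4; i++)
        rx |= (uint32_t)frame[len + i] << (8 * i);
    return crc32(frame, len) == rx;
}

/* Builds a frame from a constructed 9-byte payload, XORs frame byte `index`
   with `mask` to simulate transmission errors (mask 0 = none), and returns
   the receiver's verdict. */
int check_after_corruption(size_t index, uint8_t mask)
{
    uint8_t frame[9 + 4];
    size_t n = frame_build((const uint8_t *)"123456789", 9, frame);
    if (index < n) frame[index] ^= mask;
    return frame_check(frame, n);
}
```

Errors in the trailer itself (indices 9 to 12) are also reported as corruption, since the receiver cannot tell a damaged CRC from a damaged payload.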

An example of a hardware + software diagnostic is an internal watchdog timer. Watchdog timers are counters implemented in silicon that count down from an initial value to zero. The processor being monitored runs a program that periodically resets the watchdog timer, preventing the timer from ever reaching zero. If the watchdog does reach zero, the assumption is that the processor has locked up and needs to be reset, put into a safe state, or both.

All safety faults are routed to the AM64x and AM243x Error Signaling Module (ESM), providing a centralized fault management and reporting system. The ESM classifies errors by severity and allows the system integrator to program the response to each error. Response options include asserting the Safety Error pin (Figure 6-3), generating a high- or low-priority interrupt, or asserting the Safety Error pin and generating an interrupt.

A complete list of hardware and software diagnostics supported by the AM243x and AM64x can be found in the functional safety manual.