SLLA535 December   2022 TLIN1431-Q1

 

  1. 1Introduction
    1.     Trademarks
  2. 2TLIN1431x-Q1 Hardware Component Functional Safety Capability
  3. 3Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  4. 4TLIN1431x-Q1 Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
    3. 4.3 Functional Safety Constraints and Assumptions
  5. 5Description of Hardware Component Parts
    1. 5.1 LIN Transceiver
    2. 5.2 Digital Core
    3. 5.3 Power Control IP
    4. 5.4 Digital Input/Output Pins and High-side Switch
  6. 6TLIN1431x-Q1 Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Functional Safety Mechanism Categories
    3. 6.3 Description of Functional Safety Mechanisms
      1. 6.3.1 LIN Bus and Communication
        1. 6.3.1.1 SM-1: LIN TXD Pin Dominant State Timeout
        2. 6.3.1.2 SM-2: LIN Bus Stuck Dominant System Fault: False Wake Up Lockout
        3. 6.3.1.3 SM-3: LIN Bus Short Circuit Limiter
        4. 6.3.1.4 SM-20: LIN Internal pull-up to VSUP
        5. 6.3.1.5 SM-22: LIN Protocol
      2. 6.3.2 Voltage Rail Monitoring
        1. 6.3.2.1 SM-4: VCC and Transceiver Thermal Shutdown
        2. 6.3.2.2 SM-5: VCC Under-voltage
        3. 6.3.2.3 SM-6: VCC Over-voltage
        4. 6.3.2.4 SM-7: VCC Short to Ground
        5. 6.3.2.5 SM-8: VSUP Under-voltage
      3. 6.3.3 Processor Communication
        1. 6.3.3.1 SM-9 and SM-10: Watchdog
          1. 6.3.3.1.1 SM-9: Standby Mode Long Window Timeout Watchdog
          2. 6.3.3.1.2 SM-10: Normal Mode Watchdog
        2. 6.3.3.2 SM-11: SPI CRC
        3. 6.3.3.3 SM-12: SPI Communication Error; SPIERR
        4. 6.3.3.4 SM-13: Scratchpad Write/Read Register
        5. 6.3.3.5 SM-14: Sleep Wake Error Timer; tINACT_FS
      4. 6.3.4 Digital Input/Output Pins and High-side Switch
        1. 6.3.4.1 SM-15: CLK internal pull-up to VINT
        2. 6.3.4.2 SM-16: SDI internal pull-up to VINT
        3. 6.3.4.3 SM-17: nCS Internal pull-up to VINT
        4. 6.3.4.4 SM-18: DIV_ON Internal pull-down to GND
        5. 6.3.4.5 SM-19: TXD Internal pull-up to VINT
        6. 6.3.4.6 SM-21: nRST Internal pull-up to VINT
        7. 6.3.4.7 SM-23: HSS Over Current Detect
        8. 6.3.4.8 SM-24: HSS Open Load Detect
          1.        A Summary of Recommended Functional Safety Mechanism Usage
            1.         B Distributed Developments
              1.          B.1 How the Functional Safety Lifecycle Applies to TI Functional Safety Products
              2.          B.2 Activities Performed by Texas Instruments
              3.          B.3 Information Provided
                1.           C Revision History

A Summary of Recommended Functional Safety Mechanism Usage

Table A-2 summarizes the functional safety mechanisms present in hardware or recommend for implementation in software or at the system level as described in Section 5. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.

Table A-1 Legend of Functional Safety Mechanisms
Functional Safety MechanismDescription
TI Safety Mechanism Unique IdentifierA unique identifier assigned to this safety mechanism for easier tracking.
Safety Mechanism NameThe full name of this safety mechanism.
Safety Mechanism CategorySafety Mechanism - This test provides coverage for faults on the primary function. It may also provide coverage on another safety mechanism.

Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide coverage on the primary function.

Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism.

Safety Mechanism TypeCan be either hardware, software, a combination of both hardware and software, or system. See Section 6.2 for more details.
Safety Mechanism Operation IntervalThe timing behavior of the safety mechanism with respect to the test interval defined for a functional safety requirement / functional safety goal. Can be either continuous, or on-demand.

Continuous - the safety mechanism constantly monitors the hardware-under-test for a failure condition.

Periodic or On-Demand - the safety mechanism is executed periodically, when demanded by the application. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours.

Test Execution TimeTime period required for the safety mechanism to complete, not including error reporting time.

Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component specific information is required, the component data sheet should be referenced.

Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation-dependent.

Action on Detected FaultThe response that this safety mechanism takes when an error is detected.

Note: For software-driven tests, the Action on Detected Fault may depend on software implementation.

Time to ReportTypical time required for safety mechanism to indicate a detected fault to the system.

Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-dependent.

Table A-2 Summary of Functional Safety Mechanisms
TI Safety Mechanism Unique IdentifierSafety Mechanism NameSafety Mechanism CategorySafety Mechanism TypeSafety Mechanism Operation IntervalTest Execution TimeAction on Detected FaultTime to Report
SM-1LIN TXD pin dominant state timeout; tTXD_DTOSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - In normal and fast mode80 msThe device monitors the TXD pin for a stuck dominant for tTXD_DTO then the device turns off the LIN transceiver and indicate the fault at register h'5A[6].

3 µs

SM-2LIN bus stuck dominantSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - In normal and fast mode3 µsUpon entering sleep mode, the device detects the state of the LIN bus. If the bus is dominant, the wake-up logic is locked out until a valid recessive on the bus “clears” the bus stuck dominant, preventing excessive current use.3 µs
SM-3LIN bus short circuit limiter, IBUS_LIMSafety MechanismComponent Hardware Functional Safety MechanismsPeriodicNALimits the current through the LIN pin.NA
SM-4VCC and Transceiver thermal shutdown; TSDSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - All modes except for sleep mode10 µsTurn off the CAN transceiver and set the interrupt bit registers h'50[7], h'50[5] and h'52[1] indicating junction temperature exceeded and indicate an interrupt back to the MCU using the nINT pin and enter fail-safe mode or TSD protected mode.3 µs
SM-5VCC under voltage; UVCCSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - All modes except for sleep mode4 msDevice enters programmed mode, restart or fail-safe, sets interrupt bits and indicates UVCC condition back to MCU with nINT pin, 8'h52[2] UVCC interrupt.3 µs
SM-6VCC over-voltage; OVCCSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - All modes except for sleep mode150 µsDevice enters programmed mode, fail-safe or sleep mode, sets interrupt bits and indicates OVCC condition back to MCU with nINT pin, 8'h52[5] OVCC interrupt.3 µs
SM-7VCC short to ground; VCCSCSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - All modes except for sleep mode125 µsDevice enters programmed mode, fail-safe or sleep mode, sets interrupt bits and indicates VCCSC condition back to MCU with nINT pin, 8'h53[3] VCCSC interrupt.3 µs
SM-8VSUP supply under voltage; UVSUPSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - All modes except for sleep mode125 µsDevice enters UVSUP state and sets interrupt, 8'h52[4] UVSUP letting processor know that this event took place.3 µs
SM-9Standby long timeout WD; tINITWDSafety MechanismComponent Hardware Functional Safety MechanismsPeriodic - Upon entering standby mode.200 msMissing window cause an interrupt flag to be set and indication back to MCU with nINT pin and setting interrupt 8'h51[7] WD.5 µs
SM-10Timeout or window watchdog error - Normal modeSafety MechanismComponent Hardware Functional Safety MechanismsContinuousProgrammable 4 ms to 20 sIncrements WD error counter and if exceeded programmed value enters programmed mode, restart or fail-safe mode, set WD interrupt and indicate back to MCU with nINT pin and setting interrupt 8'h51[7] WD.5 µs
SM-11SPI CRC ErrorSafety MechanismComponent Hardware Functional Safety MechanismsContinuous8 µsThe device shall monitor MCU SPI communication utilizing 8-bit CRC and if the CRC is invalid the MCU write to the device is blocked. Interrupt 8'h53[4] CRCERR is set.2 µs
SM-12SPI communication error; SPIERRSafety MechanismComponent Hardware Functional Safety MechanismsContinuous8 µsThe device shall monitor MCU SPI communication utilizing clock count check and if too many or not enough clock signals the MCU write to the device is blocked and interrupt bit set and indicated fault back to MCU with the nINT pin and interrupt 8'h53[7] SPIERR is set.2 µs
SM-13Scratchpad write/readSafety MechanismComponent Hardware Functional Safety MechanismsContinuous16 µsUsing the scratchpad, h'F[7:0], by the processor makes it possible to write and read back data for the purpose of verifying SPI communication.16 µs
SM-14Sleep Wake Error Timer; tINACT_FSSafety MechanismComponent Hardware Functional Safety MechanismsContinuousProgrammable 30 seconds to 10 min Default 5 minThe Sleep Wake Error timer is used to determine if inactivity indicated loss of communication with MCU and causes the device to transition to either fail-safe mode or sleep mode. Interrupt 8'h51[4] WKERR is set along with 8'h52[7] SMS and/or 8'h53[5] FSM as applicable.5 µs
SM-15CLK internal pull-up to VINTSafety MechanismComponent Hardware Functional Safety MechanismsContinuous

NA

Avoids floating pin.

NA

SM-16SDI internal pull-up to VINTSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin.NA
SM-17nCS internal pull-up to VINTSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin.NA
SM-18DIV_ON internal pull-downSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin.NA
SM-19TXD internal pull-up to VINTSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin causing LIN bus being stuck dominant.NA
SM-20LIN internal pull-up to VSUPSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin causing LIN bus being stuck dominant.NA
SM-21nRST internal pull-up to VINTSafety MechanismComponent Hardware Functional Safety MechanismsContinuousNAAvoids floating pin, indicates to processor a UVCC event, watchdog failure event and device in restart mode. Also utilized as a device power on reset input.NA
SM-22LIN protocolSafety MechanismSystem Functional Safety MechanismPeriodicNALIN protocol has several mechanisms that makes sure the data provided is correct, like checksum. If incorrect the processor disregards the LIN data.NA
SM-23HSS Current LimitSafety MechanismComponent Hardware Functional Safety MechanismsContinuous - when on20 µsTurns off the HSS to avoid damage and interrupt 8'h5A[3] HSSOC is set.3 µs
SM-24HSS Open Load DetectSafety MechanismComponent Hardware Functional Safety Mechanisms Continuous - when on80 µsIndicates to processor that there is an open load on HSS and interrupt 8'h5A[2] HSSOL is set.3 µs