SFFS624B March 2024 – August 2025 MSPM0G3105, MSPM0G3105-Q1, MSPM0G3106, MSPM0G3106-Q1, MSPM0G3107, MSPM0G3107-Q1, MSPM0G3505, MSPM0G3505-Q1, MSPM0G3506, MSPM0G3506-Q1, MSPM0G3507, MSPM0G3507-Q1


  1. 1
  2. 1 Introduction
    1. Trademarks
  3. 2 MSPM0G3x0x-Q1 Hardware Component Functional Safety Capability
  4. 3 Development Process for Management of Systematic Faults
    1. 3.1 TI New-Product Development Process
    2. 3.2 TI Functional Safety Development Process
  5. 4 MSPM0G3x0x-Q1 Component Overview
    1. 4.1 Targeted Applications
    2. 4.2 Hardware Component Functional Safety Concept
    3. 4.3 Functional Safety Constraints and Assumptions
  6. 5 Description of Hardware Component Parts
    1. 5.1 ADC
    2. 5.2 Comparator
    3. 5.3 DAC
    4. 5.4 OPA
    5. 5.5 CPU
    6. 5.6 RAM
    7. 5.7 FLASH
    8. 5.8 GPIO
    9. 5.9  DMA
    10. 5.10 SPI
    11. 5.11 I2C
    12. 5.12 UART
    13. 5.13 Timers (TIMx)
    14. 5.14 Power Management Unit (PMU)
    15. 5.15 Clock Module (CKM)
    16. 5.16 CAN-FD
    17. 5.17 Events
    18. 5.18 IOMUX
    19. 5.19 VREF
    20. 5.20 WWDT
    21. 5.21 CRC
  7. 6 MSPM0G3x0x-Q1 Management of Random Faults
    1. 6.1 Fault Reporting
    2. 6.2 Functional Safety Mechanism Categories
    3. 6.3 Description of Functional Safety Mechanisms
      1. 6.3.1 ADC1, COMP1, DAC1, DMA1, GPIO2, TIM2, I2C2, IOMUX1, SPI2, UART2, SYSCTL5, MCAN3, CPU4, CRC1, EVENT1, REF1, WDT1: Periodic Read of Static Configuration Registers
      2. 6.3.2 ADC2: Software Test of Functionality
      3. 6.3.3  ADC3: ADC Trigger Overflow Check
      4. 6.3.4  ADC4: Window Comparator
      5. 6.3.5  ADC5: Test of Window Comparator
      6. 6.3.6  ADC6: ADC Trigger, Output Plausibility Checks
      7. 6.3.7  OA2: Test of OA Using Internal DAC as a Driver
      8. 6.3.8  OA3: ADC Monitoring of OA Output
      9. 6.3.9  COMP2: Software Test of Comparator Using Internal DAC
      10. 6.3.10 COMP3: External Pin Input to COMP
      11. 6.3.11 COMP4: Comparator Hysteresis
      12. 6.3.12 COMP5: Redundant Comparator
      13. 6.3.13 WDT: Windowed Watchdog Timer
      14. 6.3.14 WDT2: WWDT Counter Check
      15. 6.3.15 WDT3: WWDT Software Test
      16. 6.3.16 WDT4: Redundant WDT
      17. 6.3.17 REF2: VREF to ADC Reference Input
      18. 6.3.18 CPU1: CPU Test Using Software Test Library
      19. 6.3.19 CPU2: Software Test of CPU Data Buses
      20. 6.3.20 CPU3: Software Diversified Redundancy
      21. 6.3.21 SYSMEM1: Software Read of Memory, DMA Write
      22. 6.3.22 SYSMEM2: DMA Read from SRAM, CPU Write
      23. 6.3.23 SYSMEM3: Parity Logic Test
      24. 6.3.24 SYSMEM4: Parity Protection on SRAM
      25. 6.3.25 SYSMEM9: RAM Software Test
      26. 6.3.26 FLASH1: FLASH Single Error Correction, Double Error Detection Mechanism
      27. 6.3.27 FLASH2: Flash CRC
      28. 6.3.28 FXBAR2: Periodic Software Read Back of Flash Data
      29. 6.3.29 FXBAR3: Software Test of ECC Checker Logic
      30. 6.3.30 FXBAR4: Write Protection of Flash
      31. 6.3.31 DAC2: DAC Test Using Internal ADC as DAC Output Checker
      32. 6.3.32 DAC3: DAC FIFO Underrun Interrupt
      33. 6.3.33 DMA2: Software Test of DMA Function
      34. 6.3.34 DMA3: Software DMA Channel Test
      35. 6.3.35 DMA4: CRC Check of the Transferred Data
      36. 6.3.36 GPIO1: GPIO Test Using Pin I/O Loopback
      37. 6.3.37 GPIO3: GPIO Multiple (Redundant) Inputs/Outputs
      38. 6.3.38 TIM1: Test for PWM Generation
      39. 6.3.39 TIM3: Test for Fault Generation
      40. 6.3.40 TIM4: Fault Detection to Take the PWMs to Safe State
      41. 6.3.41 TIM5: Input Capture on Two or More Timer Instances
      42. 6.3.42 TIM6: Timer Period Monitoring
      43. 6.3.43 I2C1: Software Test of I2C Function Using Internal Loopback Mechanism
      44. 6.3.44 I2C3, SPI4, UART3, MCAN2: Information Redundancy Techniques Including End-to-End Safing
      45. 6.3.45 I2C4, SPI5, UART4: Transmission Redundancy
      46. 6.3.46 I2C5, UART5: Timeout Monitoring
      47. 6.3.47 I2C6: Test of CRC Function
      48. 6.3.48 I2C7: Packet Error Check in SMBUS Mode
      49. 6.3.49 IOMUX2: IOMUX Coverage as Part of Other IP Safety Mechanisms
      50. 6.3.50 SPI1: Software Test of SPI Function
      51. 6.3.51 SPI3: SPI Periodic Safety Message Exchange
      52. 6.3.52 UART1: Software Test of UART Function
      53. 6.3.53 UART6: UART Error Flags
      54. 6.3.54 UART7: UART Glitch filter
      55. 6.3.55 SYSCTL1: MCLK Monitor
      56. 6.3.56 SYSCTL2: HFCLK Start-Up Monitor
      57. 6.3.57 SYSCTL3: LFCLK Monitor
      58. 6.3.58 SYSCTL6: SYSPLL Start-Up Monitor
      59. 6.3.59 SYSCTL8: Brownout Reset (BOR) Supervisor
      60. 6.3.60 SYSCTL9: FCC Counter Logic to Calculate Clock Frequencies
      61. 6.3.61 SYSCTL10: External Voltage Monitor
      62. 6.3.62 SYSCTL11: Boot Process Monitor
      63. 6.3.63 SYSCTL14: Brownout Voltage Monitor
      64. 6.3.64 SYSCTL15: External Voltage Monitor
      65. 6.3.65 SYSCTL16: External Watchdog Timer
      66. 6.3.66 MCAN1: Software test of function using I/O Loopback
      67. 6.3.67 MCAN4: SRAM ECC
      68. 6.3.68 MCAN5: Software Test of ECC Check Logic
      69. 6.3.69 MCAN6: MCAN Timeout Function
      70. 6.3.70 MCAN7: MCAN Timestamp Function
      71. 6.3.71 CRC: CRC Checker
      72. 6.3.72 EVENT2: Interrupt Connectivity Check
      73. 6.3.73 Safety Mechanisms Covering PIN Failures
      74. 6.3.74 Safety Mechanisms Covering Common Cause Failures
  8. A Summary of Recommended Functional Safety Mechanism Usage
  9. B Distributed Developments
    1. B.1 How the Functional Safety Lifecycle Applies to TI Functional Safety Products
    2. B.2 Activities Performed by Texas Instruments
    3. B.3 Information Provided
  10. C Revision History

Functional Safety Constraints and Assumptions

In creating a functional Safety Element out of Context (SEooC) concept and performing the functional safety analysis, TI generates a series of assumptions about the system-level design, the functional safety concept, and the requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are located separately in Section 6.3.

The MSPM0G3x0x-Q1 Functional Safety Analysis was done under the following system assumptions:

  • [SA_1] The MSPM0G3x0x-Q1 MCU has interfaces to external sensors.
  • [SA_2] The MSPM0G3x0x-Q1 MCU has interfaces to external actuators.
  • [SA_3] The MSPM0G3x0x-Q1 MCU has interfaces to communicate with an external host controller.
  • [SA_4] The MSPM0G3x0x-Q1 MCU has a programmable CPU to execute a controller function taking sensor inputs and controlling an actuator.
  • [SA_5] The system integrator reviews the recommended diagnostics in the safety analysis report (FMEDA) and safety manual and determines the appropriate diagnostics to include in the system. These diagnostics are implemented according to the device safety manual and data sheet.
  • [SA_6] The external power supply provides the appropriate power on each of the power inputs. These rails are monitored for deviations outside the device specifications, and a reset is asserted if the voltage is outside the range.
  • [SA_7] The MSPM0G3x0x-Q1 MCU monitors failures on the external clock (if present).
  • [SA_8] The MSPM0G3x0x-Q1 MCU monitors failures on external sensors.
  • [SA_9] The MSPM0G3x0x-Q1 MCU monitors failures on external actuators.
  • [SA_10] In case of internal errors in the MSPM0G3x0x-Q1 MCU or the interfacing sensors and actuators, the MSPM0G3x0x-Q1 MCU can be reset. The host controller monitors communication loss and determines that the MSPM0G3x0x-Q1 MCU is in a faulted state.
  • [SA_11] The system integrator provisions an actuator disable mechanism controlled by the host controller.
  • [SA_12] The system is assumed to require architectural metrics (random fault) complying with (up to) ASIL B.
  • [SA_14] The system is assumed to have an FTTI > 10 ms.
  • [SA_16] The DEBUG function is considered as not safety critical.
  • [SA_17] The RTC function is considered as not safety critical.
  • [SA_18] The AES function is considered as not safety critical.
  • [SA_19] The TRNG function is considered as not safety critical.
  • [SA_24] The QM IPs are not used in safety-critical applications.
  • [SA_25] TI assumes that the internal low power modes are not used in safety-critical applications.
  • [SA_26] The system integrator considers all potential failure modes and mitigation measures associated with communication interfaces while implementing any end-to-end communication protection diagnostics techniques.
  • [SA_27] The MATHACL function shall be considered as not safety critical.
  • [SA_28] The GPAMP function shall be considered as not safety critical.
  • [COEX0] The following components are assumed not safety related (NSR components):
    • RTC
    • TRNG
    • AES
    • DFT
    • DEBUG
    • MATHACL
  • [COEX1] TI recommends that unused components are disabled in the application software.
  • [COEX2] TI recommends that the unused interrupt sources of components are disabled.
  • [COEX3] TI recommends that unused DMA triggers of components are disabled.
  • [COEX4] TI recommends that unused fault inputs in timers are disabled.
  • [COEX5] If external safety mechanisms are used, the system integrator is responsible for completing a dependent failure analysis at the system level.
  • [COEX6] TI assumes that the NSR components are not used in the safety context.
  • [COEX7] TI recommends that debug is disabled in safety-critical applications.
  • [COEX8] TI recommends that a default interrupt service routine is coded even for the unused interrupts.
  • [COEX9] TI recommends that the application does not use IPs as the trigger source of other IPs when those IPs are not safety related.
  • [COEX10] TI recommends that the application does not program flash during safety-critical tasks.
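As an added illustration (not code from this document or from TI), the following host-side monitor models the host role described in [SA_10] and [SA_11]: the host expects a periodic heartbeat from the MCU, treats a missing, corrupted or out-of-order heartbeat as a faulted MCU, drives the actuator disable mechanism and requests an MCU reset. The heartbeat frame format (sequence counter plus its bitwise complement), the 5 ms loss timeout chosen as half of the 10 ms FTTI from [SA_14], and all function and field names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Timing budget assumed for this example: loss must be detected and the
 * actuator disabled within the FTTI (> 10 ms per [SA_14]); the loss
 * timeout takes half of it and leaves the rest for the reaction itself. */
#define FTTI_MS          10u
#define LOSS_TIMEOUT_MS  (FTTI_MS / 2u)   /* 5 ms */
typedef struct {
    uint32_t last_rx_ms;          /* arrival time of the last valid heartbeat */
    uint8_t  expected_seq;        /* sequence number expected next */
    bool     faulted;             /* latched: MCU declared to be in a faulted state */
    bool     actuator_disabled;   /* [SA_11] disable mechanism driven by the host */
    bool     mcu_reset_requested; /* [SA_10] the host may reset the MCU */
} host_monitor_t;

static void enter_safe_state(host_monitor_t *m)
{
    m->faulted = m->actuator_disabled = m->mcu_reset_requested = true;
}

void host_monitor_init(host_monitor_t *m, uint32_t now_ms)
{
    m->last_rx_ms = now_ms;
    m->expected_seq = 0u;
    m->faulted = m->actuator_disabled = m->mcu_reset_requested = false;
}

/* Heartbeat frame from the MCU: a sequence counter plus its bitwise complement
 * (a simple information-redundancy check in the spirit of [SA_26]). Returns
 * false and enters the safe state if the frame is corrupted or out of order. */
bool host_monitor_on_heartbeat(host_monitor_t *m, uint32_t now_ms,
                               uint8_t seq, uint8_t seq_inv)
{
    if (m->faulted)
        return false;               /* stays latched until re-initialised */
    if ((uint8_t)(seq ^ seq_inv) != 0xFFu || seq != m->expected_seq) {
        enter_safe_state(m);
        return false;
    }
    m->last_rx_ms = now_ms;
    m->expected_seq = (uint8_t)(seq + 1u);
    return true;
}
/* Called from the host scheduler; unsigned subtraction tolerates tick wrap. */
void host_monitor_tick(host_monitor_t *m, uint32_t now_ms)
{
    if (!m->faulted && (uint32_t)(now_ms - m->last_rx_ms) > LOSS_TIMEOUT_MS)
        enter_safe_state(m);
}
```

Once the safe state is latched, the host must re-run host_monitor_init after the MCU reset completes; until then every heartbeat is rejected so a rebooting MCU cannot silently re-enable the actuator.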

Some safety mechanisms are required to cover dependent failures; refer to Section 6.3.74 for more details.

During integration activities, the assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some identified gaps can be unresolvable at the system level.