SFFS948 May 2025 MSPM0L1227-Q1, MSPM0L1228-Q1, MSPM0L2227-Q1, MSPM0L2228-Q1


  1 Introduction
    Trademarks
  2 MSPM0Lx22x-Q1 Hardware Component Functional Safety Capability
  3 Development Process for Management of Systematic Faults
    3.1 TI New-Product Development Process
    3.2 TI Functional Safety Development Process
  4 MSPM0Lx22x-Q1 Component Overview
    4.1 Targeted Applications
    4.2 Hardware Component Functional Safety Concept
    4.3 Functional Safety Constraints and Assumptions
  5 Description of Hardware Component Parts
    5.1 ADC
    5.2 Comparator
    5.3 CPU
    5.4 RAM
    5.5 FLASH
    5.6 GPIO
    5.7 DMA
    5.8 SPI
    5.9 I2C
    5.10 UART
    5.11 Timers (TIMx)
    5.12 Power Management Unit (PMU)
    5.13 Clock Module (CKM)
    5.14 Events
    5.15 IOMUX
    5.16 VREF
    5.17 WWDT and IWDT
    5.18 CRC
  6 MSPM0Lx22x-Q1 Management of Random Faults
    6.1 Fault Reporting
    6.2 Functional Safety Mechanism Categories
    6.3 Description of Functional Safety Mechanisms
      6.3.1 ADC1, COMP1, DMA1, GPIO2, TIM2, I2C2, IOMUX1, SPI2, UART2, SYSCTL5, CPU4, CRC1, EVENT1, REF1, WDT1, VBAT2: Periodic Read of Static Configuration Registers
      6.3.2 ADC2: Software Test of Functionality
      6.3.3 ADC3: ADC Trigger Overflow Check
      6.3.4 ADC4: Window Comparator
      6.3.5 ADC5: Test of Window Comparator
      6.3.6 ADC6: ADC Trigger, Output Plausibility Checks
      6.3.7 COMP3: External Pin Input to COMP
      6.3.8 COMP4: Comparator Hysteresis
      6.3.9 WDT: Windowed Watchdog Timer
      6.3.10 WDT2: WWDT Counter Check
      6.3.11 WDT3: WWDT Software Test
      6.3.12 WDT4: Redundant WDT
      6.3.13 IWDT: Independent Watchdog Timer
      6.3.14 REF2: VREF to ADC Reference Input
      6.3.15 CPU1: CPU Test Using Software Test Library
      6.3.16 CPU2: Software Test of CPU Data Busses
      6.3.17 CPU3: Software Diversified Redundancy
      6.3.18 SYSMEM1: Software Read of Memory, DMA Write
      6.3.19 SYSMEM2: DMA Read from SRAM, CPU Write
      6.3.20 SYSMEM7: ECC Protection on SRAM
      6.3.21 SYSMEM8: ECC Logic Test
      6.3.22 SYSMEM9: RAM Software Test
      6.3.23 FLASH1: Flash Single-Error Correction, Double-Error Detection Mechanism
      6.3.24 FLASH2: Flash CRC
      6.3.25 FXBAR2: Periodic Software Read Back of Flash Data
      6.3.26 FXBAR3: Software Test of ECC Checker Logic
      6.3.27 FXBAR4: Write Protection of Flash
      6.3.28 DMA2: Software Test of DMA Function
      6.3.29 DMA3: Software DMA Channel Test
      6.3.30 DMA4: CRC Check of the Transferred Data
      6.3.31 GPIO1: Online Monitoring Using I/O Loopback
      6.3.32 GPIO3: GPIO Multiple (Redundant) Inputs/Outputs
      6.3.33 TIM1: Test for PWM Generation
      6.3.34 TIM3: Test for Fault Generation
      6.3.35 TIM4: Fault Detection to Take the PWMs to Safe State
      6.3.36 TIM5: Input Capture on Two or More Timer Instances
      6.3.37 TIM6: Timer Period Monitoring
      6.3.38 I2C1: Software Test of I2C Function Using Internal Loopback Mechanism
      6.3.39 I2C3, SPI4, UART3, MCAN2: Information Redundancy Techniques Including End-to-End Safing
      6.3.40 I2C4, SPI5, UART4: Transmission Redundancy
      6.3.41 I2C5, UART5: Timeout Monitoring
      6.3.42 I2C6: Test of CRC Function
      6.3.43 I2C7: Packet Error Check in SMBUS Mode
      6.3.44 IOMUX2: IOMUX Coverage as Part of Other IP Safety Mechanisms
      6.3.45 SPI1: Software Test of SPI Function
      6.3.46 SPI3: SPI Periodic Safety Message Exchange
      6.3.47 UART1: Software Test of UART Function
      6.3.48 UART6: UART Error Flags
      6.3.49 UART7: UART Glitch Filter
      6.3.50 SYSCTL1: MCLK Monitor
      6.3.51 SYSCTL2: HFCLK Start-Up Monitor
      6.3.52 SYSCTL3: LFCLK Monitor
      6.3.53 SYSCTL8: Brownout Reset (BOR) Supervisor
      6.3.54 SYSCTL9: FCC Counter Logic to Calculate Clock Frequencies
      6.3.55 SYSCTL10: External Voltage Monitor
      6.3.56 SYSCTL11: Boot Process Monitor
      6.3.57 SYSCTL14: Brownout Voltage Monitor
      6.3.58 SYSCTL15: External Voltage Monitor
      6.3.59 SYSCTL16: External Watchdog Timer
      6.3.60 CRC: CRC Checker
      6.3.61 VBAT1: VBAT Supply Monitor
      6.3.62 Safety Mechanisms Covering PIN Failures
      6.3.63 Safety Mechanisms Covering Common Cause Failures
  A Summary of Recommended Functional Safety Mechanism Usage
  B Distributed Developments
    B.1 How the Functional Safety Lifecycle Applies to TI Functional Safety Products
    B.2 Activities Performed by Texas Instruments
    B.3 Information Provided
  C Revision History

Functional Safety Constraints and Assumptions

In creating a functional Safety Element out of Context (SEooC) concept and performing the functional safety analysis, TI generates a series of assumptions about the system-level design, the functional safety concept, and the requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are located separately in Section 6.3.

The MSPM0Lx22x-Q1 Functional Safety Analysis was done under the following system assumptions:

  • [SA_1] The MSPM0Lx22x-Q1 MCU has interfaces to external sensors.
  • [SA_2] The MSPM0Lx22x-Q1 MCU has interfaces to external actuators.
  • [SA_3] The MSPM0Lx22x-Q1 MCU has interfaces to communicate with an external host controller.
  • [SA_4] The MSPM0Lx22x-Q1 MCU has a programmable CPU to execute a controller function taking sensor inputs and controlling an actuator.
  • [SA_5] The system integrator reviews the recommended diagnostics in the safety analysis report (FMEDA) and safety manual and determines the appropriate diagnostics to include in the system. These diagnostics are implemented according to the device safety manual and data sheet.
  • [SA_6] The external power supply provides the appropriate voltage on each of the power inputs. These rails are monitored for deviations outside the device specifications, and a reset is asserted if a voltage is outside the specified range.
  • [SA_7] The MSPM0Lx22x-Q1 MCU monitors failures on the external clock (if present).
  • [SA_8] The MSPM0Lx22x-Q1 MCU monitors failures on external sensors.
  • [SA_9] The MSPM0Lx22x-Q1 MCU monitors failures on external actuators.
  • [SA_10] In case of internal errors in the MSPM0Lx22x-Q1 MCU or the interfacing sensors and actuators, the MSPM0Lx22x-Q1 MCU can be reset. The host controller monitors communication loss and determines that the MSPM0Lx22x-Q1 MCU is in a faulted state.
  • [SA_11] The system integrator provisions an actuator disable mechanism controlled by the host controller.
  • [SA_12] The system is assumed to require architectural metrics (random fault) complying with (up to) ASIL-B.
  • [SA_14] The system is assumed to have an FTTI > 10 ms.
  • [SA_15] The system integrator connects VBAT and VDD power pins to the same power source.
  • [SA_16] The system integrator considers all potential failure modes and mitigation measures associated with communication interfaces while implementing any end-to-end communication protection diagnostics techniques.
  • [SA_16] The DEBUG function is considered as not safety critical.
  • [SA_17] The RTC function is considered as not safety critical.
  • [SA_18] The AES function is considered as not safety critical.
  • [SA_19] The TRNG function is considered as not safety critical.
  • [SA_20] The TAMPER function is considered as not safety critical.
  • [SA_21] The BACKUP function is considered as not safety critical.
  • [SA_22] The LCD function is considered as not safety critical.
  • [SA_23] The KEYSTORE function is considered as not safety critical.
  • [SA_24] The QM IPs are not used in safety-critical applications.
  • [SA_25] TI assumes that the internal low power modes are not used in safety-critical applications.
  • [SA_26] The system integrator considers all potential failure modes and mitigation measures associated with communication interfaces while implementing any end-to-end communication protection diagnostics techniques.
  • [COEX0] The following components are assumed not safety related (NSR components):
    • RTC
    • TRNG
    • AES
    • TAMPER
    • BACKUP RAM
    • LCD
    • KEYSTORE
    • DFT
    • DEBUG
  • [COEX1] TI recommends that unused components are disabled in the application software.
  • [COEX2] TI recommends that the unused interrupt sources of components are disabled.
  • [COEX3] TI recommends that unused DMA triggers of components are disabled.
  • [COEX4] TI recommends that unused fault inputs in timers are disabled.
  • [COEX5] If external safety mechanisms are used, the system integrator is responsible for completing a dependent failure analysis at the system level.
  • [COEX6] TI assumes that the NSR components are not used in the safety context.
  • [COEX7] TI recommends that debug is disabled in safety-critical applications.
  • [COEX8] TI recommends that a default interrupt service routine is coded for even the unused interrupts.
  • [COEX9] TI recommends that the application does not use IPs as the trigger source of other IPs when those IPs are not safety related.
  • [COEX10] TI recommends that the application does not program flash during safety-critical tasks.
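The interrupt-related recommendations above (COEX0, COEX2 and COEX8) can be turned into a startup routine plus a configuration audit that runs before the safety-critical loop starts. The following is an added, host-runnable model written for this page; it is not TI code and does not use the MSPM0 driverlib or the device's real vector table. The IRQ numbers, the component-to-IRQ assignment and the handler names are constructed for illustration. Every vector starts out pointing at a default handler that treats an unexpected interrupt as a detected fault and drives the system to its safe state (COEX8); handlers are installed and enabled only for the interrupts the application uses (COEX2); and the audit rejects any enabled interrupt that still points at the default handler or that belongs to a component listed as not safety related (COEX0).

```c
/* Added example: host-runnable model of unused-interrupt handling per COEX0,
 * COEX2 and COEX8. IRQ numbers and names are constructed, not MSPM0 values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_IRQS 32u

typedef void (*isr_t)(void);

/* Constructed IRQ assignments for this example (hypothetical). */
enum {
    IRQ_WWDT  = 3,   /* used by the application */
    IRQ_ADC   = 9,   /* used by the application */
    IRQ_TIMG0 = 12,  /* used by the application */
    IRQ_RTC   = 20,  /* NSR component (COEX0): must stay disabled */
    IRQ_AES   = 21,  /* NSR component (COEX0): must stay disabled */
    IRQ_UART1 = 25   /* present on the part, unused by this application */
};

/* Interrupts of components that COEX0 lists as not safety related. */
static const uint8_t NSR_IRQS[] = { IRQ_RTC, IRQ_AES };

static isr_t    g_vectors[NUM_IRQS];   /* models the vector table */
static uint32_t g_irq_enable_mask;     /* models the interrupt enable register */
static int      g_active_irq = -1;     /* models reading the active vector number */

static volatile uint32_t g_unexpected_irqs;
static volatile int      g_last_unexpected_irq = -1;
static volatile bool     g_safe_state;

/* Safe-state action. A real design would disable the actuators (SA_11)
 * and/or request a reset (SA_10); here it only latches a flag. */
static void enter_safe_state(void) { g_safe_state = true; }

/* Default handler installed on every unused vector (COEX8). Reaching it means
 * either a configuration error or a fault, so it is not silently returned from. */
static void default_handler(void)
{
    g_unexpected_irqs++;
    g_last_unexpected_irq = g_active_irq;
    enter_safe_state();
}

static void wwdt_handler(void)  { /* service the watchdog window */ }
static void adc_handler(void)   { /* read the conversion result */ }
static void timg0_handler(void) { /* control-loop tick */ }

static void install_isr(unsigned irq, isr_t isr) { if (irq < NUM_IRQS) g_vectors[irq] = isr; }
static void irq_enable(unsigned irq)  { if (irq < NUM_IRQS) g_irq_enable_mask |=  (1u << irq); }
static void irq_disable(unsigned irq) { if (irq < NUM_IRQS) g_irq_enable_mask &= ~(1u << irq); }

/* Fill the whole table with the default handler, then install and enable only
 * what the application needs; everything else stays disabled (COEX2). */
void interrupts_init(void)
{
    g_irq_enable_mask = 0;
    for (unsigned i = 0; i < NUM_IRQS; i++) g_vectors[i] = default_handler;
    install_isr(IRQ_WWDT,  wwdt_handler);  irq_enable(IRQ_WWDT);
    install_isr(IRQ_ADC,   adc_handler);   irq_enable(IRQ_ADC);
    install_isr(IRQ_TIMG0, timg0_handler); irq_enable(IRQ_TIMG0);
}

/* Audit run before the safety-critical loop: true only if every vector is
 * populated, no enabled interrupt still points at the default handler, and
 * no NSR component interrupt is enabled. */
bool interrupts_audit(void)
{
    for (unsigned i = 0; i < NUM_IRQS; i++) {
        bool enabled = (g_irq_enable_mask >> i) & 1u;
        if (g_vectors[i] == NULL) return false;
        if (enabled && g_vectors[i] == default_handler) return false;
    }
    for (size_t k = 0; k < sizeof NSR_IRQS / sizeof NSR_IRQS[0]; k++)
        if ((g_irq_enable_mask >> NSR_IRQS[k]) & 1u) return false;
    return true;
}

/* Models the core taking interrupt `irq`; returns true if a handler ran. */
bool interrupt_dispatch(unsigned irq)
{
    if (irq >= NUM_IRQS || !((g_irq_enable_mask >> irq) & 1u)) return false;
    g_active_irq = (int)irq;
    g_vectors[irq]();
    g_active_irq = -1;
    return true;
}

uint32_t unexpected_irq_count(void) { return g_unexpected_irqs; }
int      last_unexpected_irq(void)  { return g_last_unexpected_irq; }
bool     in_safe_state(void)        { return g_safe_state; }

int main(void)
{
    interrupts_init();
    printf("audit after init: %s\n", interrupts_audit() ? "pass" : "fail");
    irq_enable(IRQ_UART1);               /* simulated misconfiguration */
    printf("audit with stray enable: %s\n", interrupts_audit() ? "pass" : "fail");
    interrupt_dispatch(IRQ_UART1);
    printf("safe state entered: %d (irq %d)\n", in_safe_state(), last_unexpected_irq());
    return 0;
}
```

The audit is deliberately independent of the initialisation code: it reads back the table and enable mask rather than trusting that `interrupts_init` ran to completion, which is the same read-back idea the periodic static-register checks in Section 6.3.1 rely on. On the real part the default handler would read the active vector number from the core's interrupt status register instead of the `g_active_irq` stand-in used here.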

Some safety mechanisms are required to cover dependent failures; refer to Section 6.3.63 for more details.

During integration activities, the assumptions of use and integration guidelines described for this component shall be considered. Use caution if any of the above functional safety assumptions on this component cannot be met, as some of the resulting gaps cannot be resolved at the system level.