SLLA475 December 2020 TCAN1144-Q1, TCAN1146-Q1

1 TCAN1144-Q1 and TCAN1146-Q1 Functional Safety Manual
2 Trademarks
3 Introduction
4 TCAN114x-Q1 Hardware Component Functional Safety Capability
5 Development Process for Management of Systematic Faults
  5.1 TI New-Product Development Process
6 TCAN1144-Q1 and TCAN1146-Q1 Component Overview
  6.1 Targeted Applications
  6.2 Hardware Component Functional Safety Concept
  6.3 Functional Safety Constraints and Assumptions
7 Description of Hardware Component Parts
  7.1 CAN Transceiver
  7.2 Digital Core
  7.3 EEPROM
  7.4 Power Control IP
    7.4.1 Voltage Monitors
  7.5 Thermal Shut Down
  7.6 Digital Input/Outputs
8 TCAN1144-Q1 and TCAN1146-Q1 Management of Random Faults
  8.1 Fault Reporting
  8.2 Functional Safety Mechanism Categories
  8.3 Description of Functional Safety Mechanisms
    8.3.1 CAN Communication
      8.3.1.1 SM-1: CAN bus fault diagnostic
      8.3.1.2 SM-2: Thermal shutdown; TSD
      8.3.1.3 SM-3: CAN bus short circuit limiter, IOS
      8.3.1.4 SM-4: CAN TXD pin dominant state timeout; tTXD_DTO
      8.3.1.5 SM-17: CAN protocol
    8.3.2 Supply Voltage Rail Monitoring
      8.3.2.1 SM-5: VCC undervoltage; UVCC
      8.3.2.2 SM-6: VSUP supply undervoltage; UVSUP
      8.3.2.3 SM-7: VIO supply undervoltage; UVIO
    8.3.3 SPI/Processor Communication
      8.3.3.1 SM-8: Timeout, Window or Q&A watchdog error - Normal mode
      8.3.3.2 SM-9: SPI communication error; SPIERR
      8.3.3.3 SM-10: Scratchpad write/read
      8.3.3.4 SM-11: Sleep Wake Error Timer; tINACTIVE
    8.3.4 Device Internal EEPROM
      8.3.4.1 SM-12: Internal memory CRC; CRC_EEPROM
    8.3.5 Floating Pins
      8.3.5.1 SM-13: SCLK internal pull-up to VIO
      8.3.5.2 SM-14: SDI internal pull-up to VIO
      8.3.5.3 SM-15: nCS internal pull-up to VIO
      8.3.5.4 SM-16: TXD internal pull-up to VIO
B Revision History

Summary of Recommended Functional Safety Mechanism Usage

Table A-2 summarizes the functional safety mechanisms present in hardware or recommended for implementation in software or at the system level, as described in Section 7. Table A-1 describes each column in Table A-2 and gives examples of what content could appear in each cell.

Table A-1 Legend of Functional Safety Mechanisms

| Functional Safety Mechanism | Description |
|---|---|
| TI Safety Mechanism Unique Identifier | A unique identifier assigned to this safety mechanism for easier tracking. |
| Safety Mechanism Name | The full name of this safety mechanism. |
| Safety Mechanism Category | Safety Mechanism - This test provides coverage for faults on the primary function. It may also provide coverage on another safety mechanism. |
| | Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide coverage on the primary function. |
| | Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism. |
| Safety Mechanism Type | Can be either hardware, software, a combination of both hardware and software, or system. See Section 8.2 for more details. |
| Safety Mechanism Operation Interval | The timing behavior of the safety mechanism with respect to the test interval defined for a functional safety requirement / functional safety goal. Can be either continuous or on-demand. |
| | Continuous - the safety mechanism constantly monitors the hardware-under-test for a failure condition. |
| | Periodic or On-Demand - the safety mechanism is executed periodically, when demanded by the application. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours. |
| Test Execution Time | Time period required for the safety mechanism to complete, not including error reporting time. |
| | Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component-specific information is required, the component data sheet should be referenced. |
| | Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation-dependent. |
| Action on Detected Fault | The response that this safety mechanism takes when an error is detected. |
| | Note: For software-driven tests, the Action on Detected Fault may depend on software implementation. |
| Time to Report | Typical time required for the safety mechanism to indicate a detected fault to the system. |
| | Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-dependent. |
Table A-2 Summary of Functional Safety Mechanisms

| TI Safety Mechanism Unique Identifier | Safety Mechanism Name | Safety Mechanism Category | Safety Mechanism Type | Safety Mechanism Operation Interval | Test Execution Time | Action on Detected Fault | Time to Report |
|---|---|---|---|---|---|---|---|
| SM-1 | CAN bus fault | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - in normal mode | 150 ns | Sets the interrupt bits in registers 8'h50[7], 8'h50[3] and register 8'h54[6:0] and indicates a CAN bus fault | 50 ns |
| SM-2 | Thermal shutdown; TSD | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 4.4 μs | Turns off the CAN transceiver, sets the interrupt bits in registers 8'h50[7], 8'h50[5] and 8'h52[1] indicating that the junction temperature was exceeded, and enters fail-safe mode or TSD protected mode | 1.1 μs |
| SM-3 | CAN bus short circuit limiter, IOS | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | NA | Limits the current through the CANH and CANL pins. | NA |
| SM-4 | CAN TXD pin dominant state timeout; tTXD_DTO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - in normal mode | 3.5 ms | The device turns off the CAN transceiver and indicates the fault at 8'h50[7], 8'h50[6] and 8'h51[0] | 1.1 μs |
| SM-5 | VCC undervoltage; UVCC | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 330 ms | Device enters the programmed mode, sleep or fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[2] and indicates the UVCC condition | 1.1 μs |
| SM-6 | VSUP supply undervoltage; UVSUP | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 2.2 μs | Device enters the programmed mode, sleep or fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[4] and indicates the UVSUP condition | 1.1 μs |
| SM-7 | VIO supply undervoltage; UVIO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous - all modes except for sleep | 330 ms | Device enters the programmed mode, UVIO protected or fail-safe mode, sets interrupt registers 8'h50[7], 8'h50[5] and 8'h52[3] and indicates the UVIO condition back to the MCU with the nINT pin | 1.1 μs |
| SM-8 | Timeout, Window or Q&A watchdog error - Normal mode | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | Programmable | Increments the WD error counter; if it exceeds the programmed value, the device enters the programmed mode, restart or fail-safe mode, sets the WD interrupt and indicates it back to the MCU with the nINT pin | 1.1 μs |
| SM-9 | SPI communication error; SPIERR | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | 50 ns after rising edge of nCS | The device shall monitor MCU SPI communication using a clock count check; if there are too many or not enough clock signals, the MCU write to the device is blocked and 8'h50[7], 8'h50[4] and 8'h53[7] are set | 1.1 μs |
| SM-10 | Scratchpad write/read | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous when VIO is present; MCU initiated | SPI clock rate dependent: a write plus data followed by a read plus data is required | The processor uses the TCAN114x scratchpad, 8'h0F[7:0], to write data and read it back to determine that SPI communication is valid | NA |
| SM-11 | Sleep Wake Error Timer; tINACTIVE | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | 5 min | If tINACTIVE times out and fail-safe mode (FSM) is enabled, the device enters FSM and indicates the fault at 8'h50[7], 8'h50[4] and 8'h53[5]. If not enabled, the device enters sleep mode. | 1.1 μs |
| SM-12 | Internal memory CRC; CRC_EEPROM | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Periodic - exiting fail-safe and sleep modes | 425 μs | The device attempts to load and CRC-check the EEPROM up to eight times; if this fails, it indicates the fault at 8'h50[7], 8'h50[4] and 8'h53[0] | 1.1 μs |
| SM-13 | SCLK internal pull-up to VIO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | NA | Avoids floating pin | NA |
| SM-14 | SDI internal pull-up to VIO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | NA | Avoids floating pin | NA |
| SM-15 | nCS internal pull-up to VIO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | NA | Avoids floating pin | NA |
| SM-16 | TXD internal pull-up to VIO | Safety Mechanism | Component Hardware Functional Safety Mechanisms | Continuous | NA | Avoids floating pin | NA |
| SM-17 | CAN protocol | Safety Mechanism | System Functional Safety Mechanism | Periodic | NA | The CAN protocol has several mechanisms, such as CRC, that ensure the data provided is correct. If incorrect, the processor disregards the CAN packets | NA |
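As an added example of consuming the fault reporting scheme in Table A-2 (this is not TI's code), the decoder below takes an SPI read-out of registers 8'h50 to 8'h54 and reports which safety mechanisms fired, using only the addresses and bit positions quoted in the table. It assumes that 8'h50[7] is a global interrupt flag and that 8'h50[6:3] are category bits (both assumptions), and it flags any category bit that has no matching detail bit, so an inconsistent report can be treated as a fault in the reporting path itself.

```c
/* Added example, not TI's code: decode the TCAN114x interrupt registers quoted
 * in Table A-2 into the safety mechanisms that fired. Addresses and bits come
 * from the table; 8'h50[7] as global flag and 8'h50[6:3] as category bits is assumed. */
#include <stdint.h>
#include <stddef.h>

/* reg[i] holds register 8'h50+i as read over SPI (constructed in tests). */
struct tcan_int_regs { uint8_t reg[5]; };

struct sm_entry {          /* one Table A-2 row that reports via interrupts */
    uint8_t sm_id;         /* n of SM-n                       */
    uint8_t cat_bit;       /* category bit position in 8'h50  */
    uint8_t sub_reg;       /* detail register 8'h51..8'h54    */
    uint8_t sub_mask;      /* detail bit(s) in that register  */
};

static const struct sm_entry SM_TABLE[] = {
    { 1,  3, 0x54, 0x7F }, /* SM-1  CAN bus fault   8'h54[6:0] */
    { 2,  5, 0x52, 0x02 }, /* SM-2  TSD             8'h52[1]   */
    { 4,  6, 0x51, 0x01 }, /* SM-4  tTXD_DTO        8'h51[0]   */
    { 5,  5, 0x52, 0x04 }, /* SM-5  UVCC            8'h52[2]   */
    { 6,  5, 0x52, 0x10 }, /* SM-6  UVSUP           8'h52[4]   */
    { 7,  5, 0x52, 0x08 }, /* SM-7  UVIO            8'h52[3]   */
    { 9,  4, 0x53, 0x80 }, /* SM-9  SPIERR          8'h53[7]   */
    { 11, 4, 0x53, 0x20 }, /* SM-11 tINACTIVE       8'h53[5]   */
    { 12, 4, 0x53, 0x01 }, /* SM-12 CRC_EEPROM      8'h53[0]   */
};

/* Bit n of the result is set for each SM-n whose global flag, category bit
 * and detail bit(s) are all set; 0 when 8'h50[7] is clear. Category bits
 * set without a matching detail bit are returned in *unexplained so the
 * handler can treat an inconsistent report as a fault in its own right. */
uint32_t tcan_decode_faults(const struct tcan_int_regs *r, uint8_t *unexplained)
{
    uint32_t fired = 0;
    uint8_t r50 = r->reg[0], explained = 0;
    if (r50 & 0x80) {
        for (unsigned i = 0; i < sizeof SM_TABLE / sizeof SM_TABLE[0]; i++) {
            const struct sm_entry *e = &SM_TABLE[i];
            uint8_t cat = (uint8_t)(1u << e->cat_bit);
            if ((r50 & cat) && (r->reg[e->sub_reg - 0x50] & e->sub_mask)) {
                fired |= 1u << e->sm_id;
                explained |= cat;
            }
        }
    }
    if (unexplained)
        *unexplained = (uint8_t)(r50 & 0x78 & (uint8_t)~explained);
    return fired;
}
```

SM-8 is omitted from the table because the page names the WD interrupt without a register address; SM-3, SM-10 and SM-13 to SM-17 do not report through these registers.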