SLLU312A July   2019  – May 2022 TCAN4550-Q1

 

  1.   TCAN4550-Q1 Functional Safety-Manual
  2.   Trademarks
  3. 1Introduction
  4. 2Product Functional Safety-Capability
  5. 3Product Overview
    1. 3.1 Block Diagram
    2. 3.2 Target Applications
      1. 3.2.1 Diagnostic Features
        1. 3.2.1.1 Mode Overview
        2. 3.2.1.2 Sleep Wake Error Timer (SWE)
        3. 3.2.1.3 Undervoltage
        4. 3.2.1.4 Thermal Shut Down
        5. 3.2.1.5 CAN Bus Communication
          1. 3.2.1.5.1 M_CAN
        6. 3.2.1.6 Processor Communication
          1. 3.2.1.6.1 SPI Integrity
            1. 3.2.1.6.1.1 SPI Scratchpad
            2. 3.2.1.6.1.2 SPIERR
            3. 3.2.1.6.1.3 M_CAN Forced Dominant and Recessive
            4. 3.2.1.6.1.4 SPI and FIFO
            5. 3.2.1.6.1.5 ECC for Memory
          2. 3.2.1.6.2 Timeout Watchdog
          3. 3.2.1.6.3 Floating Pins
          4. 3.2.1.6.4 RST Pin
          5. 3.2.1.6.5 Interrupt and Internal Fault Detection
  6. 4Development Process for Management of Systematic Faults
    1. 4.1 TI New-Product Development Process
  7. 5Revision History

3.2.1.5 CAN Bus Communication

CAN bus communication, shown as fault 2, is a main concern in a system. This can happen due to many different mechanisms. Some have been covered in the previous sections of this document. The Bosch M_CAN core has a CRC checker that validates the CAN data so corrupted data does not get transferred to the node processor from the bus. The M_CAN core also provide two loop back test modes that allow the implementer to determine if the data transmitted and received through the core are the same; see Figure 3-8 loop back test mode 1 and 2. These three SPI↔M_CAN test modes are safety mechanism SM-07, SM-08 and SM-09. If an error is detected there are two other test modes that can be used to determine if the error is in the digital core or the transceiver; see Figure 3-8 and Figure 3-9. Driver and receiver function test modes map the internal TXD_INT_PHY, RXD_INT_PHY and EN_INT signals to GPIO to drive and receive data to CAN bus. Table 3-5 and Table 3-6 provide information on CAN bus state when using transceiver test mode and is considered safety mechanism SM-10. Diagnostic tools like dominant state timeout which makes sure the bus is not stuck dominant if the TXD_INT_PHY signal is stuck low. The M_CAN signals TXD_INT_CAN and RXD_INT_CAN can be mapped to GPIO as an aid in diagnostic to determine if the expected data is transmitted from SPI through M_CAN core and vise versa. Table 3-5 and Table 3-6 provide information on CAN bus state when using transceiver test mode.

The TCAN4550-Q1 provides CAN bus short circuit current limiting and is considered safety mechanism SM-06. These also mitigate potential faults 4 and 8.

Table 3-5 Driver Function Table
DEVICE MODETXD_INT INPUTBUS OUTPUTSDRIVEN BUS STATE
CANHCANL
NormalLHLDominant
H or OpenZZBiased Recessive
StandbyXZZWeak Pull to GND
SleepXZZWeak Pull to GND
Table 3-6 Receiver Function Table Normal and Standby Modes
DEVICE MODECAN DIFFERENTIAL INPUTS
VID = VCANH – VCANL		BUS STATERXD_INT TERMINAL
NormalVID ≥ 0.9 VDominantL
0.5 V < VID < 0.9 VUndefinedUndefined
VID ≤ 0.5 VRecessiveH
Standby/SleepVID ≥ 1.15 VDominantSee TCAN4550-Q1 data sheet figure 24 for more detial
0.4 V < VID < 1.15 VUndefined
VID ≤ 0.4 VRecessive
AnyOpen (VID ≈ 0 V)OpenH
GUID-5350394D-9B67-449E-AF78-1819632A00BC-low.gifFigure 3-8 SPI and M_CAN Test Modes
GUID-2119F0C4-23A3-4C12-87D7-029CD4ACA452-low.gifFigure 3-9 CAN Transceiver Test Mode