SLLU312A July 2019 – May 2022 TCAN4550-Q1

 


Sleep Wake Error Timer (SWE)

The sleep wake error (SWE) timer is a four-minute timer that is used to place the device into Sleep mode due to certain faults. The SWE timer helps mitigate the faults shown by items 1, 4, 5 and 6 in Figure 3-5 and is considered safety mechanism SM-01.

The TCAN4550-Q1 fail-safe feature is used to reduce node power consumption in case of a system issue. Fail-safe is the method the device uses to enter Sleep mode from various other modes when specific issues arise. This feature uses the SWE timer to determine whether the node processor can communicate with the TCAN4550-Q1. The SWE timer is enabled by default through SWE_DIS, 16'h0800[1] = 0, but can be disabled by writing a one to this bit. Even when the timer is disabled, it still runs automatically for power up and power-on resets. The fail-safe feature is disabled by default but can be enabled by writing a one to 16'h0800[13], FAIL-SAFE_EN.

Upon power up, the SWE timer, tINACTIVE, starts and the processor has typically four minutes to configure the TCAN4550-Q1, clear the PWRON flag or configure the device for Normal mode; see Figure 3-7. This feature cannot be disabled. If the device has not had the PWRON flag cleared or been placed into Normal mode, it enters Sleep mode. The device wakes up if the CAN bus provides a WUP or a local wake event takes place, thus entering Standby mode. Once in Standby mode, the tSILENCE and tINACTIVE timers start. If tINACTIVE expires, the device re-enters Sleep mode.

The second failure mechanism that causes the device to use the fail-safe feature, if enabled, is when the device receives a CANINT, CAN bus wake (WUP) or WAKE pin (LWU) while in Sleep mode, such that the device leaves Sleep mode and enters Standby mode. The processor has four minutes to clear the flags and place the device into Normal mode. If this does not happen, the device enters Sleep mode.

The third failure mechanism that can trigger the fail-safe feature is a silent CAN bus, that is, the CANSLNT flag persisting for tINACTIVE. Examples of events that could create this are: the CLKIN or crystal stops working; the processor is no longer working and is not able to exercise the SPI bus; or a go-to-sleep command comes in and the processor is not able to receive it or is not able to respond. See Figure 3-7.

Figure 3-7 Fail-safe Feature State Diagram
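A simplified C model of the power-up and wake paths described above, added here as an illustration and not taken from TI's manual or driver code. All type and function names are hypothetical, and two points are modelling assumptions: the device powers up into Standby, and the wake path is enforced only when FAIL-SAFE_EN = 1 and SWE_DIS = 0. The silent-bus path is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit positions in 16'h0800 are from the text; every name here is hypothetical. */
#define SWE_DIS       (1u << 1)   /* 0 (default) = SWE timer enabled */
#define FAIL_SAFE_EN  (1u << 13)  /* 1 = fail-safe enabled (default 0) */
#define T_INACTIVE_S  240u        /* "typically four minutes" */

typedef enum { ST_SLEEP, ST_STANDBY, ST_NORMAL } tcan_mode;

typedef struct {
    tcan_mode mode;
    uint32_t  reg0800;  /* modelled copy of 16'h0800; only bits 1 and 13 are used */
    bool      pwron;    /* PWRON flag not yet cleared by the host */
    bool      timing;   /* tINACTIVE started at power up or on wake */
    uint32_t  idle_s;   /* seconds counted toward tINACTIVE */
} tcan_model;

/* Value to write back after reading 16'h0800: fail-safe on, SWE timer enabled. */
uint32_t cfg_enable_failsafe(uint32_t reg) { return (reg | FAIL_SAFE_EN) & ~SWE_DIS; }

/* Assumption: the device powers up into Standby with both modelled bits at 0. */
void tcan_power_up(tcan_model *d) {
    d->mode = ST_STANDBY; d->reg0800 = 0; d->pwron = true;
    d->timing = true; d->idle_s = 0;
}

/* WUP or LWU while asleep: enter Standby and restart tINACTIVE. */
void tcan_wake(tcan_model *d) {
    if (d->mode == ST_SLEEP) { d->mode = ST_STANDBY; d->timing = true; d->idle_s = 0; }
}

/* Host actions over SPI, reduced to their effect on the model. */
void tcan_host_clear_pwron(tcan_model *d) { d->pwron = false; }
void tcan_host_set_normal(tcan_model *d)  { d->mode = ST_NORMAL; d->timing = false; }

/* Advance time by `seconds`; returns the mode afterwards. */
tcan_mode tcan_elapse(tcan_model *d, uint32_t seconds) {
    /* Power-up path ignores SWE_DIS; the wake path needs fail-safe on and SWE enabled. */
    bool enforced = d->pwron ||
        ((d->reg0800 & FAIL_SAFE_EN) && !(d->reg0800 & SWE_DIS));
    if (d->mode != ST_STANDBY || !d->timing || !enforced) return d->mode;
    d->idle_s += seconds;
    if (d->idle_s >= T_INACTIVE_S) { d->mode = ST_SLEEP; d->timing = false; d->idle_s = 0; }
    return d->mode;
}
```

Running boot firmware timings through `tcan_elapse` shows whether the host clears PWRON or reaches Normal mode inside the four-minute window, including the case where SWE_DIS is set but the power-up timer still applies.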