SPRUI78D March   2019  – January 2022 TMS320F28075 , TMS320F28075-Q1 , TMS320F28076 , TMS320F28374D , TMS320F28374S , TMS320F28375D , TMS320F28375S , TMS320F28375S-Q1 , TMS320F28376D , TMS320F28376S , TMS320F28377D , TMS320F28377D-Q1 , TMS320F28377S , TMS320F28377S-Q1 , TMS320F28378D , TMS320F28378S , TMS320F28379D , TMS320F28379D-Q1 , TMS320F28379S

 

  1.   Trademarks
  2. Introduction
    1. 1.1 About This Document
    2. 1.2 Acronyms Used in This Document
    3. 1.3 C2000 Architecture and Product Overview
      1. 1.3.1 TMS320F2837xD Delfino MCU
      2. 1.3.2 TMS320F2837xS Delfino MCU
      3. 1.3.3 TMS320F2807x Piccolo MCU
  3. System Integrator Development Interface Agreement
    1. 2.1 Safety Enabled Design Packages for Functional Safety Applications
    2. 2.2 System Integrator Activities
      1. 2.2.1 Operational and Environmental Constraints
      2. 2.2.2 Safety Concept Definition
      3. 2.2.3 Safety Concept Implementation
      4. 2.2.4 Verification of Safety Concept Including Safety Metric Calculation
    3. 2.3 Product Safety Constraints
    4. 2.4 Suggestions for Improving Freedom From Interference
    5. 2.5 Suggestions for Addressing Common Cause Failures
    6. 2.6 Support for System Integrator Activities
  4. C2000 Development Process for Management of Systematic Faults
    1. 3.1 TI's Hardware Development Process
    2. 3.2 Yogitech fRMethodology Enhanced Development Process
    3. 3.3 TI’s Enhanced Safety Development Process
    4. 3.4 C2000 Diagnostics Libraries
      1. 3.4.1 TMS320F2837xD TMS320F2837xS TMS320F2807x Diagnostic Software Library (SDL)
      2. 3.4.2 C2000 CLA STL (CLA-STL)
  5. TMS320F2837xD/S and TMS320F2807x MCU Architecture for Management of Random Faults
    1. 4.1 Functional Safety Concept
      1. 4.1.1 VDA E-GAS Monitoring Concept
      2. 4.1.2 Fault Tolerant Time Interval (FTTI)
    2. 4.2 TMS320F2837xD/S and TMS320F2807x MCU Safety Philosophy
      1. 4.2.1 TMS320F2837xD MCU Safety Philosophy
      2. 4.2.2 TMS320F2837xS and TMS320F2807x MCU Safety Philosophy
      3. 4.2.3 Assumed Safety Requirements
      4. 4.2.4 C2000 MCU Safe State
      5. 4.2.5 Operating States
      6. 4.2.6 Management of Faults
  6. Brief Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 Reset
      4. 5.1.4 System Control Module and Configuration Registers
      5. 5.1.5 Efuse Static Configuration
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
      6. 5.5.6 Sigma Delta Filter Module (SDFM)
      7. 5.5.7 External Interrupt (XINT)
    6. 5.6 Analogue I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital to Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Serial Peripheral Interface (SPI)
      3. 5.7.3 Serial Communication Interface (SCI)
      4. 5.7.4 Inter-Integrated Circuit (I2C)
      5. 5.7.5 Multi-Channel Buffered Serial Port (MCBSP)
      6. 5.7.6 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  7. Brief Description of Diagnostics
    1. 6.1 C2000 MCU Infrastructure Components
      1. 6.1.1  Clock Integrity Check Using CPU Timer
      2. 6.1.2  Clock Integrity Check Using HRPWM
      3. 6.1.3  EALLOW and MEALLOW Protection for Critical Registers
      4. 6.1.4  Efuse Autoload Self-Test
      5. 6.1.5  Efuse ECC
      6. 6.1.6  Efuse ECC Logic Self-Test
      7. 6.1.7  External Clock Monitoring via XCLKOUT
      8. 6.1.8  External Monitoring of Warm Reset (XRSn)
      9. 6.1.9  External Voltage Supervisor
      10. 6.1.10 External Watchdog
      11. 6.1.11 Glitch Filtering on Reset Pins
      12. 6.1.12 Hardware Disable of JTAG Port
      13. 6.1.13 Internal Watchdog (WD)
      14. 6.1.14 Lock Mechanism for Control Registers
      15. 6.1.15 Missing Clock Detect (MCD)
      16. 6.1.16 NMIWD Reset Functionality
      17. 6.1.17 NMIWD Shadow Registers
      18. 6.1.18 Multi-Bit Enable Keys for Control Registers
      19. 6.1.19 Online Monitoring of Temperature
      20. 6.1.20 Periodic Software Read Back of Static Configuration Registers
      21. 6.1.21 Peripheral Clock Gating (PCLKCR)
      22. 6.1.22 Peripheral Soft Reset (SOFTPRES)
      23. 6.1.23 PLL Lock Profiling Using On-Chip Timer
      24. 6.1.24 Reset Cause Information
      25. 6.1.25 Software Read Back of Written Configuration
      26. 6.1.26 Software Test of ERRORSTS Functionality
      27. 6.1.27 Software Test of Missing Clock Detect Functionality
      28. 6.1.28 Software Test of Reset
      29. 6.1.29 Software Test of Watchdog(WD) Operation
    2. 6.2 Processing Elements
      1. 6.2.1  CLA Handling of Illegal Operation and Illegal Results
      2. 6.2.2  CLA Liveness Check Using CPU
      3. 6.2.3  CPU Hardware Built-In Self-Test (HWBIST)
      4. 6.2.4  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
      5. 6.2.5  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
      6. 6.2.6  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
      7. 6.2.7  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      8. 6.2.8  Reciprocal Comparison by Software
      9. 6.2.9  Software Test of CLA
      10. 6.2.10 Stack Overflow Detection
      11. 6.2.11 VCU CRC Check of Static Memory Contents
      12. 6.2.12 VCU CRC Auto Coverage
      13. 6.2.13 Disabling of Unused CLA Task Trigger Sources
    3. 6.3 Memory (Flash, SRAM and ROM)
      1. 6.3.1  Bit Multiplexing in Flash Memory Array
      2. 6.3.2  Bit Multiplexing in SRAM Memory Array
      3. 6.3.3  Data Scrubbing to Detect/Correct Memory Errors
      4. 6.3.4  Flash ECC
      5. 6.3.5  Flash Program Verify and Erase Verify Check
      6. 6.3.6  Software Test of ECC Logic
      7. 6.3.7  Software Test of Flash Prefetch, Data Cache and Wait-States
      8. 6.3.8  Access Protection Mechanism for Memories
      9. 6.3.9  SRAM ECC
      10. 6.3.10 SRAM Parity
      11. 6.3.11 Software Test of Parity Logic
      12. 6.3.12 Software Test of SRAM
    4. 6.4 On-Chip Communication Including Bus-Arbitration
      1. 6.4.1  1oo2 Software Voting Using Secondary Free Running Counter
      2. 6.4.2  DMA Overflow Interrupt
      3. 6.4.3  Event Timestamping Using IPC Counter
      4. 6.4.4  Maintaining Interrupt Handler for Unused Interrupts
      5. 6.4.5  Majority Voting and Error Detection of Link Pointer
      6. 6.4.6  PIE Double SRAM Comparison Check
      7. 6.4.7  PIE Double SRAM Hardware Comparison
      8. 6.4.8  Power-Up Pre-Operational Security Checks
      9. 6.4.9  Software Check of X-BAR Flag
      10. 6.4.10 Software Test of ePIE Operation Including Error Tests
      11. 6.4.11 Disabling of Unused DMA Trigger Sources
      12. 6.4.12 IPC 64-Bit Counter Value Plausibility Check
    5. 6.5 Digital I/O
      1. 6.5.1  ECAP Application Level Safety Mechanism
      2. 6.5.2  ePWM Application Level Safety Mechanism
      3. 6.5.3  ePWM Fault Detection Using XBAR
      4. 6.5.4  ePWM Synchronization Check
      5. 6.5.5  eQEP Application Level Safety Mechanisms
      6. 6.5.6  eQEP Quadrature Watchdog
      7. 6.5.7  eQEP Software Test of Quadrature Watchdog Functionality
      8. 6.5.8  Hardware Redundancy
      9. 6.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
      10. 6.5.10 Information Redundancy Techniques
      11. 6.5.11 Monitoring of ePWM by eCAP
      12. 6.5.12 Monitoring of ePWM by ADC
      13. 6.5.13 Online Monitoring of Interrupts and Events
      14. 6.5.14 SDFM Comparator Filter for Online Monitoring
      15. 6.5.15 SD Modulator Clock Fail Detection Mechanism
      16. 6.5.16 Software Test of Function Including Error Tests
    6. 6.6 Analogue I/O
      1. 6.6.1 ADC Information Redundancy Techniques
      2. 6.6.2 ADC Input Signal Integrity Check
      3. 6.6.3 ADC Signal Quality Check by Varying Acquisition Window
      4. 6.6.4 CMPSS Ramp Generator Functionality Check
      5. 6.6.5 DAC to ADC Loopback Check
      6. 6.6.6 DAC to Comparator Loopback Check
      7. 6.6.7 Opens/Shorts Detection Circuit for ADC
      8. 6.6.8 VDAC Conversion by ADC
      9. 6.6.9 Disabling Unused Sources of SOC Inputs to ADC
    7. 6.7 Data Transmission
      1. 6.7.1  Bit Error Detection
      2. 6.7.2  CRC in Message
      3. 6.7.3  DCAN Acknowledge Error Detection
      4. 6.7.4  DCAN Form Error Detection
      5. 6.7.5  DCAN Stuff Error Detection
      6. 6.7.6  EMIF Access Latency Profiling Using On-Chip Timer
      7. 6.7.7  EMIF Access Protection Mechanism
      8. 6.7.8  EMIF Asynchronous Memory Timeout Protection Mechanism
      9. 6.7.9  I2C Access Latency Profiling Using On-Chip Timer
      10. 6.7.10 Information Redundancy Techniques Including End-to-End Safeing
      11. 6.7.11 I2C Data Acknowledge Check
      12. 6.7.12 McBSP Receiver Overrun Detection
      13. 6.7.13 McBSP Receiver Sync Error Detection
      14. 6.7.14 McBSP Transmitter Sync Error Detection
      15. 6.7.15 McBSP Transmitter Underflow Detection
      16. 6.7.16 Parity in Message
      17. 6.7.17 SCI Break Error Detection
      18. 6.7.18 SCI Frame Error Detection
      19. 6.7.19 SCI Overrun Error Detection
      20. 6.7.20 Software Test of Function Using I/O Loopback
      21. 6.7.21 SPI Data Overrun Detection
      22. 6.7.22 Transmission Redundancy
  8. Safety Architecture Configurations
  9. Terms and Definitions
  10. Summary of Safety Features and Diagnostics
  11. 10References
  12. 11Revision History

6.5.16 Software Test of Function Including Error Tests

A software test can be utilized to test basic functionality of the module and to inject diagnostic errors and check for proper error response. Such a test can be executed at boot or periodically. Software requirements necessary are defined by the software implemented by the system integrator.

Ideas for creating some module specific tests functionality and error tests are given below:

  • SDFM functionality can be checked by sending a known input test sequence to the C2000 MCU, process it using the digital decimation filters and cross check the value against a known value. For detecting faults in comparator interrupt generation logic, a test pattern can be created to configure the high/low threshold register values to min/max values respectively. Interrupt should always be generated with such a configuration.
  • DMA functionality can be checked by transferring a known good data from a source memory to the destination memory and checking for data integrity after the transfer. The transfer can be initiated using the software trigger available (CONTROL.PERINTFRC). On chip timer can be used to profile the time required for such a data transfer.
  • EMIF functionality can be checked by moving a known good data from an external memory to the internal memory and vice versa and checking for data consistency using CRC or other mechanisms. The test should be repeated for all the masters having access to the external memories. In addition, the test should provide coverage to all the interface pins used for connecting external memory to the C2000 MCU.
  • Software test of input and output X-BAR module can be performed by having a loop created (output X-BAR can be used as stimulus to input X-BAR) using the input and output X-BAR, sending a known test sequence at the input and observing it at the final output. Integrity of ePWM X-BAR can be checked by sending the test stimulus and observing the response using ePWM trip or sync functionality.
  • Software test of XINT functionality can be checked by configuring the input X-BAR and forcing the corresponding GPIO register to generate an interrupt. The diagnostic coverage can be enhanced by performing checks for the polarity (XINTxCR.POLARITY) and enable (XINTxCR.ENABLE) functionality as well.
  • IPC functionality can be checked by using interrupts or polling method by periodically sending test commands and message as defined by software. Time stamping information using the IPCCOUNTERH/L can be embedded along with the message to estimate the delay in communication.
  • ECAP and EQEP functionality can be checked by looping back the PWM or GPIO outputs to the respective module inputs, providing a known good sequence as required by the module and observing the module output. In the case of ECAP, the test can be done internally with the help of input X-BAR.
  • ROM prefetch functionality can be checked using similar techniques as given in Section 6.3.7.
  • The PWM module consists of Time-Base (TB), Counter Compare (CC), Action Qualifier (AQ), Dead-Band Generator (DB), PWM Chopper (PC), Trip Zone (TZ), Event Trigger (ET) and Digital Compare (DC) sub-modules. The individual sub-modules can be tested by providing suitable stimulus using PWM and observing the response using one of the capture (time stamping) modules (eCAP, XINT, eQEP, and so forth). It is recommended to cover the various register values associated with application configuration while performing the software test. Due to the regular linear nature of the various sub-modules, it is possible to get high coverage using a software test.
  • A software test of SRAM wrapper logic should provide diagnostic coverage for arbitration between various masters having access to the particular SRAM and correct functioning of access protection. This is in addition to the test used to provide coverage of SRAM bit cells (see Section 6.3.12).
  • The interconnect (INC) functionality can be tested by writing complementary data-patterns like 0xA5A5,0x5A5A, and so forth from processing units viz CPU and CLA, and reading back it from registers of the IPs’ connected via different bridges .The read-back data can be compared with expected golden values to ensure fault-free interconnect operation. This exercise can be repeated for different data width types of accesses (16/32 bits) and wide address ranges as applicable using both CPU and CLA. The CPU accesses can be repeated for different instances of peripherals used in application connected to various bridges as shown in Figure 1-1.
  • DAC has a set of control registers that can be checked by writing complementary data-patterns like 0xA5A5, 0x5A5A, and so forth in 16-bit access mode. All the registers can be read back and compared to expected values. Registers can be checked for reset feature by configuring the registers to 0xA5A5 pattern, asserting soft reset of DAC, reading back the registers and comparing the read back value with the expected reset value. Lock register can be checked to ensure it is set-once. Also, the registers which are getting locked must not update when written. To test core functionality of the DAC module, it can be configured using software to provide a set of predetermined voltage levels. These voltage levels can be measured by external or internal ADC and results thus obtained can be cross checked against the expected value to ensure proper operation. Extreme corner values of DAC as per application can be programmed and tested to check the successful conversion of digital to analog module across a valid range.
  • Comparator sub-system (CMPSS) has a set of registers which can be checked by writing complementary data-patterns like 0xA5A5, 0x5A5A, and so forth in both 16 and 32 bit access modes. These can be read back and compared against expected values. These accesses can be covered by applicable masters viz. DMA, CLA and CPU. Features of the CMPSS module such as ramp decrement can be checked for counting down of RAMPDLYA after it is loaded from RAMPDLYS by a rising PWMSYNC signal. It should be ensured that the decrementer reduces to zero and stays there until next reload from RAMPDLYS. Extreme values of RAMPDLYS can be configured before count down. Digital filter CTRIPHFILCTL/CTRIPLFILCTL registers can be checked by configuring them to a variety of N and T values, and then verifying COMPHSTS/COMPLSTS changes with change in filter output. Applicable range of filter clock pre-scaler values (CTRIPLFILCLKCTL) can be exercised to ensure that filter samples correctly.
  • The general operation of the CPU-Timers can be tested by a software test by loading 32-bit counter register TIMH from period register PRDH, starts decrementing of the counter on every clock cycle. When counter reaches zero a timer interrupt output generates an interrupt pulse. While testing the timer functionality vary the Timer Prescale Counter (TPR) value and also vary input clocks by selecting clock source as SYSCLK, INTOSC1, INTOSC2, XTAL, or AUXPLLCLK. Test interrupts generation capability at the end of the timer counting. Check for the time overflow flag and Timer reload (TRB) functions in TCR register for correct functioning.
  • A software test function in DCSM can be implemented independently in zone1, zone2 and unsecured zone to check DCSM functionality. Device security configurations are loaded from OTP to DCSM during the device boot phase. The test function can implement access filtering checks (read-write and execute permissions) to RAMs and flash sectors belonging to the same zone and different zone. An additional check for EXEONLY configuration can also be implemented for the RAMs and flash sectors to ensure that all access other than execute access is blocked.