SPRUI78D March   2019  – January 2022 TMS320F28075 , TMS320F28075-Q1 , TMS320F28076 , TMS320F28374D , TMS320F28374S , TMS320F28375D , TMS320F28375S , TMS320F28375S-Q1 , TMS320F28376D , TMS320F28376S , TMS320F28377D , TMS320F28377D-Q1 , TMS320F28377S , TMS320F28377S-Q1 , TMS320F28378D , TMS320F28378S , TMS320F28379D , TMS320F28379D-Q1 , TMS320F28379S

 

  1.   Trademarks
  2. Introduction
    1. 1.1 About This Document
    2. 1.2 Acronyms Used in This Document
    3. 1.3 C2000 Architecture and Product Overview
      1. 1.3.1 TMS320F2837xD Delfino MCU
      2. 1.3.2 TMS320F2837xS Delfino MCU
      3. 1.3.3 TMS320F2807x Piccolo MCU
  3. System Integrator Development Interface Agreement
    1. 2.1 Safety Enabled Design Packages for Functional Safety Applications
    2. 2.2 System Integrator Activities
      1. 2.2.1 Operational and Environmental Constraints
      2. 2.2.2 Safety Concept Definition
      3. 2.2.3 Safety Concept Implementation
      4. 2.2.4 Verification of Safety Concept Including Safety Metric Calculation
    3. 2.3 Product Safety Constraints
    4. 2.4 Suggestions for Improving Freedom From Interference
    5. 2.5 Suggestions for Addressing Common Cause Failures
    6. 2.6 Support for System Integrator Activities
  4. C2000 Development Process for Management of Systematic Faults
    1. 3.1 TI's Hardware Development Process
    2. 3.2 Yogitech fRMethodology Enhanced Development Process
    3. 3.3 TI’s Enhanced Safety Development Process
    4. 3.4 C2000 Diagnostics Libraries
      1. 3.4.1 TMS320F2837xD TMS320F2837xS TMS320F2807x Diagnostic Software Library (SDL)
      2. 3.4.2 C2000 CLA STL (CLA-STL)
  5. TMS320F2837xD/S and TMS320F2807x MCU Architecture for Management of Random Faults
    1. 4.1 Functional Safety Concept
      1. 4.1.1 VDA E-GAS Monitoring Concept
      2. 4.1.2 Fault Tolerant Time Interval (FTTI)
    2. 4.2 TMS320F2837xD/S and TMS320F2807x MCU Safety Philosophy
      1. 4.2.1 TMS320F2837xD MCU Safety Philosophy
      2. 4.2.2 TMS320F2837xS and TMS320F2807x MCU Safety Philosophy
      3. 4.2.3 Assumed Safety Requirements
      4. 4.2.4 C2000 MCU Safe State
      5. 4.2.5 Operating States
      6. 4.2.6 Management of Faults
  6. Brief Description of Safety Elements
    1. 5.1 C2000 MCU Infrastructure Components
      1. 5.1.1 Power Supply
      2. 5.1.2 Clock
      3. 5.1.3 Reset
      4. 5.1.4 System Control Module and Configuration Registers
      5. 5.1.5 Efuse Static Configuration
      6. 5.1.6 JTAG Debug, Trace, Calibration, and Test Access
    2. 5.2 Processing Elements
      1. 5.2.1 C28x Central Processing Unit (CPU)
      2. 5.2.2 Control Law Accelerator
    3. 5.3 Memory (Flash, SRAM and ROM)
      1. 5.3.1 Embedded Flash Memory
      2. 5.3.2 Embedded SRAM
      3. 5.3.3 Embedded ROM
    4. 5.4 On-Chip Communication Including Bus-Arbitration
      1. 5.4.1 Device Interconnect
      2. 5.4.2 Direct Memory Access (DMA)
      3. 5.4.3 Inter Processor Communication (IPC)
      4. 5.4.4 Enhanced Peripheral Interrupt Expander (ePIE) Module
      5. 5.4.5 Dual Zone Code Security Module (DCSM)
      6. 5.4.6 CrossBar (X-BAR)
      7. 5.4.7 Timer
    5. 5.5 Digital I/O
      1. 5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing
      2. 5.5.2 Enhanced Pulse Width Modulators (ePWM)
      3. 5.5.3 High Resolution PWM (HRPWM)
      4. 5.5.4 Enhanced Capture (eCAP)
      5. 5.5.5 Enhanced Quadrature Encoder Pulse (eQEP)
      6. 5.5.6 Sigma Delta Filter Module (SDFM)
      7. 5.5.7 External Interrupt (XINT)
    6. 5.6 Analogue I/O
      1. 5.6.1 Analog-to-Digital Converter (ADC)
      2. 5.6.2 Buffered Digital to Analog Converter (DAC)
      3. 5.6.3 Comparator Subsystem (CMPSS)
    7. 5.7 Data Transmission
      1. 5.7.1 Controller Area Network (DCAN)
      2. 5.7.2 Serial Peripheral Interface (SPI)
      3. 5.7.3 Serial Communication Interface (SCI)
      4. 5.7.4 Inter-Integrated Circuit (I2C)
      5. 5.7.5 Multi-Channel Buffered Serial Port (MCBSP)
      6. 5.7.6 External Memory Interface (EMIF)
    8. 5.8 Not Safety Related Elements
  7. Brief Description of Diagnostics
    1. 6.1 C2000 MCU Infrastructure Components
      1. 6.1.1  Clock Integrity Check Using CPU Timer
      2. 6.1.2  Clock Integrity Check Using HRPWM
      3. 6.1.3  EALLOW and MEALLOW Protection for Critical Registers
      4. 6.1.4  Efuse Autoload Self-Test
      5. 6.1.5  Efuse ECC
      6. 6.1.6  Efuse ECC Logic Self-Test
      7. 6.1.7  External Clock Monitoring via XCLKOUT
      8. 6.1.8  External Monitoring of Warm Reset (XRSn)
      9. 6.1.9  External Voltage Supervisor
      10. 6.1.10 External Watchdog
      11. 6.1.11 Glitch Filtering on Reset Pins
      12. 6.1.12 Hardware Disable of JTAG Port
      13. 6.1.13 Internal Watchdog (WD)
      14. 6.1.14 Lock Mechanism for Control Registers
      15. 6.1.15 Missing Clock Detect (MCD)
      16. 6.1.16 NMIWD Reset Functionality
      17. 6.1.17 NMIWD Shadow Registers
      18. 6.1.18 Multi-Bit Enable Keys for Control Registers
      19. 6.1.19 Online Monitoring of Temperature
      20. 6.1.20 Periodic Software Read Back of Static Configuration Registers
      21. 6.1.21 Peripheral Clock Gating (PCLKCR)
      22. 6.1.22 Peripheral Soft Reset (SOFTPRES)
      23. 6.1.23 PLL Lock Profiling Using On-Chip Timer
      24. 6.1.24 Reset Cause Information
      25. 6.1.25 Software Read Back of Written Configuration
      26. 6.1.26 Software Test of ERRORSTS Functionality
      27. 6.1.27 Software Test of Missing Clock Detect Functionality
      28. 6.1.28 Software Test of Reset
      29. 6.1.29 Software Test of Watchdog(WD) Operation
    2. 6.2 Processing Elements
      1. 6.2.1  CLA Handling of Illegal Operation and Illegal Results
      2. 6.2.2  CLA Liveness Check Using CPU
      3. 6.2.3  CPU Hardware Built-In Self-Test (HWBIST)
      4. 6.2.4  CPU Hardware Built-In Self-Test (HWBIST) Auto-Coverage
      5. 6.2.5  CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
      6. 6.2.6  CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
      7. 6.2.7  CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
      8. 6.2.8  Reciprocal Comparison by Software
      9. 6.2.9  Software Test of CLA
      10. 6.2.10 Stack Overflow Detection
      11. 6.2.11 VCU CRC Check of Static Memory Contents
      12. 6.2.12 VCU CRC Auto Coverage
      13. 6.2.13 Disabling of Unused CLA Task Trigger Sources
    3. 6.3 Memory (Flash, SRAM and ROM)
      1. 6.3.1  Bit Multiplexing in Flash Memory Array
      2. 6.3.2  Bit Multiplexing in SRAM Memory Array
      3. 6.3.3  Data Scrubbing to Detect/Correct Memory Errors
      4. 6.3.4  Flash ECC
      5. 6.3.5  Flash Program Verify and Erase Verify Check
      6. 6.3.6  Software Test of ECC Logic
      7. 6.3.7  Software Test of Flash Prefetch, Data Cache and Wait-States
      8. 6.3.8  Access Protection Mechanism for Memories
      9. 6.3.9  SRAM ECC
      10. 6.3.10 SRAM Parity
      11. 6.3.11 Software Test of Parity Logic
      12. 6.3.12 Software Test of SRAM
    4. 6.4 On-Chip Communication Including Bus-Arbitration
      1. 6.4.1  1oo2 Software Voting Using Secondary Free Running Counter
      2. 6.4.2  DMA Overflow Interrupt
      3. 6.4.3  Event Timestamping Using IPC Counter
      4. 6.4.4  Maintaining Interrupt Handler for Unused Interrupts
      5. 6.4.5  Majority Voting and Error Detection of Link Pointer
      6. 6.4.6  PIE Double SRAM Comparison Check
      7. 6.4.7  PIE Double SRAM Hardware Comparison
      8. 6.4.8  Power-Up Pre-Operational Security Checks
      9. 6.4.9  Software Check of X-BAR Flag
      10. 6.4.10 Software Test of ePIE Operation Including Error Tests
      11. 6.4.11 Disabling of Unused DMA Trigger Sources
      12. 6.4.12 IPC 64-Bit Counter Value Plausibility Check
    5. 6.5 Digital I/O
      1. 6.5.1  ECAP Application Level Safety Mechanism
      2. 6.5.2  ePWM Application Level Safety Mechanism
      3. 6.5.3  ePWM Fault Detection Using XBAR
      4. 6.5.4  ePWM Synchronization Check
      5. 6.5.5  eQEP Application Level Safety Mechanisms
      6. 6.5.6  eQEP Quadrature Watchdog
      7. 6.5.7  eQEP Software Test of Quadrature Watchdog Functionality
      8. 6.5.8  Hardware Redundancy
      9. 6.5.9  HRPWM Built-In Self-Check and Diagnostic Capabilities
      10. 6.5.10 Information Redundancy Techniques
      11. 6.5.11 Monitoring of ePWM by eCAP
      12. 6.5.12 Monitoring of ePWM by ADC
      13. 6.5.13 Online Monitoring of Interrupts and Events
      14. 6.5.14 SDFM Comparator Filter for Online Monitoring
      15. 6.5.15 SD Modulator Clock Fail Detection Mechanism
      16. 6.5.16 Software Test of Function Including Error Tests
    6. 6.6 Analogue I/O
      1. 6.6.1 ADC Information Redundancy Techniques
      2. 6.6.2 ADC Input Signal Integrity Check
      3. 6.6.3 ADC Signal Quality Check by Varying Acquisition Window
      4. 6.6.4 CMPSS Ramp Generator Functionality Check
      5. 6.6.5 DAC to ADC Loopback Check
      6. 6.6.6 DAC to Comparator Loopback Check
      7. 6.6.7 Opens/Shorts Detection Circuit for ADC
      8. 6.6.8 VDAC Conversion by ADC
      9. 6.6.9 Disabling Unused Sources of SOC Inputs to ADC
    7. 6.7 Data Transmission
      1. 6.7.1  Bit Error Detection
      2. 6.7.2  CRC in Message
      3. 6.7.3  DCAN Acknowledge Error Detection
      4. 6.7.4  DCAN Form Error Detection
      5. 6.7.5  DCAN Stuff Error Detection
      6. 6.7.6  EMIF Access Latency Profiling Using On-Chip Timer
      7. 6.7.7  EMIF Access Protection Mechanism
      8. 6.7.8  EMIF Asynchronous Memory Timeout Protection Mechanism
      9. 6.7.9  I2C Access Latency Profiling Using On-Chip Timer
      10. 6.7.10 Information Redundancy Techniques Including End-to-End Safeing
      11. 6.7.11 I2C Data Acknowledge Check
      12. 6.7.12 McBSP Receiver Overrun Detection
      13. 6.7.13 McBSP Receiver Sync Error Detection
      14. 6.7.14 McBSP Transmitter Sync Error Detection
      15. 6.7.15 McBSP Transmitter Underflow Detection
      16. 6.7.16 Parity in Message
      17. 6.7.17 SCI Break Error Detection
      18. 6.7.18 SCI Frame Error Detection
      19. 6.7.19 SCI Overrun Error Detection
      20. 6.7.20 Software Test of Function Using I/O Loopback
      21. 6.7.21 SPI Data Overrun Detection
      22. 6.7.22 Transmission Redundancy
  8. Safety Architecture Configurations
  9. Terms and Definitions
  10. Summary of Safety Features and Diagnostics
  11. 10References
  12. 11Revision History

8 Terms and Definitions

  • IEC 60730: The IEC 60730 standard covers mechanical, electrical, electronic, EMC, and abnormal operation of ac appliances. It is used in the design of design of white goods and other appliances to improve customer safety using software test libraries developed in accordance with this standard.
  • IEC 61508: Functional safety standard for E/E/PE safety-related systems. This is intended to be a basic functional safety standard applicable to all kinds of industry. It defines functional safety as: “part of the overall safety relating to the EUC (Equipment Under Control) and the EUC control system which depends on the correct functioning of the E/E/PE safety-related systems, other technology safety-related systems and external risk reduction facilities” [4].
  • ISO 13849: provides safety requirements and guidance for the design and integration of safety-related parts of control systems (SRP/CS), including software design.
  • M out of N (MooN) architecture: A safety instrumented system where ‘M’ channels out of ‘N’ channels are required for functionally safe operation. (for example, 2oo3, 2 out of 3 architecture, where majority voting is used to implement a safety function).
    GUID-B87B68AE-2E71-45BD-836D-2B79A31A03C9-low.gif Figure 8-1 ISO 26262 Illustration of Item, System, Component, Hardware Part and Software Unit
  • M out of N Channel Architecture with diagnostics (MooND).
  • Functional Safety: Part of the overall safety relating to the EUC and the EUC control system that depends on the correct functioning of the E/E/PE safety-related systems and other risk reduction measures
  • Item: system or array of systems to implement a function at the vehicle level, to which ISO 26262 is applied (for example, power steering of a car).
  • Element: System or part of a system including components, hardware, software, hardware parts, and software units.
  • System: set of elements that relates at least a sensor, a controller and an actuator with one another
  • Component: Non-system level element that is logically and technically separable and is comprised of hardware parts and software units.
  • Hardware part: Hardware that cannot be subdivided (for example, CPU).
  • Software unit: Atomic level software component of the software architecture that can be subjected to stand-alone testing (for example, SRAM test module).
  • Failure: termination of the ability of an element, to perform a function as required.
  • Failure mode: manner in which an element or an item fails.
  • Single Point Fault: Fault in an element that is not covered by a safety mechanism and that leads directly to the violation of a safety goal.
  • Single-point failure: Failure that results from a single-point fault and that leads directly to the violation of a safety goal.
  • Multiple-point fault: Individual fault that, in combination with other independent faults, leads to a multiple-point failure.
  • Multiple-point failure: Failure resulting from the combination of several independent faults, which leads directly to the violation of a safety goal. For a multiple-point failure to directly violate a safety goal, presence of all independent faults is necessary.
  • Multiple-point fault detection interval: time span to detect multiple-point fault before it can contribute to a multiple-point failure.
  • Latent fault: multiple-point fault whose presence is not detected by a safety mechanism nor perceived by the driver within the multiple-point fault detection interval.
  • Functional Safety Assessment: Investigation, based on evidence, to judge the functional safety achieved by one or more E/E/PE safety-related systems and/or other risk reduction measures.
  • Functional Safety Audit: Systematic and independent examination to determine whether the procedures specific to the functional safety requirements to comply with the planned arrangements are implemented effectively and are suitable to achieve the specified objectives.
  • Hazard and Risk Analysis (IEC 61508)/Hazard Analysis and Risk Assessment (ISO 26262): An end equipment level functional safety analysis that is used to identify safety functions and/or functional safety goals. This process also establishes the SIL (IEC 61508) or ASIL (ISO 26262), which defines the level of risk reduction necessary per safety function and/or functional safety goal.
  • Process Tailoring: The act of changing a development process or functional safety lifecycle to match needs of a business engagement. Requirements can be moved from phase to phase or performed by other developers, but removal of process requirements is not allowed.
  • Quality Managed: Describes a design element which is developed compliant to applicable quality standards but is not developed compliant to applicable functional safety standards. It may be possible to use a quality managed design element in a specific functional safety design contingent upon results of a functional safety qualification.
  • Safety Requirement Decomposition: Safety requirements decomposition is the process in which safety requirements are split into a series of redundant safety requirements at a lower level of abstraction in order to support tailoring of the SIL (ISO 61508)/ASIL (ISO 26262) compliance requirements of design elements at the lower level of abstraction. For example, a requirement for a peripheral function with high safety integrity might be addressed by redundant instances of a peripheral with lower safety integrity.
  • For the full list of applicable terms and their definitions for ISO 26262, see the ISO 26262-1:2018, Road vehicles — Functional safety — Part 1: Vocabulary.
  • For the full list of applicable terms and their definitions for IEC 61508, see the IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations.