# User's Guide Implementing IEC 60730 / UL 1998 Compliance for C2000 Real-Time Microcontrollers



#### ABSTRACT

Motor drives, white goods, appliances, and other equipment can become unsafe to operate if one of their components fails. Such equipment is subject to the testing and qualification requirements of the International Electrotechnical Commission (IEC), specifically the IEC 60730-1 "Automatic electrical controls for household and similar use" safety standard. Similar practices are followed in the United States leveraging UL 1998 "Safety Software in Programmable Components."

The aspects most relevant to microcontrollers (MCUs) are IEC 60730 Annex H and UL 1998 Annex A.2, which detail the diagnostic test requirements to support safe function of home appliances.

This document provides a high-level overview of these specifications as applied to an MCU and describes how C2000<sup>™</sup> functional safety features can be leveraged to meet the diagnostic test requirements.

# Table of Contents

- 1 Introduction
- 2 Overview of IEC 60730 and UL 1998 Classifications
  - 2.1 C2000 Capability by Device Family
- 3 C2000 Safety Collateral
  - 3.1 Getting Started
  - 3.2 Functional Safety Manuals
  - 3.3 Software Collateral
- 4 Implementing Acceptable Measures on C2000 Real-Time MCUs
  - 4.1 Implementation Steps
  - 4.2 Example Mapping
  - 4.3 Additional Best Practices
- 5 Mapping Acceptable Control Measures to C2000 Unique Identifiers
  - 5.1 Unique Identifier Reference
  - 5.2 CPU Related Faults
  - 5.3 Interrupt Related Faults
  - 5.4 Clock Related Faults
  - 5.5 Memory Related Faults
  - 5.6 Internal Data Path Faults
  - 5.7 Input/Output Related Faults
  - 5.8 Communication, Monitoring Devices, and Custom Chip Faults
- 6 Glossary
- 7 References

# Trademarks

C2000<sup>™</sup> is a trademark of Texas Instruments.

All trademarks are the property of their respective owners.



# 1 Introduction

Motor drives, white goods, appliances, and other equipment may become unsafe to operate if one of their components fails. Such equipment is subject to the testing and qualification requirements of the International Electrotechnical Commission (IEC). Specifically, the IEC 60730-1 standard covers automatic electrical controls for household and similar use.

Although compliance with IEC 60730 is attained at a system level, understanding the correct criteria for choosing a microcontroller is important to achieve compliance. The use of electronic components such as microcontrollers (MCUs) is addressed by Table H.1 in Annex H of IEC 60730, "Requirements for electronic controls". Annex H specifies acceptable diagnostic techniques and measures applicable to an MCU in order to support the safe function of equipment.

While IEC 60730 is primarily used in Europe, similar practices are followed in the United States leveraging UL 1998 "Safety Software in Programmable Components." Table A2.1 in Appendix A provides examples of acceptable measures for microelectronic hardware failure modes that are consistent with the requirements of IEC 60730 Table H.1. These requirements are derived from the IEC 61508 standard, "Functional safety of electrical/electronic/programmable electronic (E/E/PE) systems."

# 2 Overview of IEC 60730 and UL 1998 Classifications

To create a foundation for fault control techniques, both the IEC 60730 and UL 1998 specifications divide products into classes. The class assignment is determined by a hazard and risk analysis applied to the specific control. This analysis is based on both the likelihood of the failure and the resulting consequence of the failure.



Figure 2-1. IEC 60730 Annex H

IEC 60730 defines three classes: A, B and C:

- Class A: controls are not related to safety
- Class B: controls intended to prevent unsafe operation
- Class C: controls intended to prevent dangerous hazards



UL 1998 defines two classes: 1 and 2. UL 1998 class 1 is comparable to IEC 60730 class B and UL 1998 class 2 is comparable to IEC 60730 class C. For class definitions and examples, see Table 2-1.

| Class                                 | Definition                                                                                                                                                                                                                                                                                                                                                                                                                                        | Examples                                                                    |
|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| IEC 60730 class A                     | "H.2.22.1 class A control function - control functions which are not intended to be relied upon for the safety of the application"                                                                                                                                                                                                                                                                                                                | Room thermostats, temperature control.                                      |
| IEC 60730 class B and UL 1998 class 1 | "H.2.22.2 class B control function - control functions which are intended to prevent an unsafe state of the appliance. Note: Failure of the control function will not lead directly to a hazardous situation."<br>"A3.1 Software Class 1: Sections of software intended to control function to reduce the likelihood of a risk associated with the equipment."                                                                                   | Thermal cut-out. Door locks for laundry equipment.                          |
| IEC 60730 class C and UL 1998 class 2 | "H.2.22.3 class C control function - control functions which are intended to prevent special hazards such as explosion or whose failure could directly cause a hazard in the appliance"<br>"A3.2 Software Class 2 – Sections of software intended control functions to reduce the likelihood of special risks (for example, explosion) associated with the equipment."                                                                          | Automatic burner controls. Thermal cut-outs for a closed water heater system. |

#### Table 2-1. Class Definitions and Examples

The standards define the components that must be tested along with examples of acceptable measures to detect faults/errors of that component. Depending on the class, the components to test include the CPU, clocks, volatile and non-volatile memory, internal data path, I/O and communication interfaces (Table 2-2). In general, for each component there are a few types of measures that the developer can choose from to verify/test component functionality. These suggested measures can be:

- Hardware-based
- Software-based
- A combination of both hardware- and software-based

The implementation of IEC 60730 acceptable measures is meant to detect, and prevent, unsafe conditions and hazards associated with the equipment. These requirements are derived from the IEC 61508 standard "Functional safety of electrical/electronic/programmable electronic (E/E/PE) systems." The focus of IEC 61508 is how to apply, design, and maintain automatic protection systems called safety-related systems.

| Component to be Tested                                                   | Sub-component                                    | Class B / 1: Hardware Fault / Error to Detect <sup>(1)</sup>         | Class C / 2: Hardware Fault / Error to Detect <sup>(1)</sup>         |
|--------------------------------------------------------------------------|--------------------------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------|
| 1. CPU                                                                   | 1.1 Registers                                    | Stuck-at                                                           | DC fault                                                           |
|                                                                          | 1.2 Instruction decode and execution             | N/A <sup>(2)</sup>                                                 | Wrong decode and execution                                         |
|                                                                          | 1.3 Program counter                              | Stuck-at                                                           | DC fault                                                           |
|                                                                          | 1.4 Addressing                                   | N/A                                                                | DC fault                                                           |
|                                                                          | 1.5 Data paths                                   | N/A                                                                | DC fault                                                           |
| 2. Interrupts                                                            |                                                  | None or too frequent                                               | None or too frequent related to different sources                  |
| 3. Clock                                                                 |                                                  | Wrong frequency                                                    | Wrong frequency                                                    |
| 4. Memory                                                                | 4.1 Non-volatile                                 | All single bit faults                                              | All single and double bit errors                                   |
|                                                                          | 4.2 Volatile                                     | DC fault                                                           | DC fault and dynamic cross links                                   |
|                                                                          | 4.3 Addressing                                   | Stuck-at                                                           | DC fault                                                           |
| 5. Internal data path                                                    | 5.1 Data                                         | Stuck-at                                                           | DC fault                                                           |
|                                                                          | 5.2 Addressing                                   | Wrong address                                                      | Wrong address, multiple addressing                                 |
| 6. External communication                                                | 6.1 Data                                         | All single-bit and double-bit errors                               | All single-bit, double-bit and triple-bit errors                   |
|                                                                          | 6.2 Addressing                                   | Wrong address                                                      | Wrong and multiple addressing                                      |
|                                                                          | 6.3 Timing                                       | Wrong point in time<br>Wrong sequence                              | Wrong point in time<br>Wrong sequence                              |
| 7. Input/output periphery                                                | 7.1 Digital I/O                                  | Open and short circuit or as specified in the product standard     | Open and short circuit or as specified in the product standard     |
|                                                                          | 7.2 Analog I/O<br>7.2.1 A/D and D/A converter    | Open and short circuit or as specified in the product standard     | Open and short circuit or as specified in the product standard     |
|                                                                          | 7.2 Analog I/O<br>7.2.2 Analog multiplexer       | Wrong addressing                                                   | Wrong addressing                                                   |
| 8. Monitoring devices and comparators                                    |                                                  | N/A                                                                | Any output outside the static and dynamic functional specification |
| 9. Components not covered by 1-8.<br>Custom chips, ASIC, GAL, Gate array |                                                  | Any output outside the static and dynamic functional specification | Any output outside the static and dynamic functional specification |

#### Table 2-2. Summary of Failure Modes Described by IEC 60730 / UL 1998

(1) Reference: IEC 60730-1 Table H.1 and UL 1998 Table A.2

(2) N/A (not applicable): detection of this error/fault is not required by the standards for this specific class.
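
The following is an added example for row 4.1 of Table 2-2 (non-volatile memory), written for this guide's reader; it is not code from TI's Software Diagnostic Library. It computes a CRC-32 over a flash-resident image and compares it with a reference stored at build time, which is one of the software measures the standards accept for this row. CRC-32 detects every single-bit error, and every double-bit error for any region smaller than the polynomial's period, which is far larger than any MCU flash; guaranteed detection of triple-bit errors only holds for blocks up to roughly 11 KB, so larger regions are normally split into blocks that each carry their own CRC. The image contents, `IMAGE_LEN`, and the fault-injection helper `demo_detects_flips` are constructed for the example.

```c
/* Added example: CRC-32 integrity check of a non-volatile memory image.
 * Not TI SDL code. The image and the fault-injection helper are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320,
 * init 0xFFFFFFFF, final XOR 0xFFFFFFFF). A table-driven variant is faster,
 * but the bitwise form avoids keeping a 1 KB table in RAM. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++) {
            /* 0u - (crc & 1) is all-ones when the low bit is set, else zero */
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* Result codes handed back to the application, which decides the
 * system-appropriate reaction (for example entering a safe state). */
typedef enum { NVM_OK = 0, NVM_CRC_MISMATCH = 1 } nvm_status_t;

/* Compare the CRC of a flash region with the reference stored at build time.
 * On a real device the reference word lives in flash next to the image. */
nvm_status_t nvm_check(const uint8_t *image, size_t len, uint32_t stored_crc)
{
    return (crc32_ieee(image, len) == stored_crc) ? NVM_OK : NVM_CRC_MISMATCH;
}

/* Constructed 64-byte "flash image" used to exercise the check offline. */
#define IMAGE_LEN 64
static void make_image(uint8_t *img)
{
    for (int i = 0; i < IMAGE_LEN; i++) img[i] = (uint8_t)(i * 7 + 3);
}

/* Check that an unmodified image passes: returns 1 on pass. */
int demo_clean_image_passes(void)
{
    uint8_t img[IMAGE_LEN];
    make_image(img);
    return nvm_check(img, IMAGE_LEN, crc32_ieee(img, IMAGE_LEN)) == NVM_OK;
}

/* Hypothetical fault-injection helper: flip nflips bits, starting at
 * bit_index and spaced stride bits apart, then report whether the check
 * catches the corruption (1 = detected, 0 = missed). */
int demo_detects_flips(int nflips, int bit_index, int stride)
{
    uint8_t img[IMAGE_LEN];
    make_image(img);
    uint32_t ref = crc32_ieee(img, IMAGE_LEN);   /* reference from the good image */
    for (int k = 0; k < nflips; k++) {
        int bit = (bit_index + k * stride) % (IMAGE_LEN * 8);
        img[bit / 8] ^= (uint8_t)(1u << (bit % 8));
    }
    return nvm_check(img, IMAGE_LEN, ref) == NVM_CRC_MISMATCH;
}

int main(void)
{
    printf("clean image passes: %d\n", demo_clean_image_passes());
    printf("single-bit flip detected: %d\n", demo_detects_flips(1, 13, 0));
    printf("double-bit flip detected: %d\n", demo_detects_flips(2, 13, 200));
    return 0;
}
```

On a C2000 device the same check would run over the application's flash sections at start-up and periodically; the reference CRC is generated by the build tooling, and the application, not the check, chooses what happens on a mismatch.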

# 2.1 C2000 Capability by Device Family

The C2000 device capability in Table 2-3 is derived based on IEC 60730 example fault/error detection methods mapped to suggested device diagnostics and functional-safety features. This mapping is described in the remainder of this document.

| Device Family    | Class B / 1 | Class C / 2 |
|------------------|-------------|-------------|
| F28002x          | ✓           | 1           |
| F28003x          | ✓           | 1           |
| F28004x          | ✓           | ✓           |
| F2807x           | ✓           | ✓           |
| F2837xD, F2837xS | ✓           | ✓           |
| F2838x           | ✓           | ✓           |

#### Table 2-3. IEC 60730 / UL 1998 Capability per C2000 Device Family

# 3 C2000 Safety Collateral

TI provides safety-related collateral to aid in system development and assessment. This section describes collateral that can be leveraged to meet IEC 60730 and UL 1998.

# 3.1 Getting Started


To become familiar with C2000 functional safety capabilities the following documents are recommended:

- C2000<sup>™</sup> Safety Mechanisms: introduction to C2000 device features that support functional safety.
- Industrial Functional Safety for C2000 Real-Time Microcontrollers: highlights specific-device capabilities, collateral, and documentation to support industrial functional-safety standards.

The next level of collateral is further discussed in this chapter:

- Functional Safety Manuals (FSMs): comprehensive, device-specific, functional-safety related documentation.
- Diagnostic and self-test software collateral.



#### Note

The F2806x, F2803x, F2805x, F2802x, F2833x and F2823x C2000 families are not included in this document. For these devices, see the *Safety Manual for C2000 MCUs in IEC60730 Safety Applications User's Guide.* 

# 3.2 Functional Safety Manuals

The equipment designer and manufacturer are responsible for ensuring a system meets all applicable safety, regulatory, and performance requirements. Most C2000 Functional Safety Manuals are part of a Functional Safety-Compliant design package to aid in compliance with ISO 26262 or IEC 61508 functional safety standards.

A subset of the safety manual can aid in designing for IEC 60730 requirements. Topics of interest to the IEC 60730-focused designer are listed in Table 3-1. Additional topics not directly applicable to IEC 60730 may also be helpful.

| The IEC 60730-focused developer should pay particular attention to:                                                                                                                                                                                                                                                                                                                                                                                         | Additional topics may be helpful. These include:                                                                                                                                                                                                                                                                                                                                                                |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <ul> <li>Description of suggested safety features and diagnostics that are mapped to IEC 60730 acceptable measures in Section 5.</li> <li>Guidelines for implementing diagnostics.</li> <li>Description of the software diagnostic library and self-test libraries.</li> <li>While some Unique IDs may not map directly to IEC 60730, or may only provide partial coverage, implementation is highly recommended. Examples of such best practices are discussed in Section 4.3.</li> </ul> | <ul> <li>Product overview.</li> <li>Device architecture drawing with safety features highlighted.</li> <li>Comprehensive list of all safety features and diagnostics.</li> <li>List of safety features specific to peripherals.</li> <li>Descriptions of diagnostics, tests for diagnostics, and fault avoidance measures.</li> <li>Suggestions for improving freedom from interference.</li> <li>Suggestions for addressing common cause failures.</li> </ul> |

#### Table 3-1. Functional Safety Manual Topics

Within the functional safety manual, a C2000 Unique Identifier (Unique ID) identifies specific safety features and diagnostics. These diagnostics can be divided into:

- A safety diagnostic
- A test of a safety diagnostic
- A fault avoidance technique

The implementation can be:

- Hardware: implemented in TI silicon
- Software: must be implemented in the application software
- Hardware plus software: requires both hardware implemented in silicon and software within the application
- System: implemented externally to the microcontroller

This document is meant to aid in mapping an IEC 60730 requirement to suggested C2000 Unique IDs (Section 5). The system designer can then reference the Functional Safety Manual's description and implementation suggestions for each Unique ID. Figure 3-1 illustrates this approach.



#### Figure 3-1. Mapping Acceptable Measures to C2000 Functional Safety Manuals



# 3.3 Software Collateral

While C2000 devices have several hardware safety features, the application level diagnostic software adds value to the hardware features. C2000 provides the following safety-related software packages:

- C28x Self-Test Library (C28x\_STL)
- CLA Self-Test Library (CLA\_STL)
- Software Diagnostic Library (SDL)

#### Software Diagnostic Library

#### Features:

- A collection of C-callable, optimized, independent test functions.
- Called and managed by the user's application.
- When a failure is detected, the application determines the system-appropriate action.
- Each function executes a specific task to verify the functionality of a component.
- Leverages safety mechanisms consistent with safety standards.
- Has minimal impact on the MCU's real-time control performance.
- The User's Guide includes benchmarks.
- Supports power-on test, periodic test, or both.
- Demonstrates library usage and configuration of diagnostic features.

#### Availability:

- F2837xS, F2837xD and F2807x download here
- Other device SDLs are in C2000Ware. See the libraries/diagnostic directory.

#### Examples include:

- CAN message RAM March and parity logic test
- CRC code for communications and memory tests
- Interface to CPU HWBIST capabilities
- PIE RAM redundancy test
- Clock frequency test
- CPU register test

Refer to the safety manual's C2000 Safety Diagnostics Libraries chapter.
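
As an added example of the kind of RAM March test listed above and of the measure for Table 2-2 row 4.2 (volatile memory, DC faults), here is a March C- test over a word-organized RAM block. This is example code written for this guide's reader, not TI's SDL implementation. Memory accesses go through a small constructed fault model (`sim_ram_t`, `ram_read`, `ram_write`, `demo_ram_test`) so that detection of a stuck-at bit can be exercised on a host; on a device the test would address the physical RAM block directly.

```c
/* Added example: March C- test of a RAM block with a constructed stuck-at
 * fault model. Not TI SDL code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RAM_WORDS 32

/* Constructed memory model: an optional stuck-at fault on one cell.
 * stuck0/stuck1 masks force bits low/high on every write to fault_idx. */
typedef struct {
    uint16_t cell[RAM_WORDS];
    int      fault_idx;   /* -1 = no fault injected */
    uint16_t stuck0;      /* bits stuck at 0 */
    uint16_t stuck1;      /* bits stuck at 1 */
} sim_ram_t;

static void ram_write(sim_ram_t *m, int i, uint16_t v)
{
    if (i == m->fault_idx) v = (uint16_t)((v & ~m->stuck0) | m->stuck1);
    m->cell[i] = v;
}

static uint16_t ram_read(const sim_ram_t *m, int i) { return m->cell[i]; }

/* One read-verify-write element over the block in one direction.
 * Returns the index of the first mismatching cell, or -1 if all matched. */
static int march_element(sim_ram_t *m, int up, uint16_t expect, uint16_t write)
{
    for (int k = 0; k < RAM_WORDS; k++) {
        int i = up ? k : RAM_WORDS - 1 - k;
        if (ram_read(m, i) != expect) return i;
        ram_write(m, i, write);
    }
    return -1;
}

/* March C-: { any(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); any(r0) }
 * with "0" = background bg and "1" = its complement. Returns -1 on pass or
 * the first failing word index. The test is destructive: run it before the
 * block is in use, or save and restore the contents around it. */
int march_cm(sim_ram_t *m, uint16_t bg)
{
    uint16_t nbg = (uint16_t)~bg;
    int r;
    for (int i = 0; i < RAM_WORDS; i++) ram_write(m, i, bg);   /* any(w0)    */
    if ((r = march_element(m, 1, bg, nbg)) >= 0) return r;     /* up(r0,w1)  */
    if ((r = march_element(m, 1, nbg, bg)) >= 0) return r;     /* up(r1,w0)  */
    if ((r = march_element(m, 0, bg, nbg)) >= 0) return r;     /* down(r0,w1)*/
    if ((r = march_element(m, 0, nbg, bg)) >= 0) return r;     /* down(r1,w0)*/
    for (int i = 0; i < RAM_WORDS; i++)                         /* any(r0)    */
        if (ram_read(m, i) != bg) return i;
    return -1;
}

/* Run with two backgrounds so that both all-equal and alternating bit
 * patterns are exercised inside each word, catching intra-word couplings. */
int ram_test(sim_ram_t *m)
{
    int r = march_cm(m, 0x0000);
    if (r >= 0) return r;
    return march_cm(m, 0x5555);
}

/* Demo helper with a constructed fault: returns the index the test reports. */
int demo_ram_test(int fault_idx, uint16_t stuck0, uint16_t stuck1)
{
    sim_ram_t m;
    memset(&m, 0, sizeof m);
    m.fault_idx = fault_idx;
    m.stuck0 = stuck0;
    m.stuck1 = stuck1;
    return ram_test(&m);
}

int main(void)
{
    printf("no fault:            result %d (-1 = pass)\n", demo_ram_test(-1, 0, 0));
    printf("bit 3 of word 5 stuck at 0: failing word %d\n", demo_ram_test(5, 0x0008, 0));
    printf("bit 14 of word 17 stuck at 1: failing word %d\n", demo_ram_test(17, 0, 0x4000));
    return 0;
}
```

For a periodic test on a device in operation, the usual approach is to test a small window of RAM at a time with interrupts masked, restoring its contents afterwards, so that the real-time control loop is not disturbed.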

#### C28x and CLA Self-Test Libraries

The self-test libraries (STL) check the CPU's logic integrity using the CPU itself. The STLs are independently assessed by TÜV SÜD and found to be suitable for being integrated into safety related systems up to ASIL D and SIL 3 according to ISO 26262:2018 and IEC 61508:2010 respectively.

#### C28X\_STL Features:

- Represents a safety mechanism with the capability to detect permanent faults of the C28x CPU.
- Covers the CPU, FPU, TMU, VCU, and VCRC instruction sets.
- Supports only start-up testing.
- Available for Class C, SIL 2 and SIL 3 capable devices without hardware built-in self test (HWBIST).
- Includes a user's guide and compliance support package (CSP).

#### CLA\_STL Features:

- Represents a safety mechanism with the capability to detect permanent faults of the Control Law Accelerator (CLA).
- Covers the CLA register bank, control unit, datapath, and so forth.
- Supports both start-up and periodic testing.
- Applies to any device with a CLA.
- Includes a user's guide and compliance support package (CSP).

#### Availability:

The CLA\_STL and C28X\_STL are not released on TI.com. Contact your TI representative to request access.



# 4 Implementing Acceptable Measures on C2000 Real-Time MCUs

This section details a step-by-step approach to identifying functional safety diagnostics and software to implement IEC 60730 and UL 1998 acceptable measures.

# 4.1 Implementation Steps

To plan implementation of an acceptable measure, the suggested steps are:

| Step   | Description                                                                                                                                                                                                                                                                                                  | References                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Step 1 | Map acceptable measures to C2000 Unique IDs:<br>The specifications typically present the developer with a<br>choice of acceptable measures to detect a specific fault. This<br>document presents a mapping of some acceptable measures<br>to Unique IDs. In some cases more than one Unique ID may<br>apply. |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Step 2 | <b>Plan the implementation:</b><br>Read the description and guidelines, or suggestions, for<br>implementing Unique ID. You will also learn if the Unique ID<br>implementation is based on hardware, software or both.                                                                                        | Device-specific Functional Safety Manual: Summary of Safety Features and Diagnostics                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| Step 3 | Identify supporting software:<br>Identify if the Unique ID is supported by the SDL or an STL.                                                                                                                                                                                                                | <ul> <li>Device-specific Functional Safety Manual: Safety<br/>Diagnostics Libraries</li> <li>This document: Section 3.3</li> <li>SDL or STL documentation</li> </ul>                                                                                                                                                                                                                                                                                                                                                                      |
|        | In some cases, a Unique ID is not supported by an SDL/STL<br>module. This occurs when the Unique ID corresponds<br>to a hardware mechanism with minimal, or no, software<br>requirements, or the Unique ID requires a system-dependent<br>implementation.                                                    | <ul> <li>In these cases reference:</li> <li>1. The FSM Unique ID description for<br/>implementation guidance and suggestions.</li> <li>2. The C2000Ware Software Development Kit<br/>software examples to implement the requirements<br/>based on the FSM guidance. For example: <ul> <li>Populating PIE vectors, including unused<br/>vectors.</li> <li>Embedded real-time analysis and diagnostic<br/>module (ERAD) examples.</li> <li>VCRC module library to calculate CRCs.</li> <li>Peripheral configuration.</li> </ul> </li> </ul> |
| Step 4 | Identify additional Unique IDs to implement:<br>Some IDs may not directly map to IEC 60730 but are<br>still highly recommended. Many of these are hardware<br>implementations and take little overhead in a system.                                                                          | <ul> <li>Device-specific Functional Safety Manual</li> <li>This document: Section 4.3</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                          |
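
Step 3 names "populating PIE vectors, including unused vectors" as a C2000Ware example to draw on; the following added example shows the application-side logic that such a measure feeds, for the Table 2-2 row 2 fault "none or too frequent". It is written for this guide's reader and is not C2000Ware or SDL code. Each real ISR counts its occurrence, every unused vector points at a trap handler, and a check run from a trusted timebase compares the counts per monitoring window against bounds from the application's timing design. The vector table, the per-source bounds, and the `demo_window` replay helper are constructed stand-ins for the device's PIE table and ISR registration.

```c
/* Added example: interrupt-rate monitoring plus an unused-vector trap.
 * Not C2000Ware code; vector table and bounds are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define N_SOURCES 4
#define N_VECTORS 8   /* constructed vector table size */

/* Expected interrupt count per monitoring window, per source. */
typedef struct {
    uint32_t count;      /* interrupts seen in the current window */
    uint32_t min_count;  /* fewer than this in a window = "none" */
    uint32_t max_count;  /* more than this = "too frequent" */
} irq_monitor_t;

typedef enum { IRQ_OK = 0, IRQ_TOO_FEW = 1, IRQ_TOO_MANY = 2, IRQ_UNEXPECTED = 3 } irq_status_t;

static irq_monitor_t mon[N_SOURCES] = {
    /* count, min, max: constructed bounds for a 1 ms window */
    {0, 9, 11},   /* source 0: 10 kHz control ISR, +/-1 tolerated */
    {0, 1, 1},    /* source 1: 1 kHz housekeeping */
    {0, 0, 5},    /* source 2: event driven, at most 5 per window */
    {0, 0, 0},    /* source 3: must never fire */
};

static volatile int unexpected_vector = -1;

/* Called from each real ISR: one increment of overhead per interrupt. */
void irq_monitor_tick(int src) { mon[src].count++; }

/* Installed into every unused vector so a spurious interrupt is recorded
 * instead of executing whatever happens to be at that address. */
void unused_vector_isr(int vec) { unexpected_vector = vec; }

/* Constructed vector table: real handlers for sources 0..3, trap elsewhere.
 * On a C2000 device this corresponds to filling the whole PIE table. */
typedef void (*isr_t)(int);
static isr_t vectors[N_VECTORS];

void vectors_init(void)
{
    for (int v = 0; v < N_VECTORS; v++)
        vectors[v] = (v < N_SOURCES) ? irq_monitor_tick : unused_vector_isr;
}

/* Simulated interrupt delivery through the table. */
void deliver_irq(int vec) { vectors[vec](vec); }

/* Window check, called from a timebase the application trusts. Returns the
 * first fault found (failing_src receives the source or vector index) and
 * resets the counters for the next window. */
irq_status_t irq_monitor_check(int *failing_src)
{
    irq_status_t st = IRQ_OK;
    *failing_src = -1;
    if (unexpected_vector >= 0) {
        *failing_src = unexpected_vector;
        st = IRQ_UNEXPECTED;
    }
    for (int s = 0; s < N_SOURCES && st == IRQ_OK; s++) {
        if (mon[s].count < mon[s].min_count)      { st = IRQ_TOO_FEW;  *failing_src = s; }
        else if (mon[s].count > mon[s].max_count) { st = IRQ_TOO_MANY; *failing_src = s; }
    }
    for (int s = 0; s < N_SOURCES; s++) mon[s].count = 0;
    unexpected_vector = -1;
    return st;
}

/* Demo: replay a constructed window of interrupt events, then check it. */
irq_status_t demo_window(const int *events, size_t n, int *failing_src)
{
    vectors_init();
    for (size_t i = 0; i < n; i++) deliver_irq(events[i]);
    return irq_monitor_check(failing_src);
}

int main(void)
{
    const int window[] = {0, 0, 0, 0, 0, 1, 6};   /* too few of source 0, plus vector 6 */
    int src;
    irq_status_t st = demo_window(window, sizeof window / sizeof window[0], &src);
    printf("status %d, source/vector %d\n", (int)st, src);
    return 0;
}
```

The check reports one fault per window and leaves the reaction to the application; the window timer itself should be covered by the clock measure (Table 2-2 row 3) so that a stalled timebase cannot silently stop the monitoring.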

# 4.2 Example Mapping


Table 4-1 shows examples of mapping acceptable measures to C2000 Unique IDs. The specifications give the option to use one or more acceptable measures for the given class. It is up to the system designer to determine what is best suited for the application. In addition, a class C measure can be used to detect a class B fault/error. Therefore, in example 1 the system designer could also use the acceptable measures for class C shown in example 2.

| Table 4-1. Examples of Mapping to Unique IDs and Implementation Guidance               |                                                                                                                                                                                                                                                                                           |                                                                                                                                                                                                                                                                                                                    |
|----------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Example | Acceptable Measure to C2000 Unique ID <sup>(1)</sup> | Implementation Guidance (FSM) |
| Example 1:<br>Component: CPU registers<br>Device: F28003x<br>Class: B fault "Stuck at" | Maps to unique IDs for the measure "periodic self-test":<br>• CPU2: CPU hardware built-in self-test (HWBIST)<br>• CLA2: Software test of CLA<br>Note: The specifications indicate that a class C measure can also be selected to cover a class B fault. | The FSM describes:<br>• Diagnostic coverage information<br>• How testing can be applied to check the integrity of each CPU<br>• Details on implementing the test<br>• Where to find the diagnostic and self-test software documentation |
| Example 2:<br>Component: CPU registers<br>Device: F28003x<br>Class: C fault "DC fault" | Maps to the IDs:<br>• CPU1/CLA1: Reciprocal comparison by software for the acceptable measure "reciprocal comparison"<br>• CPU2: CPU hardware built-in self-test (HWBIST) for the acceptable measure "internal error detection" | The FSM:<br>• Describes the HWBIST hardware feature.<br>• Provides ideas for implementing reciprocal comparison. This diagnostic is highly system dependent.<br>• Refers the developer to the diagnostic software documentation for the HWBIST software interface. |

(1) For more information, see the tables in Section 5.
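Example 2 above maps a class C register fault to "reciprocal comparison" (CPU1/CLA1) and notes that the diagnostic is highly system dependent. The following added example, which is not TI code and is not from the functional safety manual, sketches the pattern on a host: two execution channels (the CPU and a CLA stand-in) compute the same control output with deliberately diverse arithmetic, each compares its result with the peer's, and a debounced mismatch latches a fault. The Q15 gain, the tolerance, the debounce count, the ADC samples and the stuck-bit fault model are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Proportional gain shared by both channels, Q15 format (0.5). Constructed value. */
#define KP_Q15          16384
/* Largest tolerated difference between the two channels' results. The diverse
 * arithmetic below differs by at most one count, so 2 leaves headroom without
 * masking a real error. Constructed value. */
#define TOLERANCE       2
/* Consecutive mismatches before the fault is latched (debounce). Constructed value. */
#define MAX_CONSECUTIVE 3

/* Channel A stands in for the C28x CPU: Q15 fixed-point arithmetic. */
static int32_t channel_a_duty(uint16_t adc_count, int32_t kp_q15)
{
    int32_t err = (int32_t)adc_count - 2048;   /* 12-bit ADC, mid-scale setpoint */
    return (err * kp_q15) >> 15;               /* arithmetic shift: rounds toward -inf */
}

/* Channel B stands in for the CLA: deliberately diverse (float) arithmetic so
 * that a systematic error in one implementation is not mirrored by the other. */
static int32_t channel_b_duty(uint16_t adc_count, int32_t kp_q15)
{
    float err = (float)adc_count - 2048.0f;
    return (int32_t)(err * ((float)kp_q15 / 32768.0f));   /* cast: rounds toward 0 */
}

/* Per-channel comparator state. Each channel keeps its own copy so that a
 * corrupted comparator on one side does not silence the other. */
typedef struct {
    uint8_t mismatch_count;
    bool    fault;   /* latched; in a real system cleared only by reset */
} recip_state_t;

/* One reciprocal comparison step: compare the channel's own result with the
 * result the peer published. Returns false once the fault is latched. */
static bool reciprocal_compare(recip_state_t *s, int32_t own, int32_t peer)
{
    if (labs((long)own - (long)peer) > TOLERANCE) {
        if (++s->mismatch_count >= MAX_CONSECUTIVE) {
            s->fault = true;
        }
    } else {
        s->mismatch_count = 0;
    }
    return !s->fault;
}

/* Constructed fault: a stuck bit in channel B's result register. XOR flips
 * bit 14 regardless of sign, so the published value is always off by 16384. */
static int32_t inject_stuck_bit(int32_t v)
{
    return v ^ 0x4000;
}

/* Runs n_cycles of the control loop on constructed ADC samples. From cycle
 * corrupt_from onward channel B publishes a corrupted result. Returns the
 * cycle at which either channel latched a fault (where a real system would
 * drive the outputs to their safe state), or -1 if the run completed clean. */
int simulate(size_t n_cycles, size_t corrupt_from)
{
    recip_state_t cpu_side = {0, false};
    recip_state_t cla_side = {0, false};

    for (size_t c = 0; c < n_cycles; c++) {
        uint16_t adc = (uint16_t)(1900u + (c * 7u) % 300u);   /* constructed input */
        int32_t a = channel_a_duty(adc, KP_Q15);
        int32_t b = channel_b_duty(adc, KP_Q15);
        if (c >= corrupt_from) {
            b = inject_stuck_bit(b);
        }
        /* Each side checks the other, so the comparison itself is redundant. */
        bool cpu_ok = reciprocal_compare(&cpu_side, a, b);
        bool cla_ok = reciprocal_compare(&cla_side, b, a);
        if (!cpu_ok || !cla_ok) {
            return (int)c;
        }
    }
    return -1;
}

int main(void)
{
    printf("clean run: %d\n", simulate(20, 20));                        /* -1 */
    printf("fault from cycle 5 latched at cycle %d\n", simulate(20, 5)); /* 7  */
    return 0;
}
```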

# 4.3 Additional Best Practices

This document is focused on C2000 Unique IDs that specifically map to IEC 60730 and UL 1998 requirements. The device-specific safety manual includes additional information that may assist the system designer. Review of the following functional safety manual sections is highly recommended:

- Suggestions For Improving Freedom from Interference
- Suggestions for Addressing Common Cause Failures
- Summary of Safety Features and Diagnostics
  - Fault avoidance techniques
  - Low/zero overhead hardware diagnostics
  - Tests of safety features and diagnostics

Table 4-2 lists some examples. To determine additional best practices for your specific device family, refer to the device-specific functional safety manual.

| Category                                | Example C2000 Unique ID <sup>(1)</sup> | Description                                                                                          |
|-----------------------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------|
| Fault avoidance                         | CLK14                                  | Peripheral clock gating                                                                              |
|                                         | CPU6                                   | Disable of JTAG port                                                                                 |
|                                         | DMA9                                   | Disabling of unused DMA trigger sources                                                              |
|                                         | FLASH3 <sup>(2)</sup>                  | Bit multiplexing in flash memory array                                                               |
|                                         | RST2                                   | Reset cause information                                                                              |
|                                         | SRAM4 <sup>(2)</sup>                   | Bit multiplexing in SRAM memory array                                                                |
|                                         | SYS1 <sup>(2)</sup>                    | Multi-bit enable keys for control registers                                                          |
|                                         | SYS2                                   | Lock mechanism for control registers                                                                 |
|                                         | SYS7                                   | Peripheral soft reset (SOFTPRES)                                                                     |
| Zero or low overhead / hardware feature | CLK1                                   | Missing clock detect                                                                                 |
|                                         | CPU8                                   | Internal watchdog                                                                                    |
|                                         | CPU5                                   | Access protection mechanism for memories                                                             |
|                                         | CPU14                                  | Stack overflow detection                                                                             |
|                                         | PIE7                                   | Maintain interrupt handlers for unused interrupts                                                    |
|                                         | PWM8                                   | ePWM fault detection using X-BAR                                                                     |
|                                         | SYS8                                   | EALLOW/MEALLOW protection for critical registers                                                     |
| Best practices / highly recommended     | PWR1                                   | External voltage supervisor                                                                          |
|                                         | CLK7                                   | External watchdog                                                                                    |
|                                         | SRAM7                                  | Data scrubbing to detect/correct memory errors                                                       |
|                                         | CLK10                                  | Testing of a feature / diagnostic. CLK10, for example, is a software test of the watchdog operation. |

Table 4-2. Example Additional Unique IDs of Interest

(1) A safety feature or diagnostic may be referenced by multiple IDs. For example, CPU5 is also CLA9, SRAM11, and DMA8 along with other IDs. This table only lists one of the IDs for simplicity.

(2) Enabled by default and cannot be disabled.

# 5 Mapping Acceptable Control Measures to C2000 Unique Identifiers

The proposed mapping in this document is for reference. The system and equipment designer, or manufacturer, is responsible for ensuring that the end system meets the IEC 60730 / UL 1998 requirements.

#### Note

This section references IEC 60730 Annex H table H.1 and UL 1998 Appendix A table A.2 as they apply to microcontrollers. While these two tables are compatible, the exact wording may differ. For specific wording, clarifications, and definitions, see an original copy of the specifications.

The mapping is summarized in the following tables:

#### Table 5-1. Acceptable Measure to Unique Identifier Mapping

| Component                                                                        | Section     |
|----------------------------------------------------------------------------------|-------------|
| CPU                                                                              | Section 5.2 |
| Interrupt related faults                                                         | Section 5.3 |
| Clock faults                                                                     | Section 5.4 |
| Memory                                                                           | Section 5.5 |
| Internal data path faults                                                        | Section 5.6 |
| Input and output periphery faults                                                | Section 5.7 |
| Other faults: external communication, monitoring devices, and custom chip faults | Section 5.8 |



When reviewing the acceptable measure to Unique ID tables, reference the following documentation:

- IEC 60730 / UL 1998 specifications:
  - Specific definitions of acceptable control measures for each class.
  - Additional acceptable control measures not listed here.
  - Clarifications and other notes not included here.
- Device-specific Functional Safety Manual:
  - C2000 Unique ID definitions. Refer to the Summary of Safety Features and Diagnostics chapter for a short description and a link to a longer explanation with implementation guidance.
  - Supporting software.
  - Once done, do not forget to review the additional best practices described in Section 4.3.

Section 5.1 includes a summary of Unique IDs referenced in this section. For further details, see the device-specific Functional Safety Manual.

# 5.1 Unique Identifier Reference

Table 5-2 is a summary of Unique IDs referenced in this section. For further details, see the device-specific Functional Safety Manual.

#### Note

- IDs in Table 5-2 may not apply to every C2000 device family. To determine if an ID applies to your device, see the mapping tables and functional safety manual.
- If the mapping tables reference an ID not listed here, it was an oversight. For more information, see the device-specific Functional Safety Manual.

#### Table 5-2. Summary of Referenced C2000 Unique IDs

| Unique ID   | Short Description                                                       | Notes / Software Support                                          |
|-------------|-------------------------------------------------------------------------|-------------------------------------------------------------------|
| ADC2        | DAC to ADC loopback check                                               |                                                                   |
| ADC8        | ADC input signal integrity check                                        |                                                                   |
| ADC10       | Hardware redundancy                                                     |                                                                   |
| CAN3        | SRAM parity                                                             |                                                                   |
| CLA1        | Software reciprocal comparison                                          |                                                                   |
| CLA2        | Software test of CLA                                                    | CLA_STL                                                           |
| CLA3        | Handling of illegal operation and illegal results                       |                                                                   |
| CLK2        | Integrity using CPU timer                                               | SDL module: STL_OSC_CT                                            |
| CLK3        | Integrity using HRPWM                                                   | SDL module: STL_OSC_HR                                            |
| CLK4        | Dual clock comparator (DCC type0)                                       |                                                                   |
| CLK16       | Dual clock comparator (DCC type1)                                       | Note: DCC type 1 is identical to type 2.                          |
| CLK17       | Dual clock comparator (DCC type2)                                       |                                                                   |
| CPU1        | Software reciprocal comparison                                          |                                                                   |
| CPU2        | Hardware built-in test of CPU                                           | SDL module: STL_HWBIST                                            |
| CPU3        | Software test of CPU                                                    | C28X_STL                                                          |
| CPU7        | Handling of illegal operation, illegal results and instruction trapping |                                                                   |
| DCSM2       | Majority voting and error detection of link pointer                     |                                                                   |
| ECAT6       | SRAM parity                                                             |                                                                   |
| EFUSE2      | EFUSE ECC (data only)                                                   |                                                                   |
| FLASH1      | Flash ECC (data + address)                                              |                                                                   |
| FLASH2      | VCU CRC check of memory                                                 | SDL module: STL_CRC                                               |
| FLASH6      | Software test of ECC logic                                              | SDL modules: sdl_ex_ram_ecc_parity_test and sdl_ex_flash_ecc_test |
| GPIO4       | Software test of function using I/O loopback                            |                                                                   |
| GPIO5       | Hardware redundancy                                                     |                                                                   |
| INC1        | Software test of function including error tests                         |                                                                   |
| INC8        | Transmission redundancy                                                 |                                                                   |
| INC9        | Hardware redundancy                                                     |                                                                   |
| MCAN8       | SRAM ECC (data + address)                                               |                                                                   |
| PIE1        | PIE double SRAM hardware comparison                                     |                                                                   |
| PIE2        | Software test of SRAM                                                   |                                                                   |
| PIE3        | Software test of ePIE including error tests                             |                                                                   |
| PIE6        | PIE double SRAM comparison check                                        | SDL module: STL_PIE_RAM                                           |
| PIE8        | Online monitoring of interrupts and events                              |                                                                   |
| PIE13       | Hardware redundancy using lockstep compare                              |                                                                   |
| ROM1        | VCU CRC check of memory                                                 | SDL module: STL_CRC                                               |
| ROM9        | Background CRC for CLA program ROM                                      |                                                                   |
| ROM10       | Memory power-on self-test (MPOST)                                       |                                                                   |
| ROM15       | ROM parity                                                              |                                                                   |
| SRAM1       | SRAM ECC (data + address)                                               |                                                                   |
| SRAM2       | SRAM parity                                                             |                                                                   |
| SRAM3       | Software test of SRAM                                                   | SDL module: STL_March                                             |
| SRAM8       | VCU CRC check of memory                                                 | SDL module: STL_CRC                                               |
| SRAM14      | Software test of parity logic                                           | SDL module: sdl_ex_ram_ecc_parity_test                            |
| STL_CPU_REG | CPU register test example from the diagnostic library                   | For a device that does not include HWBIST, a periodic test of the CPU registers can be performed. STL_CPU_REG does not map to a C2000 Unique ID directly; it refers to an example CPU register test within the diagnostic library. This example is also provided for other devices if needed. Refer to the diagnostic library documentation. |
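SRAM3 in Table 5-2 (software test of SRAM, supported by the STL_March module) is a March-type memory test. The following added example, which is not TI's STL_March code, implements the March C- algorithm on a host-emulated 16-bit SRAM so the detection logic can be run and checked offline; the region size, the per-word stuck-at fault model and the injected faults are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORDS 64u   /* size of the emulated SRAM region under test (constructed) */

/* Host-side SRAM model (constructed). Every write goes through sram_store(),
 * which applies a per-word stuck-at-0 mask (bits that always read 0) and a
 * stuck-at-1 mask (bits that always read 1). */
typedef struct {
    uint16_t cell[WORDS];
    uint16_t stuck0[WORDS];
    uint16_t stuck1[WORDS];
} sram_t;

static void sram_init(sram_t *m)
{
    memset(m, 0, sizeof *m);
}

static void sram_store(sram_t *m, size_t i, uint16_t v)
{
    m->cell[i] = (uint16_t)((v & (uint16_t)~m->stuck0[i]) | m->stuck1[i]);
}

static uint16_t sram_load(const sram_t *m, size_t i)
{
    return m->cell[i];
}

/* One March element: walk every word in ascending (dir > 0) or descending
 * order; when expect >= 0, read and compare against it before writing `write`.
 * Returns the index of the first miscompare, or -1 if the element passed. */
static int march_element(sram_t *m, int dir, int expect, uint16_t write)
{
    for (size_t k = 0; k < WORDS; k++) {
        size_t i = (dir > 0) ? k : (WORDS - 1u - k);
        if (expect >= 0 && sram_load(m, i) != (uint16_t)expect) {
            return (int)i;
        }
        sram_store(m, i, write);
    }
    return -1;
}

/* March C-: { any order: w0; up: r0,w1; up: r1,w0; down: r0,w1; down: r1,w0;
 * any order: r0 }. Covers stuck-at, transition and inter-word coupling faults.
 * The test is destructive: a real implementation saves the region (or runs on
 * a dedicated buffer) and restores it afterwards, which is omitted here.
 * Returns -1 when every word passed, else the index of the failing word. */
int march_c_minus(sram_t *m)
{
    int f;
    if ((f = march_element(m, +1, -1,     0x0000)) >= 0) return f;
    if ((f = march_element(m, +1, 0x0000, 0xFFFF)) >= 0) return f;
    if ((f = march_element(m, +1, 0xFFFF, 0x0000)) >= 0) return f;
    if ((f = march_element(m, -1, 0x0000, 0xFFFF)) >= 0) return f;
    if ((f = march_element(m, -1, 0xFFFF, 0x0000)) >= 0) return f;
    return march_element(m, -1, 0x0000, 0x0000);   /* final read of 0 */
}

/* Helpers for the stand-alone run and the checks below: a fault-free region
 * and regions with one injected stuck-at bit. */
int run_clean(void)
{
    sram_t m;
    sram_init(&m);
    return march_c_minus(&m);
}

int run_stuck0(size_t word, uint16_t mask)
{
    sram_t m;
    sram_init(&m);
    m.stuck0[word] = mask;
    return march_c_minus(&m);
}

int run_stuck1(size_t word, uint16_t mask)
{
    sram_t m;
    sram_init(&m);
    m.stuck1[word] = mask;
    return march_c_minus(&m);
}

int main(void)
{
    printf("clean region: %d\n", run_clean());                          /* -1 */
    printf("stuck-at-0, word 17 bit 5: %d\n", run_stuck0(17, 0x0020));  /* 17 */
    printf("stuck-at-1, word 3 bit 0: %d\n", run_stuck1(3, 0x0001));    /* 3  */
    return 0;
}
```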

# 5.2 CPU Related Faults

#### Table 5-3. CPU Faults

The Definition and Description columns give the acceptable measure <sup>(2)</sup> (IEC 60730 Annex H clause above the UL 1998 Appendix A clause); the device columns list the C2000 Unique IDs <sup>(3)</sup> that implement it on each family.

| Component                            | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition             | Description                                             | F2837x<br>F2807x     | F2838x               | F28004x      | F28002x      | F28003x              |
|--------------------------------------|--------------------------|--------------------------|------------------------|---------------------------------------------------------|----------------------|----------------------|--------------|--------------|----------------------|
| 1.1 Registers                        | rq                       |                          | H.2.16.5<br>A5.5       | Functional test                                         | CLA2                 | CLA2                 | CPU3<br>CLA2 | -            | CLA2                 |
|                                      | rq                       |                          | H.2.16.6<br>A5.6       | Periodic self-test                                      | CPU2<br>CLA2         | CPU2<br>CLA2         | CLA2         | CPU2         | CPU2<br>CLA2         |
|                                      |                          | rq                       | H.2.18.15<br>A7.1.19   | Reciprocal comparison                                   | CPU1<br>CLA1         | CPU1<br>CLA1         | CPU1<br>CLA1 | -            | CPU1<br>CLA1         |
|                                      |                          | rq                       | H.2.18.3<br>A7.1.6     | Independent hardware comparator                         | -                    | -                    | -            | -            | -                    |
|                                      |                          | rq                       | H.2.18.9<br>A7.1.10    | Internal error detection                                | CPU2                 | CPU2                 | -            | CPU2         | CPU2                 |
| 1.2 Instruction decode and execution |                          | rq                       | H.2.18.15<br>A7.1.19   | Reciprocal comparison                                   | CPU1<br>CLA1         | CPU1<br>CLA1         | CPU1<br>CLA1 | -            | CPU1<br>CLA1         |
|                                      |                          | rq                       | H.2.18.3<br>A7.1.6     | Independent hardware comparator                         | -                    | -                    | -            | -            | -                    |
|                                      |                          | rq                       | H.2.18.9<br>A7.1.10    | Internal error detection                                | CPU2<br>CPU7<br>CLA3 | CPU2<br>CPU7<br>CLA3 | CPU7<br>CLA3 | CPU2<br>CPU7 | CPU2<br>CPU7<br>CLA3 |
| 1.3 Program counter                  | rq                       |                          | H.2.16.5<br>A5.5       | Functional test                                         | CLA2                 | CLA2                 | CPU3<br>CLA2 | -            | CLA2                 |
|                                      | rq                       |                          | H.2.16.6<br>A5.6       | Periodic self-test                                      | CPU2                 | CPU2                 | -            | CPU2         | CPU2                 |
|                                      | rq                       |                          | H.2.18.10.4<br>A7.1.13 | Time slot monitoring                                    | PIE8                 | PIE8                 | PIE8         | PIE8         | PIE8                 |
|                                      |                          | rq                       | H.2.18.10.3<br>A7.1.14 | Independent time-slot monitoring and logical monitoring | PIE8                 | PIE8                 | PIE8         | PIE8         | PIE8                 |
|                                      |                          | rq                       | H.2.18.15<br>A7.1.19   | Reciprocal comparison                                   | CPU1<br>CLA1         | CPU1<br>CLA1         | CPU1<br>CLA1 | -            | CPU1<br>CLA1         |
|                                      |                          | rq                       | H.2.18.3<br>A7.1.6     | Independent hardware comparator                         | -                    | -                    | -            | -            | -                    |
| 1.4 Addressing                       |                          | rq                       | H.2.18.15<br>A7.1.19   | Reciprocal comparison                                   | CPU1<br>CLA1         | CPU1<br>CLA1         | CPU1<br>CLA1 | -            | CPU1<br>CLA1         |
|                                      |                          | rq                       | H.2.18.3<br>A7.1.6     | Independent hardware comparator                         | -                    | -                    | -            | -            | -                    |
|                                      |                          | rq                       | H.2.18.9<br>A7.1.10    | Internal error detection                                | CPU2                 | CPU2                 | -            | CPU2         | CPU2                 |
| 1.5 Data paths                       |                          | rq                       | H.2.18.15<br>A7.1.19   | Reciprocal comparison                                   | CPU1<br>CLA1         | CPU1<br>CLA1         | CPU1<br>CLA1 | -            | CPU1<br>CLA1         |
|                                      |                          | rq                       | H.2.18.3<br>A7.1.6     | Independent hardware comparator                         | -                    | -                    | -            | -            | -                    |
|                                      |                          | rq                       | H.2.18.9<br>A7.1.10    | Internal error detection                                | CPU2                 | CPU2                 | -            | CPU2         | CPU2                 |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

# 5.3 Interrupt Related Faults

### Table 5-4. Interrupt Faults to Unique ID Mapping

| Component     | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup>                   | F2837x<br>F2807x IDs <sup>(3)</sup> | F2838x IDs <sup>(3)</sup> | F28004x IDs <sup>(3)</sup> | F28002x IDs <sup>(3)</sup> | F28003x IDs <sup>(3)</sup> |
|---------------|--------------------------|--------------------------|---------------------------|----------------------------------------------|-------------------------------------|---------------------------|----------------------------|----------------------------|----------------------------|
| 3. Interrupts | rq                       |                          | H.2.16.5<br>A5.5          | Functional test                              | PIE1<br>PIE2<br>PIE3<br>PIE6        | PIE1<br>PIE2<br>PIE3<br>PIE6 | PIE1<br>PIE2<br>PIE3<br>PIE6 | PIE1<br>PIE2<br>PIE3<br>PIE6 | PIE1<br>PIE2<br>PIE3<br>PIE6 |
|               |                          |                          | H.2.18.10.4<br>A7.1.13    | Time slot monitoring                         | PIE8                                | PIE8                      | PIE8                       | PIE8                       | PIE8                       |
|               |                          |                          | H.2.18.15<br>A7.1.19      | Reciprocal comparison                        | CPU1<br>CLA1                        | CPU1<br>CLA1              | CPU1<br>CLA1               | -                          | CPU1<br>CLA1               |
|               |                          | rq                       | H.2.18.3<br>A7.1.6        | Independent hardware comparator              | -                                   | -                         | -                          | -                          | -                          |
|               |                          |                          | H.2.18.10.3<br>A7.1.14    | Independent time-slot and logical monitoring | PIE8                                | PIE8                      | PIE8                       | PIE8                       | PIE8                       |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

# 5.4 Clock Related Faults

### Table 5-5. Clock Faults to Unique ID Mapping

| Component | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup>      | F2837x<br>F2807x IDs <sup>(3)</sup> | F2838x IDs <sup>(3)</sup>                  | F28004x IDs <sup>(3)</sup> | F28002x IDs <sup>(3)</sup> | F28003x IDs <sup>(3)</sup>                 |
|-----------|--------------------------|--------------------------|---------------------------|---------------------------------|-------------------------------------|--------------------------------------------|----------------------------|----------------------------|--------------------------------------------|
| Clock     | rq                       |                          | H.2.18.10.1<br>A7.1.11    | Frequency monitoring            | CLK3                                | CLK3                                       | CLK3                       | CLK3                       | CLK3                                       |
|           |                          |                          | H.2.18.10.4<br>A7.1.13    | Time-slot monitoring            | PIE8                                | PIE8                                       | PIE8                       | PIE8                       | PIE8                                       |
|           |                          | rq                       | H.2.18.15<br>A7.1.6       | Independent hardware comparator | CLK2<br>CLK5                        | CLK2<br>CLK5<br>CLK16<br>APLL1<br>APLL7    | CLK2<br>CLK5<br>CLK4       | CLK2<br>CLK5<br>CLK17      | CLK2<br>CLK5<br>CLK17<br>APLL1<br>APLL7    |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

# 5.5 Memory Related Faults

### Table 5-6. Memory Faults to Unique ID Mapping

| Component        | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup>                | F2837x<br>F2807x IDs <sup>(3)</sup> | F2838x IDs <sup>(3)</sup> | F28004x IDs <sup>(3)</sup> | F28002x IDs <sup>(3)</sup> | F28003x IDs <sup>(3)</sup> |
|------------------|--------------------------|--------------------------|---------------------------|-------------------------------------------|-------------------------------------|---------------------------|----------------------------|----------------------------|----------------------------|
| 4.1 Non-volatile | rq                       |                          | H.2.19.3.2<br>A7.2.5      | Multiple checksum                         | -                                   | -                         | ROM10                      | ROM10                      | ROM10                      |
|                  |                          |                          | H.2.19.8.2<br>A7.3.2      | Word protection, single-bit parity        | -                                   | -                         | -                          | -                          | ROM15                      |
|                  |                          |                          | H.2.18.15<br>A7.1.19      | Reciprocal comparison                     | CPU1<br>CLA1                        | CPU1<br>CLA1              | CPU1<br>CLA1               | -                          | CPU1<br>CLA1               |
|                  |                          |                          | H.2.18.3<br>A7.1.6        | Independent hardware comparator           | -                                   | -                         | -                          | -                          | -                          |
|                  |                          |                          | H.2.19.5<br>A7.2.8        | Redundant memory with comparison          | DCSM2                               | DCSM2                     | DCSM2                      | DCSM2                      | DCSM2                      |
|                  |                          | rq                       | H.2.19.4.2<br>A7.2.7      | Periodic CRC, double word                 | FLASH2<br>ROM1                      | FLASH2<br>ROM1            | FLASH2<br>ROM1<br>ROM9     | FLASH2<br>ROM1             | FLASH2<br>ROM1<br>ROM13    |
|                  |                          |                          | H.2.19.8.1<br>A7.3.1      | Word protection with multi-bit redundancy | FLASH1<br>EFUSE2                    | FLASH1<br>EFUSE2          | FLASH1<br>EFUSE2           | FLASH1<br>EFUSE2           | FLASH1<br>EFUSE2           |



### Table 5-6. Memory Faults to Unique ID Mapping (continued)

| Component                                         | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup>                              | F2837x<br>F2807x IDs <sup>(3)</sup>           | F2838x IDs <sup>(3)</sup>            | F28004x IDs <sup>(3)</sup>      | F28002x IDs <sup>(3)</sup>      | F28003x IDs <sup>(3)</sup>                     |
|---------------------------------------------------|--------------------------|--------------------------|---------------------------|---------------------------------------------------------|-----------------------------------------------|--------------------------------------|---------------------------------|---------------------------------|------------------------------------------------|
| 4.2 Volatile                                      |                          |                          | H.2.19.6<br>A7.2.9        | Periodic static memory test                             | SRAM3                                         | SRAM3                                | SRAM3                           | SRAM3                           | SRAM3                                          |
|                                                   | rq                       |                          | H.2.19.8.2<br>A7.3.2      | Word protection, single-bit parity                      | SRAM2<br>CAN3                                 | SRAM2<br>CAN3<br>ECAT6               | SRAM2<br>CAN3                   | SRAM2<br>CAN3                   | CAN3                                           |
|                                                   |                          |                          | H.2.19.5<br>A7.2.8        | Redundant memory with comparison                        | PIE1                                          | PIE1                                 | PIE1                            | PIE1                            | PIE1                                           |
|                                                   |                          | rq                       | H.2.19.8.1<br>A7.3.1      | Word protection, multi-bit redundancy                   | SRAM1                                         | SRAM1<br>MCAN8                       | SRAM1                           | SRAM1                           | SRAM1<br>MCAN8                                 |
| 4.3 Addressing (volatile and non-volatile memory) | rq                       |                          | H.2.19.8.2<br>A7.2.9      | Word protection, single-bit parity                      | SRAM2<br>CAN3                                 | SRAM2<br>CAN3<br>ECAT6               | SRAM2<br>CAN3                   | SRAM2<br>CAN3                   | ROM15<br>CAN3                                  |
|                                                   |                          | rq                       | H.2.19.4.2<br>A7.2.7      | Periodic CRC, double word                               | SRAM8 <sup>(4)</sup><br>FLASH2<br>ROM1        | SRAM8<br>SRAM24<br>FLASH2<br>ROM1    | SRAM8<br>FLASH2<br>ROM1<br>ROM9 | SRAM8<br>SRAM24<br>FLASH2<br>ROM1 | SRAM8<br>SRAM24<br>FLASH2<br>ROM1<br>ROM13     |
|                                                   |                          |                          | H.2.19.8.1<br>A7.3.1      | Word protection, multi-bit redundancy including address | FLASH1<br>SRAM1                               | FLASH1<br>SRAM1<br>MCAN8             | FLASH1<br>SRAM1                 | FLASH1<br>SRAM1                 | FLASH1<br>SRAM1<br>MCAN8                       |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

(4) The F2807x device does not have a VCRC module. The CRC is performed by the CPU. Refer to the device-specific software diagnostic library.

# 5.6 Internal Data Path Faults

### Table 5-7. Internal Data Path Faults to Unique ID Mapping

| Component      | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup>                                       | F2837x<br>F2807x IDs <sup>(3)</sup>  | F2838x IDs <sup>(3)</sup>            | F28004x IDs <sup>(3)</sup>           | F28002x IDs <sup>(3)</sup>           | F28003x IDs <sup>(3)</sup>           |
|----------------|--------------------------|--------------------------|---------------------------|------------------------------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|
| 5.1 Data       | rq                       |                          | H.2.19.8.2<br>A7.3.2      | Word protection with single-bit parity                           | SRAM2                                | SRAM2                                | SRAM2                                | SRAM2                                | ROM15                                |
|                |                          |                          | H.2.18.15<br>A7.1.19      | Reciprocal comparison                                            | CPU1<br>CLA1                         | CPU1<br>CLA1                         | CPU1<br>CLA1                         | -                                    | CPU1<br>CLA1                         |
|                |                          |                          | H.2.18.3<br>A7.1.6        | Independent hardware comparator                                  | -                                    | -                                    | -                                    | -                                    | -                                    |
|                |                          |                          | H.2.19.8.1<br>A7.3.1      | Word protection with multi-bit redundancy including the address  | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      |
|                |                          | rq                       | H.2.18.22<br>A7.1.24      | Testing pattern                                                  | SRAM3<br>SRAM13<br>SRAM14<br>FLASH6  | SRAM3<br>SRAM13<br>SRAM14<br>FLASH6  | SRAM3<br>SRAM13<br>SRAM14<br>FLASH6  | SRAM3<br>SRAM13<br>SRAM14<br>FLASH6  | SRAM3<br>SRAM13<br>SRAM14<br>FLASH6  |
|                |                          |                          | H.2.18.14<br>A7.1.18      | Protocol test                                                    | INC1<br>INC8<br>INC9                 | INC1<br>INC8<br>INC9                 | INC1<br>INC8<br>INC9                 | INC1<br>INC8<br>INC9                 | INC1<br>INC8<br>INC9                 |
| 5.2 Addressing | rq                       |                          | H.2.19.8.2<br>A7.3.2      | Word protection with single bit redundancy including the address | SRAM2                                | SRAM2                                | SRAM2                                | SRAM2                                | -                                    |
|                |                          |                          | H.2.18.15<br>A7.1.19      | Reciprocal comparison                                            | CPU1<br>CLA1                         | CPU1<br>CLA1                         | CPU1<br>CLA1                         | -                                    | CPU1<br>CLA1                         |
|                |                          |                          | H.2.18.3<br>A7.1.6        | Independent hardware comparator                                  | -                                    | -                                    | -                                    | -                                    | -                                    |
|                |                          | rq                       | H.2.19.8.1<br>A7.1.6      | Word protection with multi-bit redundancy including the address  | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      | FLASH1<br>SRAM1                      |
|                |                          |                          | H.2.18.22<br>A7.1.24      | Testing pattern including the address                            | FLASH6                               | FLASH6                               | FLASH6                               | FLASH6                               | FLASH6                               |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

# 5.7 Input/Output Related Faults

### Table 5-8. Input/Output Periphery Faults to Unique ID Mapping

| Component       | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup> | F2837x<br>F2807x IDs <sup>(3)</sup> | F2838x IDs <sup>(3)</sup> | F28004x IDs <sup>(3)</sup> | F28002x IDs <sup>(3)</sup> | F28003x IDs <sup>(3)</sup> |
|-----------------|--------------------------|--------------------------|---------------------------|----------------------------|-------------------------------------|---------------------------|----------------------------|----------------------------|----------------------------|
| 7.1 Digital I/O | rq                       |                          | H.2.18.13<br>A7.1.17      | Plausibility check         | GPIO4                               | GPIO4                     | GPIO4                      | GPIO4                      | GPIO4                      |
|                 |                          |                          | H.2.18.8<br>A7.1.9        | Input comparison           | GPIO5                               | GPIO5                     | GPIO5                      | GPIO5                      | GPIO5                      |
|                 |                          | rq                       | H.2.18.11<br>A7.1.15      | Multiple parallel outputs  | GPIO5                               | GPIO5                     | GPIO5                      | GPIO5                      | GPIO5                      |
|                 |                          |                          | H.2.18.12<br>A7.1.16      | Output verification        | GPIO4                               | GPIO4                     | GPIO4                      | GPIO4                      | GPIO4                      |

### Table 5-8. Input/Output Periphery Faults to Unique ID Mapping (continued)

| Component                                     | Class B/1 <sup>(1)</sup> | Class C/2 <sup>(1)</sup> | Definition <sup>(2)</sup> | Description <sup>(2)</sup> | F2837x<br>F2807x IDs <sup>(3)</sup> | F2838x IDs <sup>(3)</sup> | F28004x IDs <sup>(3)</sup> | F28002x IDs <sup>(3)</sup> | F28003x IDs <sup>(3)</sup> |
|-----------------------------------------------|--------------------------|--------------------------|---------------------------|----------------------------|-------------------------------------|---------------------------|----------------------------|----------------------------|----------------------------|
| 7.2 Analog I/O<br>7.2.1 A/D and D/A converter | rq                       |                          | H.2.18.13<br>A7.1.17      | Plausibility check         | ADC2<br>ADC8                        | ADC2<br>ADC8              | ADC2<br>ADC8               | ADC2<br>ADC8               | ADC2<br>ADC8               |
|                                               |                          | rq                       | H.2.18.8<br>A7.1.9        | Input comparison           | ADC10                               | ADC10                     | ADC10                      | ADC10                      | ADC10                      |
| 7.2 Analog I/O<br>7.2.2 Analog multiplexer    | rq                       |                          | H.2.18.13<br>A7.1.17      | Plausibility check         | ADC2<br>ADC8                        | ADC2<br>ADC8              | ADC2<br>ADC8               | ADC2<br>ADC8               | ADC2<br>ADC8               |
|                                               |                          | rq                       | H.2.18.15<br>A7.1.19      | Input comparison           | ADC10                               | ADC10                     | ADC10                      | ADC10                      | ADC10                      |

(1) rq: coverage of the failure mode (refer to Table 2-2) is required by the standards for the indicated class. More than one acceptable measure may be available to choose from.

(2) Refer to the IEC / UL specifications for a complete list of acceptable measures and their definitions.

(3) Refer to the Functional Safety Manual for a description and implementation suggestions for each ID.

# 5.8 Communication, Monitoring Devices, and Custom Chip Faults

### Table 5-9. External Communication, Monitoring Devices, and Custom Chip Faults

| Component                                                                          | Class B/1<br>Class C/2 | Acceptable Measure          | C2000 Unique IDs                                                                                                                                                                                                                                                                                                                                                                    |
|------------------------------------------------------------------------------------|------------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 6. External communication:<br>6.1 Data<br>6.2 Addressing<br>6.3 Timing<br>…lete timing | -                      | Refer to the 60730 standard | For communication port safety mechanisms, see the device-specific functional safety manual. While this list is too long to replicate, a few examples are:<br>Software test using loopback<br>CRC framing / message checks<br>ECC framing checks<br>Checksum error detection<br>Data overrun and underrun detection<br>Physical bus error detection<br>Timeout on FIFO activity |
| 8. Monitoring devices and comparators                                              | -                      | Refer to the 60730 standard | Requirement and implementation is system-dependent. For safety mechanisms which might be leveraged in your implementation, see the device-specific functional-safety manual.                                                                                                                                                                                                       |
| Components not covered by items 1-8. Custom chips (ASIC, GAL, gate array)          | -                      | Refer to the 60730 standard | Requirement and implementation is system-dependent. For safety mechanisms which might be leveraged in your implementation, see the device-specific functional-safety manual.                                                                                                                                                                                                       |
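Two of the measures in the tables above are purely software on some devices and are easy to get subtly wrong: the "Periodic CRC, double word" rows of Table 5-6 (which footnote (4) says run on the CPU on F2807x because that device has no VCRC module) and the "CRC framing / message checks" and "Timeout on FIFO activity" items listed for external communication in Table 5-9. The block below is an added example written for this guide; it is not code from TI, from the C2000 Software Diagnostic Library, or from any functional safety manual. It assumes a CRC-16/CCITT polynomial (0x1021, initial value 0xFFFF), a constructed frame layout `[seq][len][payload][crc hi][crc lo]`, and a caller-supplied monotonic tick counter; the golden CRC of the protected region is computed at init here, whereas a real image stores it at build time. The names `periodic_crc_t`, `frame_check` and `link_timed_out` are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, no reflection), bitwise so no
 * table is needed. The polynomial is an assumption for this example; a real
 * project uses whatever its VCRC module or diagnostic library computes. */
uint16_t crc16_update(uint16_t crc, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* ---- Periodic CRC of an invariable region, spread over many calls ---- */
typedef struct {
    const uint8_t *base;   /* protected region (a flash/ROM image in a real system) */
    size_t   len;
    size_t   pos;          /* next byte to fold into the running CRC */
    uint16_t running;
    uint16_t expected;     /* golden value; normally stored with the image at build time */
    uint32_t pass_count;
    uint32_t fail_count;
} periodic_crc_t;

void periodic_crc_init(periodic_crc_t *p, const uint8_t *base, size_t len, uint16_t expected)
{
    memset(p, 0, sizeof *p);
    p->base = base; p->len = len; p->expected = expected; p->running = 0xFFFFu;
}

/* Fold at most `chunk` bytes per call so the background diagnostic never stalls
 * the control loop. Returns true when a full pass over the region completed and
 * writes its verdict to *ok; returns false while a pass is still in progress. */
bool periodic_crc_step(periodic_crc_t *p, size_t chunk, bool *ok)
{
    size_t n = p->len - p->pos;
    if (n > chunk) n = chunk;
    p->running = crc16_update(p->running, p->base + p->pos, n);
    p->pos += n;
    if (p->pos < p->len) return false;
    *ok = (p->running == p->expected);
    if (*ok) p->pass_count++; else p->fail_count++;
    p->pos = 0; p->running = 0xFFFFu;          /* start the next pass */
    return true;
}

/* ---- CRC-framed message check with sequence and link-timeout monitoring ---- */
/* Constructed frame layout for this example: [seq][len][payload * len][crc hi][crc lo] */
enum frame_result { FRAME_OK, FRAME_BAD_LEN, FRAME_BAD_CRC, FRAME_BAD_SEQ };
#define FRAME_MAX_PAYLOAD 8u

/* Builds a frame into `out` (needs len + 4 bytes); returns the frame size or 0 if too long. */
size_t frame_build(uint8_t seq, const uint8_t *payload, uint8_t len, uint8_t *out)
{
    if (len > FRAME_MAX_PAYLOAD) return 0;
    out[0] = seq; out[1] = len;
    memcpy(&out[2], payload, len);
    uint16_t crc = crc16_update(0xFFFFu, out, 2u + len);
    out[2 + len] = (uint8_t)(crc >> 8); out[3 + len] = (uint8_t)crc;
    return 4u + len;
}

typedef struct { uint8_t next_seq; uint32_t last_rx_tick; } link_state_t;

/* Validate one received frame. Rejects an inconsistent length, a CRC mismatch,
 * and an unexpected sequence number (lost or duplicated frames). On success it
 * records the receive time so a stalled link can be detected by link_timed_out(). */
enum frame_result frame_check(link_state_t *ls, const uint8_t *buf, size_t n, uint32_t now_tick)
{
    if (n < 4 || buf[1] > FRAME_MAX_PAYLOAD || n != 4u + buf[1]) return FRAME_BAD_LEN;
    uint16_t got = (uint16_t)((buf[n - 2] << 8) | buf[n - 1]);
    if (crc16_update(0xFFFFu, buf, n - 2) != got) return FRAME_BAD_CRC;
    if (buf[0] != ls->next_seq) return FRAME_BAD_SEQ;   /* do not resynchronise silently */
    ls->next_seq = (uint8_t)(ls->next_seq + 1);
    ls->last_rx_tick = now_tick;
    return FRAME_OK;
}

/* True when no valid frame has arrived within `limit` ticks ("timeout on FIFO activity"). */
bool link_timed_out(const link_state_t *ls, uint32_t now_tick, uint32_t limit)
{
    return (uint32_t)(now_tick - ls->last_rx_tick) > limit;
}
```

`periodic_crc_step()` is meant to be called from a low-priority background task with a chunk size chosen so that one full pass fits inside the diagnostic test interval the system has committed to; a failed pass, a `FRAME_BAD_*` result, or `link_timed_out()` returning true is a detected fault, and what the application does next (the safe state, retry policy, and whether the counters are reported) is the system-level decision the Functional Safety Manual leaves to the integrator.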


# 6 Glossary

### Table 6-1. Terms and Definitions

| Terminology and<br>Abbreviations | Definition                                                                                                                                                                                                                         |
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| A.x                              | Reference from the UL 1998 standard. For example: A.7.1.19 is a specific definition found in appendix A of the standard.                                                                                                           |
| C28x                             | A C2000 central processing unit.                                                                                                                                                                                                   |
| CLA                              | C2000 Control Law Accelerator: an independent 32-bit floating-point processor.                                                                                                                                                     |
| CLA PROM                         | Program ROM for the CLA CPU                                                                                                                                                                                                        |
| CLB                              | C2000 Configurable Logic Block                                                                                                                                                                                                     |
| Class B / 1                      | IEC 60730 Class B and UL 1998 Class 1. Class assigned based on a functional safety assessment. Refer to Table 2-1.                                                                                                                |
| Class C / 2                      | IEC 60730 Class C and UL 1998 Class 2: Class assigned based on a functional safety assessment.<br>Refer to Table 2-1.                                                                                                              |
| CLK                              | Clock                                                                                                                                                                                                                              |
| CPU                              | Central Processing Unit                                                                                                                                                                                                            |
| CPU Timer                        | C2000 general timer peripheral                                                                                                                                                                                                     |
| CRC                              | Cyclic Redundancy Check                                                                                                                                                                                                            |
| DC fault                         | (IEC/UL) Short circuits between signals.                                                                                                                                                                                           |
| DCC                              | C2000 dual clock comparators                                                                                                                                                                                                       |
| DCSM                             | C2000 dual code-security module                                                                                                                                                                                                    |
| ECC                              | Error correction code                                                                                                                                                                                                              |
| E/E/PE                           | (IEC/UL) Electrical/Electronic/Programmable Electronic                                                                                                                                                                             |
| EMC                              | (IEC/UL) Electromagnetic compatibility                                                                                                                                                                                             |
| ePIE                             | C2000 enhanced peripheral interrupt expansion block. May also be referred to as PIE.                                                                                                                                               |
| ePWM                             | C2000 enhanced Pulse Width Modulation peripheral. May also be referred to as PWM.                                                                                                                                                  |
| FPU                              | Floating-point Unit instruction set extension to the C28x CPU                                                                                                                                                                      |
| FSM                              | <ul> <li>This document uses FSM to indicate a Functional Safety Manual (Section 3.2).</li> <li>(IEC/UL) FSM is used to indicate Functional Safety Management.</li> </ul>                                                           |
| GPIO                             | C2000 general purpose input/output pin                                                                                                                                                                                             |
| H.x                              | Reference from the IEC 60730 standard. For example: H.2.16.5 is a specific definition found in annex H of the standard.                                                                                                            |
| HRPWM                            | High-resolution feature of the C2000 ePWM module                                                                                                                                                                                   |
| HW                               | Hardware (the microcontroller)                                                                                                                                                                                                     |
| HWBIST                           | C2000 hardware built-in self test                                                                                                                                                                                                  |
| IEC                              | International Electrotechnical Commission                                                                                                                                                                                          |
| IEC 60730                        | The terms "IEC 60730", "UL 1998", "IEC / UL standards", "60730" and "the standards" are used interchangeably to refer to both: <ul> <li>IEC 60730-1 Edition 5.0 2013-11, Annex H and Table H.1 (H.11.12.7 of edition 3) – "Acceptable measures to address fault/errors"</li> <li>The UL Standard for Safety for Software in Programmable Components, UL 1998, Third Edition, Dated December 18, 2013, Appendix A and Table A2.1 – "Coverage for microelectronic hardware failure modes"</li> </ul> |
| IEC 61508                        | IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems,<br>International Electrotechnical Commission, Edition 2.0 2010.                                                               |
| ISO 26262                        | ISO 26262–Road Vehicles-Functional Safety, International Standard ISO, vol. 26262, 2018.                                                                                                                                           |
| IEC / UL                         | Short for the standards or indicates something taken from the standards. Such as (IEC/UL) marked definitions in this list. See IEC 60730                                                                                           |
| MPOST                            | Memory power-on self-test                                                                                                                                                                                                          |
| PIE                              | See ePIE.                                                                                                                                                                                                                          |
| PWM                              | See ePWM.                                                                                                                                                                                                                          |
| PEST                             | Periodic self-test                                                                                                                                                               |
| POST                             | Power-on self-test                                                                                                                                                               |
| ROM                              | Read only memory                                                                                                                                                                 |
| SDL                              | Software Diagnostic Library                                                                                                                                                      |
| SRAM                             | Static random-access memory                                                                                                                                                      |
| STL                              | Self-Test Library                                                                                                                                                                |
| Stuck-at                         | (IEC/UL) An open circuit fault or non-varying signal level                                                                                                                       |
| SW                               | Software                                                                                                                                                                         |
| TI                               | Texas Instruments Inc.                                                                                                                                                           |
| TMU                              | Trigonometric Math Unit instruction set extension to the C28x CPU                                                                                                                |
| UL                               | Underwriters Laboratories Inc.                                                                                                                                                   |
| UL 1998                          | See IEC 60730                                                                                                                                                                    |
| Unique ID                        | A C2000 unique identifier assigned to a functional safety feature or diagnostic in the functional safety manual. For example CLK2 or GPIO4.                                      |
| VCRC                             | Refer to VCU                                                                                                                                                                     |
| VCU                              | Instruction set extension to the C28x CPU. Part of the added instructions are CRC calculation specific. The CRC instructions are supported on some devices as simply the "VCRC". |

# 7 References

#### Note

The device-specific Functional Safety Manual can be located in the technical documentation section of the device product folder. Product folder URLs are of the form *ti.com/product/<device>*. For example: www.ti.com/product/TMS320F280049.

1. *IEC 60730-1 Automatic Electrical Controls Part 1: General Requirements*, International Electrotechnical Commission, Edition 5.0 2013-11
2. *UL 1998 Standard for Safety for Software in Programmable Components*, ANSI/UL, Third Edition, December 18, 2013
3. Texas Instruments: *C2000 Academy Online Training*
4. Texas Instruments: *C2000Ware Software Development Kit for C2000 MCUs*
5. Texas Instruments: *Industrial Functional Safety for C2000<sup>™</sup> Real-Time Microcontrollers*
6. Texas Instruments: *C2000<sup>™</sup> Safety Mechanisms*
7. Texas Instruments: *C2000<sup>™</sup> Hardware Built-In Self-Test*
8. Texas Instruments: *C2000<sup>™</sup> CPU Memory Built-In Self-Test*
9. Texas Instruments: *C2000<sup>™</sup> Memory Power-On Self-Test (M-POST)*
10. Texas Instruments: *Embedded Real-Time Analysis and Response for Control Applications (ERAD)*

# IMPORTANT NOTICE AND DISCLAIMER

TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATA SHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES "AS IS" AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.

These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, regulatory or other requirements.

These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.

TI's products are provided subject to TI's Terms of Sale or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI's provision of these resources does not expand or otherwise alter TI's applicable warranties or warranty disclaimers for TI products.

TI objects to and rejects any additional or different terms you may have proposed.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265 Copyright © 2023, Texas Instruments Incorporated