Texas Instruments TCAN4550-Q1 Reference Manual

Technical Reference Manual

SLLU312–July 2019

TCAN4550-Q1 Functional Safety-Manual

This document is the safety-manual for the Texas Instruments TCAN4550-Q1 device. The manual
provides information to help developers integrate the TCAN4550-Q1 device into safety-related systems.

Contents

1 Introduction ................................................................................................................... 2

2 Product Functional Safety-Capability...................................................................................... 2

3 Product Overview............................................................................................................ 2

4 Development Process for Management of Systematic Faults........................................................ 21

List of Figures

1 CAN Bus States.............................................................................................................. 3

2 TCAN4550-Q1 Mixed Signal Functional Block Diagram ............................................................... 4

3 Digital Core Block Diagram and Clock Tree ............................................................................. 5

4 General Purpose Application............................................................................................... 6

5 Potential Failure Points ..................................................................................................... 6

6 State Diagram................................................................................................................ 8

7 Fail-safe Feature State Diagram ......................................................................................... 10

8 SPI and M_CAN Test Modes............................................................................................. 12

9 CAN Transceiver Test Mode ............................................................................................. 13

10 Timing for RST Pin in Normal and Standby Modes ................................................................... 17

11 Timing for RST Pin in Sleep Mode....................................................................................... 18

12 TI New-Product Development Process.................................................................................. 21

1 Potential Failure Points and Section ..................................................................................... 7

2 Safety-Mechanisms.......................................................................................................... 7

3 Mode Overview .............................................................................................................. 9

4 Under Voltage Lockout ................................................................................................... 11

5 Driver Function Table...................................................................................................... 11

6 Receiver Function Table Normal and Standby Modes................................................................ 12

7 Watchdog Registers and Descriptions .................................................................................. 16

8 Terminal Bias ............................................................................................................... 16

9 Internal SPI Status Field Descriptions (Address h000C) ............................................................. 18

10 Interrupts Field Descriptions (Address h0820) ......................................................................... 19

11 MCAN Interrupts Field Descriptions (Address h0824)................................................................. 20

SLLU312–July 2019

Submit Documentation Feedback

List of Tables

Copyright © 2019, Texas Instruments Incorporated

TCAN4550-Q1 Functional Safety-Manual

1

Introduction

Trademarks

All trademarks are the property of their respective owners.

1 Introduction

The system and equipment manufacturer or designer (as a user of this document) is responsible to ensure
that their systems (and any TI hardware or software components incorporated in the systems) meet all
applicable safety, regulatory and system-level performance requirements. All application and safety­related information in this document (including application descriptions, suggested safety-measures,
suggested TI products, and other materials) is provided for reference only. Users understand and agree
that their use of TI components in safety-critical applications is entirely at their risk, and that user (as a
buyer) agrees to defend, indemnify, and hold harmless TI from any and all damages, claims, suits, or
expense resulting from such use.

This document is a safety-manual for the Texas Instruments TCAN4550-Q1 aCAN FD controller with
integrated transceiver for safety-critical applications. The safety-manual provides information to help
system developers create safety-related systems using a supported TCAN4550-Q1. This document
contains:

• An overview of the product architecture

• An overview of the development process used to reduce systematic failures

• An overview of the safety architecture for management of random failures

• The details of architecture partitions, implemented safety mechanisms, and recommended usage
The Safety Analysis Report documents the following information, which is not covered in this document:

• Failure rates estimation

• Qualitative failure analysis (design FMEA and pin-FMEA)

• Quantitative failure analysis (quantitative FMEDA)

• Safety metrics calculated per targeted standards per system example implementation
TI expects that the user of this document has a general familiarity with the TCAN4550-Q1 device. This

document is intended to be used in conjunction with the pertinent data sheets and other documentation.
This partition of technical content is intended to simplify development, reduce duplication of content, and
avoid confusion as compared to the definition of safety-manual as seen in IEC 61508:2010.

www.ti.com

2 Product Functional Safety-Capability

The TCAN4550-Q1 safety-capability is QM, Quality Managed, per ISO 26262:2018. The TCAN4550-Q1
was developed with Quality Managed product development process and qualified according to AEC Q100
Grade 1.

3 Product Overview

The TCAN4550-Q1 is a CAN FD controller with an integrated CAN FD transceiver supporting data rates
up to 8 Mbps. The CAN FD controller meets the specifications of the ISO 11898-1:2015 high speed
Controller Area Network (CAN) data link layer and meets the physical layer requirements of the ISO
11898-2:2016 High Speed Controller Area Network (CAN) specification providing an interface between the
CAN bus and the host system supporting both classical CAN and CAN FD up to 8 megabits per second
(Mbps). The TCAN4550-Q1 provides CAN FD transceiver functionality: differential transmit capability to
the bus and differential receive capability from the bus. The device includes many protection features
providing device and CAN bus robustness. The device can also wake up via remote wake up using the
CAN bus implementing the ISO 11898-2:2016 Wake Up Pattern (WUP). Input/Output support for 3.3 V
and 5 V microprocessors using the VIOpin for a seamless interface. The TCAN4550-Q1 has a Serial
Peripheral Interface (SPI) that connects to a local microprocessor for the device configuration,
transmission and reception of CAN frames. The SPI interface supports clock rates up to 18 MHz.

The CAN bus has two logical states during operation: recessive and dominant. See Figure 1

2

TCAN4550-Q1 Functional Safety-Manual

Copyright © 2019, Texas Instruments Incorporated

Submit Documentation Feedback

SLLU312–July 2019

Recessive Dominant Recessive

Time, t

Typical Bus Voltage

Normal Mode

Standby Mode (Low

Power)

CANL

CANH

V

diff

V

diff

www.ti.com

In the recessive bus state, the bus is biased to a common mode of about 2.5 V via the high resistance
internal input resistors of the receiver of each node. Recessive is equivalent to logic high and is typically a
differential voltage on the bus of almost 0 V. The recessive state is also the idle state.

In the dominant bus state, the bus is driven differentially by one or more drivers. Current flows through the
termination resistors and generates a differential voltage on the bus. Dominant is equivalent to logic low
and is a differential voltage on the bus greater than the minimum threshold for a CAN dominant. A
dominant state overwrites the recessive state.

During arbitration, multiple CAN nodes may transmit a dominant bit at the same time. In this case the
differential voltage of the bus may be greater than the differential voltage of a single driver.

Transceivers with low power Standby Mode have a third bus state where the bus terminals are weakly
biased to ground via the high resistance internal resistors of the receiver. See Figure 1 and Figure 2.

Many of the pins can be configured for multiple purposes. Much of the parametric data is based on
internal links like the TXD/RXD_INT which represent the TXD and RXD of a standalone CAN transceiver.
The TCAN4550-Q1 has a test mode that maps these signals to an external pin in order to perform
compliance testing on the transceiver (TXD/RXD_INT_PHY) and CAN controller (TXD/RXD_INT_CAN)
independently.

Product Overview

Figure 1. CAN Bus States

SLLU312–July 2019

Submit Documentation Feedback

Copyright © 2019, Texas Instruments Incorporated

TCAN4550-Q1 Functional Safety-Manual

3

VSUP

VCCOUT

WAKEINH

RST

Crystal Osc

OSCIN

OSCOUT

INH

CTRL

CANH

CANL

RCVR

DRIVER

WUP RCVR

WUP/LUP

LOGIC

+ 32-Bit register

Comparator + analog

filter

WU

Clock from crystal osc/oscin

VCCOUT

Powerup

V3P6INT_SLEEP

V1P5INT_SLEEP

BG_1P25

ISRC_10U

V5INT

1.5V LDO

FLTR

WAKE

ISRC_10U

BG_1P25

V1P5INT

V1P5INT

V1P5INT_SLEEP

VCCOUT

VCCOUT

V3P6INT_SLEEP

VIO1

V1P5INT

WKRQ_nINT

CLKOUT/GPO1

SCLK

NCS

MOSI
MISO

NINT

Digital CORE

+

SRAM

GPO2

GND

VIO1

V5INT

Power and Control

CAN Transceiver and ControlSPI, M_CAN and Memory

Product Overview

3.1 Block Diagram

The TCAN4550-Q1 is a mixed signal device containing both analog and digital cores. The device
integrates the Bosch M_CAN revision 3.2.1.1 controller which is not covered in this document. Figure 2
and Figure 3 are the high level mixed signal and digital core functional block diagrams. CCLK is internally
connected to the crystal/CLKIN.

www.ti.com

4

Figure 2. TCAN4550-Q1 Mixed Signal Functional Block Diagram

TCAN4550-Q1 Functional Safety-Manual

Copyright © 2019, Texas Instruments Incorporated

Submit Documentation Feedback

SLLU312–July 2019

Main_core

mcan_core

supporting

blocks
(arbiter, time
stamp, driver

etc)

SPI

ECC

Controller

core

MCAN controller

Crystal

CCLK

Message

RAM

Watchdog

Register Map/

Interrupt

Logic

INH,
Device
Modes

FSM

Internal

Osc

SPI

High Power

(Standby/

Normal)

CAN
transceiver
logic, DTO

timer, bus

biasing

DFT

clock

WAKE

logic

Bus

biasing,

t

SILENT

timer

Sleep_core

DFT

www.ti.com

Product Overview

Figure 3. Digital Core Block Diagram and Clock Tree

3.2 Target Applications

The TCAN4550-Q1 is targeted at general-purpose automotive applications.
Examples of these types of applications include but are not limited to the applications that follow:

• General purpose applications where processor does not support CAN FD. See Figure 4

• CAN FD port expander

Figure 5 provides potential failure points that have diagnostic or test ability mechanisms. See Table 1 for

each potential failure point and subsection discussing this failure point.

SLLU312–July 2019

Submit Documentation Feedback

Copyright © 2019, Texas Instruments Incorporated

TCAN4550-Q1 Functional Safety-Manual

5

LM53635

Buck

3.3V, 3A

TPS57140

Buck

5V, 1.5A

TPS65917

PMIC

Processor

Without

CAN-FD Controller

Load SW

TPS22965

DDR3 Mem

TCAN4550

V

BAT

SPI

GPIO

3.3 V

12 V to 18 V

V

SUP

V

IO

INH

EN

EN

3.3 V

OSC1

WD

M_CAN

CAN-FD

Controller

Filters

100 NŸ

WAKE

33k 

3.3 V

2-wire

CAN

bus

Optional:

Terminating

Node

Filtering,

Transient and

ESD

5 V

3k 

CANH

CANL

10 µF

300 nF

GND

GND

22

nF

GND

V

CCOUT

FLTR

Add
Decoupling
Caps for All

Power

Connections

10

11

12

15
17

18

16

1

40 MHz

OSC2

20

1

4

3

2

5

6

RST

7

8

9

LM53635

Buck

3.3V, 3A

TPS57140

Buck

5V, 1.5A

TPS65917

PMIC

Processor

Without

CAN-FD Controller

Load SW

TPS22965

DDR3 Mem

TCAN4550RGY-Q1

V

BAT

SPI

GPIO

3.3 V

12 V to 18 V

V

SUP

V

IO

INH

EN

EN

3.3 V

Many V

OSC1

WD

CAN-FD

Controller

Filters

100 NŸ

WAKE

33k 

3.3 V

2-wire

CAN

bus

Optional:

Terminating

Node

Filtering,

Transient and

ESD

5 V

3k 

CANH

CANL

10 µF

300 nF

GND

GND

22

nF

GND

V

CCOUT

FLTR

Add
Decoupling
Caps for All

Power

Connections

10

11

12

15
17

18

16

1

40 MHz

OSC2

20

RST

Product Overview

www.ti.com

6

TCAN4550-Q1 Functional Safety-Manual

Figure 4. General Purpose Application

Figure 5. Potential Failure Points

Copyright © 2019, Texas Instruments Incorporated

Submit Documentation Feedback

SLLU312–July 2019

www.ti.com

Table 1. Potential Failure Points and Section Figure 5

Potential

Failure

Point

from

Potential

Failure Point

Description

Section

Figure 5

Loss of clock

1

input

See Section 3.2.1.2 and Section 3.2.1.3

2 CAN bus See Section 3.2.1.3, Section 3.2.1.4, Section 3.2.1.5 and Section 3.2.1.6.5
3 Watchdog See Section 3.2.1.6.2

SPI/Processor

4

communication
5 Loss of V
6 Loss of V

See Section 3.2.1.6.1, Section 3.2.1.2, Section 3.2.1.3, Section 3.2.1.6.2, Section 3.2.1.6.3 and

Section 3.2.1.6.5

See Section 3.2.1.2, Section 3.2.1.3 and Section 3.2.1.6.5

SUP

See Section 3.2.1.2, Section 3.2.1.3 and Section 3.2.1.6.5

IO

7 RST pin failure See Section 3.2.1.6.3 and Section 3.2.1.6.4

M_CAN

8

Controller
9 Loss of V

See Section 3.2.1.5 and Section 3.2.1.6.5
See Section 3.2.1.3, Section 3.2.1.4 and Section 3.2.1.6.5

CCOUT

Table 2. Safety-Mechanisms

Product Overview

Safety-Mechanism

#

SM-01

SM-02 UV

SM-03 UV

SM-04 UV

Sleep Wake Error Timer
(SWE)t

Name Description Safety-Manual Section

Timer used for inactivity of expected functions.

INACTIVE

SUP

IO

CCOUT

Puts the device into Sleep mode
V

undervoltage detection and Interrupt

SUP

16'h0820[22]
VIOundervoltage detection and Interrupt

16'h820[21]
V

undervoltage detection and Interrupt

CCOUT

16'h0820[22]
SM-05 TSD Thermal Shutdown and Interrupt 16'h0820[19] 3.2.1.4
SM-06 IOS CAN bus short circuit current limiter 3.2.1.5
SM-07 SPI & M_CAN Test Mode Test Mode 3.2.1.5

SM-08

SM-09

SM-10

SPI & M_CAN Loop Back
Test Mode 1

SPI & M_CAN Loop Back
Test Mode 2

CAN Transceiver Test
Mode

Test Mode 3.2.1.5

Test Mode 3.2.1.5

Test Mode 3.2.1.5

Protocol Error in Data Phase; 16'h1050[28] points
SM-11 PED interrupt

to 16'h1044[10:8] DLEC[2:0]; Data Phase Last

Error Code
SM-12 PEA interrupt

SM-13 BEU interrupt

Protocol Error in Arbitration Phase; 16'h1050[27]

points to 16'h1044[2:0] LEC[2:0]; Last Error Code

Bit Error Uncorrected; 16'h1050[21] Message

RAM bit error detected, uncorrected
SM-14 Scratchpad write/read 3.2.1.6.1.1
SM-15 SPIERR flag SPI error detection and Interrupt 16'h0820[3] 3.2.1.6.1.2

SM-16

M_CAN forced dominant

and recessive
SM-17 SPI and FIFO TX and RX event FIFO 3.2.1.6.1.4
SM-18 ECC for Memory ECCERR detection and Interrupt 16'h0820[16] 3.2.1.6.1.5
SM-19 Timeout Watchdog WDTO detection and Interrupt 16'h0820[18] 3.2.1.6.2
SM-20 SCLK internal pull-up Floating pins 3.2.1.6.3
SM-21 SDI internal pull-up Floating pins 3.2.1.6.3

3.2.1.2

3.2.1.3

3.2.1.3

3.2.1.3

3.2.1.5 .1

3.2.1.5 .1

3.2.1.5 .1

3.2.1.6.1.3

SLLU312–July 2019

Submit Documentation Feedback

Copyright © 2019, Texas Instruments Incorporated

TCAN4550-Q1 Functional Safety-Manual

7