How it Works
Texas Instruments
Loading...
TMS320F28002
User Manual
90 pgs2.52 Mb0
Table of contents
Loading...

Texas Instruments TMS320F28002 User Manual

www.ti.com
Table of Contents
Functional Safety Information
Safety Manual for TMS320F28002x
ABSTRACT
This document is a safety manual for the Texas Instruments TMS320F28002x safety critical real time microcontroller product family. The product family utilizes a common safety architecture that is implemented in multiple application-focused products.

Table of Contents

1 Introduction.............................................................................................................................................................................3
3 TI Development Process for Management of Systematic Faults....................................................................................... 4
3.1 TI New-Product Development Process.............................................................................................................................. 4
3.2 TI Safety Development Process.........................................................................................................................................5
4 TMS320F28002x Product Overview...................................................................................................................................... 7
4.1 C2000 Architecture and Product Overview........................................................................................................................ 7
4.2 Functional Safety Concept................................................................................................................................................. 8
4.3 C2000 Safety Diagnostics Libraries................................................................................................................................. 16
4.4 TMS320F28002x MCU Safety Implementation................................................................................................................16
5 Brief Description of Safety Elements..................................................................................................................................17
5.1 TMS320F28002x MCU Infrastructure Components.........................................................................................................18
5.2 Processing Elements....................................................................................................................................................... 21
5.3 Memory (Flash, SRAM and ROM)................................................................................................................................... 22
5.4 On-Chip Communication Including Bus-Arbitration..........................................................................................................24
5.5 Digital I/O......................................................................................................................................................................... 27
5.6 Analog I/O........................................................................................................................................................................ 29
5.7 Data Transmission........................................................................................................................................................... 30
6 Brief Description of Diagnostics......................................................................................................................................... 34
6.1 TMS320F28002x MCU Infrastructure Components.........................................................................................................34
6.2 Processing Elements....................................................................................................................................................... 39
6.3 Memory (Flash, SRAM and ROM)................................................................................................................................... 41
6.4 On-Chip Communication Including Bus-Arbitration..........................................................................................................44
6.5 Digital I/O......................................................................................................................................................................... 46
6.6 Analog I/O........................................................................................................................................................................ 52
6.7 Data Transmission........................................................................................................................................................... 55
7 References............................................................................................................................................................................ 61
A Safety Architecture Configurations....................................................................................................................................62
A.1 Safety Architecture Configurations.................................................................................................................................. 62
B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products..................................................66
B.2 Activities Performed by Texas Instruments......................................................................................................................66
B.3 Information Provided........................................................................................................................................................67
C Summary of Safety Features and Diagnostics..................................................................................................................68
C.1 Summary of Safety Features and Diagnostics................................................................................................................ 68
D Glossary................................................................................................................................................................................89
D.1 Glossary...........................................................................................................................................................................89
List of Figures
Figure 3-1. TI New-Product Development Process..................................................................................................................... 5
Figure 4-3. TMS320F28002x MCU With Safety Features........................................................................................................... 9
Figure 4-4. Relationship Between DTI, Fault Reaction Time and FTTI..................................................................................... 10
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 1
Trademarks
Figure 4-5. TMS320F28002x MCU Safe State Definition.......................................................................................................... 11
Figure 4-7. TMS320F28002x MCU CPU Start-Up Sequence................................................................................................... 13
Figure 4-9. Safety Concept Implementation.............................................................................................................................. 17
Figure 6-2. ePWM Fault Detection Using X-BAR...................................................................................................................... 46
Figure 6-3. Monitoring of ePWM by ADC.................................................................................................................................. 49
Figure 6-4. HRCAP Calibration..................................................................................................................................................51
Figure 6-6. DAC to ADC Loopback............................................................................................................................................53
Figure 6-7. ADC Open-Shorts Detection Circuit........................................................................................................................ 54
www.ti.com
List of Tables
Table 1-1. Products Supported by This Safety Manual................................................................................................................3
Table 3-1. Functional Safety Activities Overlaid on top of TI's Standard Development Process................................................. 6
Table B-1. Activities Performed by Texas Instruments versus Performed by the customer.......................................................66
Table B-2. Product Functional Safety Documentation............................................................................................................... 67
Table C-2. Summary of Safety Features and Diagnostic...........................................................................................................68
Table D-1. Glossary................................................................................................................................................................... 89
Trademarks
C2000™ is a trademark of Texas Instruments. All trademarks are the property of their respective owners.
2 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Introduction

1 Introduction

This document is a safety manual for the Texas Instruments TMS320F28002x safety critical real time microcontroller product family. The product family utilizes a common safety architecture that is implemented in multiple application focused products.
Product configurations supported by this safety manual include silicon revision A of the following products listed in Table 1-1 . The device revision can be determined by the REVID field of the device identification registers outlined in [14].
Table 1-1. Products Supported by This Safety Manual
Orderable Devices Supported Safety Integrity Level
TMS320F280025PN QM
TMS320F280025CPN QM
TMS320F280023PN QM
TMS320F280023CPN QM
TMS320F280025PM QM
TMS320F280025CPM QM
TMS320F280024PM QM
TMS320F280024CPM QM
TMS320F280023PM QM
TMS320F280023CPM QM
TMS320F280022PM QM
TMS320F280025PT QM
TMS320F280025CPT QM
TMS320F280023PT QM
TMS320F280023CPT QM
TMS320F280021PT QM
This Safety Manual provides information needed by system developers to assist in the creation of a safety critical system using a supported TMS320F28002x MCU. This document contains:
An overview of the component architecture
An overview of the development process used to decrease the probability of systematic failures
An overview of the functional safety architecture for management of random failures
The details of architecture partitions and implemented functional safety mechanisms
The following information is documented in the Detailed Safety Analysis Report (SAR) for TMS320F28002x C2000™ Safety Critical Microcontrollers, which is only available under Functional Safety NDA and is not repeated in this document:
Failure rates (FIT) of the component
Fault model used to estimate device failure rates suitable to enable calculation of customized failure rates
Functional safety metrics of the hardware component for targeted standards (viz. IEC 61508:2010 and ISO 26262:2018)
Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics Analysis) with detail of the different parts of the component, allowing for customized application of functional safety mechanisms
Assumptions used in the calculation of functional safety metrics
Results of assessments of compliance to targeted standards
It is expected that the user of this document should have a general familiarity with the TMS320F28002x product families. More information can be found at www.ti.com/C2000.
This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other documentation for the products being supplied.
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 3
Copyright © 2021 Texas Instruments Incorporated
TMS320F28002x Product Safety Capability and Constraints
www.ti.com
For information which is beyond the scope of the listed deliverables, contact your TI sales representative or
www.ti.com.

2 TMS320F28002x Product Safety Capability and Constraints

This section summarizes the TMS320F28002x product safety capability. Each TMS320F28002x product:
Is offered as a functional Safety Element Out Of Context (SEooC)
Was assessed to have met the relevant systematic capability compliance requirements of IEC 61508:2010 and ISO 26262:2018 and
– Achieves systematic integrity of SIL-3 and ASIL-D
Contains multiple features to support Freedom From Interference (FFI) for mixed-criticality of safety requirements assigned to the different sub-elements
The TMS320F28002x MCUs are Type B devices, as defined in IEC 61508-2:2010
This device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as defined in IEC 61508:2010
However, Dual channel with two F28002x devices (common safety card architecture) or one F28002x paired with second channel integrated in the drive MCU can help to meet HFT=1 topologies with SFF>90%.
– This helps to build system level drive safety in various industrial motor control applications per
IEC61800-5-2 and to meet IEC61508 SIL3, IEC62061 SILCL3, ISO 13849 PLe CAT4 standards.
For safety components developed according to many safety standards, it is expected that the component safety manual will provide a list of product safety constraints. For a simple component or more complex components developed for a single application, this is a reasonable response. However, the TMS320F28002x MCU product family is both a complex design and is not developed targeting a single, specific application. Therefore, a single set of product safety constraints cannot govern all viable uses of the product
Note
This functional safety assessment of this component is not yet complete.

3 TI Development Process for Management of Systematic Faults

For functional safety development, it is necessary to manage both systematic and random faults. Texas Instruments follows a new-product development process for all of its components which helps to decrease the probability of systematic failures. This new-product development process is described in Section 3.1. Components being designed for functional safety applications will additionally follow the requirements of TI's functional safety development process, which is described in Section 3.2.

3.1 TI New-Product Development Process

Texas Instruments has been developing components for automotive and industrial markets since 1996. Automotive markets have strong requirements regarding quality management and product reliability. The TI new-product development process features many elements necessary to manage systematic faults. Additionally, the documentation and reports for these components can be used to assist with compliance to a wide range of standards for customer’s end applications including automotive and industrial systems (for example, ISO 26262-4:2018, IEC 61508-2:2010).
This component was developed using TI’s new product development process, which has been certified as compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).
The standard development process breaks development into phases:
Assess
Plan
Create
Validate
4 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
Copyright © 2018, Texas Instruments Incorporated
Assess
Review
Plan
Review
Create
Review
Validate
Review
& Release
To Market
Periodic
Post-Release
Reviews
Phase 1:
Assess
Phase 2:
Plan
Phase 3:
Create
Phase 4: Validate
Sustain
Identify New
Product
Opportunities
Develop Project
Plan
IC Design &
Layout
Develop Product
Specification
IC Design
Verification
Manage Project Execution and Risks
Develop Test and Validation HW/SW
Develop Datasheet and other
Documentation
Product Support
Product
Monitoring
IC Valdiation
IC Qualification
www.ti.com
Figure 3-1 shows the standard process.
TI Development Process for Management of Systematic Faults

3.2 TI Safety Development Process

The TI functional safety development flow derives from ISO 26262:2018 and IEC 61508:2010 a set of requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's standard new product development process to develop Functional Safety-Compliant components. The details of this functional safety development flow are described in the TI internal specification - Functional Safety Hardware.
Key elements of the TI functional safety-development flow are as follows:
Assumptions on system level design, functional safety concept, and requirements based on TI's experience
Qualitative and quantitative functional safety analysis techniques including analysis of silicon failure modes
Base FIT rate estimation based on multiple industry standards and TI manufacturing data
Documentation of functional safety work products during the component development
Integration of lessons learned through multiple functional safety component developments, functional safety
Table 3-1 lists the functional safety development activities that are overlaid on top of the standard development
flow in Figure 3-1.
For more information about which functional safety lifecycle activities TI performs, see Appendix B.
Figure 3-1. TI New-Product Development Process
with components in functional safety applications
and application of functional safety mechanisms
standard working groups, and the expertise of TI customers
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 5
TI Development Process for Management of Systematic Faults www.ti.com
The customer facing work products derived from this Functional Safety-Compliant process are applicable to many other functional safety standards beyond ISO 26262:2018 and IEC 61508:2010.
Table 3-1. Functional Safety Activities Overlaid on top of TI's Standard Development Process
Assess Plan Create Validate Sustain and End-of-Life
Determine if functional
safety process execution
is required
Nominate a functional
safety manager
End of Phase Audit
Define component target
SIL/ASIL capability
Generate functional safety
plan
Verify the functional safety
plan
Initiate functional safety
case
Analyze target
applications to generate
system level functional
safety assumptions
End of Phase Audit
Develop component
level functional safety
requirements
Include functional safety
requirements in design
specification
Verify the design
specification
Start functional safety
design
Perform qualitative
analysis of design (failure
mode analysis)
Verify the qualitative
analysis
Verify the functional safety
design
Perform quantitative
analysis of design (i.e.
FMEDA)
Verify the quantitative
analysis
Iterate functional safety
design as necessary
End of Phase Audit
Validate functional safety
design in silicon
Characterize the functional
safety design
Qualify the functional
safety design (per AEC-
Q100)
Finalize functional safety
case
Perform assessment of
project
Release functional safety
manual
Release functional safety
analysis report
Release functional safety
report
End of Phase Audit
Document any reported
issues (as needed)
Perform incident reporting
of sustaining operations
(as needed)
Update work products (as
needed)
6 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28002x Product Overview

4 TMS320F28002x Product Overview

4.1 C2000 Architecture and Product Overview

The TMS320F28002x devices are powerful 32-bit real time floating-point microcontroller unit (MCU) designed for advanced closed-loop control applications in automotive and industrial applications.

4.1.1 TMS320F28002x MCU

TMS320F28002x supports C28x as the processing element that boosts system performance for closed loop control applications. This is a powerful 32-bit real time floating-point microcontroller unit (MCU) that lets system integrator to access crucial control peripherals, differentiated analog, and nonvolatile memory on a single device.
The C28x CPU is further boosted by the Floating-Point Unit (FPU), Trigonometric Math Unit (TMU), Nonlinear Proportional Integral Derivative (NLPID) control, Fast Integer Division (FINTDIV) and Cyclic Redundancy Check (VCRC) accelerators. FPU supports IEEE754 floating point operations. TMU enables fast execution of algorithms with trigonometric operations common in transforms and torque loop calculations. NLPID enables fast execution of Nonlinear PID controls. The VCRC engine reduces the time for complex math operations common in encoded applications. Users may refer to Enhancing the Computational Performance of the C2000™
Microcontroller Family to see how the on-chip hardware math enhancements can be employed to increase the
performance of the MCU in many real-time applications.
The TMS320F28002x supports up to 128KB (64KW) of on-chip flash memory with error correction code (ECC) and up to 24KB (12KW) of SRAM with parity or ECC.
Figure 4-1. Functional Block Diagram of TMS320F28002x MCU
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 7
Copyright © 2021 Texas Instruments Incorporated
Sensor
Processing
Element
Actuator
S
Remote
Controller
MCU
A
Remote
Controller
S
Remote
Controller
A
Remote
Controller
Sensor
Actuator
Processing Element
TMS320F28002x Product Overview
www.ti.com
Performance analog and control peripherals are also integrated to further enable system consolidation. Two independent 12-bit ADCs provide precise and efficient management of multiple analog signals, which ultimately boosts system throughput. The Comparator Subsystem (CMPSS) with windowed comparators allows for protection of power stages when current limit conditions are exceeded or not met. Other analog and control peripherals include the Enhanced Pulse Width Modulation (ePWM), Enhanced Capture (eCAP) and Enhanced Quadrature Encoder Pulse (eQEP).
Peripherals such as Controller Area Network (CAN) modules (ISO11898-1/CAN 2.0B-compliant), Inter-Integrated Communication (I2C) Bus, Local Interconnect Network (LIN), Serial Communications Interface (SCI), Serial Peripheral Interface (SPI), Power Management Bus (PMBus) Interface, and Fast Serial Interface (FSI) extend connectivity of TMS320F28002x MCU. The Fast Serial Interface (FSI) module is a serial communication peripheral capable of reliable high-speed communication across isolation devices.
The device configurations supported by this safety manual for TMS320F28002x MCUs is outlined in the
TMS320F28002x Real-time Microcontrollers Data Manual. Not all variants are available in all packages or all
temperature grades. To confirm availability, contact your local Texas Instruments sales and marketing.

4.2 Functional Safety Concept

To stay as general as possible, the safety concept assumes the MCU playing the role of a processing unit (or part of it) and connected to remote controller(s) by means of a communication bus as shown in Figure 4-2. The communication bus is directly or indirectly connected to sensor(s) and actuator(s).
IEC 61508-1:2010 defines a compliant item as any item (for example an element) on which a claim is being made with respect to the clauses of IEC 61508:2010 series. A system including TMS320F28002x microcontroller as indicated by Figure 4-2 can be used in a compliant item according to IEC 61508:2010.
Figure 4-2. Definition of the TMS320F28002x MCU Used in a Compliant Item
8 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28002x Product Overview

4.2.1 TMS320F28002x MCU Safety Features

Due to the inherent versatility of the device architecture, several software voting based safety configurations are possible. Some of the safety configurations possible with TMS320F28002x for improving diagnostic coverage are explained in Table A-1. While implementing these configurations, system integrator needs to consider the potential common mode failures and address them in an appropriate manner. This may suitably be modified to adapt to TMS320F28002x requirements based on the availability of processing units. (As stated earlier, the device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as defined in IEC 61508:2010).
The major safety features of TMS320F28002x are shown in Figure 4-3.
Figure 4-3. TMS320F28002x MCU With Safety Features

4.2.2 Fault Tolerant Time Interval (FTTI)

Various safety mechanisms in the devices are either always-on (see CPU Handling of Illegal Operation, Illegal
Results and Instruction Trapping and so forth) or executed periodically (see CPU Hardware Built-In Self-Test (HWBIST) ,VCRC Check of Static Memory Contents, and so forth) by the application software. The time
between the executions of online diagnostic tests by a safety mechanism is termed as Diagnostic test interval (DTI). Once the fault is detected, depending on the fault reaction of the associated fault (for example, external system reaction to ERRORSTS pin assertion), the system will enter in the safe-state. The time-span in which a fault or faults can be present in a system before a hazardous event occurs is called Fault Tolerant Time Interval
(FTTI) as defined in ISO 26262. This is similar to Process Safety Time (PST) defined in IEC 61508. Figure 4-4
illustrates the relationship between DTI, Fault Reaction Time and FTTI.
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 9
Copyright © 2021 Texas Instruments Incorporated
Fault
Normal Operation Unsafe State
Safe State
Fault Detection
Hazard Avoided
T <= DTI
Fault Reaction
Time
FTTI
TMS320F28002x Product Overview
www.ti.com
Figure 4-4. Relationship Between DTI, Fault Reaction Time and FTTI
The frequency and extent of each of the checks in the application should be consistent with the Fault Tolerant Time Interval (FTTI).The checks should be such that single point faults of the microcontroller should be detected and responded to, such that the TMS320F28002x MCU enters a safe state within the FTTI budget. The microcontroller on detection of a fault enters into one of the safe states as illustrated in Figure 4-5. An example of a diagnostic for single point faults is ECC/Parity for memories.
The proposed functional safety concept, subsequent functional safety features and configurations explained in this document are for reference purpose only. The system and equipment designer or manufacturer is responsible to ensure that the end systems (and any Texas Instruments hardware or software components incorporated in the systems) meet all applicable safety, regulatory and system-level performance requirements.

4.2.3 TMS320F28002x MCU Safe State

Referring to Figure 4-5, the safe state of the TMS320F28002x MCU is defined as the one in which:
TMS320F28002x MCU Reset is asserted
Power supply to TMS320F28002x MCU is disabled using an external supervisor as a result of a critical failure. In general, a power supply failure is not considered in detail in this analysis as it is assumed that the system level functionality exists to manage this condition.
External system is informed using one of C2000 MCU’s IO pins as a result of a check failure (for example, ERRORSTS pin is asserted).
Output of the TMS320F28002x MCU driving the actuator is forced to inactive mode as a result of a check failure (for example, GPIO pins corresponding to the mission function is tri-stated).
10 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28002x Product Overview
SPRUIT5 – APRIL 2021
Submit Document Feedback
Figure 4-5. TMS320F28002x MCU Safe State Definition
Safety Manual for TMS320F28002x 11
Copyright © 2021 Texas Instruments Incorporated
Powered
Off
Reset
State
Cold Boot
Warm
Boot
Pre-
Operational
Operational
Power removed
Power applied
Chip Pin Reset
released
Defined Safe State
conditions
CPU1 Reset
released
Device boot phaseCPUSS operation
Safe State
XRSn = 0
TMS320F28002x Product Overview
Figure 4-6. TMS320F28002x MCU Device Operating States
www.ti.com

4.2.4 Operating States

The C2000 MCU products have a common architectural definition of operating states. These operating states should be observed by the system developer in their software and system level design concepts. The operating states state machine is shown in Figure 4-6. The operating states can be classified into device boot phase and CPU Subsystem (CPUSS) operation phase.
The various states of the device operating states state machine are:
Powered Off - This is the initial operating state of TMS320F28002x MCU. No power is applied to either core or I/O power supply and the device is non-functional. An external supervisor can perform this action (power-down the TMS320F28002x MCU) in any of the TMS320F28002x MCU states as response to a system level fault condition or a fault condition indicated by the TMS320F28002x MCU.
Reset State – In this state, the device reset is asserted either using the external pins or using any of the internal sources.
Safe State – In the Safe state, the device is either not performing any functional operations or an internal fault condition is indicated using the device I/O pins.
Cold Boot - In the cold boot state, key analog elements, digital control logic, and debug logic are initialized. The CPU remains powered but in reset. When the cold boot process is completed, the reset of the CPU is internally released, leading to the warm boot stage.
Warm Boot - The CPU begins execution from Boot ROM during the warm boot stage.
Pre-operational - Transfer of control from boot code to customer code takes place during this phase. Application specific configurations (for example, clock frequency, peripheral enable, pinmux, and so forth) are performed in this phase. Boot time self-test/proof-test required to ensure proper device operation is performed during this phase. See Power-Up Pre-Operational Security Checks for details.
Operational – This marks the system exiting the pre-operational state and entering the functional state. The device is capable of supporting safety critical functionality during operational mode.
12 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
Cold Boot
Power
Applied
Efuse autoload
(cold boot phase)
Boot ROM
execution and
security
initialization
(Warm boot phase)
Reset
Released
Customer
Code Starts
Operational Phase
Pre Operational Phase
Warm Boot
TI boot code execution. Can be characterized
based on device configuration Customer code Self-test code
Pre operational checks by CPU1
(Verify RAM, Flash, Watchdog,
CPU, %RRW520«..)
XRSn
Internal
Reset
Boot ROM
Customer pre-operational checks
ERROR_STS
(active-low)
Efuse Autoload
Customer application code
Security Init
Analog (DAC,
ADC, OSC) Init
Bootmode SelPwr Mgmt init
Boot exception
init
x Device Powerdown x Assertion of XRSn pin x Assertion of CPU Reset x NMI and assertion of ERRORSTS pin x CPU Interrupt
www.ti.com
The device start-up timeline for both the CPUs are shown in Figure 4-7.
TMS320F28002x Product Overview
Figure 4-7. TMS320F28002x MCU CPU Start-Up Sequence

4.2.5 Management of Faults

The TMS320F28002x MCU product architecture provides different levels of fault indication from internal safety mechanisms using CPU Interrupt, Non Maskable Interrupt (NMI), assertion of ERRORSTS pin, assertion of CPU input reset and assertion of warm reset (XRSn). The fault response is the action that is taken by the TMS320F28002x MCU or system when a fault is indicated. Multiple potential fault responses are possible during a fault indication. The system integrator is responsible to determine which fault response should be taken to ensure consistency with the system safety concept. The fault indication ordered in terms of severity (device power down being the most severe) is shown in Figure 4-8.
Figure 4-8. Fault Response Severity
Device Powerdown: This is the highest priority fault response where the external component (see
Section 4.4.1) detects malfunctioning of the device or other system components and powers down the
TMS320F28002x MCU. From this state, it is possible to re-enter cold boot to attempt recovery.
Assertion of XRSn: The XRSn reset could be generated from an internal or external monitor that detects a critical fault having potential to violate safety goal. Internal sources generate this fault response when the TMS320F28002x MCU is not able to handle the internal fault condition by itself (for example, CPU1 (master CPU) is not able to handle NMI by itself). From this state, it is possible to re-enter cold boot and attempt recovery.
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 13
TMS320F28002x Product Overview
www.ti.com
Assertion of CPU Reset: CPU Reset changes the state of the CPU from pre-operational or operational state to warm boot phase. The CPU Reset is generated from an internal monitor that detects any security violations. Security violations may be the effect of a fault condition.
Non Maskable Interrupt (NMI) and assertion of ERRORSTS pin: C28x CPU supports a Non Maskable Interrupt (NMI), which has a higher priority than all other interrupts. The TMS320F28002x MCU is equipped with a NMIWD module responsible for generating NMI to the C28x CPU. ERRORSTS pin will also be asserted along with NMI. Depending on the system level requirements, the fault can be handled either internal to the TMS320F28002x MCU using software or at the system level using the ERRORSTS pin information.
CPU Interrupt: CPU interrupt allows events external to the CPU to generate a program sequence context transfer to an interrupt handler where software has an opportunity to manage the fault. The peripheral interrupt expansion (PIE) block multiplexes multiple interrupt sources into a smaller set of CPU interrupt inputs.

4.2.6 Suggestions for Improving Freedom From Interference

The following techniques and safety measures may be useful for improving independence of function when using the TMS320F28002x MCU:
1. Hold peripherals clocks disabled if the available peripherals are unused (CLK14-Peripheral Clock Gating
(PCLKCR)).
2. Hold peripherals in reset if the available peripherals are unused (SYS7-Peripheral Soft Reset (SOFTPRES)).
3. Power down the analog components cores if they are not used.
4. When possible, separate critical I/O functions by using non adjacent I/O pins/balls.
5. Partition the memory as per the application requirements to respective processing units and configure the
Access Protection Mechanism for Memories, for each memory instance such that only the permitted masters
have access to memory.
6. The Dual Code Security Module (DCSM) can be used for functional safety where functions with different
safety integrity levels can be executed from different security zones (zone1, zone2, and unsecured zone), acting as firewalls and thus mitigating the risk due to interference from one secure zone to another. For more information, please refer to Achieving Coexistence of Safety Functions for EV/HEV Using C2000™ MCUs
7. TMS320F28002x supports master access control for each peripheral. After programming peripheral access
protection registers, each master can exclusively control the peripheral to safeguard usage by particular application against errant writes or corruption by other masters in the system. This is enabled using the dedicated access control bits per peripheral which allow or protect against the access from given master. Each peripheral has two bit qualifier per master to decode the access allowed. For details refer to PERIPH_AC_REGS Registers in TMS320F28002x Technical Reference Manual.
8. ADC11-Disabling Unused Sources of SOC Inputs to ADC can help avoid interference from unused
peripherals to disturb functionality of ADC.
9. DMA9-Disabling of Unused DMA Trigger Sources will help minimize interference caused by unintentional
DMA transfers.
10. To avoid interference from spurious activity on MCU’s debug port, JTAG1-Hardware Disable of JTAG Port
can be used.
11. Safety applications running on the CPU can be interfered by unintentional faulty interrupt events to PIE
module. PIE7-Maintaining Interrupt Handler for Unused Interrupts and PIE8-Online Monitoring of Interrupts
and Events will detect such interfering failures.
12. MCU resources in supporting CPU execution such as memory, interrupt controller, and so forth could
be impacted by resources from lower safety integrity safety functions coexisting on same MCU. Safety mechanisms such as SRAM16-Information Redundancy Techniques, SRAM11-Access Protection
Mechanism for Memories SRAM17-CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping will be able to detect such interference.
13. Critical configuration registers could be victim of interference from bus masters on MCU which implements
lower safety integrity functions. These can be protected by SYS1-Multi-Bit Enable Keys for Control
Registers, SYS2-Lock Mechanism for Control Registers, SYS8-EALLOW and MEALLOW Protection for Critical Registers.
14 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28002x Product Overview

4.2.7 Suggestions for Addressing Common Cause Failures

System Integrator needs to execute a common cause failure analysis to consider possible dependent/common cause failures on the sub-elements of the TMS320F28002x MCU, including pin level connections.
Consider a relevant list of dependent failure initiators, such as the lists found in ISO 26262-11:2018. Analysis of dependent failures should include common cause failures among functional redundant parts and also between functions and the respective safety mechanisms.
Verify that the dependent failure analysis considers the impact of the software tasks running on the TMS320F28002x MCU, including hardware and software interactions.
Verify that the dependent failure analysis considers the impact of the pin or ball level interactions on the TMS320F28002x MCU package, including aspects related to the selected I/O multiplexing.
The following may be useful for addressing the common cause failures when using the TMS320F28002x MCU:
1. Redundant functions and safety mechanism can be impacted by common power failure. A common cause
failure on power source can be detected by PWR1-External Voltage Supervisor, PWR2-External Watchdog.
2. In general, a clock source which is common to redundant functions should be monitored and any failures
on the same can be detected by safety mechanisms such as CLK1-Missing Clock Detect (MCD), CLK2-
Clock Integrity Check Using CPU Timer, CLK5-External Clock Monitoring via XCLKOUT and CLK8-Periodic Software Read Back of Static Configuration Registers. Specifically, to avoid common clock failure affecting Internal Watchdog (WD) and CPU, it is recommended to use either INTOSC2 or X1/X2 as clock source to
PLL.
3. Failure of common reset signal to redundant functions can be detected by RST1-External Monitoring of
Warm Reset (XRSn), RST2-Reset Cause Information.
4. Common cause failure on Interconnect logic could impact both redundant functions and also safety
mechanism in same way. In addition to other safety mechanisms, INC1-Software Test of Function Including
Error Tests can be implemented to detect faults on interconnect logic.
5. Common cause failure could impact two functions used in a redundant way. In case the of communication
peripherals, module specific Information Redundancy Techniques Including End-to-End Safing can be implemented to detect common cause failures, for example, CAN2-Information Redundancy Techniques
Including End-to-End Safing , SPI2-Information Redundancy Techniques Including End-to-End Safing , SCI3-Information Redundancy Techniques Including End-to-End Safing and I2C3-Information Redundancy Techniques Including End-to-End Safing .
6. Use different voltage references and SOC trigger sources for ADC (see Section 6.5.8)
7. Use ePWM modules from different sync groups for implementing Hardware Redundancy
8. Use GPIO pins from different groups when implementing Hardware Redundancy for GPIO pins
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 15
Copyright © 2021 Texas Instruments Incorporated
TMS320F28002x Product Overview
www.ti.com

4.3 C2000 Safety Diagnostics Libraries

The diagnostics library designed for the F28002x family of devices is Software Diagnostic Library (SDL). This library is designed to help TI customers, using the F28002x, develop functionally safe systems that can comply with a wide range of standards for end products in the appliance (IEC 60730) market. The SDL provides examples for several safety mechanisms provided in the safety manual.
Table 4-1. F28002x Diagnostic Library details
Library
SDL Examples Only N/A
Permanent
Fault Diagnostic
Coverage
Systematic
Capability
Compliance
Description
The SDL provides examples of several safety mechanisms described in the safety manual
The SDL is an integral part of the overall safety related collateral provided by TI. The SDL examples are developed using a Baseline Quality software development flow and are not required to be compliant with any particular standard. As such, the SDL is not certified. Users are expected to study and adapt the provided examples into their safety related applications and are responsible to for their own product level third party certifications. The SDL is a collection of library modules and examples intended to demonstrate implementations of several of the software diagnostics and software tests of diagnostics described in this document. Additionally, the SDL and accompanying Compliance Support Package (CSP) is provided to assist customers develop systems that address requirements of IEC 60730, IEC 60335, ISO 26262 and IEC 61508 and other functional safety standards. The SDL is available in C2000Ware under /libraries/diagnostic.

4.4 TMS320F28002x MCU Safety Implementation

4.4.1 Assumed Safety Requirements

The following assumed safety requirements need to be implemented using external components by the Level 3 checker.
External voltage monitor to supervise the power supply provided to the TMS320F28002x MCU
External Watchdog timer that can be used for diagnostic purposes
Components required for taking the system to safe state as per the TMS320F28002x MCU safe state defined in Section 4.2.3.
4.4.1.1 Example Safety Concept Implementation Options on TMS320F28002x MCU
TMS320F28002x class of devices supports C28x processing unit. The safety functions, which ensure that each safety goal can be met, can be implemented by the C28x. HWBIST can be used for diagnostic coverage for the processing units (ISO 26262-5:2018, Table D.4 and IEC 61508-2:2010, Table A.4). Safety mechanisms such as ,
Internal Watchdog (WD) and so forth, can also be utilized. For common cause failures such as clock, power and
reset, an external watchdog should be used. Here are some definitions:
Intended Function: Control application implemented on TMS320F28002x (PFC, DCDC, traction-inverter etc.)
Safety Function: Achieves risk reduction and implemented for safety goals identified from HARA – Example: prevent over-current, over/under voltage, over temperature, forward/reverse torque etc.)
– Shall meet >= 90% SPFM for both permanent and transient faults
Diagnostic Function: Ensures safety-function will operate correctly when required – Shall meet >= 60% LFM for ISO 26262:2018 (ASIL-B compliance targeted) systems
The following is a reference safety concept option which can be implemented on TMS320F28002x.
16 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
4.4.1.1.1 Safety Concept Implementation
TMS320F28002x Product Overview
Figure 4-9. Safety Concept Implementation
Intended Function: can be implemented on C28x
Use CPU10-Information redundancy techniques, CPU2-CPU Hardware Built-In Self-Test (HWBIST) to ensure the safety function is executed correctly
Safety Function: Implement using hardware modules such as ADC-PPB, CMPSS, CLB, and so forth. – SPFM of the safety goal can be met by hardware redundancy between the modules used in implementing
safety function, ADC10-Hardware redundancy techniques, CMPSS3-Hardware redundancy techniques and Periodic Software Read Back of Static Configuration Registers and so forth.
Diagnostic Function: Implement with hardware modules such as ADC-PPB, CMPSS, CLB, and so forth – LFM can be met by Software Test of Function Including Error Tests and so forth.

5 Brief Description of Safety Elements

This section contains a brief description of the elements on the TMS320F28002x MCU device family, organized based on the classification of parts of generic hardware of a system [8] as indicated in Figure 5-1. For a full functional description of any of these modules, see the device-specific technical reference manual. The brief description of the hardware part is followed by the list of primary safety mechanisms that can be employed to provide diagnostic coverage to the hardware part. Some safety standards have the requirement to provide diagnostic coverage for the primary diagnostic measures (for example, Latent Fault Metric requirement from ISO 26262:2018). These measures are called as test of diagnostics. Primary diagnostics of type “Software” and “Hardware/Software” involves execution of the software on the processing units and also use many of the MCU parts like Interconnect, Memory (Flash, SRAM and ROM) and TMS320F28002x MCU infrastructure components (Clock, Power, Reset and JTAG). In order to ensure integrity of the implemented primary diagnostics and their associated diagnostic coverage values, measures to protect execution of primary diagnostics on respective processing units needs to be implemented. Appropriate combination of test of diagnostics is recommended to be implemented for parts of the MCU contributing the successful operation of the processing units. For diagnostics for these parts, see the respective sections in this safety manual.
In case, separate test of diagnostic measures exist for a primary diagnostic measure, they are mentioned along with the respective hardware part.
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 17
Copyright © 2021 Texas Instruments Incorporated
D.2 E/E System
D.2 E/E System
D.11
Sensor
D.11
Sensor
D.3
Connector
D.3
Connector
D.7 Digital I.
D.7 Analogue I.
D.8 Bus interface
D.9 Power Supply
D.4
Processing Unit
D.3 Relay
D.7 Digital O.
D.7 Analogue O.
D.3
Connector
D.3
Connector
D.3
Connector
D.12
Actuator
D.12
Actuator
D.12
Actuator
D.6 RAM D.5 ROM D.10 Clock
Brief Description of Safety Elements
www.ti.com
Figure 5-1. Generic Hardware of a System

5.1 TMS320F28002x MCU Infrastructure Components

5.1.1 Power Supply

The C2000 MCU device family requires an external device to supply the necessary voltage and current for proper operation. Separate voltage rails are available for core (1.2 V), Analog (3.3 V), Flash (3.3 V) and I/O logic (3.3 V). Following mechanisms can be used to improve the diagnostic coverage of C2000 MCU power supply.
External Voltage Supervisor
External Watchdog (using GPIO or a serial interface)
Internal Watchdog (WD)
Brownout Reset (BOR)
Multi-Bit Enable Keys for Control Registers
Lock Mechanism for Control Registers
Software Read Back of Written Configuration
Periodic Software Read Back of Static Configuration Registers
Online Monitoring of Temperature
EALLOW and MEALLOW Protection for Critical Registers
Having independent voltage supervision at system level is an assumption used while performing safety analysis.
Devices can be implemented with multiple power rails that are intended to be ganged together on the system PCB. For proper operation of power diagnostics, it is recommended to implement one voltage supervisor per ganged rail.
Common mode failure analysis of the external voltage supervisor along with TMS320F28002x MCU is useful to determine dependencies in the voltage generation and supervision circuitry.
Customer can consider using TI's TPS6538x power supply and safety companion device for voltage supervision at system level.
Note
18 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements

5.1.2 Clock

The TMS320F28002x MCU device family products are primarily synchronous logic devices and as such require clock signals for proper operation. The clock management logic includes clock sources, clock generation logic including clock multiplication by phase lock loops (PLLs), clock dividers, and clock distribution logic. The registers that are used to program the clock management logic are located in the system control module. The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Missing Clock Detect (MCD)
Clock Integrity Check Using CPU Timer
Clock Integrity Check Using HRPWM
Dual clock comparator (DCC) - Type0
External Monitoring of Clock via XCLKOUT
Internal Watchdog (WD)
External Watchdog
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
PLL Lock Profiling Using On-Chip Timer
Peripheral Clock Gating (PCLKCR)
Efuse CRC
Hardware disable of JTAG port
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric Requirements:
Software Test of Watchdog (WD) Operation
Software Test of Missing Clock Detect Functionality
Note
Higher diagnostic coverage can be obtained by setting tighter bounds when checking clock integrity using Timer2.
TI recommends the use of an external watchdog over an internal watchdog for mitigating the risk due to common mode failure. TI also recommends the use of a program sequence, windowed, or question and answer watchdog as opposed to a single threshold watchdog due to the additional failure modes that can be detected by a more advanced watchdog.
Driving a high-frequency clock output on the XCLKOUT pin may have EMI implications. The selected clock needs to be scaled suitably before sending out through IO.

5.1.3 System PLL

The TMS320F28002x MCU device family products are primarily synchronous logic devices and as such require clock signals for proper operation. One of the important module for clock generation logic is the clock multiplication by phase lock loops (PLL).
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Clock integrity check using DCC
PLL lock indication
Internal Watchdog (WD)
External Watchdog
Software test of DCC functionality including error tests
External monitoring of Clock
Interleaving of FSM states
Hardware disable of JTAG port
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric Requirements:
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 19
Brief Description of Safety Elements
www.ti.com
Software test of functionality including error tests
Software test of Watchdog (WD) operation

5.1.4 Reset

The power-on reset (PORn) generates an internal warm reset signal to reset the majority of digital logic as part of the boot process. The warm reset can also be provided at device level as an I/O pin (XRSn) with open drain implementation. Diagnostic capabilities like NMI watchdog and Watchdog are capable of issuing a warm reset. For more information on the reset functionality, see the device-specific data sheet.
The following tests can be applied as diagnostics for this module to provide diagnostic coverage on a specific function.
External Monitoring of Warm Reset (XRSn)
Reset Cause Information
Software Test of Reset
Glitch Filtering on Reset Pins
NMIWD Shadow Registers
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
NMIWD Reset Functionality
Peripheral Soft Reset (SOFTPRES)
Internal Watchdog (WD)
External Watchdog
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric Requirements:
Software Test of Watchdog (WD) Operation
Note
Internal watchdogs are not a viable option for reset diagnostics as the monitored reset signals interact with the internal watchdogs.
Customer can consider using TI TPS6538x power supply and safety companion device for reset supervision at system level.

5.1.5 System Control Module and Configuration Registers

The system control module contains the memory-mapped registers to configure clock, analog peripherals settings and other system related controls. The system control module is also responsible for generating the synchronization of system resets and delivering the warm reset (XRSn). The configuration registers include the registers within peripherals that are not required to be updated periodically.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Multi-Bit Enable Keys for Control Registers
Lock Mechanism for Control Registers
Software Read Back of Written Configuration
Periodic Software Read Back of Static Configuration Registers
Online Monitoring of Temperature
Peripheral Clock Gating (PCLKCR)
Peripheral Soft Reset (SOFTPRES)
EALLOW and MEALLOW Protection for Critical Registers
Software Test of ERRORSTS Functionality
20 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements
Note
Review the Clock and Reset sections as these features are closely controlled by the system control module.
Customer can consider using TI TPS6538x power supply and safety companion device for ERRORSTS pin supervision at system level.

5.1.6 Efuse Static Configuration

The TMS320F28002x MCU device family supports a boot time configuration of certain functionality (such as trim values for analog macros) with the help of Efuse structures. The Efuses are read automatically after power-on reset by an autoload function.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Efuse Autoload Self-Test
Efuse ECC
The following tests can be applied as a test-for-diagnostic on this module:
Efuse ECC Logic Self-Test
SRAM Parity
Software Test of SRAM
VCRC Auto Coverage

5.1.7 JTAG Debug, Trace, Calibration, and Test Access

The TMS320F28002x MCU device family supports debug, test, and calibration implemented over an IEEE
1149.1 JTAG debug port. The physical debug interface is internally connected to a TI debug logic (ICEPICK), which arbitrates access to test, debug, and calibration logic. Boundary scan is connected in parallel to the ICEPICK to support usage without preamble scan sequences for easiest manufacturing board test. The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Hardware Disable of JTAG Port
Internal Watchdog (WD)
External Watchdog

5.2 Processing Elements

5.2.1 C28x Central Processing Unit (CPU)

The CPU is a 32-bit fixed-point processor with Floating point, CRC Unit (VCRC) and Trigonometric Math Unit (TMU) co-processors. This device draws from the best features of digital signal processing; reduced instruction set computing (RISC); and microcontroller architectures, firmware, and tool sets. The CPU features include a modified Harvard architecture and circular addressing. The RISC features are single-cycle instruction execution, and register-to-register operations. The modified Harvard architecture of the CPU enables instruction and data fetches to be performed in parallel. The CPU does this over six separate address/data buses. Its unique architecture makes it amenable to integrate safety features external to CPU but on chip, to provide improved diagnostic coverage.

5.2.2 Diagnostics for CPU

The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
CPU Hardware Built-In Self-Test (HWBIST)
Periodic Software Read Back of Static Configuration Registers
Access Protection Mechanism for Memories
Hardware Disable of JTAG Port
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
Internal Watchdog (WD)
External Watchdog
Information Redundancy Techniques
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 21
Brief Description of Safety Elements
Stack Overflow Detection
Embedded Real Time Analysis and Diagnostic (ERAD)
The following tests can be applied as test-for-diagnostics on this module:
CPU Hardware Built-In Self-Test (HWBIST) Auto Coverage
CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature
VCRC Auto Coverage
Inbuilt hardware redundancy in ERAD bus comparator module
Note
Measures to mitigate Common Cause Failure in CPU Subsystem: Common-cause failures are one of the important failure modes when a safety-related design is implemented in a silicon device. The contribution of hardware and software dependent failures is estimated on a qualitative basis because no general and sufficiently reliable method exists for quantifying such failures. System Integrator should perform a detailed analysis based on the inputs from ISO 26262-11:2018, Section 4.7 and IEC 61508-2:2010 Annex E (BetaIC method).

5.2.3 Floating Point Unit (FPU)

The FPU extends the capabilities of C28x CPU by adding registers and instructions to support IEEE single­precision floating-point operations. For more details on programming FPU please refer to TMS320C28x
Extended Instruction Sets Technical Reference Manual
www.ti.com
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
CPU Hardware Built-In Self-Test (HWBIST)
Internal Watchdog (WD)
External Watchdog
Information Redundancy Techniques
Stack Overflow Detection
Embedded Real Time Analysis and Diagnostic (ERAD)
Hardware Disable of JTAG Port
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric Requirements:
CPU Hardware Built-In Self-Test (HWBIST) Auto Coverage
CPU Hardware Built-In Self-Test (HWBIST) Fault Injection Capability
CPU Hardware Built-In Self-Test (HWBIST) Timeout Feature

5.3 Memory (Flash, SRAM and ROM)

5.3.1 Embedded Flash Memory

The embedded Flash memory is a non-volatile memory that is tightly coupled to the C28x CPU. Each CPUSS have its own dedicated flash memory. The Flash memory is not accessible by DMA. The Flash memory is primarily used for CPU instruction access, though data access is also possible. Access to the Flash memory can take multiple CPU cycles depending upon the device frequency and flash wait state configuration. Flash wrapper logic provides prefetch and data cache to improve performance.
22 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements

5.3.2 Diagnostics for Embedded Flash

The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Flash ECC
VCRC Check of Static Memory Contents
Bit Multiplexing in Flash Memory Array
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Flash Program Verify and Erase Verify Check
Software Test of Flash Prefetch, Data Cache and Wait-States
Internal Watchdog (WD)
External Watchdog
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
Information Redundancy Techniques
The following tests can be applied as test-for-diagnostics on this module:
Software Test of ECC Logic
VCRC Auto Coverage

5.3.3 Embedded SRAM

The TMS320F28002x MCU device family has the following types of SRAMs with different characteristics.
Dedicated to each CPU (M0, M1)
Local Shared RAM (LSx RAM)
Global Shared RAM (GSx RAM)
All these RAMs are highly configurable to achieve control for write access and fetch access from different masters. All dedicated RAMs are enabled with the ECC feature (both data and address) and shared RAMs are enabled with the Parity (both data and address) feature. Each RAM has its own controller which implements access protection, security related features and ECC/Parity features for that RAM.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
SRAM ECC
SRAM Parity
Software Test of SRAM
Bit Multiplexing in SRAM Memory Array
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Data Scrubbing to Detect/Correct Memory Errors
VCRC Check of Static Memory Contents
Software Test of Function Including Error Tests
Access Protection Mechanism for Memories
Lock Mechanism for Control Registers
Information Redundancy Techniques
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
Internal Watchdog (WD)
External Watchdog
Memory Power-On Self-Test (MPOST)
Background CRC
SPRUIT5 – APRIL 2021
Submit Document Feedback
Safety Manual for TMS320F28002x 23
Copyright © 2021 Texas Instruments Incorporated
Brief Description of Safety Elements
www.ti.com
The following tests can be applied as a test-for-diagnostic on this module:
Software Test of ECC Logic
Software Test of Parity Logic
VCRC Auto Coverage
Watchdog for Background CRC

5.3.4 Embedded ROM

The TMS320F28002x MCU device family has the following types of ROMs:
Boot ROM helps to boot the device and contain functions for security initialization, device calibration and support different boot modes
Secure ROM functions are not developed to meet any systematic capability compliance (ISO 26262-6:2018/IEC 61508-3:2010) and should not be used in functional safety applications.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
VCRC Check of Static Memory Contents
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Software Test of Function Including Error Tests
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
Internal Watchdog (WD)
External Watchdog
Power-Up Pre-Operational Security Checks
Memory Power-On Self-Test (MPOST)
The following tests can be applied as a test-for-diagnostic on this module:
VCRC Auto Coverage

5.4 On-Chip Communication Including Bus-Arbitration

5.4.1 Device Interconnect

The device interconnects links the multiples masters and slaves within the device. The device interconnect logic comprises of static master selection muxes, dynamic arbiters and protocol convertors required for various bus masters (CPU, DMA) to transact with the peripherals and memories.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Software Test of Function Including Error Tests
Internal Watchdog (WD)
External Watchdog
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
Transmission Redundancy
Hardware Redundancy
EALLOW and MEALLOW Protection for Critical Registers
Timeout detection through ERAD counter
The following tests can be applied as test-for-diagnostics on this module.
Software test of functionality including error tests
24 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements

5.4.2 Direct Memory Access (DMA)

The direct memory access (DMA) module provides a hardware method of transferring data between peripherals and/or memory without intervention from the CPU, thereby freeing up bandwidth for other system functions. Additionally, the DMA has the capability to orthogonally rearrange the data as it is transferred as well as “ping-pong” data between buffers. These features are useful for structuring data into blocks for optimal CPU processing.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Information Redundancy Techniques
Transmission Redundancy
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Software Test of Function Including Error Tests
DMA Overflow Interrupt
Access Protection Mechanism for Memories
Software Test of Function Including Error Tests
Disabling of Unused DMA Trigger Sources

5.4.3 Enhanced Peripheral Interrupt Expander (ePIE) Module

The enhanced Peripheral Interrupt Expander (ePIE) module is used to interface peripheral interrupts to the C28x CPU. It provides configurable masking on a per interrupt basis. The PIE module includes a local SRAM that is used to hold the address of the interrupt handler per interrupt.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
PIE Double SRAM Hardware Comparison
Software Test of SRAM
Software Test of ePIE Operation Including Error Tests
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Maintaining Interrupt Handler for Unused Interrupts
Online Monitoring of Interrups and Events
The following tests can be applied as a test-for-diagnostic on this module:
PIE Double SRAM Comparison Check

5.4.4 Dual Zone Code Security Module (DCSM)

The dual code security module (DCSM) is a security feature incorporated in this device. It prevents access and visibility to on-chip secure memories (and other secure resources) to unauthorized persons. It also prevents duplication and reverse engineering of proprietary code.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Multi-Bit Enable Keys for Control Registers
Majority Voting and Error Detection of Link Pointer
Periodic Software Read Back of Static Configuration Registers
Software Test of Function Including Error Tests
Software Read Back of Written Configuration
CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
VCRC Check of Static Memory Contents
External Watchdog
Hardware Redundancy
The following test can be applied as a test-for-diagnostic on this module:
VCRC Auto Coverage
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 25
Brief Description of Safety Elements
www.ti.com

5.4.5 CrossBar (X-BAR)

The crossbars (X-BAR) provide flexibility to connect device inputs, outputs, and internal resources in a variety of configurations. The device contains a total of four X-BARs: Input X-BAR, Output X-BAR, CLB X-BAR and ePWM X-BAR. The Input X-BAR has access to every GPIO and can route each signal to any (or multiple) of the IP blocks (for example, ADC, eCAP, ePWM, and so forth). This flexibility relieves some of the constraints on peripheral muxing by just requiring any GPIO pin to be available. The ePWM X-BAR is connected to the Digital Compare (DC) sub-module of each ePWM module for actions such as trip zones. The GPIO Output X-BAR takes signals from inside the device and brings them out to a GPIO. The CLB X-BAR has eight outputs that are connected to the CLB global mux as AUXSIGx.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Software Test of Function Including Error Tests
Hardware Redundancy
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Software Check of X-BAR Flag

5.4.6 Timer

The CPU subsystem is provided with three 32-bit CPU-Timers (TIMER0/1/2). The module provides the Operating System (OS) timer for the device. The OS timer function is used to generate internal event triggers or interrupts as needed to provide periodic operation of safety critical functions. The capabilities of the module enable it to be used for clock monitoring as well.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
1oo2 Software Voting Using Secondary Free Running Counter
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Software Test of Function Including Error Tests

5.4.7 Configurable Logic Block

The Configurable logic block (CLB) is a collection of blocks that can be interconnected using software to implement custom digital logic functions or enhance existing on-chip peripherals. The CLB is able to enhance existing peripherals through a set of crossbar interconnections, which provide a high level of connectivity to existing control peripherals such as enhanced pulse width modulators (ePWM), enhanced capture modules (eCAP), and enhanced quadrature encoder pulse modules (eQEP). The crossbars also allow the CLB to be connected to external GPIO pins. In this way, the CLB can be configured to interact with device peripherals to perform small logical functions such as comparators, or to implement custom serial data exchange protocols. Through the CLB, functions that would otherwise be accomplished using external logic devices can now be implemented inside the MCU. CLB can be used to implement Absolute or Incremental Position Encoders used for Motor control applications.
The CLB peripheral is configured through the CLB tool. More information on the CLB tool, available examples, application reports and users guide are avaialble in C2000Ware under \utilities\clb_tool.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Software Test of CLB Function including Error Tests
Hardware Redundancy
Monitoring of CLB by eCAP or eQEP
Periodic Software Read Back of static Configuration Registers
Software Read Back of Written Configuration
Lock Mechanism of Control Regsiters
Internal Watchdog (WD)
Periodic Read Back of SPI Buffer
26 Safety Manual for TMS320F28002x SPRUIT5 – APRIL 2021
Copyright © 2021 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements
Hardware Disable of JTAG Port

5.5 Digital I/O

5.5.1 General-Purpose Input/Output (GPIO) and Pinmuxing

The General Purpose Input/Output (GPIO) module provides software configurable mapping of internal module I/O functionality to device pins. These pins can be individually selected to operate as digital I/O (also called GPIO mode), or connected to one of several peripheral I/O signals.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Lock Mechanism for Control Registers
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Software Test of Function Using I/O Loopback
Hardware Redundancy

5.5.2 Enhanced Pulse Width Modulators (ePWM)

The enhanced Pulse Width Modulator (ePWM) peripheral is a key element in digital motor control and power electronic systems. Some of the ePWM module instances support a High-Resolution Pulse Width Modulator (HRPWM) mode to improve the time resolution. For more information on the ePWM instances supporting the HRPWM mode, see the device-specific data sheet and reference manual.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
Software Test of Function Including Error Tests
Hardware Redundancy
Monitoring of ePWM by eCAP
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Lock Mechanism for Control Registers
ePWM Fault Detection using XBAR
ePWM Synchronization Check
ePWM Application Level Safety Mechanism
Online Monitoring of Interrupts and Events
Monitoring of ePWM by ADC

5.5.3 High Resolution PWM (HRPWM)

HRPWM module extends the time resolution capabilities of the conventionally derived digital pulse width modulator (PWM). HRPWM is typically used when PWM resolution falls below ~ 9-10 bits. The HRPWM is based on micro edge positioner (MEP) technology. MEP logic is capable of positioning an edge very finely by sub-dividing one coarse system clock of a conventional PWM generator. The time step accuracy is of the order of 150 ps.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
HRPWM Built-In Self-Check and Diagnostic Capabilities
Hardware Redundancy
Monitoring of ePWM by eCAP
Periodic Software Read Back of Static Configuration Registers
Software Read Back of Written Configuration
Lock Mechanism for Control Registers

5.5.4 Enhanced Capture (eCAP)

The enhanced CAPture (eCAP) module provides input capture functionality for systems where accurate timing of external events is important. The eCAP module features include speed measurements of rotating machinery (for example, toothed sprockets sensed via Hall sensors), elapsed time measurements between position sensor
SPRUIT5 – APRIL 2021
Submit Document Feedback
Copyright © 2021 Texas Instruments Incorporated
Safety Manual for TMS320F28002x 27
Loading...
+ 63 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use