Texas Instruments TMS320F28004 User Manual
www.ti.com
Table of Contents
User’s Guide
Safety Manual for TMS320F28004x
Vanjari, Ashish
ABSTRACT
This document is a safety manual for the Texas Instruments TMS320F28004x safety critical microcontroller
product family. The product family utilizes a common safety architecture that is implemented in multiple
application-focused products.
Table of Contents
1 Introduction.............................................................................................................................................................................3
2 TMS320F28004x Product Safety Capability and Constraints............................................................................................. 5
3 TI Development Process for Management of Systematic Faults....................................................................................... 5
3.1 TI New-Product Development Process.............................................................................................................................. 5
3.2 TI Functional Safety Development Process....................................................................................................................... 6
4 TMS320F28004x Product Overview...................................................................................................................................... 8
4.1 C2000 Architecture and Product Overview........................................................................................................................ 8
4.2 Functional Safety Concept................................................................................................................................................. 9
4.3 C2000 Safety Diagnostics Libraries................................................................................................................................. 19
4.4 TMS320F28004x MCU Safety Implementation................................................................................................................23
5 Brief Description of Safety Elements..................................................................................................................................26
5.1 TMS320F28004x MCU Infrastructure Components.........................................................................................................26
5.2 Processing Elements....................................................................................................................................................... 29
5.3 Memory (Flash, SRAM and ROM)................................................................................................................................... 30
5.4 On-Chip Communication Including Bus-Arbitration..........................................................................................................32
5.5 Digital I/O......................................................................................................................................................................... 35
5.6 Analogue I/O.................................................................................................................................................................... 37
5.7 Data Transmission........................................................................................................................................................... 39
6 Brief Description of Diagnostics......................................................................................................................................... 42
6.1 TMS320F28004x MCU Infrastructure Components.........................................................................................................42
6.2 Processing Elements....................................................................................................................................................... 47
6.3 Memory (Flash, SRAM and ROM)................................................................................................................................... 50
6.4 On-Chip Communication Including Bus-Arbitration..........................................................................................................53
6.5 Digital I/O......................................................................................................................................................................... 54
6.6 Analogue I/O.................................................................................................................................................................... 62
6.7 Data Transmission........................................................................................................................................................... 66
7 References............................................................................................................................................................................ 71
A Safety Architecture Configurations....................................................................................................................................72
B Distributed Developments...................................................................................................................................................75
B.1 How the Functional Safety Lifecycle Applies to Functional Safety-Compliant Products..................................................75
B.2 Activities Performed by Texas Instruments......................................................................................................................75
B.3 Information Provided........................................................................................................................................................76
C Terms and Definitions..........................................................................................................................................................77
D Summary of Safety Features and Diagnostics..................................................................................................................79
E Glossary.............................................................................................................................................................................. 104
Revision History.................................................................................................................................................................... 104
List of Figures
Figure 3-1. TI New-Product Development Process..................................................................................................................... 6
Figure 4-1. Functional Block Diagram of TMS320F28004x MCU................................................................................................8
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 1
Trademarks
Figure 4-2. Definition of the TMS320F28004x MCU Used in a Compliant Item.......................................................................... 9
Figure 4-3. E-GAS System Overview From Standard............................................................................................................... 10
Figure 4-4. VDA E-Gas Monitoring Concept Applied to F28004x MCU.....................................................................................11
Figure 4-5. TMS320F28004x MCU With Safety Features......................................................................................................... 12
Figure 4-6. Relationship Between FDTI, Fault Reaction Time and FTTI...................................................................................13
Figure 4-7. Illustration of FTTI................................................................................................................................................... 13
Figure 4-8. TMS320F28004x MCU Safe State Definition..........................................................................................................14
Figure 4-9. TMS320F28004x MCU Device Operating States....................................................................................................15
Figure 4-10. TMS320F28004x MCU CPU Start-Up Sequence................................................................................................. 16
Figure 4-11. Fault Response Severity........................................................................................................................................16
Figure 4-12. TI Software Development Lifecycle - Quality Level...............................................................................................22
Figure 4-13. Safety Concept Implementation Option 1..............................................................................................................24
Figure 4-14. Safety Concept Implementation Option 2..............................................................................................................25
Figure 5-1. Generic Hardware of a System............................................................................................................................... 26
Figure 6-1. CLA Liveness Check............................................................................................................................................... 47
Figure 6-2. Stack Overflow Monitoring...................................................................................................................................... 49
Figure 6-3. CLAPROMCRC Functional Diagram.......................................................................................................................52
Figure 6-4. ePWM Fault Detection Using X-BAR...................................................................................................................... 55
Figure 6-5. Monitoring of ePWM by ADC.................................................................................................................................. 58
Figure 6-6. HRCAP Calibration..................................................................................................................................................61
Figure 6-7. QMA Module Block Diagram................................................................................................................................... 62
Figure 6-8. DAC to ADC Loopback............................................................................................................................................63
Figure 6-9. Testing PGA Using ADC and DAC.......................................................................................................................... 64
Figure 6-10. ADC Open-Shorts Detection Circuit...................................................................................................................... 65
Figure C-1. ISO 26262 Illustration of Item, System, Component, Hardware Part and Software Unit........................................77
www.ti.com
List of Tables
Table 1-1. Products Supported by This Safety Manual................................................................................................................3
Table 3-1. Functional Safety Activities Overlaid on Top of TI's Standard Development Process................................................ 7
Table 4-1. DC and SCC Targeted for F28004x Diagnostic Libraries......................................................................................... 19
Table 4-2. Tools Required for Integration of the F28004x STL.................................................................................................. 19
Table 4-3. API Mapping............................................................................................................................................................. 21
Table 4-4. MD5 Signatures for C28x-STL..................................................................................................................................22
Table 4-5. MD5 Signatures for CLA-STL................................................................................................................................... 23
Table 6-1. ADC Open-Shorts Detection Circuit Truth Table.......................................................................................................65
Table A-1. Safety Architecture Configurations........................................................................................................................... 72
Table B-1. Activities Performed by Texas Instruments versus Performed by the Customer......................................................75
Table B-2. Product Functional Safety Documentation............................................................................................................... 76
Table D-1. Summary Table Legend........................................................................................................................................... 79
Table D-2. Summary of Safety Features and Diagnostic...........................................................................................................80
Table E-1. Glossary................................................................................................................................................................. 104
Trademarks
C2000™ is a trademark of Texas Instruments.
All other trademarks are the property of their respective owners.
2 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com Introduction
1 Introduction
WARNING
The TMS320F28004x is being offered as a Functional Safety Compliant Safety Element out of
Context (SEooC) product. This implies that TMS320F28004x was developed in compliance with TI's
ISO-9001/IATF-16949 compliant hardware product development process. Subsequently, this product
was independently assessed to meet a systematic capability compliance of ASIL D (according to
ISO-26262:2018) and SIL 3 (according to IEC-61508:2010), see the Texas Instrument's functional
safety hardware development process. As such, this safety manual is intended to be informative only
to help explain how to use the features of TMS320F28004x device to assist the system designer in
achieving a given ASIL or SIL level. System designers are responsible for evaluating this device in
the context of their system and determining the system-level ASIL or SIL coverage achieved therein.
The products supported by this document have been assessed to be meet a systematic capability compliance of
ASIL D (according to ISO 26262) and SIL 3 (according to IEC 61508). For more information, see the Texas
Instrument's functional safety hardware development process.
This Functional Safety Manual is part of the Functional Safety-Compliant design package to aid customers who
are designing systems in compliance with ISO26262 or IEC61508 functional safety standards.
This document is a safety manual for the Texas Instruments TMS320F28004x safety critical microcontroller
product family. The product family utilizes a common safety architecture that is implemented in multiple
application focused products.
Product configurations supported by this safety manual include silicon revision B of the following products listed
in Table 1-1. The device revision can be determined by the REVID field of the device identification registers
outlined in the product data sheet.
Table 1-1. Products Supported by This Safety Manual
Orderable Devices Supported Safety Integrity Level
F280048CPMQR ASIL B
F280048PMQR ASIL B
F280049CPMS ASIL B
F280049CPZQR ASIL B
F280049CPZS ASIL B
F280049PMS ASIL B
F280049PMSR ASIL B
F280049PZQ ASIL B
F280049PZQR ASIL B
F280049PZS ASIL B
F280049PZSR ASIL B
F280040CPMQR QM
F280040PMQR QM
F280041CPMS QM
F280041CPZQR QM
F280041CPZS QM
F280041CRSHSR QM
F280041PMS QM
F280041PMSR QM
F280041PZQR QM
F280041PZS QM
F280041PZSR QM
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 3
Introduction
www.ti.com
Table 1-1. Products Supported by This Safety Manual (continued)
Orderable Devices Supported Safety Integrity Level
F280041RSHSR QM
F280045PMS QM
F280045PMSR QM
F280045PZS QM
F280045PZSR QM
F280045RSHSR QM
F280049CRSHSR QM
F280049CRSHS QM
F280049RSHSR QM
This Functional Safety Manual provides information needed by system developers to assist in the creation of a
safety critical system using a supported TMS320F28004x MCU. This document contains:
• An overview of the component architecture
• An overview of the development process used to decrease the probability of systematic failures
• An overview of the functional safety architecture for management of random failures
• The details of architecture partitions and implemented functional safety mechanisms
The following information is documented in the Detailed Safety Analysis Report (SAR) for TMS320F28004x
C2000™ Safety Critical Microcontrollers, which is only available under Functional Safety NDA and is not
repeated in this document:
• Failure rates (FIT) of the component
• Fault model used to estimate device failure rates to enable calculation of customized failure rates
• Functional safety metrics of the hardware component for targeted standards (viz. IEC 61508:2010 and ISO
26262:2018)
• Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics
Analysis) with detail of the different parts of the component, allowing for customized application of functional
safety mechanisms
• Assumptions used in the calculation of functional safety metrics
It is expected that the user of this document should have a general familiarity with the TMS320F28004x product
families. More information can be found at www.ti.com/C2000.
This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals,
and other documentation for the products being supplied.
For information which is beyond the scope of the listed deliverables, please contact your TI sales representative
or www.ti.com.
4 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28004x Product Safety Capability and Constraints
2 TMS320F28004x Product Safety Capability and Constraints
This section summarizes the TMS320F28004x product safety capability. Each TMS320F28004x product:
• Is offered as a functional Safety Element Out Of Context (SEooC)
• Was assessed to have met the relevant systematic capability compliance requirements of IEC 61508:2010
and ISO 26262:2018 and
– Achieves systematic integrity of SIL 3 and ASIL D
• In addition, the device can meet hardware architectural metrics up to ASIL B by implementing proper safety
concept (for example, Reciprocal Comparison by Software).
• Contains multiple features to support Freedom From Interference (FFI) for mixed-criticality of safety
requirements assigned to the different sub-elements
• The TMS320F28004x MCUs are Type B devices, as defined in IEC 61508-2:2010
• This device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as defined in IEC
61508:2010
• For safety components developed according to many safety standards, it is expected that the component
functional safety manual will provide a list of product safety constraints. For a simple component or more
complex components developed for a single application, this is a reasonable response. However, the
TMS320F28004x MCU product family is both a complex design and is not developed targeting a single,
specific application. Therefore, a single set of product safety constraints cannot govern all viable uses of the
product
Note
The functional safety assessment of this component is not yet complete.
3 TI Development Process for Management of Systematic Faults
For functional safety development, it is necessary to manage both systematic and random faults. Texas
Instruments follows a new-product development process for all of its components which helps to decrease the
probability of systematic failures. This new-product development process is described in Section 3.1.
Components being designed for functional safety applications will additionally follow the requirements of TI's
functional safety development process, which is described in Section 3.2.
3.1 TI New-Product Development Process
Texas Instruments has been developing components for automotive and industrial markets since 1996.
Automotive markets have strong requirements regarding quality management and product reliability. The TI newproduct development process features many elements necessary to manage systematic faults. Additionally, the
documentation and reports for these components can be used to assist with compliance to a wide range of
standards for customer’s end applications including automotive and industrial systems (e.g ISO 26262-4:2018,
IEC 61508-2:2010).
This component was developed using TI’s new product development process which has been certified as
compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).
The standard development process breaks development into phases:
• Assess
• Plan
• Create
• Validate
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 5
Copyright © 2018, Texas Instruments Incorporated
Assess
Review
Plan
Review
Create
Review
Validate
Review
& Release
To Market
Periodic
Post-Release
Reviews
Phase 1:
Assess
Phase 2:
Plan
Phase 3:
Create
Phase 4:
Validate
Sustain
Identify New
Product
Opportunities
Develop Project
Plan
IC Design &
Layout
Develop Product
Specification
IC Design
Verification
Manage Project Execution and Risks
Develop Test and Validation HW/SW
Develop Datasheet and other
Documentation
Product Support
Product
Monitoring
IC Valdiation
IC Qualification
TI Development Process for Management of Systematic Faults
Figure 3-1 shows the standard process.
www.ti.com
3.2 TI Functional Safety Development Process
The TI functional safety development flow derives from ISO 26262:2018 and IEC 61508:2010 a set of
requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's
standard new product development process to develop Functional Safety-Compliant components. The details of
this functional safety development flow are described in the TI internal specification - Functional Safety
Hardware.
Key elements of the TI functional safety-development flow are as follows:
• Assumptions on system level design, functional safety concept, and requirements based on TI's experience
• Qualitative and quantitative functional safety analysis techniques including analyses of silicon failure modes
• Base FIT rate estimation based on multiple industry standards and TI manufacturing data
• Documentation of functional safety work products during the component development
• Integration of lessons learned through multiple functional safety component developments, functional safety
6 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
with components in functional safety applications
and application of functional safety mechanisms
standard working groups, and the expertise of TI customers
Figure 3-1. TI New-Product Development Process
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com TI Development Process for Management of Systematic Faults
Table 3-1 lists these functional safety development activities that are overlaid atop the standard development
flow in Figure 3-1.
For more information about which functional safety lifecycle activities TI performs, see Appendix B.
The customer facing work products derived from this Functional Safety-Compliant process are applicable to
many other functional safety standards beyond ISO 26262:2018 and IEC 61508:2010.
Table 3-1. Functional Safety Activities Overlaid on Top of TI's Standard Development Process
Assess Plan Create Validate Sustain and End-of-Life
Determine if functional
safety process execution
is required
Nominate a functional
safety manager
End of Phase Audit
Define component target
SIL/ASIL capability
Generate functional safety
plan
Verify the functional safety
plan
Initiate functional safety
case
Analyze target
applications to generate
system level functional
safety assumptions
End of Phase Audit
Develop component level
functional safety
requirements
Include functional safety
requirements in design
specification
Verify the design
specification
Start functional safety
design
Perform qualitative
analysis of design (i.e.
failure mode analysis)
Verify the qualitative
analysis
Verify the functional safety
design
Perform quantitative
analysis of design (i.e.
FMEDA)
Verify the quantitative
analysis
Iterate functional safety
design as necessary
End of Phase Audit
Validate functional safety
design in silicon
Characterize the functional
safety design
Qualify the functional
safety design (per AEC-
Q100)
Finalize functional safety
case
Perform assessment of
project
Release functional safety
manual
Release functional safety
analysis report
Release functional safety
report
End of Phase Audit
Document any reported
issues (as needed)
Perform incident reporting
of sustaining operations
(as needed)
Update work products (as
needed)
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 7
Global Shared RAM - Parity
32KW (64KB)
C28x
TMU+FPU+VCU-I
M0 - 1KW (2KB)
M1 - 1KW (2KB)
Boot - 32KW (64KB)
Flash - ECC
C28x RAM - ECC
PIE
CPU Timer0
CPU Timer1
CPU Timer2
10 MHz INTOSC1, INTOSC2
10–20 MHz Crystal Oscillator
NMI Watchdog
Missing Clock Detect
PLL
CLA
(Type 2)
CLA MSG RAM - Parity
DMA
(6 Channels)
3x 12-Bit ADC
8x ePWM
(16 Hi-Res Channels)
7x eCAP
2x eQEP
(CW/CCW Support)
4x SD Filters
1x I2C
7x CMPSS
2x Buffered DAC
7x PGA
1x PMBUS
2x SPI
Windowed Watchdog
LS0–LS7
8x (2KW [4KB])
GS0–GS3
4x (8KW
[16KB])
2x SCI
2x CAN
C28x ROM
DCSM OTP
GPIO
Secure - 64KW (128KB)
Secure
Memories
Flash BANK0 - 16 Sectors
64KW (128KB)
Flash BANK1 - 16 Sectors
64KW (128KB)
CLA to CPU - 128W
CPU to CLA - 128W
1x LIN
CLA ROM
Local Shared RAM - Parity
16KW (32KB)
Data Bridge Data Bridge Data Bridge Data Bridge Data Bridge Data Bridge
Result
Configuration
Program
48KW (96KB)
Data
4KW (8KB)
Copyright © 2017, Texas Instruments Incorporated
Configuration
Data
TMS320F28004x Product Overview
www.ti.com
4 TMS320F28004x Product Overview
p
4.1 C2000 Architecture and Product Overview
The TMS320F28004x devices are powerful 32-bit floating-point microcontroller unit (MCU) designed for
advanced closed-loop control applications in automotive and industrial applications.
4.1.1 TMS320F28004x MCU
TMS320F28004x supports C28x and CLA as processing elements that boosts system performance for closed
loop control applications. This is a powerful 32-bit floating-point microcontroller unit (MCU) that lets system
integrator to access crucial control peripherals, differentiated analog, and nonvolatile memory on a single device.
The C28x CPU is further boosted by the Trigonometric Math Unit (TMU) accelerator that enables fast execution
of algorithms with trigonometric operations common in transforms and torque loop calculations. The Viterbi,
Complex Math and CRC Unit (VCU) accelerator reduces the time for complex math operations common in
encoded applications. Users may refer to Accelerators: Enhancing the Capabilities of the C2000™ MCU Family
to see how the accelerators can be employed to increase the performance of the MCU in many real-time
applications.
The CLA is an independent 32-bit floating-point accelerator that runs at the same frequency as the main C28x
CPU, responding to peripheral triggers with minimum event latency and executing code concurrently with the
main CPU.
The TMS320F28004x supports up to 256KB (128KW) of on-chip flash memory with error correction code (ECC)
and up to 100KB (50KW) of SRAM with parity or ECC.
Figure 4-1. Functional Block Diagram of TMS320F28004x MCU
8 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
Sensor
Processing
Element
Actuator
S
Remote
Controller
MCU
A
Remote
Controller
S
Remote
Controller
A
Remote
Controller
Sensor
Actuator
Processing Element
www.ti.com
TMS320F28004x Product Overview
High performance analog and control peripherals are also integrated to further enable system consolidation.
Three independent 12-bit ADCs provide precise and efficient management of multiple analog signals, which
ultimately boosts system throughput. The new sigma-delta filter module (SDFM) works in conjunction with the
sigma-delta modulator to enable isolated current shunt measurements. The Comparator Subsystem (CMPSS)
with windowed comparators allows for protection of power stages when current limit conditions are exceeded or
not met. Other analog and control peripherals include the Digital-to-Analog Converter (DAC), Enhanced Pulse
Width Modulation (ePWM), Enhanced Capture (eCAP), Enhanced Quadrature Encoder Pulse (eQEP) and
Programmable Gain Amplifier (PGA). The Programmable Gain Amplifier (PGA) is used to amplify an input
voltage for the purpose of increasing the effective resolution of the downstream ADC and CMPSS modules.
Peripherals such as Controller Area Network (CAN) modules (ISO11898-1/CAN 2.0B-compliant), Inter-Integrated
Communication (I2C) Bus, Local Interconnect Network (LIN), Serial Communications Interface (SCI), Serial
Peripheral Interface (SPI), Power Management Bus (PMBus) Interface, and Fast Serial Interface (FSI) extend
connectivity of TMS320F28004x MCU. The Fast Serial Interface (FSI) module is a serial communication
peripheral capable of reliable high-speed communication across isolation devices.
The device configurations supported by this safety manual for TMS320F28004x MCUs is outlined in the
TMS320F28004x Microcontrollers Data Sheet. Not all variants are available in all packages or all temperature
grades. To confirm availability, contact your local Texas Instruments sales and marketing.
4.2 Functional Safety Concept
To stay as general as possible, the functional safety concept assumes the MCU playing the role of a processing
unit (or part of it) and connected to remote controller(s) by means of a communication bus as shown in Figure
4-2. The communication bus is directly or indirectly connected to sensor(s) and actuator(s).
IEC 61508-1:2010 defines a compliant item as any item (for example an element) on which a claim is being
made with respect to the clauses of IEC 61508:2010 series. A system including TMS320F28004x microcontroller
as indicated by Figure 4-2 can be used in a compliant item according to IEC 61508:2010.
Figure 4-2. Definition of the TMS320F28004x MCU Used in a Compliant Item
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 9
Level 1
ECU Functions
Level 2
Function Monitoring
Level 3
Fault Reaction
Memory Test
Level 2
Quest Spec.
Test Data
Function Spec
Instruction Test
Response
Contribution
Linking
Monitor Modules
Function
Controller
Monitoring
Controller
Input
Signals
Power
Determining Output
Stages/
Safety-Relevant
Bus Communication
Enable
Enable
Program Flow Check
Question Answer
TMS320F28004x Product Overview
www.ti.com
4.2.1 VDA E-GAS Monitoring Concept With TMS320F28004x MCU
The standardized E-GAS monitoring concept [6] for engine management systems generated by the German
VDA working group “E-Gas-Arbeitskreis” is an example of a well-trusted safety-architecture that may be used for
applications other than engine management systems provided it fits the purpose of the new application in terms
of diagnosis feasibility, environment constraints, time constraints, robustness, and so forth [7]. For more
information, see Figure 4-3.
Figure 4-3. E-GAS System Overview From Standard
10 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
Monitor
Safe
State
Level 1
Primary
Input
Signals
Main Function
Level 2
Monitoring Function
Program Flow
Level 3
Verify Sequence
CLA
Device Self-Test
Q&A Monitor
Diagnostics
Real-Time Control
Fault-Response
External
Monitor
Safety Related
Fault Detection
Monitoring Sequence
Monitor
cross-check
28X
C2000
Q & A
Q & A
28X
C2000
www.ti.com
TMS320F28004x Product Overview
The MCU device family supports heterogeneous asymmetric architecture and their functional safety features
lend themselves to an E-GAS concept implementation at system level as indicated in Figure 4-4. In the first level
(Level 1), the functions required for the system mission are computed. Second level (Level 2) checks the correct
formation in first level based on selected set of parameters. Third level (Level 3) implements an additional
external monitoring element, for the correct carrying out of the mission in the first level and/or monitoring in the
second level. The exact functional safety implementation and the modules used for realizing Level 1 and Level 2
and the external monitoring device for realizing Level 3 are left to the system designer.
Figure 4-4. VDA E-Gas Monitoring Concept Applied to F28004x MCU
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 11
TMS320F28004x Product Overview
www.ti.com
Due to the inherent versatility of the device architecture, several software voting based functional safety
configurations are possible. Some of the functional safety configurations possible with TMS320F28004x for
improving diagnostic coverage are explained in Table A-1. While implementing these configurations, system
integrator needs to consider the potential common mode failures and address them in an appropriate manner.
This may suitably be modified to adapt to TMS320F28004x requirements based on the availability of processing
units. (As stated earlier, the device claims no hardware fault tolerance, (for example, no claims of HFT > 0), as
defined in IEC 61508:2010).
The major safety features of TMS320F28004x are shown in Figure 4-5.
Figure 4-5. TMS320F28004x MCU With Safety Features
12 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
Fault
Normal Operation Unsafe State
Safe State
Fault Detection
Hazard
Avoided
T <= FDTI
Fault Reaction
Time
FTTI
Check OK
Check OK
Check NOT OK
Level2/Level3
function
Level1
function
Cross check Period (Tcc)
FTTI Budget for the MCU
Delay for MCU to
enter safe state,
Td
Tcc + Td < FTTI
www.ti.com
TMS320F28004x Product Overview
4.2.2 Fault Tolerant Time Interval (FTTI)
Various functional safety mechanisms in the devices are either always-on (see CPU Handling of Illegal
Operation, Illegal Results and Instruction Trapping, and so forth) or executed periodically (see VCU CRC Check
of Static Memory Contents, and so forth) by the application software. The maximum time that a safety
mechanism will take to detect a fault is termed as Fault Diagnostic Test Time Interval (FDTI). Once the fault is
detected, depending on the fault reaction of the associated fault (for example, external system reaction to
ERRORSTS pin assertion), the system will enter in the safe-state. The time-span in which a fault or faults can be
present in a system before a hazardous event occurs is called Fault Tolerant Time Interval (FTTI) as defined in
ISO 26262. This is similar to Process Safety Time (PST) defined in IEC 61508. Figure 4-6 illustrates the
relationship between FDTI, Fault Reaction Time and FTTI.
The frequency and extent of each of the Level 2 and Level 3 checks in E-GAS monitoring concept should be
consistent with the Fault Tolerant Time Interval (FTTI). Figure 4-7 illustrates the frequency of the required
checks. The checks should be such that single point faults of the microcontroller should be detected and
responded to, such that the TMS320F28004x MCU enters a safe state within the FTTI budget. The
microcontroller on detection of a fault enters into one of the safe states as illustrated in Figure 4-8. An example
of a diagnostic for single point faults is ECC/Parity for memories.
Figure 4-6. Relationship Between FDTI, Fault Reaction Time and FTTI
Figure 4-7. Illustration of FTTI
Copyright © 2020 Texas Instruments Incorporated
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Safety Manual for TMS320F28004x 13
+ -
TMS320F28004x
XRSn
Input
Output
ERRORSTS
3.Reset state: MCU is
kept in reset
+ -
TMS320F28004x
XRSn
Input
Output
ERRORSTS
2.Safe state: Power supply cut-off or
not in proper operating range.
+ -
TMS320F28004x
XRSn
Input
Output
Tristated
ERRORSTS
5.Safe state: MCU
Output is tristated
+ -
TMS320F28004x
XRSn
Input
Output
ERRORSTS
4. Safe state: ERRORSTS
pin is asserted
+ -
TMS320F28004x
XRSn
Input
Output
ERRORSTS
1.Proper Operational State
TMS320F28004x Product Overview
www.ti.com
The proposed functional safety concept, subsequent functional safety features and configurations explained in
this document are for reference purpose only. The system and equipment designer or manufacturer is
responsible to ensure that the end systems (and any Texas Instruments hardware or software components
incorporated in the systems) meet all applicable safety, regulatory and system-level performance requirements.
4.2.3 TMS320F28004x MCU Safe State
Referring to Figure 4-8, the safe state of the TMS320F28004x MCU is defined as the one in which:
• TMS320F28004x MCU Reset is asserted
• Power supply to TMS320F28004x MCU is disabled using an external supervisor as a result of Level 3 check
failure. In general, a power supply failure is not considered in detail in this analysis as it is assumed that the
system level functionality exists to manage this condition.
• External system is informed using one of C2000 MCU’s IO pins as a result of Level 2 check failure (for
example, ERRORSTS pin is asserted).
• Output of the TMS320F28004x MCU driving the actuator is forced to inactive mode as a result of Level 2
check failure (for example, GPIO pins corresponding to the mission function is tri-stated).
Figure 4-8. TMS320F28004x MCU Safe State Definition
14 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
Powered
Off
Reset
State
Cold Boot
Warm
Boot
Pre-
Operational
Operational
Power removed
Power applied
Chip Pin Reset
released
Defined Safe State
conditions
CPU1 Reset
released
Device boot phaseCPUSS operation
Safe State
XRSn = 0
www.ti.com
TMS320F28004x Product Overview
Figure 4-9. TMS320F28004x MCU Device Operating States
4.2.4 Operating States
The C2000 MCU products have a common architectural definition of operating states. These operating states
should be observed by the system developer in their software and system level design concepts. The operating
states state machine is shown in Figure 4-9. The operating states can be classified into device boot phase and
CPU Subsystem (CPUSS) operation phase.
The various states of the device operating states state machine are:
• Powered Off - This is the initial operating state of TMS320F28004x MCU. No power is applied to either core
or I/O power supply and the device is non-functional. An external supervisor can perform this action (powerdown the TMS320F28004x MCU) in any of the TMS320F28004x MCU states as response to a system level
fault condition or a fault condition indicated by the TMS320F28004x MCU.
• Reset State – In this state, the device reset is asserted either using the external pins or using any of the
internal sources.
• Safe State – In the Safe state, the device is either not performing any functional operations or an internal fault
condition is indicated using the device I/O pins.
• Cold Boot - In the cold boot state, key analog elements, digital control logic, and debug logic are initialized.
The CPU remains powered but in reset. When the cold boot process is completed, the reset of the CPU is
internally released, leading to the warm boot stage.
• Warm Boot - The CPU begins execution from Boot ROM during the warm boot stage.
• Pre-operational - Transfer of control from boot code to customer code takes place during this phase.
Application specific configurations (for example, clock frequency, peripheral enable, pinmux, and so forth) are
performed in this phase. Boot time self-test/proof-test required to ensure proper device operation is
performed during this phase. For details, see ROM8-Power-Up Pre-Operational Security.
• Operational – This marks the system exiting the pre-operational state and entering the functional state. The
device is capable of supporting safety critical functionality during operational mode.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 15
Cold Boot
Power
Applied
Efuse autoload
(cold boot phase)
Boot ROM
execution and
security
initialization
(Warm boot phase)
Reset
Released
Customer
Code Starts
Operational Phase
Pre Operational Phase
Warm Boot
TI boot code execution. Can be characterized
based on device configuration Customer code Self-test code
Pre operational checks by CPU1
(Verify RAM, Flash, Watchdog,
CPU, %RRW520«..)
XRSn
Internal
Reset
Boot ROM
Customer pre-operational checks
ERROR_STS
(active-low)
Efuse Autoload
Customer application code
Security Init
Analog (DAC,
ADC, OSC) Init
Bootmode SelPwr Mgmt init
Boot exception
init
x Device Powerdown
x Assertion of XRSn pin
x Assertion of CPU Reset
x NMI and assertion of ERRORSTS pin
x CPU Interrupt
TMS320F28004x Product Overview
The device start-up timeline for both the CPUs are shown in Figure 4-10.
www.ti.com
Figure 4-10. TMS320F28004x MCU CPU Start-Up Sequence
4.2.5 Management of Faults
The TMS320F28004x MCU product architecture provides different levels of fault indication from internal safety
mechanisms using CPU Interrupt, Non Maskable Interrupt (NMI), assertion of ERRORSTS pin, assertion of CPU
input reset and assertion of warm reset (XRSn). The fault response is the action that is taken by the
TMS320F28004x MCU or system when a fault is indicated. Multiple potential fault responses are possible during
a fault indication. The system integrator is responsible to determine which fault response should be taken to
ensure consistency with the system safety concept. The fault indication ordered in terms of severity (device
power down being the most severe) is shown in Figure 4-11.
Figure 4-11. Fault Response Severity
• Device Powerdown: This is the highest priority fault response where the external component (see Section
4.4.1) detects malfunctioning of the device or other system components and powers down the
TMS320F28004x MCU. From this state, it is possible to re-enter cold boot to attempt recovery.
• Assertion of XRSn: The XRSn reset could be generated from an internal or external monitor that detects a
critical fault having potential to violate safety goal. Internal sources generate this fault response when the
TMS320F28004x MCU is not able to handle the internal fault condition by itself (for example, CPU1 (master
CPU) is not able to handle NMI by itself). From this state, it is possible to re-enter cold boot and attempt
recovery.
16 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28004x Product Overview
• Assertion of CPU Reset: CPU Reset changes the state of the CPU from pre-operational or operational state
to warm boot phase. The CPU Reset is generated from an internal monitor that detects any security
violations. Security violations may be the effect of a fault condition.
• Non Maskable Interrupt (NMI) and assertion of ERRORSTS pin: C28x CPU supports a Non Maskable
Interrupt (NMI), which has a higher priority than all other interrupts. The TMS320F28004x MCU is equipped
with a NMIWD module responsible for generating NMI to the C28x CPU. ERRORSTS pin will also be
asserted along with NMI. Depending on the system level requirements, the fault can be handled either
internal to the TMS320F28004x MCU using software or at the system level using the ERRORSTS pin
information.
• CPU Interrupt: CPU interrupt allows events external to the CPU to generate a program sequence context
transfer to an interrupt handler where software has an opportunity to manage the fault. The peripheral
interrupt expansion (PIE) block multiplexes multiple interrupt sources into a smaller set of CPU interrupt
inputs.
4.2.6 Suggestions for Improving Freedom From Interference
The following techniques and safety measures shall be used as applicable for improving independence of
function when using the TMS320F28004x MCU:
1. Hold peripherals clocks disabled if the available peripherals are unused (CLK14-Peripheral Clock Gating
(PCLKCR)).
2. Hold peripherals in reset if the available peripherals are unused (RST9-Peripheral Soft Reset (SOFTPRES)).
3. When possible, separate critical I/O functions by using non adjacent I/O pins/balls.
4. Partition the memory as per the application requirements to respective processing units and configure the
Access Protection Mechanism for Memories, for each memory instance such that only the permitted masters
have access to memory.
5. The Dual Code Security Module (DCSM) can be used for functional safety where functions with different
safety integrity levels can be executed from different security zones (zone1, zone2, and unsecured zone),
acting as firewalls and thus mitigating the risk due to interference from one secure zone to another. For more
information, see Achieving Coexistence of Safety Functions for EV/HEV Using C2000™ MCUs
6. TMS320F28004x supports SYS10-Peripheral access protection - Type 0. After programming peripheral
access protection registers, each master can exclusively control the peripheral to safeguard usage by
particular application against errant writes or corruption by other masters in the system. This is enabled using
the dedicated access control bits per peripheral which allow or protect against the access from given master.
Each peripheral has two bit qualifier per master to decode the access allowed. For more details, see the
PERIPH_AC_REGS Registers in TMS320F28004x Technical Reference Manual.
7. ADC11-Disabling Unused Sources of SOC Inputs to ADC can help avoid interference from unused
peripherals to disturb functionality of ADC.
8. DMA9-Disabling of Unused DMA Trigger Sources will help minimize interference caused by unintentional
DMA transfers.
9. CLA11-Disabling of Unused CLA Trigger Sources will mitigate risk of interference caused due to the trigger
events.
10.To avoid interference from spurious activity on MCU’s debug port, JTAG1-Hardware Disable of JTAG Port can
be used.
11. Safety applications running on the CPU can be interfered by unintentional faulty interrupt events to PIE
module. PIE7-Maintaining Interrupt Handler for Unused Interrupts and PIE8-Online Monitoring of Interrupts
and Events will detect such interfering failures.
12.MCU resources in supporting CPU execution such as memory, interrupt controller, and so forth could be
impacted by resources from lower safety integrity safety functions coexisting on same MCU. Safety
mechanisms such as SRAM11-Access Protection Mechanism for Memories, SRAM16–Information
Redundancy Techniques, SRAM17-CPU Handling of Illegal Operation, Illegal Results and Instruction
Trapping will be able to detect such interference.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 17
TMS320F28004x Product Overview
www.ti.com
13.Critical configuration registers could be victim of interference from bus masters on MCU which implements
lower safety integrity functions. These can be protected by SYS1-Multi-Bit Enable Keys for Control Registers,
SYS2-Lock Mechanism for Control Registers, SYS8-EALLOW and MEALLOW Protection for Critical
Registers.
4.2.7 Suggestions for Addressing Common Cause Failures
System Integrator needs to execute a common cause failure analysis to consider possible dependent/common
cause failures on the sub-elements of the TMS320F28004x MCU, including pin level connections.
1. Consider a relevant list of dependent failure initiators, such as the lists found in ISO 26262-11:2018. Analysis
of dependent failures should include common cause failures among functional redundant parts and also
between functions and the respective safety mechanisms.
2. Verify that the dependent failure analysis considers the impact of the software tasks running on the
TMS320F28004x MCU, including hardware and software interactions.
3. Verify that the dependent failure analysis considers the impact of the pin or ball level interactions on the
TMS320F28004x MCU package, including aspects related to the selected I/O multiplexing.
The following should be considered for addressing the common cause failures when using the TMS320F28004x
MCU:
1. Redundant functions and safety mechanism can be impacted by common power failure. A common cause
failure on power source can be detected by PWR1-External Voltage Supervisor, PWR2-External Watchdog.
2. In general, a clock source which is common to redundant functions should be monitored and any failures on
the same can be detected by safety mechanisms such as CLK1-Missing Clock Detect (MCD), CLK2-Clock
Integrity Check Using CPU Timer, CLK5-External Clock Monitoring via XCLKOUT and CLK8-Periodic
Software Read Back of Static Configuration Registers. Specifically, to avoid common clock failure affecting
Internal Watchdog (WD) and CPU, it is recommended to use either INTOSC2 or X1/X2 as clock source to
PLL.
3. Failure of common reset signal to redundant functions can be detected by RST1-External Monitoring of Warm
Reset (XRSn), RST2-Reset Cause Information.
4. Common cause failure on Interconnect logic could impact both redundant functions and also functional safety
mechanism in same way. In addition to other safety mechanisms, INC1-Software Test of Function Including
Error Tests can be implemented to detect faults on interconnect logic.
5. Common cause failure could impact two functions used in a redundant way. In case the of communication
peripherals, module specific Information Redundancy Techniques Including End-to-End Safing can be
implemented to detect common cause failures, for example, CAN2-Information Redundancy Techniques
Including End-to-End Safing, SPI2-Information Redundancy Techniques Including End-to-End Safing, SCI3Information Redundancy Techniques Including End-to-End Safing, I2C3-Information Redundancy Techniques
Including End-to-End Safing.
6. Use different voltage references and SOC trigger sources for ADC (see Section 6.5.8).
7. Use ePWM modules from different sync groups for implementing Hardware Redundancy.
8. Use GPIO pins from different groups when implementing Hardware Redundancy for GPIO pins.
9. It is recommended that two PGA modules used in redundant way to not share same ground pin. Refer to
device specific datasheet for details on which PGA's share common ground.
18 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com TMS320F28004x Product Overview
4.3 C2000 Safety Diagnostics Libraries
The diagnostics libraries designed for the F28004x family of devices comprise of three libraries, namely, the
CLA_STL, C28x_STL and SDL. These libraries are designed to help TI customers, using the F28004x, develop
functionally safe systems that can comply with a wide range of standards for end products in the automotive
(ISO 26262), industrial (IEC 61508) and appliance (IEC 60730) markets. The CLA_STL and the C28x_STL
implements the CLA2 - Software Test of CLA and CPU3 - Software Test of CPU safety mechanisms and the SDL
provides examples for several safety mechanisms provided in the safety manual.
Table 4-1. DC and SCC Targeted for F28004x Diagnostic Libraries
Library
CLA_STL ≥ 90% ASIL D/SIL 3
C28x_STL ≥ 60% ASIL D/SIL 3
SDL Examples Only N/A
Permanent fault Diagnostic
Coverage
The CLA_STL and C28x_STL were independently assessed and found to be suitable for being integrated into
safety related systems up to ASIL D and SIL 3 according to ISO 26262:2018 and IEC 61508:2010 respectively.
The CLA_STL represents a safety mechanism with the capability to detect permanent faults of the Control Law
Accelerator (CLA) with a 90% Diagnostic Coverage. The C28x_STL represents a safety mechanism with the
capability to detect permanent faults of the C28x CPU with a 60% Diagnostic Coverage.
Systematic Capability
Compliance Description
This STL implements CLA2 -
Software Test of CLA
This STL implements CPU3 -
Software Test of CPU
The SDL provides examples of
several safety mechanisms
described in the safety manual
The SDL is generally called a Software Diagnostic Library and is an integral part of the overall safety related
collateral provided by TI. It comprises general example implementations of several safety mechanisms. The SDL
examples are developed using a Baseline Quality software development flow and are not required to be
compliant with any particular standard. As such, the SDL is not certified by TÜV SÜD. Users are expected to
study and adapt the provided examples into their safety related applications and are responsible to for their own
product level third party certifications.
In order to assist customers with getting their own product level certifications, TI has developed an F28004x
Compliance Support Package (CSP). The CSP provides documentation, source code, static analysis results,
MISRA C compliance results, unit test reports, dynamic analysis results, functional tests and integration
examples. The STL (C28x_STL and CLA_STL) libraries and the corresponding source code released in the CSP
demonstrate the product of a software development flow that is compliant with ISO 26262 ASIL D systematic
capability.
WARNING
In order to maintain the diagnostic coverage, the source code of C28x_STL and CLA_STL listed in
Table 4-4 and Table 4-5 must be used as delivered by TI and must not be modified when integrating
the libraries into the customer application. Any modification will certainly result in a compromise of
the safety goal for the final product, resulting in an unsafe operating environment for the end user.
Table 4-2 shows the tools used to develop the F28004x libraries.
Table 4-2. Tools Required for Integration of the F28004x STL
SW/HW/Tool Version Dependency
Code Composer Studio 9.2.0.00013 Integrated Development Environment
CGT 20.2.1.LTS Code Generation Tool Chain (Compiler,
C2000Ware V3.01.00.00 F28004x Header Files
TMDSCNCD280049C Rev. A F280049 controlCARD Information Guide
Assembler, Linker)
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 19
TMS320F28004x Product Overview
www.ti.com
The system integrator must consult the C28x_STL and CLA_STL user guides for all the details related to
installation and development.
The STLs were tested on the F28004x controlCARD.
4.3.1 Assumptions of Use - F28004x Self-Test Libraries
This section provides the high level details related to what a system integrator must consider during the process
of defining and building their F28004x based safety architecture.
The software support for the various safety mechanisms in the F28004x can be divided into the following three
categories:
• C28x Self-Test Library
• SDL – Software Diagnostic Library
• CLA Self-Test Library
A safe product built on the F28004x device hierarchically deploys each of the software solutions provided by TI.
The first in the hierarchy is the C28x_STL which detect permanent faults inside the CPU by implementing the
CPU3 - Software Test of CPU safety mechanism. The second in the hierarchy is the SDL which provides a
series of examples of safety mechanisms that are designed to detect permanent faults inside several key
elements within the F28004x device. Lastly, the CLA_STL which implements the CLA2 - Software Test of CLA
safety mechanism, can be deployed to detect permanent faults inside the CLA.
The CLA_STL makes use of, and depends on both the C28x CPU and the CLA to test the CLA. Therefore it is
important to run the C28x_STL first to make sure that the CPU is functioning properly and is capable of
performing the required safety operations. The SDL supports safety mechanisms such as: CLK2 - Clock Integrity
Check Using CPU Timer, CLK10 - Software Test of Watchdog (WD) Operation, CLK12 - Software Test of
Missing Clock Detect Functionality, SRAM14 - Software Test of Parity Logic, SRAM13 - Software Test of ECC
Logic, SRAM3 - Software Test of SRAM and several other key processing elements. The system integrator must
study all the safety mechanisms supported by the SDL and determine their applicability into the safety system
being designed. The safety system must be evaluated with respect to the startup and runtime constraints and
whether the software diagnostic tests can be run during POST, PEST or a combination of both.
The successful completion of the software diagnostics, selected by the system integrator, can be used as the
qualifier to run the test vectors supported by the CLA_STL.
4.3.2 Operational Details - F28004x Self-Test Libraries
The C28x_STL, SDL and the CLA_STL are co-hosted onto an F28004x target in order to enable the
comprehension of safety in the host application. Therefore, it is important for a system integrator to fully
comprehend all aspects of the associated system constraints imposed by the integration of the STLs to
comprehend safety.
4.3.2.1 Operational Details – C28x Self-Test Library
The C28x_STL implements the CPU3 - Software Test of CPU. This library achieves a diagnostic coverage of
60% and certified by TÜV SÜD to meet LFM for ISO26262:2018 ASIL B. The C28x_STL runs directly on the
CPU and effectively tests a subset of CPU Registers, CPU instructions, CPU flags, the FPU, TMU and VCUCRC functionality. The Viterbi and Complex Math instructions in VCU are not covered by C28x_STL and should
not be used for safety related software.
In order to run these tests, the C28x_STL occupies program memory storage space, and dedicated execution
RAM space. All the C28x_STL tests are destructive in nature, and do not have a method to restore the system
back to the original a sate. Since the C28x_STL tests and reports on the health of the CPU itself and the system
state cannot be meaningfully saved and restored, it must be integrated into the startup portion of the application.
System integrator should enable the watchdog to ensure the application is protected against runaway code.
The system integrator must consult the C28x_STL user guides and understand all aspects of integrating the
library into the host application.
20 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28004x Product Overview
4.3.2.2 Operational Details – CLA Self-Test Library
The CLA_STL, implements the CLA2 - Software Test of CLA. Similar to the C28x_STL the CLA_STL’s startup
tests are also destructive in nature and should be run during startup operations. The CLA_STL’s run time tests
comprise the bulk of the tests designed to run in conjunction with the host application. The CLA host application
must allocate the time and space for the run time tests. To achieve 90% permanent DC, the CPU must run both
the CLA_STL POST and PEST tests.
The system integrator must consult the CLA_STL user guides and understand all aspects of integrating the
library into the host application.
4.3.2.3 Operational Details – SDL
Table 4-3 is a mapping of SDL software modules and APIs to safety features and diagnostic.
Table 4-3. API Mapping
API Name Unique Identifier
STL_CAN_RAM CAN4, CAN15
STL_CPU_REG None, added for IEC 60730
STL_CRC
STL_March SRAM3
STL_OSC_CT CLK2
STL_OSC_HR OTTO1, CLK3
STL_PIE_RAM PIE6
sdl_ex_flash_ecc_test FLASH6
sdl_ex_mcd_test CLK12
sdl_ex_ram_access_protect SRAM10
sdl_ex_ram_ecc_parity_test SRAM13, SRAM14
sdl_ex_watchdog CLK10
Generic CRC calculation that could be used for any memory or for adding CRC to
communications - probably applies to several mechanisms
4.3.3 C2000 Safety STL Software Development Flow
The C28x-STL and CLA-STL are developed using the TUV-SUD Certified TI internal software development
process specification which targets software development flows for baseline quality, automotive quality and/or
functional safety quality. (for functional safety, specifically the target is systematic capability compliance with the
IEC 61508 and ISO 26262 standards). TUV-SUD certificate for TI's SW development process is available here.
The software development process specification describes the contents of the required deliverables during each
of the four phases, namely, Assess, Plan, Create and Validate. By adhering to this specification and complying
with the underlying processes, including methods and techniques (IEC 61508-3, ISO 26262-6), which are
comprehended in the work-products, it is ensured that a TI SW/FW development achieves a systematic
capability of ASIL D (ISO 26262-6) and SIL 3 (IEC 61508-3).
• Figure 4-12 depicts TI's (TUV-SUD certified) Software Development Life Cycle with respect to the various
quality levels supported by the process.
• Detailed supporting procedures are documented to ensure functional safety throughout the project life cycle.
Additional tools and techniques respecting the safety integrity levels of the targeted standards are applied at
each development phase.
• Functional safety audits and assessments are planned and conducted as per defined procedure. Qualified
personnel with adequate independence as required by the targeted standards and safety levels do these
audits and assessments.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 21
TMS320F28004x Product Overview www.ti.com
Figure 4-12. TI Software Development Lifecycle - Quality Level
4.3.4 Software Delivery Form (SDF) for STLs
The source code delivered with both C28x_STL and the CLA_STL must be validated with the reference MD5
information provided in Table 4-4 and Table 4-5 respectively. This is strongly recommended as a precautionary
step to ensure that the source code is exactly the same as what was certified by TÜV SÜD.
Table 4-4. MD5 Signatures for C28x-STL
c28x_stl.c 84a196c75d5ffabebf7c9041cd3ab4ca
c28x_stl.h 8c87c78bffddb4f8a803278d16b6e8a9
c28x_stl_s.asm 615df2a99ad9fced513cdca3e45aaa04
c28x_stl_tg00.asm d244f2f993ae616c4d417a93d01d3b3f
c28x_stl_tg01.asm d232dfb25921b336bf9b20a630d8d890
c28x_stl_tg02.asm 37077dbb7f7b0225d7a74a389a2f2710
MD5 Signature
c28x_stl_tg03.asm 56f2c5bdb0872bfe1d4e175165a14688
c28x_stl_tg04.asm aa2954de7fa798adf2e1de0fca768cb0
c28x_stl_tg05.asm 38eddd1531564c2c988701a735821c99
c28x_stl_tg06.asm 866f9ebce8c5b38e15567caa10656752
c28x_stl_tg07.asm 1514d04858e81aa27eea9039ec072a9c
c28x_stl_tg08.asm 44faeb49184284bbe6a76e7fbecccddb
c28x_stl_tg09.asm fa4940544caa8228d20658babca23825
22 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
TMS320F28004x Product Overview
Table 4-5. MD5 Signatures for CLA-STL
stl_cla_pest.c 41ec9de76bf24afc76fbd48b5b1ee197
stl_cla_post.c 8af146b665c6a5c7f76d87e8f7754181
stl_cla_registers_1.c f5d6c238e71a41e4fdf9554d51cd8bad
stl_cla_registers_2.c 4b055558d5bb49bc52fc7d2453cafadb
MD5 Signature
stl_cla_registers_3.c a2ebbc79d3f1d8a5ab347dd47443b324
stl_cla_s.asm 01c9c8f5839cf821846e97d7441a234e
stl_cla_utils.c aceeae34b58a96a403ec65bde3ec0888
stl_claswbist_s.asm 3eeb54030a2a08efef2a0a06039a5d65
stl_cla.h 3acb93691a464c7ae39020a77023d35d
stl_cla_internal.h 05b82e678c762b3250e9c5e0a4f11d74
4.4 TMS320F28004x MCU Safety Implementation
4.4.1 Assumed Safety Requirements
The following assumed safety requirements need to be implemented using external components by the Level 3
checker (VDA E-gas concept).
• External voltage monitor to supervise the power supply provided to the TMS320F28004x MCU
• External Watchdog timer that can be used for diagnostic purposes
• Components required for taking the system to safe state as per the TMS320F28004x MCU safe state defined
in Section 4.2.3.
4.4.2 Example Safety Concept Implementation Options on TMS320F28004x MCU
TMS320F28004x class of devices supports a pair of diverse processing units (C28x and CLA) with
heterogeneous asymmetric architectures, instruction sets and software tools. Either of the processing units can
be used to execute the intended function (the main real-time control function). The safety functions, which
ensure that each safety goal can be met, can be implemented by one of the processing units, utilizing the other
processing unit for diagnostic of random hardware failure by running Reciprocal Comparison by Software in
separate processing units providing high diagnostic coverage for the processing units (ISO 26262-5:2018, Table
D.4 and IEC 61508-2:2010, Table A.4). Safety mechanisms such as CPU Handling of Illegal Operation, Illegal
Results and Instruction Trapping, CLA Handling of Illegal Operation and Illegal Results, Internal Watchdog (WD)
and so forth, can also be utilized. Software Test of CLA and Software Test of CPU can be used to implement
latent fault coverage of the diagnostic function. Heterogeneous CPU cores minimize possibility of common mode
failures while implementing this reciprocal comparison, thereby improving confidence in its Diagnostic Coverage.
For common cause failures such as clock, power and reset, an external watchdog should be used. Here are
some definitions:
• Intended Function: Control application implemented on TMS320F28004x (PFC, DCDC, traction-inverter etc.)
• Safety Function: Achieves risk reduction and implemented for safety goals identified from HARA
– Example: prevent over-current, over/under voltage, over temperature, forward/reverse torque etc.)
– Shall meet >= 90% SPFM for both permanent and transient faults
• Diagnostic Function: Ensures safety-function will operate correctly when required
– Shall meet >= 60% LFM for ISO 26262:2018 (ASIL B compliance targeted) systems
The following are the safety concept options which can be implemented on TMS320F28004x.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 23
`
Power
Electronics
Ref
+
C28x
PFC+Safety
Actuation
Sensing
CLA
DC-DC
Actuation
Ref
+
Sensing
±
±
+
Power
Electronics
+
C2000 Microcontroller
TMS320F28004x Product Overview
4.4.2.1 Safety Concept Implementation: Option 1
Figure 4-13. Safety Concept Implementation Option 1
www.ti.com
• Intended Function: can be implemented on both C28x and CLA.
• Safety Function: Implement on C28x or CLA.
– SPFM can be met by Reciprocal Comparison by Software
• Diagnostic Function: Implement on the other processing unit.
– LFM can be met by Software Test of CLA or Software Test of CPU
24 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
`
Power
Electronics
Ref
+
C28x
PFC
Actuation
Sensing
CLA
DC-DC
Actuation
Ref
+
Sensing
±
±
+
Power
Electronics
+
PPB
ADC
+
±
CMP
TRIP-PWM
ERRORSTS
C2000 Microcontroller
DAC
www.ti.com
4.4.2.2 Safety Concept Implementation: Option 2
TMS320F28004x Product Overview
Figure 4-14. Safety Concept Implementation Option 2
• Intended Function: can be implemented on both C28x and CLA.
• Safety Function: Implement using hardware modules such as ADC-PPB, CMPSS, SDFM secondary filter,
CLB, and so forth.
– SPFM of the safety goal can be met by hardware redundancy between the modules used in implementing
safety function, Periodic Software Read Back of Static Configuration Registers and so forth.
• Diagnostic Function: Implement with hardware modules such as ADC-PPB, CMPSS, SDFM secondary filter,
CLB, and so forth
– LFM can be met by Software Test of Function Including Error Tests and so forth.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 25
D.2 E/E System
D.5 Digital I
D.7 Power Supply
D.5 Digital I
D.6 Bus
interface
D.4
Processing Unit
RAM
D.5 Digital 0
D.5 Analogue 0
D.3 Relay
ROM
D.8 Clock
D.2 E/E System
D.3
Harnesses
D.10
Actuator
D.3
Harnesses
D.10
Actuator
D.3
Harnesses
D.10
Actuator
D.3
Harnesses
D.9
Sensor
D.3
Harnesses
D.9
Sensor
Brief Description of Safety Elements
www.ti.com
5 Brief Description of Safety Elements
This section contains a brief description of the elements on the TMS320F28004x MCU device family, organized
based on the classification of parts of generic hardware of a system as indicated in Figure 5-1. For a full
functional description of any of these modules, see the device-specific technical reference manual. The brief
description of the hardware part is followed by the list of primary safety mechanisms that can be employed to
provide diagnostic coverage to the hardware part. Some safety standards have the requirement to provide
diagnostic coverage for the primary diagnostic measures (for example, Latent Fault Metric requirement from ISO
26262:2018). These measures are called as test of diagnostics. Primary diagnostics of type “Software” and
“Hardware/Software” involves execution of the software on the processing units and also use many of the MCU
parts like Interconnect, Memory (Flash, SRAM and ROM) and TMS320F28004x MCU infrastructure components
(Clock, Power, Reset and JTAG). In order to ensure integrity of the implemented primary diagnostics and their
associated diagnostic coverage values, measures to protect execution of primary diagnostics on respective
processing units needs to be implemented. Appropriate combination of test of diagnostics is recommended to be
implemented for parts of the MCU contributing the successful operation of the processing units. For diagnostics
for these parts, see the respective sections in this safety manual.
In case, separate test of diagnostic measures exist for a primary diagnostic measure, they are mentioned along
with the respective hardware part.
Figure 5-1. Generic Hardware of a System
5.1 TMS320F28004x MCU Infrastructure Components
5.1.1 Power Supply
The C2000 MCU device family requires an external device to supply the necessary voltage and current for
proper operation. Separate voltage rails are available for core (1.2 V), Analog (3.3 V), Flash (3.3 V) and I/O logic
(3.3 V). Following mechanisms can be used to improve the diagnostic coverage of C2000 MCU power supply.
• External Voltage Supervisor
• External Watchdog (using GPIO or a serial interface)
• Internal Watchdog (WD)
• Brownout Reset (BOR)
• Multi-Bit Enable Keys for Control Registers
• Lock Mechanism for Control Registers
• Software Read Back of Written Configuration
• Periodic Software Read Back of Static Configuration Registers
26 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements
• Online Monitoring of Temperature
• EALLOW and MEALLOW Protection for Critical Registers
Note
• Having independent voltage supervision at system level is an assumption used while performing
safety analysis.
• Devices can be implemented with multiple power rails that are intended to be ganged together on
the system PCB. For proper operation of power diagnostics, it is recommended to implement one
voltage supervisor per ganged rail.
• Common mode failure analysis of the external voltage supervisor along with TMS320F28004x
MCU is useful to determine dependencies in the voltage generation and supervision circuitry.
• Customer can consider using TI's TPS6538x power supply and safety companion device for
voltage supervision at system level.
5.1.2 Clock
The TMS320F28004x MCU device family products are primarily synchronous logic devices and as such require
clock signals for proper operation. The clock management logic includes clock sources, clock generation logic
including clock multiplication by phase lock loops (PLLs), clock dividers, and clock distribution logic. The
registers that are used to program the clock management logic are located in the system control module. The
following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Missing Clock Detect (MCD)
• Clock Integrity Check Using CPU Timer
• Clock Integrity Check Using HRPWM
• Dual clock comparator (DCC) - Type0
• External Monitoring of Clock via XCLKOUT
• Internal Watchdog (WD)
• External Watchdog
• Periodic Software Read Back of Static Configuration Registers
• Software Read Back of Written Configuration
• PLL Lock Profiling Using On-Chip Timer
• Peripheral Clock Gating (PCLKCR)
• Efuse ECC
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric
Requirements:
• Software Test of Watchdog (WD) Operation
• Software Test of Missing Clock Detect Functionality
Note
• Higher diagnostic coverage can be obtained by setting tighter bounds when checking clock
integrity using Timer2.
• TI recommends the use of an external watchdog over an internal watchdog for mitigating the risk
due to common mode failure. TI also recommends the use of a program sequence, windowed, or
question and answer watchdog as opposed to a single threshold watchdog due to the additional
failure modes that can be detected by a more advanced watchdog.
• Driving a high-frequency clock output on the XCLKOUT pin may have EMI implications. The
selected clock needs to be scaled suitably before sending out through IO.
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 27
Brief Description of Safety Elements
www.ti.com
5.1.3 Reset
The power-on reset (PORn) generates an internal warm reset signal to reset the majority of digital logic as part
of the boot process. The warm reset can also be provided at device level as an I/O pin (XRSn) with open drain
implementation. Diagnostic capabilities like NMI watchdog and Watchdog are capable of issuing a warm reset.
For more information on the reset functionality, see the device-specific data sheet.
The following tests can be applied as diagnostics for this module to provide diagnostic coverage on a specific
function.
• External Monitoring of Warm Reset (XRSn)
• Reset Cause Information
• Software Test of Reset
• Glitch Filtering on Reset Pins
• NMIWD Shadow Registers
• Periodic Software Read Back of Static Configuration Registers
• Software Read Back of Written Configuration
• NMIWD Reset Functionality
• Peripheral Soft Reset (SOFTPRES)
• Internal Watchdog (WD)
• External Watchdog
The following tests can be applied as test-for-diagnostics on this module to meet Latent Fault Metric
Requirements:
• Software Test of Watchdog (WD) Operation
Note
• Internal watchdogs are not a viable option for reset diagnostics as the monitored reset signals
interact with the internal watchdogs.
• Customer can consider using TI TPS6538x power supply and safety companion device for reset
supervision at system level.
5.1.4 System Control Module and Configuration Registers
The system control module contains the memory-mapped registers to configure clock, analog peripherals
settings and other system related controls. The system control module is also responsible for generating the
synchronization of system resets and delivering the warm reset (XRSn). The configuration registers include the
registers within peripherals that are not required to be updated periodically.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Multi-Bit Enable Keys for Control Registers
• Lock Mechanism for Control Registers
• Software Read Back of Written Configuration
• Periodic Software Read Back of Static Configuration Registers
• Online Monitoring of Temperature
• Peripheral Clock Gating (PCLKCR)
• Peripheral Soft Reset (SOFTPRES)
• EALLOW and MEALLOW Protection for Critical Registers
• Software Test of ERRORSTS Functionality
• Peripheral access protection - Type 0
28 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
www.ti.com
Brief Description of Safety Elements
Note
• Review the Clock and Reset sections as these features are closely controlled by the system
control module.
• Customer can consider using TI TPS6538x power supply and safety companion device for
ERRORSTS pin supervision at system level.
5.1.5 Efuse Static Configuration
The TMS320F28004x MCU device family supports a boot time configuration of certain functionality (such as trim
values for analog macros) with the help of Efuse structures. The Efuses are read automatically after power-on
reset by an autoload function.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Efuse Autoload Self-Test
• Efuse ECC
The following tests can be applied as a test-for-diagnostic on this module:
• Efuse ECC Logic Self-Test
• SRAM ECC
• SRAM Parity
• Software Test of SRAM
• VCU CRC Check of Static Memory Contents
5.1.6 JTAG Debug, Trace, Calibration, and Test Access
The TMS320F28004x MCU device family supports debug, test, and calibration implemented over an IEEE
1149.1 JTAG debug port. The physical debug interface is internally connected to a TI debug logic (ICEPICK),
which arbitrates access to test, debug, and calibration logic. Boundary scan is connected in parallel to the
ICEPICK to support usage without preamble scan sequences for easiest manufacturing board test. The following
tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific function):
• Hardware Disable of JTAG Port
• Internal Watchdog (WD)
• External Watchdog
5.2 Processing Elements
5.2.1 C28x Central Processing Unit (CPU)
The CPU is a 32-bit fixed-point processor with Floating point, Viterbi, Complex Math and CRC Unit (VCU) and
Trigonometric Math Unit (TMU) co-processors. This device draws from the best features of digital signal
processing; reduced instruction set computing (RISC); and microcontroller architectures, firmware, and tool sets.
The CPU features include a modified Harvard architecture and circular addressing. The RISC features are
single-cycle instruction execution, and register-to-register operations. The modified Harvard architecture of the
CPU enables instruction and data fetches to be performed in parallel. The CPU does this over six separate
address/data buses. Its unique architecture makes it amenable to integrate safety features external to CPU but
on chip, to provide improved diagnostic coverage.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Reciprocal Comparison by Software
• Software Test of CPU
• Periodic Software Read Back of Static Configuration Registers
• Access Protection Mechanism for Memories
• CPU Handling of Illegal Operation, Illegal Results and Instruction Trapping
SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Submit Document Feedback
Copyright © 2020 Texas Instruments Incorporated
Safety Manual for TMS320F28004x 29
Brief Description of Safety Elements
www.ti.com
• Internal Watchdog (WD)
• External Watchdog
• Information Redundancy Techniques
• Stack Overflow Detection
• Embedded Real Time Analysis and Diagnostic (ERAD)
The following tests can be applied as test-for-diagnostics on this module:
• VCU CRC Auto Coverage
Note
Measures to mitigate Common Cause Failure in CPU Subsystem: Common-cause failures are one of
the important failure modes when a safety-related design is implemented in a silicon device. The
contribution of hardware and software dependent failures is estimated on a qualitative basis because
no general and sufficiently reliable method exists for quantifying such failures. System Integrator
should perform a detailed analysis based on the inputs from ISO 26262-11:2018, Section 4.7 and IEC
61508-2:2010 Annex E (BetaIC method).
5.2.2 Control Law Accelerator
The Control Law Accelerator (CLA) is an independent, fully-programmable, 32-bit floating-point math accelerator
with independent ISA and independent compiler and it helps concurrent control-loop execution. The low
interrupt-latency of the CLA allows it to read ADC samples "just-in-time." This significantly reduces the ADC
sample to output delay to enable faster system response and higher MHz control loops.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Reciprocal Comparison by Software
• Software Test of CLA
• CLA Handling of Illegal Operation and Illegal Results
• Software Read Back of Written Configuration
• Periodic Software Read Back of Static Configuration Registers
• Information Redundancy Techniques
• CLA Liveness Check Using CPU
• Access Protection Mechanism for Memories
• Disabling of Unused CLA Trigger Sources
The following tests on SRAM allocated for CLA can be applied as a test-for-diagnostic on this module:
• Periodic Software Read Back of Static Configuration Registers
• Software Test of Function Including Error Tests
5.3 Memory (Flash, SRAM and ROM)
5.3.1 Embedded Flash Memory
The embedded Flash memory is a non-volatile memory that is tightly coupled to the C28x CPU. Each CPUSS
have its own dedicated flash memory. The Flash memory is not accessible by CLA or DMA. The Flash memory
is primarily used for CPU instruction access, though data access is also possible. Access to the Flash memory
can take multiple CPU cycles depending upon the device frequency and flash wait state configuration. Flash
wrapper logic provides prefetch and data cache to improve performance.
The following tests can be applied as diagnostics for this module (to provide diagnostic coverage on a specific
function):
• Flash ECC
• VCU CRC Check of Static Memory Contents
• Bit Multiplexing in Flash Memory Array
30 Safety Manual for TMS320F28004x SPRUID8C – AUGUST 2019 – REVISED SEPTEMBER 2020
Copyright © 2020 Texas Instruments Incorporated
Submit Document Feedback
Loading...