
Texas Instruments C2000 User Manual

4.6 Management of Exception and Errors
The Piccolo and Delfino MCU product architectures leverage CPU interrupt and peripheral interrupt
expansion (PIE) blocks for event triggers and preemption of software functions. These interrupts can be
prioritized using the PIE module and respond to the respective interrupt flags from various peripherals.
These interrupts can also be activated using software interrupt instructions such as TRAP. All the hardware
safety mechanisms use these interrupt flags to generate error conditions to the CPU. The IEC60730 safety
library routines can be tied to either hardware interrupt flags or software interrupt initiated functions to
preempt the CPU to perform the necessary safety recovery or reach a safe state. The IEC60730 libraries
support an error and exception reporting function using the on-chip UART and SCI port. Providing an
external communication port-based error function allows system error logging during validation and
runtime use of the application. This function can be easily customized in the end application based on the
error reporting needs. For details of PIE and CPU interrupt mapping, see the Piccolo or Delfino MCU
technical reference manuals (see Table 1).
5 C2000 MCU Architecture Safety Mechanisms and Assumptions of Use
You, as a system and equipment manufacturer or designer, are responsible to ensure that your systems
(any TI hardware or software components incorporated in your systems) meet all applicable safety,
regulatory, and system-level performance requirements. All application and safety related information in
this document (including application descriptions, suggested safety measures, suggested TI products, and
other materials) is provided for reference only. You understand and agree that your use of TI components
in safety critical applications is entirely at your risk, and that you (as buyer) agree to defend, indemnify,
and hold harmless TI from any and all damages, claims, suits, or expense resulting from such use. In this
section, the safety mechanisms for each major functional block of the C2000 MCU architecture are
summarized and general assumptions of use are provided. This information should be used to determine
the strategy for utilizing functional safety mechanisms. The details of each safety mechanism can be
found in the device-specific technical reference manual for the MCU used.
TI classifies technical recommendations for the use of safety mechanisms into a number of categories.
The TI recommendations should not be considered infallible. There are many diverse ways to implement
safe systems and alternate safety mechanisms may be possible that can provide support to achieve
desired safety metrics. The categories of recommendation are as follows:
• Mandatory - A mandatory notation indicates a safety mechanism that is always operable during
  normal functional operation and cannot be disabled by user action.
• Highly Recommended - A highly recommended notation indicates a safety mechanism that TI believes
  to provide a high value of diagnostics, which are difficult to implement by other means. The user
  retains the choice of whether or not to utilize the safety mechanism in their design, as user action is
  either needed to enable the safety mechanism or user action can disable the safety mechanism.
• Recommended - A recommended notation indicates a safety mechanism that TI believes to provide a
  valuable diagnostic, which may also be implemented by other means. The user retains the choice of
  whether or not to utilize the safety mechanism in their design, as user action is either needed to enable
  the safety mechanism or user action can disable the safety mechanism.
• Optional - An optional notation indicates a safety mechanism that TI believes to provide a lower value
  diagnostic, which may also be implemented by other means. The user retains the choice of whether or
  not to utilize the safety mechanism in their design, as user action is either needed to enable the safety
  mechanism or user action can disable the safety mechanism.
5.1 Standard Safety Diagnostic Functions With C2000 MCUs and Subsystems
The C2000 MCU system has several functional safety features that can initiate fault or error interrupts
when a fault occurs. However, except for a few special hardware modules, not all of these safety
modules are able to generate alarms in their dormant state. The IEC60730 class of safety software
libraries helps to monitor all the MCU regions, CPU, memory, and peripherals, and generates error
conditions if they show any abnormalities. For example, memory locations may show failure due to device
marginality or external influence during application runtime. These error conditions can be detected using
periodic execution of IEC60730 memory check algorithms.
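The periodic memory check described above, combined with the error-report hook from Section 4.6, as an
added example (not code from TI's IEC60730 library): a CRC-16 over an invariant memory region is computed
a few words per call and compared with a reference recorded while the region was known good. The names
mem_check_t, mem_check_crc, mem_check_step and fault_report_fn, the CRC polynomial and the slice size are
assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hook: stands in for the SCI/UART error-report function. */
typedef void (*fault_report_fn)(uint16_t expected, uint16_t actual);

typedef struct {
    const uint16_t *base;   /* invariant region under test */
    size_t words;           /* region length in 16-bit words */
    size_t next;            /* next word to fold into the CRC */
    uint16_t crc;           /* running CRC for the current pass */
    uint16_t reference;     /* CRC recorded when the region was known good */
    fault_report_fn report; /* may be NULL */
} mem_check_t;

/* CRC-16/CCITT-FALSE update for one byte (polynomial 0x1021). */
static uint16_t crc16_byte(uint16_t crc, uint16_t byte) {
    crc ^= (uint16_t)(byte << 8);
    for (int i = 0; i < 8; i++)
        crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    return crc;
}

/* CRC of a whole region, used once to record the reference value. */
uint16_t mem_check_crc(const uint16_t *p, size_t words) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < words; i++) {
        crc = crc16_byte(crc, p[i] >> 8);
        crc = crc16_byte(crc, p[i] & 0xFFu);
    }
    return crc;
}

/* One periodic slice, called from a timer interrupt or background task.
 * Returns 0 = pass in progress, 1 = pass completed clean, -1 = mismatch. */
int mem_check_step(mem_check_t *c, size_t slice_words) {
    if (c->next == 0) c->crc = 0xFFFFu;            /* start of a new pass */
    while (slice_words-- > 0 && c->next < c->words) {
        uint16_t w = c->base[c->next++];
        c->crc = crc16_byte(c->crc, w >> 8);
        c->crc = crc16_byte(c->crc, w & 0xFFu);
    }
    if (c->next < c->words) return 0;              /* more slices needed */
    c->next = 0;                                   /* pass finished, rearm */
    if (c->crc == c->reference) return 1;
    if (c->report) c->report(c->reference, c->crc);
    return -1;                                     /* caller enters its safe state */
}
```

Slicing the check keeps each call short enough to run inside a periodic interrupt; a corrupted word is detected at the end of the pass that covers it.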
Safety Manual for C2000™ MCUs in IEC60730 Safety Applications, SPRUHI3A, April 2013, Revised August 2013
Copyright © 2013, Texas Instruments Incorporated
