www.ti.com
C2000 MCU Architecture Safety Mechanisms and Assumptions of Use
Essentially, CPUs, registers or subsystem failures usually remain dormant or inactive unless a software or
hardware mechanism monitors them periodically. Table 3 lists the commonly used safety diagnostic
functions that enable safety features and attributes across subsystems. These functions are referenced in
Table 6.
These functions are the recommended common methods that can be enhanced as needed to suite each
application with its internal or external hardware assist mechanisms.
Table 3. Functional Descriptions of Safety Modules in C2000 MCUs
Safety Diagnostics Functions to
Enable Safety Attributes and
Features Description
Self Test , Autocoverage Periodic execution enables inherent self-checking features. This helps to detect latent faults.
Periodic read back of configuration registers can provide a diagnostic for inadvertent writes or
disturb of these registers. Error response, diagnostic testability, and any necessary software
Periodic Read Back
requirements are defined by the software implemented by the system integrator. This is a
recommended operation.
In order to ensure proper configuration of memory-mapped control registers, it is highly
Read Back of Written Configuration recommended that software implement a test to confirm proper operation of all control register
writes.
C28x CPUs support interrupt controllers, each have expansion modules to address wide range of
interrupts. These interrupts sources are managed by enable and mask registers for prioritization.
Interrupt Sweep Interrupt sweep tests are internal self-tests that trigger interrupts when each CPU sets the interrupt
flag registers. This function enables all the interrupt flags, sequentially, blocking the peripheral
sources to check periodicity and correct occurrence of interrupts. This is a recommended function.
This function is a practical and easy method to trace the program execution to detect orderly
execution of the critical interrupts among the configured peripherals. In most systems, program code
Run Time Code Trace jumps and branches in a predetermined code execution path, particularly in critical control loops.
Tracing the hardware or software semaphores as a signature of orderly entry and exit checks
proper timing of interrupts and peripheral functionality. This is a highly recommended function.
Piccolo and Delfino MCUs do not support ECC and parity logic for memory blocks to provide error
correction. To enable the memory safety and autocoverage, a CRC calculation and periodic
CRC and Read and Write
memory read and write operation has to be implemented. This function is a highly recommended
function.
Not all communication ports have data integrity check during transmit sessions. However, most of
these peripherals do have an internal loopback. This function is intended to periodically enable
Loopback Tests loopback mechanism and check for data integrity. It is recommended these tests are done with IO
mux in input mode to avoid external signal visibility at the pin level, during test. This function is a
recommended function.
Clock timing and frequency check is necessary to guarantee proper operations of the clocking
mechanisms. This ensures the overall timing dependencies are with operating conditions. Scale
factor Optimizer (SFO) functions are software libraries that are built with internal hardware assist
SFO Clock Accuracy Check
logic in C2000 MCU devices that can help to measure and clock accuracies. Details of SFO
functions are in explained in the TMS320x2806x Piccolo Technical Reference Manual (SPRUH18).
This is a highly recommended function.
Parallel signature analysis is a hardware assist safety unit, part of C28x architecture that can
calculate 40-bit CRC across specified memory buses. This function is a software function with
PSA Function specific instructions to enable the PSA feature and calculate the CRC of memory reads and writes
and program fetches. This function is available as part of the IEC60730 library function to the C28x
CPU. This is a highly recommended function.
All of the dual CPU (CPU +CLA) systems require periodic interprocessor communication exchange
for safe operation and to implement virtual dual channel topologies. Implementing software and
hardware linked handshake function, during runtime help to maintain timing and system integrity.
Handshake Function
These are user application specific functions and can be easily adapted to build the system level
handshakes. This ensures reliable data exchange and status monitoring. This is a highly
recommended function.
Most MCU firmware implements custom hardware or software functions (IP intellectual property) to
differentiate the application. These are either ROM/Flash or RAM-based functions invoked during
Custom Application Module runtime of the applications. These functions should have explicit data integrity checks (program
code CRC) and functional checks using test vectors ensuring the custom software block will function
correctly for the intended application.
One of two channels scheme is a method to implement software voting of correct functioning using
similar peripherals, with one of the spare peripherals acting as a reference to compare. For
1oo2 Software Voting
example, use spare and redundant Timer resources to compare the correct functioning of the
primary Timer resources. This is a recommended function.
25
SPRUHI3A–April 2013–Revised August 2013 Safety Manual for C2000™ MCUs in IEC60730 Safety Applications
Submit Documentation Feedback
Copyright © 2013, Texas Instruments Incorporated
To Next Page
Loading...
Need help?
General
