AM2732-Q1: CC6X.RAM2-Memory Parity and C66X.RAM3 Memory ECC

Part Number: AM2732-Q1

In the safety manual <SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf>:

6.3.3 A Repeated Test and Sanity Checking With Previous Results Test of Function
To detect permanent and transient errors in the GPADC computation for calibration, repeated GPADC computation can be triggered by CPU on the same input data and outputs compared and evaluated for consistent results by the CPU.

How to understand this description and how to implement it in the software  ?

Part Number: AM2732-Q1

In the safety manual <SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf>:

Hardware and software diagnostics
•
GIO1A - Boot time Software Test of Function Using I/O Loopback
•
GIO1B - Periodic Software Test of Function Using I/O Loopback
•
GIO2 - Information redundancy techniques
•
GIO3 - Periodic software readback of static configuration registers
•
GIO4 - Software readback of written configuration

I have two questions here ,

1 How to understand I/0 Loopback ? it is a test pin or it can work on a normal pin ?

2 How to understand "Information redundancy techniques" , can you give me an example ? if we have GIP redundancy, why we still need other safety mechanism in GIO ?

Part Number: AM2732-Q1

72

In the safety manual <SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf>:

EDMA1 - Software test of basic functionality including error tests

For functional safety design, why we need to do this ? how can we do it on EDMA ? startup or cycle?

Part Number: AM2732-Q1

71

In the safety manual <SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf>:

REG2 - Software test of basic functionality including error tests

How to implement this safety mechanism in software design ? and in other IPs, It has the smilar safety mechanism ?

Part Number: AM2732-Q1

Safety manual : SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

RTI5 - Software test of basic functionality including error tests

For the RTI5, Why it is needed for customer ? if so , how customer do on it ?

Part Number: AM2732-Q1

Safety manual : SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

6.3.1 1oo2 Software Voting Using Secondary Free Running Counter
1 out of 2 (1oo2) channel architecture is a technique defined by the IEC 61508 safety standard. In this case 1oo2 architecture, is a two channel system where either of the two channels can perform the safety function. They then can be compared to ensure they match.
The RTI module contains at minimum two up-counters that can be used to provide an operating system time-tick. While one up-counter is used as the operating system time-base, it is possible to use the second up counter as a diagnostic on the first, via periodic check via software of the counter values in the two timers.
The PMU CPU cycle counter inside the Cortex-R5F CPU can also be used to support such a diagnostic.
Error response, diagnostic testability, and any necessary software requirements are defined by the software implemented by the system integrator. The use of a second counter to diagnose faults in RTI is recommended

For this safety mechanism, how customer do in software side ? just like the yellow part, it is done in the mcu hardware module already, customer only need to config ??

Part Number: AM2732-Q1

Safety manual : SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

In chapter 5.25 MDO/Aurora

The following tests can be applied as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):
•
To be added in subsequent release of SM

whether do you have a new version of safety maunal to supplement here ?

Part Number: AM2732-Q1

6.3.84 PCR Access Management
The peripheral central resource (PCR) provides two diagnostic mechanisms that can limit access to peripherals. Peripherals can be clock gated per peripheral chip select in the PCR. This can be utilized to disable unused features such that they cannot interfere with active safety functions. In addition, each peripheral chip select can be programmed to limit access based on privilege level of transaction. This feature can be used to limit access to entire peripherals to privileged operating system code only. These safety mechanisms are disabled after reset. Software must configure and enable these mechanisms. Use of these mechanisms is highly recommended.

HOW does customer do on this ? on config to hardeare register ?

Part Number: AM2732-Q1

In the safe manual SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

5.37 Vectored Interrupt Manager (VIM)
The Vectored Interrupt Manager (VIM) aggregates device interrupts and sends them to the R5F CPU(s). It can be used in either split or lockstep configuration.

here it say interrupt are sent to R5F CPU , If so , how about DSP ,? Whether DSP can receive and response interrupt event ?

Part Number: AM2732-Q1

In the safe manual SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

6.3.141 VIM SRAM Data ECC with DED Vector
 The presence of the DED vector provides a mechanism for an orderly transition to a fault detected state. In some cases, it may be possible to recover from double bit errors. A copy of the Vectored Interrupt Manager (VIM) SRAM contents needs to be mirrored in a separate ECC protected memory. The VIM SRAM can be updated either in part or in

who makes the SRAM contents need to be mirrored in ECC memory ? it is done by hardware automatically or it is done by software ?

Part Number: AM2732-Q1

In the safe manual SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

5.37 Vectored Interrupt Manager (VIM)

VIM module is specifically designed to work with Cortex R5F and is an improvement over ARMs own VIC module. VIM provides lockstep functionality which is critical to meet ASIL C/D requirements.

whether it means that for VIM itself, it has locstep mode ?

Part Number: AM2732-Q1

In the safe manual SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

RST10 - Software test of basic reset functionality

For the safety mechanism of RST10,  does customer need to implement this for our functional safety design ? if we need to , how can we do it ?

Part Number: AM2732-Q1

In the safe manual SWRU569_AM273x_Safety_Manual_22_sep_revA.pdf:

RST1 - External monitoring of warm reset

In the safety manual , it seems that it is a must for customer to implement RST1, Whether it is correct ? whether we can ignor it ?

when and how  TI Field Applications Engineering Team will connect me ? how about close it when all the questions are clear ?

when will you give me feedback of these questions ? I am waiting for it.

When can you give me feedback ?

When can you give me feedback ?

When can you give me feedback ?

When can you give me feedback ?