AM2612: Diagnostics feature for the line between DCC/CCM to ESM

Hideaki Matsumoto

Genius 9120 points

Part Number: AM2612

Tool/software:

Hi,

My customer has questions regarding the diagnostics feature for Functional Safety.

Is there any way to detect a failure if any issue occurs on the line of DCC to ESM and CCM to ESM ?

Also, is there any way to diagnose these lines ?

The customer needs to prepare the explanation to TUV.

Thanks and regards,

Hideaki

3 months ago

0 Nilkanth Pathak 3 months ago

TI__Prodigy 410 points

Matsumoto-san,

As per AM261x ESM implementation,

1. Failure in the 'input lines' from DCC or CCM logic can be detected by a combination of "ESM3 - SW test of basic functionality" AND (ESM-F3 Redundant pulse inputs OR ESM-F5 continuous sampling of level inputs).
2. Such failure is assumed to be a latent fault and hence can remain undetected unless an actual DCC or CCM logic error needs to be conveyed to ESM. Therefore, this is a part of ESM's latent fault check safety mechanisms.

These failure modes are accounted for in the ESM FMA row items 68 and 69 (shared separately as internal document)

Regards,
Nilkanth

0 Hideaki Matsumoto 2 months ago in reply to Nilkanth Pathak

TI__Genius 9120 points

Hi Nilkanth,

Thank you for your answers. The customer would like to know a little more detail for explaining to TUV. Could you help to answer their questions below ?

Nilkanth Pathak said:
1. Failure in the 'input lines' from DCC or CCM logic can be detected by a combination of "ESM3 - SW test of basic functionality" AND (ESM-F3 Redundant pulse inputs OR ESM-F5 continuous sampling of level inputs).

Could you tell them in the concrete how it can be performed ?

If there is a specific method, can you tell them ?

For example, is it diagnosing periodically if DCC or ESM works correctly by generating a pseudo error by ESM3-SW test against ESM-F3 Redundant pulse diagnostic function or ESM-F5 continuous sampling function ?

Could you tell them if there is any specific method ?

Nilkanth Pathak said:
2. Such failure is assumed to be a latent fault and hence can remain undetected unless an actual DCC or CCM logic error needs to be conveyed to ESM. Therefore, this is a part of ESM's latent fault check safety mechanisms.

Does this mean that it is possible to exclude a undetected matter by periodically performing DCC, CCM, etc. and using input lines to ESM ?

They don’t understand much about “part of ESM’s latent fault check safety mechanisms”, so it would be helpful if they can receive more detailed explanation of it.

Thanks and regards,

Hideaki

+1 Sahana H G 2 months ago in reply to Hideaki Matsumoto

TI__Expert 5416 points

Matsumoto-san,

Hideaki Matsumoto said:
Could you tell them if there is any specific method ?

As mentioned in the Safety Manual description of ESM3 - "To test the basic functionality of this module, it is recommended to create a test fault condition that would be reported by the ESM. This test can be run periodically to check the error interrupts are generated as expected. Additionally, this test can be run to check the error output pin itself. In this case, the system needs to be in a state where it is expecting a test error signal, such as before the safety function begins." Hence in this case, it would mean to inject a fault in the DCC and CCM modules and check whether that fault is reported through the ESM.

One way to inject a fault into the DCC would be to perform a DCC clock comparison with EXT_REFCLK without actually providing any clock to the EXT_REFCLK, which would result in a DCC error.

On how to inject a fault into the CCM module, you can refer to section 7.1.3.13.2.1.3 Error Forcing Mode in the device TRM here: AM261x Sitara Microcontrollers Technical Reference Manual (Rev. B).

ESM-F3 and ESM-F5 are enabled by default in hardware, and hence nothing additional needs to be implemented on that.

Regards,

Sahana

Arm-based microcontrollers

Arm-based microcontrollers forum

AM2612: Diagnostics feature for the line between DCC/CCM to ESM