• State TI Thinks Resolved
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 31 subscribers
  • Views 36 views
  • Users 0 members are here
Support feedback
Options
Options
Related

AM2612: ESM clock dependency and functional safety under system clock failure

Ibuki Endo
Prodigy 80 points

Part Number: AM2612

Hi expert,

I would like to ask about the behavior of the ESM (Error Signaling Module) and its design from a functional safety perspective.
From the TRM and datasheet, I understand that ESM is a module that aggregates and reports errors. However, I could not find a clear description of which clock domain ESM operates on.
Could you please clarify the following points?

1. ESM clock dependency

Is ESM implemented as synchronous logic operating on the system clock?
Does ESM have any independent clock source, or is it fully dependent on the system clock?


2. Behavior under system clock failure
If the system clock stops or becomes unstable:

Is ESM able to process new error events?
Is the nERROR output guaranteed under such conditions?


3. Functional safety
If ESM operation may be limited under system clock failure:

What kind of safety architecture (e.g., WWDT, reset paths, etc.) ensures that the device ultimately transitions to a safe state?

 

Best regard,

Ibuki Endo

  • 0
    TI__Expert 7146 points

    Hello,

    Ibuki Endo said:

    1. ESM clock dependency

    Is ESM implemented as synchronous logic operating on the system clock?
    Does ESM have any independent clock source, or is it fully dependent on the system clock?

    Yes, ESM operates on the system clock as shown in TRM (snippet below):

    Ibuki Endo said:

    2. Behavior under system clock failure
    If the system clock stops or becomes unstable:

    Is ESM able to process new error events?
    Is the nERROR output guaranteed under such conditions?

    The error I/O pin can either operate in level or PWM mode. Failure in system clock can seize the clock going to ESM. In PWM mode operation, this causes the PWM waveform on the safety error pin to seize. Hence, the PWM mode of error pin is the recommended mode for safety critical applications. At this point, the external system monitoring the Error Pin needs to intervene, and ESM cannot operate.

    Ibuki Endo said:

    3. Functional safety
    If ESM operation may be limited under system clock failure:

    What kind of safety architecture (e.g., WWDT, reset paths, etc.) ensures that the device ultimately transitions to a safe state?

    As mentioned in the previous answer, the PWM toggling on the Error pin would stop when the clock to ESM stops, and hence that can be used by the external monitor to trigger the transition to safe state.

    Regards,

    Sahana