CCS/TMS570LS0232: Some questions based on TMS570LS0232 functional safety

Part Number: TMS570LS0232
Other Parts Discussed in Thread: HALCOGEN

Tool/software: Code Composer Studio

Hello, TI engineers

I have some questions about TMS570 functional safety.

1. My project requirement is that the system should be ASIL C. If I configure the TMS570LS0232 as ASIL D, it could be more helpful for other components. So how do I configure the TMS570LS0232 for functional safety ASIL D? Could you give us some examples?

2. In the safety manual, I have seen the TMS570LS0232 ADC self test. I want to know how to use HalCoGen to configure the ADC self test. Or which function could be used to run the ADC self test?

3. In ESM, I found most functions are used to check the parity. What is the parity test? Does it include a self test or not?

4. In HalCoGen, I found the SAFETY INIT page. If I configure everything as enabled on this page, would the self test reach the functional safety ASIL D requirements?

Thanks!

Regards!

Xinyu

  • Hello Xinyu,

    I will try to address your comments one by one.

    Xinyu Wang said:
    1. My project requirement is that the system should be ASIL C. If I configure the TMS570LS0232 as ASIL D, it could be more helpful for other components. So how do I configure the TMS570LS0232 for functional safety ASIL D? Could you give us some examples?

    There is no ASIL D specific configuration. ASIL is assigned based on the Hazard and Risk Assessment to arrive at the required system ASIL level. Certainly, there could be value in targeting a higher ASIL rating on some components so they consume a smaller portion of the overall safety metrics allotted for a system to achieve a certain rating.

    In order to fully understand how to "configure" the device, you will need to identify your safety goal(s) and determine which features in the MCU are being used in protecting/performing that safety goal along with all of the other components in the critical path of the safety goal. On the MCU side, you would then determine which of the diagnostics are required to achieve the appropriate diagnostic coverages and to achieve the required safety metrics. This is where the FMEDA tool from TI comes into play. It allows customization of the calculation of the FIT rates and, more importantly, the safety metrics to your specific application. These metrics can then be used in conjunction with the metrics at the system level to help you achieve your targeted safety levels with respect to the identified safety goal/safety function.

    In short, what you are referring to as the configuration of the device to meet ASIL D is dependent on your system level needs and your safety goal as well as the system level implementation. We provide guidelines and tools that help you achieve these targets but we are only a component in your system that has to be used in accordance with our provided documentation (see the safety manual that is publicly available on the device specific product page, safety analysis reports which are under NDA and available only through the SafeTI Private forum (request access here:) and all other device associated collaterals such as the TRM, Datasheet, and Errata documents).

    Xinyu Wang said:
    2. In the safety manual, I have seen the TMS570LS0232 ADC self test. I want to know how to use HalCoGen to configure the ADC self test. Or which function could be used to run the ADC self test?

    Setting up and running the ADC selftest is described in the TRM and may require you to write this code yourself if you are not using the SafeTI Diagnostic Library (SDL) which includes code for this diagnostic. The SDL is available here: 

    Xinyu Wang said:
    3. In ESM, I found most functions are used to check the parity. What is the parity test? Does it include a self test or not?

    In the device you are using, most of the peripheral RAMs are protected using Parity. Without specific examples of the functions you are referring to, I assume the tests in question are performing a 'proof of function' type of test where we introduce a parity error then read the location to trigger the error notification. This provides assurance that the Parity diagnostic is working properly. It is a latent fault or test for diagnostic test.

    Xinyu Wang said:
    4. In HalCoGen, I found the SAFETY INIT page. If I configure everything as enabled on this page, would the self test reach the functional safety ASIL D requirements?

    No, but it depends. As part of defining your safety goal in your system you need to determine your FTTI or Fault Test Time Interval. If each power cycle is less than the FTTI, then simple boot time tests could be sufficient. However, this is almost never the case and there is a need to do some periodic testing. Also, the Safety Init would need to be validated by you/your company as part of your system level implementation. i.e., you need to be certain these tests are testing everything you need to achieve your safety goal. Many of the tests in the Safety Init function are tests for latent faults. This helps with the LFM metric but not SPFM so much.

    In summary, I would strongly encourage you to review the DIA information within the Safety Manual and to understand the System Integrator Responsibilities vs the device manufacturer responsibilities. There are many steps that I think you have overlooked in the definition of your project and in the traceability of requirements, requirements generation, etc. These all feed back to following the required safety development process identified in the ISO26262 standards. For a very basic training on safety, please have a look at the 4-part safety training we have posted on TI.com at this location: training.ti.com/functional-safety-4-part-training-series
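
The 'proof of function' parity test described in the answer to question 3, as an added example that is not part of the original thread and is not TI, HALCoGen or SDL code. It runs against a constructed software model of a parity-protected RAM rather than real device registers, and every name in it (`pram_t`, `parity_selftest`, `demo`) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed software model of a parity-protected RAM; not TMS570 registers. */
typedef struct {
    uint32_t data[8];
    uint8_t  parity[8];   /* one stored odd-parity bit per word */
    bool     check_en;    /* false models a parity checker that is stuck or disabled */
    bool     err_flag;    /* models the error notification */
} pram_t;

typedef enum { DIAG_OK, DIAG_FALSE_ALARM, DIAG_NOT_DETECTED } diag_t;

static uint8_t odd_parity(uint32_t w) {
    w ^= w >> 16; w ^= w >> 8; w ^= w >> 4; w ^= w >> 2; w ^= w >> 1;
    return (uint8_t)(~w & 1u);   /* data bits plus parity bit hold an odd number of 1s */
}

static void pram_write(pram_t *m, uint32_t i, uint32_t v) {
    m->data[i] = v;
    m->parity[i] = odd_parity(v);
}

static uint32_t pram_read(pram_t *m, uint32_t i) {
    if (m->check_en && m->parity[i] != odd_parity(m->data[i])) m->err_flag = true;
    return m->data[i];
}

/* Proof-of-function test: inject a parity error, read, expect the notification. */
diag_t parity_selftest(pram_t *m, uint32_t i) {
    uint32_t saved = m->data[i];
    diag_t r = DIAG_OK;
    m->err_flag = false;
    (void)pram_read(m, i);
    if (m->err_flag) return DIAG_FALSE_ALARM;   /* alarm on a healthy word */
    m->parity[i] ^= 1u;                         /* models a test-mode write to the parity bit */
    (void)pram_read(m, i);
    if (!m->err_flag) r = DIAG_NOT_DETECTED;    /* the diagnostic itself has failed */
    pram_write(m, i, saved);                    /* restore data and good parity */
    m->err_flag = false;
    return r;
}

/* Runs the test on word 3; returns the result, or -1 if the word was disturbed. */
int demo(bool checker_works) {
    pram_t m = { .check_en = checker_works };
    for (uint32_t i = 0; i < 8; i++) pram_write(&m, i, 0xA5A50000u + i);
    diag_t r = parity_selftest(&m, 3);
    return (m.data[3] == 0xA5A50003u && m.parity[3] == odd_parity(m.data[3])) ? (int)r : -1;
}
```

With a working checker the test passes and leaves the word intact; with the checker disabled the injected error goes unreported, which is the latent fault in the diagnostic that this kind of test exists to expose.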