# Functional Safety Manual for MSPM0Lx22x-Q1

Functional Safety Information



Literature Number: SFFS948 MAY 2025

# Table of Contents

# TEXAS INSTRUMENTS

| 1 Introduction                                                                                                                    | 5  |
|-----------------------------------------------------------------------------------------------------------------------------------|----|
| 2 MSPM0Lx22x-Q1 Hardware Component Functional Safety Capability                                                                   | 6  |
| 3 Development Process for Management of Systematic Faults                                                                         |    |
| 3.1 TI New-Product Development Process                                                                                            |    |
| 3.2 TI Functional Safety Development Process                                                                                      | 8  |
| 4 MSPM0Lx22x-Q1 Component Overview                                                                                                | 9  |
| 4.1 Targeted Applications                                                                                                         | 10 |
| 4.2 Hardware Component Functional Safety Concept                                                                                  | 10 |
| 4.3 Functional Safety Constraints and Assumptions                                                                                 | 10 |
| 5 Description of Hardware Component Parts                                                                                         |    |
| 5.1 ADC                                                                                                                           | 13 |
| 5.2 Comparator                                                                                                                    |    |
| 5.3 CPU                                                                                                                           |    |
| 5.4 RAM                                                                                                                           |    |
| 5.5 FLASH                                                                                                                         |    |
| 5.6 GPIO                                                                                                                          |    |
| 5.7 DMA                                                                                                                           |    |
| 5.8 SPI                                                                                                                           |    |
| 5.9 I2C                                                                                                                           |    |
| 5.10 UART                                                                                                                         |    |
| 5.11 Timers (TIMx)                                                                                                                |    |
| 5.12 Power Management Unit (PMU)                                                                                                  |    |
| 5.13 Clock Module (CKM)                                                                                                           |    |
| 5.14 Events                                                                                                                       |    |
| 5.15 IOMUX                                                                                                                        |    |
| 5.16 VREF                                                                                                                         |    |
| 5.17 WWDT and IWDT                                                                                                                |    |
| 5.18 CRC                                                                                                                          |    |
| 6 MSPM0Lx22x-Q1 Management of Random Faults                                                                                       |    |
| 6.1 Fault Reporting                                                                                                               |    |
| 6.2 Functional Safety Mechanism Categories                                                                                        |    |
| 6.3 Description of Functional Safety Mechanisms.                                                                                  |    |
| A Summary of Recommended Functional Safety Mechanism Usage                                                                        |    |
| B Distributed Developments.<br>B.1 How the Functional Safety Lifecycle Applies to TI Functional Safety Products                   |    |
| B.1 How the Functional Salety Lifecycle Applies to 11 Functional Salety Products<br>B.2 Activities Performed by Texas Instruments |    |
| B.2 Activities Performed by Texas Instruments.                                                                                    |    |
| C Revision History                                                                                                                |    |
|                                                                                                                                   |    |

# List of Figures

| Figure 3-1. TI New-Product Development Process | . 7 |
|------------------------------------------------|-----|
| Figure 4-1. MSPM0Lx22x-Q1 Device Block Diagram | 9   |
| Figure 4-2. MSPM0Lx22x-Q1 Typical Application  | 10  |

# List of Tables

| Table 3-1. Functional Safety Activities Overlaid on top of TI's Standard Development Process | 8  |
|----------------------------------------------------------------------------------------------|----|
| Table 5-1. ADC Safety Mechanisms                                                             |    |
| Table 5-2. Comparator Safety Mechanisms                                                      | 15 |
| Table 5-3. CPU Safety Mechanisms                                                             |    |



| Table 5-4. RAM Safety Mechanisms                                                      | 17 |
|---------------------------------------------------------------------------------------|----|
| Table 5-5. Flash Safety Mechanisms                                                    | 17 |
| Table 5-6. GPIO Safety Mechanisms                                                     |    |
| Table 5-7. DMA Safety Mechanisms                                                      | 19 |
| Table 5-8. SPI Safety Mechanisms                                                      | 20 |
| Table 5-9. I2C Safety Mechanisms                                                      | 21 |
| Table 5-10. UART Features                                                             | 22 |
| Table 5-11. UART Safety Mechanisms                                                    |    |
| Table 5-12. TIMx Instance Configuration                                               |    |
| Table 5-13. TIMx Cross Trigger Map (PD0)                                              |    |
| Table 5-14. Timers Safety Mechanisms                                                  |    |
| Table 5-15. PMU Safety Mechanisms                                                     | 25 |
| Table 5-16. CKM Safety Mechanisms                                                     | 27 |
| Table 5-17. Events Safety Mechanisms                                                  | 27 |
| Table 5-18. IOMUX Safety Mechanisms                                                   |    |
| Table 5-19. VREF Safety Mechanisms                                                    |    |
| Table 5-20. WWDT and IWDT Safety Mechanisms                                           |    |
| Table 5-21. CRC Safety Mechanisms                                                     |    |
| Table 6-1. Configuration Registers Associated With Different Safety Mechanisms        | 32 |
| Table 6-2. IOMUX Coverage                                                             |    |
| Table 6-3. Safety Mechanisms Covering Common Cause Failures                           |    |
| Table A-1. Legend of Functional Safety Mechanisms                                     |    |
| Table A-2. Summary of Safety Features and Diagnostics                                 | 43 |
| Table B-1. Activities Performed by Texas Instruments Versus Performed by the Customer |    |
| Table B-2. Product Functional Safety Documentation.                                   |    |
|                                                                                       |    |



This document is a functional safety manual for the Texas Instruments MSPM0Lx22x-Q1 component. The specific orderable part numbers supported by this functional safety manual are as follows:

- MSPM0L2228-Q1 (Orderable Part Numbers: M0L2228QPTRQ1, M0L2228QPNRQ1, M0L2228QPMRQ1)
- MSPM0L1228-Q1 (Orderable Part Numbers: M0L1228QRGZRQ1, M0L1228QRGERQ1, M0L1228QRHBRQ1, M0L1228QPNRQ1, M0L1228QPMRQ1, M0L1228QPTRQ1)
- MSPM0L2227-Q1 (Orderable Part Numbers: M0L2227QPMRQ1, M0L2227QPTRQ1, M0L2227QPNRQ1)
- MSPM0L1227-Q1 (Orderable Part Numbers: M0L1227QRGERQ1, M0L1227QPMRQ1, M0L1227QPTRQ1, M0L1227QRGZRQ1, M0L1227QPNRQ1, M0L1227QRHBRQ1)

This functional safety manual provides information needed by system developers to help in the creation of a functional safety system using a MSPM0Lx22x-Q1 component. This document includes:

- An overview of the component architecture
- · An overview of the development process used to decrease the probability of systematic failures
- An overview of the functional safety architecture for management of random failures
- · The details of architecture partitions and implemented functional safety mechanisms

The following information is documented in the MSPM0Lx22x-Q1 Functional Safety Analysis Report and is not repeated in this document:

- Summary of failure in time (FIT) rates of the component
- Summary of functional safety metrics of the hardware component for targeted standards (for example IEC-61508, ISO-26262)
- Quantitative functional safety analysis (also known as FMEDA, Failure Modes, Effects, and Diagnostics Analysis) with detail of the different parts of the component, allowing for customized application of functional safety mechanisms
- · Assumptions used in the calculation of functional safety metrics

The following information is documented in the Functional Safety Report and is not repeated in this document:

· Results of assessments of compliance to targeted standards

The user of this document needs a general familiarity with the MSPM0Lx22x-Q1 component. For more information, refer to the MSPM0Lx22x-Q1 data sheets. This document is intended to be used in conjunction with the pertinent data sheets, technical reference manuals, and other component documentation.

For information that is beyond the scope of the listed deliverables, contact your TI sales representative or go to TI Functional Safety.

#### Trademarks

Microwire<sup>™</sup> and TI E2E<sup>™</sup> are trademarks of Texas Instruments.

FlexRay<sup>™</sup> is a trademark of FlexRay Consortium.

Arm<sup>®</sup> and Cortex<sup>®</sup> are registered trademarks of Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

Motorola<sup>®</sup> is a registered trademark of MOTOROLA TRADEMARK HOLDINGS, LLC.

All trademarks are the property of their respective owners.

# Chapter 2 MSPM0Lx22x-Q1 Hardware Component Functional Safety Capability



This section summarizes the component functional safety capability.

This hardware component:

- Was developed as a functional Safety Element out of Context (SEooC)
- Was developed according to the relevant requirements of ISO 26262:2018
- Achieves systematic integrity level of ASIL-D
- · Includes sufficient functional safety mechanisms for random fault integrity up to ASIL-B

# Chapter 3 Development Process for Management of Systematic Faults



For functional safety development, it is necessary to manage both systematic and random faults. Texas Instruments follows a new-product development process for all of its components which helps to decrease the probability of systematic failures. This new-product development process is described in Section 3.1. Components being designed for functional safety applications will additionally follow the requirements of TI's functional safety development process, which is described in Section 3.2.

# 3.1 TI New-Product Development Process

Texas Instruments has been developing components for automotive and industrial markets since 1996. Automotive markets have strong requirements regarding quality management and product reliability. The TI new-product development process features many elements necessary to manage systematic faults. Additionally, the documentation and reports for these components can be used to assist with compliance to a wide range of standards for customer's end applications including automotive and industrial systems (for example, ISO 26262-4, IEC 61508-2).

This component was developed using TI's new product development process which has been certified as compliant to ISO 9001 / IATF 16949 as assessed by Bureau Veritas (BV).

The standard development process breaks development into phases:

- Assess
- Plan
- Create
- Validate

Section 3.1 shows the standard process.



Figure 3-1. TI New-Product Development Process

# 3.2 TI Functional Safety Development Process

The TI functional safety development flow derives from ISO 26262 and IEC 61508 a set of requirements and methodologies to be applied to semiconductor development. This flow is combined with TI's standard new product development process to develop TI functional safety components. The details of this functional safety development flow are described in the TI internal specification - TI Functional Safety Hardware.

Key elements of the TI functional safety-development flow are as follows:

- Assumptions on system level design, functional safety concept, and requirements based on TI's experience with components in functional safety applications
- Qualitative and quantitative functional safety analysis techniques including analysis of silicon failure modes and application of functional safety mechanisms
- · Base FIT rate estimation based on multiple industry standards and TI manufacturing data
- Documentation of functional safety work products during the component development
- Integration of lessons learned through multiple functional safety component developments, functional safety standard working groups, and the expertise of TI customers

Table 3-1 lists these functional safety development activities which are overlaid atop the standard development flow in Figure 3-1.

Refer to Appendix B for more information about which functional safety lifecycle activities TI performs.

The customer facing work products derived from this TI functional safety process are applicable to many other functional safety standards beyond ISO 26262 and IEC 61508.

| Assess                                                             | Plan                                                                                        | Create                                                                    | Validate                                                   | Sustain and End-of-Life                                               |
|--------------------------------------------------------------------|---------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------|-----------------------------------------------------------------------|
| Determine if functional<br>safety process execution<br>is required | Define component target<br>SIL/ASIL capability                                              | Develop component<br>level functional safety<br>requirements              | Validate functional safety design in silicon               | Document any reported issues (as needed)                              |
| Nominate a functional safety manager                               | Generate functional safety plan                                                             | Include functional safety<br>requirements in design<br>specification      | Characterize the functional safety design                  | Perform incident reporting<br>of sustaining operations<br>(as needed) |
| End of Phase Audit                                                 | Verify the functional safety plan                                                           | Verify the design specification                                           | Qualify the functional<br>safety design (per AEC-<br>Q100) | Update work products (as needed)                                      |
|                                                                    | Initiate functional safety case                                                             | Start functional safety design                                            | Finalize functional safety case                            |                                                                       |
|                                                                    | Analyze target<br>applications to generate<br>system level functional<br>safety assumptions | Perform qualitative<br>analysis of design (i.e.<br>failure mode analysis) | Perform assessment of project                              |                                                                       |
|                                                                    | End of Phase Audit                                                                          | Verify the qualitative analysis                                           | Release functional safety manual                           |                                                                       |
|                                                                    |                                                                                             | Verify the functional safety design                                       | Release functional safety<br>analysis report               |                                                                       |
|                                                                    |                                                                                             | Perform quantitative<br>analysis of design (i.e.<br>FMEDA)                | Release functional safety report                           |                                                                       |
|                                                                    |                                                                                             | Verify the quantitative analysis                                          | End of Phase Audit                                         |                                                                       |
|                                                                    |                                                                                             | Iterate functional safety design as necessary                             |                                                            |                                                                       |
|                                                                    |                                                                                             | End of Phase Audit                                                        |                                                            |                                                                       |

# Table 3-1. Functional Safety Activities Overlaid on top of TI's Standard Development Process

# Chapter 4 MSPM0Lx22x-Q1 Component Overview

# Texas Instruments







# 4.1 Targeted Applications

The MSPM0Lx22x-Q1 component is targeted at general-purpose functional safety applications. This is called Safety Element out of Context (SEooC) development according to ISO 26262-10:2018. In this case, the development is done based on assumptions on the conditions of the semiconductor component usage, and then the assumptions are verified at the system level. This section describes some of the target applications for this component, the component safety concept, and then describes the assumptions about the systems (also know as Assumptions of Use or AoU) that were made in performing the safety analysis.

Example target applications include, but are not limited to, the following:

- Automotive Person occupancy detection
- Automotive Lighting
- Automotive Seat heaters
- Automotive Window control

Figure 4-2 shows a typical block diagram in which the MSPM0 MCUs can be used. This diagram is only an example and does not necessarily represent a complete system.



Figure 4-2. MSPM0Lx22x-Q1 Typical Application

# 4.2 Hardware Component Functional Safety Concept

In case of internal errors in the component, one or more of the following actions can be taken:

- Take the actuator output pins to a safe state (for example, the fault logic in timers can take the outputs to a safe state).
- · Reset the device.
- Communicate the error to the host CPU and let system take the appropriate action.

# 4.3 Functional Safety Constraints and Assumptions

In creating a functional Safety Element out of Context (SEooC) concept and doing the functional safety analysis, TI generates a series of assumptions on system level design, functional safety concept, and requirements. These assumptions (sometimes called Assumptions of Use) are listed below. Additional assumptions about the detailed implementation of safety mechanisms are separately located in Section 6.3.

The MSPM0Lx22x-Q1 Functional Safety Analysis was done under the following system assumptions:

- [SA\_1] The MSPM0Lx22x-Q1 MCU has interfaces to external sensors.
- [SA\_2] The MSPM0Lx22x-Q1 MCU has interfaces to external actuators.
- [SA\_3] The MSPM0Lx22x-Q1 MCU has interfaces to communicate with an external host controller.
- **[SA\_4]** The MSPM0Lx22x-Q1 MCU has a programmable CPU to execute a controller function taking sensor inputs and controlling an actuator.

TEXAS

NSTRUMENTS

- **[SA\_5]** The system integrator reviews the recommended diagnostics in the safety analysis report (FMEDA) and safety manual and determines the appropriate diagnostics to include in the system. These diagnostics are implemented according to the device safety manual and data sheet.
- **[SA\_6]** The external power supply provides the appropriate power on for each of the power inputs. These rails are monitored for deviations outside the device specifications and a reset asserts, if the voltage is outside the range.
- [SA\_7] The MSPM0Lx22x-Q1 MCU monitors failures on the external clock (if present).
- [SA\_8] The MSPM0Lx22x-Q1 MCU monitors failures on external sensors.
- [SA\_9] The MSPM0Lx22x-Q1 MCU monitors failures on external actuators.
- **[SA\_10]** In case of internal errors in the MSPM0Lx22x-Q1 MCU or the interfacing sensors and actuators, the MSPM0Lx22x-Q1 MCU can be reset. The host controller monitors communication loss and determines that the MSPM0Lx22x-Q1 MCU is in a faulted state.
- **[SA\_11]** The system integrator provisions an actuator disable-mechanism controller by the host controller.
- **[SA\_12]** The system is assumed to require architectural metrics (random fault) complying to (up to) ASIL-B.
- [SA\_14] The system is assumed to have a FTTI > 10ms.
- [SA\_15] The system integrator connects VBAT and VDD power pins to the same power source.
- **[SA\_16]** The system integrator considers all potential failure modes and mitigation measures associated with communication interfaces while implementing any end-to-end communication protection diagnostics techniques.
- [SA\_16] The DEBUG function is considered as not safety critical.
- [SA\_17] The RTC function is considered as not safety critical.
- [SA\_18] The AES function is considered as not safety critical.
- [SA\_19] The TRNG function is considered as not safety critical.
- [SA\_20] The TAMPER function is considered as not safety critical.
- [SA\_21] The BACKUP function is considered as not safety critical.
- [SA\_22] The LCD function is considered as not safety critical.
- [SA\_23] The KEYSTORE function is considered as not safety critical.
- **[SA\_24]** The QM IPs are not used in safety-critical applications.
- [SA\_25] TI assumes that the internal low power modes are not used in safety-critical applications.
- **[SA\_26]** The system integrator considers all potential failure modes and mitigation measures associated with communication interfaces while implementing any end-to-end communication protection diagnostics techniques.
- [COEX0] The following components are assumed not safety related (NSR components):
  - RTC
  - TRNG
  - AES
  - TAMPER
  - BACKUP RAM
  - LCD
  - KEYSTORE
  - DFT
  - DEBUG
- [COEX1] TI recommends that unused components are disabled in the application software.
- **[COEX2]** TI recommends that the unused interrupt sources of components are disabled.
- **[COEX3]** TI recommends that DMA unused triggers of components are disabled.
- [COEX4] TI recommends that unused fault inputs in timers are disabled.
- **[COEX5]** If external safety mechanisms are used, the system integrator is responsible for completing a dependent failure analysis at the system level.
- [COEX6] TI assumes that the NSR components are not used in the safety context.
- [COEX7] TI recommends that debug is disabled in safety-critical applications.
- **[COEX8]** TI recommends that a default interrupt service routine is coded for even the unused interrupts.
- **[COEX9]** TI recommends that the application does not use IPs as the trigger source of other IPs when those IPs are not safety related.
- [COEX10] TI recommends that the application does not program flash during safety-critical tasks.



There are some safety mechanisms required to cover dependent failures, refer to section on Section 6.3.63 for more details.

During integration activities these assumptions of use and integration guidelines described for this component shall be considered. Use caution if one of the above functional safety assumptions on this component cannot be met, as some identified gaps can be unresolvable at the system level.

# Chapter 5 Description of Hardware Component Parts



A semiconductor component can be divided into parts to enable a more granular functional safety analysis. This can be useful to help assign specific functional safety mechanisms to portions of the design where the mechanisms provide coverage ending up with a more complete and customizable functional safety analysis. This section includes a brief description of each hardware part of this component and lists the functional safety mechanisms that must be applied to attain ASIL-B. This section is intended to provide additional details about the assignment of functional safety mechanisms that can be found in the Safety Analysis Report. The content in this section is also summarized in Appendix A.

More details of the hardware components can be found in *MSPM0Lx22x-Q1 Microcontrollers Technical Reference Manual*.

# 5.1 ADC

The 12-bit analog-to-digital converter (ADC) module in these devices supports fast, 12-bit conversions with single-ended inputs. ADC features include:

- 12-bit output resolution at up to 1.68Msps with greater than 11-bit ENOB
- · Hardware averaging enables a 14-bit conversion resolution at 105ksps
- Up to 26 external input channels
- Internal channels for temperature sensing, supply monitoring, and analog signal chain
- Software selectable reference:
  - Configurable internal dedicated ADC reference voltage of 1.4V and 2.5V (VREF)
  - MCU supply voltage (VDD)
  - External reference supplied to the ADC through the VREF+ and VREF- pins
- Operates in RUN, SLEEP, and STOP modes and supports triggers from STANDBY mode

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism             | Description                                                      | Faults   Failure Modes                                                                                                                                                                                                                                        |
|------------------------------|------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ADC1                         | Periodic software read back of static<br>configuration registers | Targeted toward configuration registers in ADC.                                                                                                                                                                                                               |
| ADC2                         | Software Test for Functionality                                  | Targeted toward the ADC functionality,<br>including the sample pulse generation, ADC<br>conversion, logic which captures the result,<br>interrupt flag setting, DMA trigger generation,<br>proper function of the analog-to-digital circuit,<br>and so forth. |
| ADC3                         | ADC trigger overflow                                             | Targeted toward ADC triggering circuit related faults.                                                                                                                                                                                                        |
| ADC4                         | ADC window comparator                                            | Covers faults in analog-to-digital conversion<br>logic, and also covers faults in ADC inputs<br>which result in the converted result going out<br>of range.                                                                                                   |
| ADC5 (latent fault coverage) | Test of window comparator                                        | This is a test to cover faults in the window<br>comparator (the window comparator being a<br>safety mechanism). This test covers latent<br>faults within the window comparator.                                                                               |

| Table 5-1. ADC Safety | Mechanisms |
|-----------------------|------------|
|-----------------------|------------|



| Table 5-1. ADC Salety Mechanisms (continued) |                                           |                                                                                                                                                                                                                                                                                                          |  |
|----------------------------------------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Safety Mechanism                             | Description                               | Faults   Failure Modes                                                                                                                                                                                                                                                                                   |  |
| ADC6                                         | ADC trigger and output plausibility check | This is an application-specific check. Based<br>on the application, software can check on<br>signal properties, like range, bandwidth,<br>sampling rate, and so forth. This check can<br>potentially cover faults in ADC sampling and<br>conversion, triggering logic, interrupt logic,<br>and so forth. |  |
| WDT                                          | Windowed watchdog event                   | Used to cover faults in sample generation,<br>interrupt generation, DMA trigger generation,<br>and event triggering to other IPs. Any<br>periodic event which does not occur, or<br>occurs at a different rate than expected, can<br>be covered.                                                         |  |
| IWDT                                         | Independent watchdog timer                | Used to cover faults in sample generation,<br>interrupt generation, DMA trigger generation,<br>and event triggering to other IPs. Any<br>periodic event which does not occur.                                                                                                                            |  |

### Table 5-1. ADC Safety Mechanisms (continued)



•

# 5.2 Comparator

The comparator peripheral in the device compares the voltage levels on two input terminals and provides a digital output (based on this comparison). The comparator supports the following key features:

- Programmable hysteresis
- Programmable reference voltage:
  - External reference voltage (VREF I/O)
  - Dedicated Internal reference voltage (1.4V, 2.5V) available in RUN, SLEEP, STOP, and STANDBY modes.
- Integrated 8-bit reference DAC
- Configurable operation modes:
  - High-speed mode
  - Lower-power mode (not to be used in safety critical applications)
- Programmable output glitch filter delay
- Supports output wake-up device from all low power modes (not to be used in safety critical applications)
- · Output is connected to an advanced timer fault handling mechanism
- The IPSEL and IMSEL bits in comparator registers can be used to select the comparator channel inputs from device pins or from internal analog modules.

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                      | Faults   Failure Modes                                                                                                                                                                     |
|------------------|------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| COMP1            | Periodic software read back of static<br>configuration registers | Targeted toward configuration registers in comparator.                                                                                                                                     |
| COMP3            | Comparator test using an external pin as a test input            | Targeted to test the comparator functioning using an external pin as test input.                                                                                                           |
| COMP4            | Comparator hysteresis                                            | This is a fault avoidance technique, which<br>can be used to filter the noise on the input<br>to the comparator.                                                                           |
| WDT              | Windowed watchdog event                                          | Targeted toward interrupt generation logic.<br>If a periodic interrupt is expected from the<br>comparator watchdog, this mechanism can<br>be used to detect faults in the interrupt logic. |

#### Table 5-2. Comparator Safety Mechanisms



# 5.3 CPU

The CPU subsystem (MCPUSS) implements an Arm<sup>®</sup> Cortex<sup>®</sup>-M0+ CPU, an instruction prefetch and cache, a system timer, a memory protection unit, and interrupt management features. The Arm Cortex-M0+ is a 32-bit CPU which delivers high performance and low power to embedded applications. Key features of the CPU subsystem includes:

- Arm Cortex-M0+ CPU supporting clock frequencies up to 32MHz
  - ARMv6-M thumb instruction set (little endian) with single-cycle 32×32 multiply instruction
  - Single-cycle access to GPIO registers through Arm single-cycle I/O port
  - Prefetch logic to improve sequential code execution, and I-cache with four 64-bit cache lines
- System timer (SysTick) with 24-bit down counter and automatic reload
- Memory protection unit (MPU) with eight programmable regions
- · Nested vectored interrupt controller (NVIC) with four programmable priority levels and tail-chaining
- Interrupt groups, for expanding the total interrupt sources, with jump index for low-interrupt latency

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                                                                    | Faults   Failure Modes                                                                                                                                                                          |
|------------------|----------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CPU1             | ARM software test library                                                                                      | Targeted toward the Cortex-M0+ CPU and NVIC.                                                                                                                                                    |
| CPU2             | Writes and reads back data to different regions of memory to detect faults in the bus interconnect components. | Targeted toward the bus decoders and<br>interface logic in the CPU subsystem. These<br>decoders route the CPU access to different<br>components based on the address.                           |
| CPU3             | Software diversified redundancy                                                                                | Used to target CPU functioning. This is<br>an application-specific check, in which the<br>same computation is performed in two<br>different software functions and the results<br>are compared. |
| CPU4             | Periodic software read back of static configuration registers                                                  | Targeted toward the configuration registers in the CPU subsystem (registers in the interrupt grouping logic, and so forth).                                                                     |
| SYSCTL11         | Boot process timeout                                                                                           | Targeted toward boot ROM.                                                                                                                                                                       |
| WDT              | Windowed watchdog event                                                                                        | Targeted toward CPU control flow, any CPU bus related faults, faults in the CPU interrupt logic, and so forth.                                                                                  |

#### Table 5-3. CPU Safety Mechanisms

# 5.4 RAM

The MSPM0 MCUs include a low-power, high-performance SRAM with zero wait state access across the supported CPU frequency range of the device. The MSPM0 MCUs also provide up to 32KB of ECC protected SRAM with hardware parity. SRAM can be used for storing volatile information, such as, the call stack, heap, global data, and code. The SRAM content is fully retained in RUN, SLEEP, STOP, and STANDBY modes and is lost in shutdown mode. A write-execute, mutual-exclusion mechanism is provided to allow the application to partition the SRAM into two sections:

- 1. A read-write (RW) partition
- 2. A read-execute (RX) partition

The RX partition occupies the upper portion of the SRAM address space. Write protection is useful when placing executable code into SRAM, as the write protection provides a level of protection against unintentional overwrites of code by either the CPU or DMA. Placing code in SRAM can improve performance of critical loops by enabling a zero wait state operation and lower power consumption.



The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism                | Description                 | Faults   Failure Modes                                                                                             |
|---------------------------------|-----------------------------|--------------------------------------------------------------------------------------------------------------------|
| SYSMEM1                         | Software read of memory DMA | Targeted toward the DMA bus decoder in the SRAM controller and the arbitration logic.                              |
| SYSMEM2                         | Software read of memory CPU | Targeted toward the CPU bus decoder in the SRAM controller and the arbitration logic.                              |
| SYSMEM7                         | RAM ECC                     | Targeted toward the faults in SRAM.                                                                                |
| SYSMEM9                         | RAM software test           | Targeted towards multipoint latent faults in SRAM.                                                                 |
| SYSMEM8 (latent fault coverage) | ECC logic test              | This is a test of diagnostic. This test is used to test the function of the ECC checker logic.                     |
| WDT                             | Windowed watchdog event     | Targeted toward arbitration logic. Any fault<br>which leads to a CPU bus hang can be<br>covered by this mechanism. |

#### Table 5-4. RAM Safety Mechanisms

# 5.5 FLASH

A dual bank of nonvolatile flash memory (up to 128KB or 256KB total) is provided for storing executable program code and application data. Key features of the flash include:

- Hardware ECC protection (encode and decode) with single-bit error correction and double-bit error detection
- In-circuit program and erase operations supported across the entire recommended supply range
- Small 1KB sector sizes (minimum erase resolution of 1KB)
- Up to 100000 program and erase cycles on the lower 32KB of the flash memory, with up to 10000 program and erase cycles on the remaining flash memory (devices with 32KB support 100000 cycles on the entire flash memory)

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism               | Description                               | Faults   Failure Modes                                                                                                                                                                                     |
|--------------------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CPU3                           | Software diversified redundancy           | Targeted toward the arbitration logic. If due to fault in arbitration logic, incorrect data is returned, this test can be used to cover such faults.                                                       |
| DMA2                           | Software DMA transfer test                | Targeted toward DMA bus decoder and the arbitration logic.                                                                                                                                                 |
| FLASH1                         | Flash ECC                                 | Targeted toward the faults in the flash memory.                                                                                                                                                            |
| FLASH2                         | Flash CRC                                 | Targeted towards multipoint latent faults in the flash memory.                                                                                                                                             |
| FXBAR2                         | Periodic software read back of flash data | Targeted toward the decoding logic on the CPU read bus.                                                                                                                                                    |
| FXBAR3 (latent fault coverage) | Software check of ECC checker logic       | This is a test of diagnostic, used to check the function of the ECC checker.                                                                                                                               |
| FXBAR4                         | Write protection of flash                 | Targeted toward the faults in the programming interface.                                                                                                                                                   |
| WDT                            | Windowed watchdog event                   | Targeted toward the arbitration logic and<br>flash read interface. Any fault in this logic<br>which results in incorrect data being returned<br>to CPU causing a CPU decoding an incorrect<br>instruction. |

#### Table 5-5. Flash Safety Mechanisms



# 5.6 GPIO

The general purpose input output (GPIO) peripheral provides the user with a means to write data out, read data into the device pins, and read data from the device pins. Through the use of the Port A and Port B GPIO peripherals, these devices support up to 60 GPIO pins.

The key features of the GPIO module include:

- Zero wait state MMR access from the CPU
- · Set, clear, and toggle, multiple bits without the need of a read-modify-write construct in software
- GPIOs with Standard with Wake drive functionality able to wake the device from SHUTDOWN mode
- The FastWake feature enables low-power wakeup from STOP and STANDBY modes for any GPIO port
- User controlled input filtering

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                  | Faults   Failure Modes                                                                                                                                                                                                                                           |  |
|------------------|--------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| GPIO1            | Online monitoring using I/O loopback                         | Targeted toward the GPIO DOUT register and the interface to I/O.                                                                                                                                                                                                 |  |
| GPIO2            | Periodic Software Readback of Static Configuration Registers | Targeted toward GPIO configuration registers.                                                                                                                                                                                                                    |  |
| GPIO3            | GPIO multiple (redundant) inputs and outputs                 | This is an application-level test. For critical GPIOs, a redundancy mechanism can be employed to get high coverage.                                                                                                                                              |  |
| WDT              | Windowed watchdog event                                      | This is targeted toward the interrupt<br>generation logic in GPIO. If an interrupt<br>is expected to occur periodically, this<br>mechanism can be used.<br>WDT is also used to cover pin failures in<br>case the pin is used as an external interrupt<br>source. |  |

### Table 5-6. GPIO Safety Mechanisms

# 5.7 DMA

The direct memory access (DMA) controller allows movement of data from one memory address to another without CPU intervention. For example, the DMA can be used to move data from ADC conversion memory to SRAM. The DMA reduces system power consumption by allowing the CPU to remain in low-power mode, without having to wake to move data to or from a peripheral.

The DMA in these devices support the following key features:

- Seven independent DMA transfer channels
  - Four basic channel supports (single transfer modes)
  - Three full-feature channel supports (repeated transfer modes)
- Configurable DMA channel priorities
- Byte (8-bit), short word (16-bit), word (32-bit), and long word (64-bit) or mixed byte and word transfer capability
- Transfer counter block size supports up to 64k transfers of any data type
- Configurable DMA transfer trigger selection
- · Active channel interruption to service other channels
- Early interrupt generation for ping-pong buffer architecture
- · Cascading channels upon completion of activity on another channel
- Stride mode to support data reorganization, such as 3-phase metering applications

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

TEXAS INSTRUMENTS

www.ti.com

|                  | Table 5-7. DMA Safety Mechanisms                              |                                                                                                                                                                                                                                                        |  |  |  |
|------------------|---------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| Safety Mechanism | Description                                                   | Faults   Failure Modes                                                                                                                                                                                                                                 |  |  |  |
| DMA1             | Periodic software read back of static configuration registers | Targeted toward configuration registers of DMA.                                                                                                                                                                                                        |  |  |  |
| DMA2             | Software DMA transfer test                                    | Targeted toward DMA bus interface logic<br>and the DMA channel which sequences the<br>read and write access based on the channel<br>configuration.                                                                                                     |  |  |  |
| DMA3             | Software DMA channel test                                     | Targeted toward the channels used in the application context.                                                                                                                                                                                          |  |  |  |
| DMA4             | CRC check of the transferred data                             | Targeted toward DMA bus interface which results in data corruption.                                                                                                                                                                                    |  |  |  |
| SYSCTL11         | Boot process timeout                                          | DMA is used to transfer trims during the<br>boot process. This test targets the DMA logic<br>which is used for this.                                                                                                                                   |  |  |  |
| WDT              | Windowed watchdog event                                       | Target faults which result in either DMA<br>transfer not starting (triggers not getting<br>generated, for example) or transfers not<br>completing (DMA channel faults and bus<br>hangs) resulting in the CPU program<br>sequence also malfunctioning.  |  |  |  |
| IWDT             | Independent watchdog timer.                                   | Target faults which result in either DMA<br>transfer not starting (triggers not getting<br>generated, for example) or transfers not<br>completing (DMA channel faults and bus<br>hangs); resulting in the CPU program<br>sequence also malfunctioning. |  |  |  |

# Table 5-7. DMA Safety Mechanisms



# 5.8 SPI

The serial peripheral interface (SPI) peripherals in these devices support the following key features:

- Support ULPCLK/2 bit rate and up to 16Mbit/s in both controller and peripheral mode
- · Configurable as a controller or a peripheral
- Configurable chip select for both controller and peripheral
- Programmable clock prescaler and bit rate
- Programmable data frame size from
- Programmable data frame size from 7-bits to 16-bits (peripheral mode)
- · Separated transmit and receive FIFOs support DMA data transfer
- Supports TI mode, Motorola<sup>®</sup> mode, and National Microwire<sup>™</sup> format

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                      | Faults   Failure Modes                                                                                                                                                                                                                                                                                         |
|------------------|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SPI1             | Software test of function using I/O loopback                     | Targets the transmit and receive function,<br>including the clocking, shift registers, FIFOs,<br>and the associated control logic.                                                                                                                                                                             |
| SPI2             | Periodic software read back of static<br>configuration registers | Targets the static configuration registers in SPI.                                                                                                                                                                                                                                                             |
| SPI3             | SPI periodic safety message checks                               | This is an application-level check, in<br>which safety messages can be exchanged<br>periodically. This mechanism covers faults,<br>which result in communication breakdown.<br>These faults can be in the external line,<br>I/Os, the transmit and receive logic, interrupt<br>generation logic, and so forth. |
| SPI4             | Information redundancy techniques including end-to-end safing    | This is an application-level check, in which<br>additional information (for example, the CRC<br>of the message) is included along with the<br>message. These checks can be used to<br>cover faults resulting in data corruption. For<br>example, faults in FIFO, in the shift registers,<br>and so forth.      |
| SPI5             | Transmission redundancy                                          | This test is an application-level check, in<br>which the same message is transmitted<br>multiple times. This test is effective for<br>detecting transient faults resulting in some<br>messages getting corrupted. For example,<br>transient faults in FIFOs.                                                   |
| WDT              | Windowed watchdog event                                          | Targeted toward faults which result in missing<br>interrupts (periodic interrupts) affecting the<br>program sequence of the CPU. These faults<br>can be faults in the interrupt logic, the logic<br>which sets the interrupt flags, and so forth.                                                              |

# Table 5-8. SPI Safety Mechanisms

# 5.9 I2C

The inter-integrated circuit interface (I2C) peripherals, in these devices, provide bidirectional data transfers with other I2C devices on the bus and support the following key features:

- 7-bit and 10-bit addressing mode with multiple 7-bit target addresses
- Multiple-controller transmitter or receiver mode
- Target receiver or transmitter mode with configurable clock stretching
- Support standard-mode (Sm), with a bit rate up to 100kbit/s
- Support fast-mode (Fm), with a bit rate up to 400kbit/s
- · Support fast-mode plus (Fm+), with a bit rate up to 1 Mbit/s
- Separated transmit and receive FIFOs support DMA data transfer



- Support SMBus 3.0 with PEC, ARP, timeout detection, and host support
- Wakeup from low-power mode on address match
- Support analog and digital glitch filter for input signal glitch suppression

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                   | Faults   Failure Modes                                                                                                                                                                                                                                                                                     |
|------------------|---------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| I2C1             | Software test of function using I/O loopback                  | Targets the transmit and receive function,<br>including the clocking, shift registers, FIFOs,<br>and the associated control logic.                                                                                                                                                                         |
| I2C2             | Periodic software read back of static configuration registers | Targets the static configuration registers in I2C.                                                                                                                                                                                                                                                         |
| I2C3             | Information redundancy techniques including end-to-end safing | This is an application-level check, in which<br>additional information (for example, the CRC<br>of the message) is included along with the<br>message. These checks can be used to<br>cover faults resulting in data corruption. For<br>example, a fault in FIFO, in the shift registers,<br>and so forth. |
| I2C4             | Transmission redundancy                                       | This test is an application-level check, in<br>which the same message is transmitted<br>multiple times. This test is effective to detect<br>transient faults resulting in some messages<br>getting corrupted. For example, transient<br>faults in FIFOs.                                                   |
| I2C5             | Timeout monitoring                                            | This is an application-level check, in<br>which safety messages can be exchanged<br>periodically. This covers faults which result in<br>communication breakdown. These faults can<br>be in the external line, I/Os, the transmit and<br>receive logic, interrupt generation logic, and<br>so forth.        |
| I2C6             | Test of CRC function                                          | I2C has a CRC checker when configured<br>in the SMBUS mode. This checker checks<br>the proper function of the CRC checker logic<br>by sending corrupt messages as part of the<br>application.                                                                                                              |
| 12C7             | Packet error check in SMBUS mode                              | This targets faults which result in data corruption, for example, faults on the external line, in the FIFOs, shift registers, and so forth.                                                                                                                                                                |
| WDT              | Windowed watchdog event                                       | Targeted toward faults which result in missing<br>interrupts (periodic interrupts) affecting the<br>program sequence of the CPU. These faults<br>can be faults in the interrupt logic, the logic<br>which sets the interrupt flags, and so forth.                                                          |



# 5.10 UART

The UART peripherals (UART0, UART1, UART2, UART3, and UART4) provide the following key features:

- Standard asynchronous communication bits for start, stop, and parity
- Fully programmable serial interface
  - Five, six, seven, or eight data bits
  - Even, odd, stick, or no-parity bit generation and detection
  - One or two stop bit generation
  - Line-break detection
  - Glitch filter on the input signals
  - Programmable baud rate generation with oversampling by 16, 8, or 3
  - Local interconnect network (LIN) mode support
- Separated transmit and receive FIFOs support DAM data transfer
- · Support transmit and receive loopback mode operation
- See Table 5-10 for detailed information on supported protocols

#### Table 5-10. UART Features

| UART Features                       | UART0, UART1 (Extend) | UART2, UART3, and UART4 (Main) |  |  |  |  |
|-------------------------------------|-----------------------|--------------------------------|--|--|--|--|
| Active in stop and standby mode     | Yes                   | Yes                            |  |  |  |  |
| Separate transmit and receive FIFOs | Yes                   | Yes                            |  |  |  |  |
| Supports hardware flow control      | Yes                   | Yes                            |  |  |  |  |
| Supports 9-bit configuration        | Yes                   | Yes                            |  |  |  |  |
| Supports LIN mode                   | Yes                   | -                              |  |  |  |  |
| Supports DALI                       | Yes                   | -                              |  |  |  |  |
| Supports IrDA                       | Yes                   | -                              |  |  |  |  |
| Supports ISO7816 Smart Card         | Yes                   | -                              |  |  |  |  |
| Supports Manchester coding          | Yes                   | -                              |  |  |  |  |
|                                     |                       |                                |  |  |  |  |

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

#### Table 5-11. UART Safety Mechanisms

| Safety Mechanism | Description                                                      | Faults   Failure Modes                                                                                                                                                                                                                                                                                   |
|------------------|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| UART1            | Software test of function using I/O loopback                     | Targets the transmit and receive function,<br>including the clocking, shift registers, FIFOs,<br>and the associated control logic.                                                                                                                                                                       |
| UART2            | Periodic software read back of static<br>configuration registers | Targets the static configuration registers in UART.                                                                                                                                                                                                                                                      |
| UART3            | Information redundancy techniques including end-to-end safing    | This is an application-level check, in which<br>additional information (for example, the CRC<br>of the message) is included along with the<br>message. These checks can be used to<br>cover faults resulting in data corruption. For<br>example, fault in FIFO, in the shift registers,<br>and so forth. |
| UART4            | Transmission redundancy                                          | This test is an application-level check, in<br>which the same message is transmitted<br>multiple times. This test is effective to detect<br>transient faults resulting in some messages<br>getting corrupted. For example, transient<br>faults in FIFOs.                                                 |



| Safety Mechanism | Description             | Faults   Failure Modes                                                                                                                                                                                                                                                                              |
|------------------|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| UART5            | Timeout monitoring      | This is an application-level check, in<br>which safety messages can be exchanged<br>periodically. This covers faults which result in<br>communication breakdown. These faults can<br>be in the external line, I/Os, the transmit and<br>receive logic, interrupt generation logic, and<br>so forth. |
| UART6            | UART error flags        | This safety mechanism provides detection for<br>some typical failures which result in protocol<br>violations and can cover faults in the transmit<br>and receive control logic or on the external<br>line.                                                                                          |
| UART7            | UART glitch filter      | This mechanism is a fault-avoidance measure against glitches on the RX line.                                                                                                                                                                                                                        |
| WDT              | Windowed watchdog event | Targeted toward faults which result in missing<br>interrupts (periodic interrupts) affecting the<br>program sequence of the CPU. These faults<br>can be faults in the interrupt logic, the logic<br>which sets the interrupt flags, and so forth.                                                   |

#### Table 5-11. UART Safety Mechanisms (continued)

# 5.11 Timers (TIMx)

There are two timer peripherals in these devices (which support the following key features); (1) TIMGx (generalpurpose timer) and (2) TIMAx (advanced timer). The TIMGx is a subset of TIMAx, which means these timers share many common features that are compatible in software. For specific configuration, see Table 5-12:

Specific features for the general-purpose timer (TIMGx) include:

- 16-bit and 32-bit timers with up, down, or up-down counting modes, with repeat-reload mode
- Selectable and configurable clock source
- 8-bit programmable prescaler to divide the counter clock frequency
- Two independent CC channels for
  - Output compare
  - Input capture
  - PWM output
  - One-shot mode
- Support quadrature encoder interface (QEI) for positioning and movement sensing available in TIMG8
- Support synchronization and cross trigger among different TIMx instances in the same power domain
- Support interrupt and DMA trigger generation and cross peripherals (such as ADC) trigger capability
- Cross trigger event logic for Hall sensor inputs (TIMG8)

Specific features for the advanced timer (TIMAx) include:

- 16-bit timer with up, down, or up-down counting modes, with repeat-reload mode
- Selectable and configurable clock source
- · 8-bit programmable prescaler to divide the counter clock frequency
- Repeat counter to generate an interrupt or event only after a given number of cycles of the counter
- · Up to four independent CC channels for
  - Output compare
  - Input capture
  - PWM output
  - One-shot mode
- Two additional capture and compare channels for internal events (CC4 and CC5)
- Shadow register for load and CC register available in TIMA0
- Complementary output PWM
- Asymmetric PWM with programmable dead band insertion



- Fault handling mechanism to verify the output signals in a safe user-defined state when a fault condition is encountered
- Support synchronization and cross trigger among different TIMx instances in the same power domain
- Support interrupt and DMA trigger generation and cross peripherals (such as ADC) trigger capability
- Two additional capture and compare channels for internal events

|          |                 |                       |           |                   |                                            |                             |               | <b>j</b>       |               |          |                  |                             |
|----------|-----------------|-----------------------|-----------|-------------------|--------------------------------------------|-----------------------------|---------------|----------------|---------------|----------|------------------|-----------------------------|
| Instance | Power<br>Domain | Counter<br>Resolution | Prescaler | Repeat<br>Counter | CCP<br>Channels<br>(External/<br>Internal) | External<br>PWM<br>Channels | Phase<br>Load | Shadow<br>Load | Shadow<br>CCs | Deadband | Fault<br>Handler | QEI / Hall<br>Input<br>Mode |
| TIMG0    | PD0             | 16-bit                | 8-bit     | -                 | 2                                          | 2                           | -             | -              | -             | -        | -                | -                           |
| TIMG4    | PD0             | 16-bit                | 8-bit     | -                 | 2                                          | 2                           | -             | Yes            | Yes           | -        | -                | -                           |
| TIMG5    | PD0             | 16-bit                | 8-bit     | -                 | 2                                          | 2                           | -             | Yes            | Yes           | -        | -                | -                           |
| TIMG8    | PD0             | 16-bit                | 8-bit     | -                 | 2                                          | 2                           | -             | -              | -             | -        | -                | Yes                         |
| TIMG12   | PD0             | 32-bit                | -         | -                 | 2                                          | 2                           | -             | -              | Yes           | -        | -                | -                           |
| TIMA0    | PD0             | 16-bit                | 8-bit     | Yes               | 4/2                                        | 8                           | Yes           | Yes            | Yes           | Yes      | Yes              | -                           |

# Table 5-12. TIMx Instance Configuration

# Table 5-13. TIMx Cross Trigger Map (PD0)

| TSEL.ETSEL<br>Selection | TIMA0                           | TIMG0        | TIMG4        | TIMG5        | TIMG8        | TIMG12       |
|-------------------------|---------------------------------|--------------|--------------|--------------|--------------|--------------|
| 0                       | TIMA0.TRIGO                     | TIMA0.TRIGO  | TIMA0.TRIGO  | TIMA0.TRIGO  | TIMA0.TRIGO  | TIMA0.TRIGO  |
| 1                       | TIMG0.TRIGO                     | TIMG0.TRIGO  | TIMG0.TRIGO  | TIMG0.TRIGO  | TIMG0.TRIGO  | TIMG0.TRIGO  |
| 2                       | TIMG4.TRIGO                     | TIMG4.TRIGO  | TIMG4.TRIGO  | TIMG4.TRIGO  | TIMG4.TRIGO  | TIMG4.TRIGO  |
| 3                       | TIMG5.TRIGO                     | TIMG5.TRIGO  | TIMG5.TRIGO  | TIMG5.TRIGO  | TIMG5.TRIGO  | TIMG5.TRIGO  |
| 4                       | TIMG8.TRIGO                     | TIMG8.TRIGO  | TIMG8.TRIGO  | TIMG8.TRIGO  | TIMG8.TRIGO  | TIMG8.TRIGO  |
| 5                       | TIMG12.TRIGO                    | TIMG12.TRIGO | TIMG12.TRIGO | TIMG12.TRIGO | TIMG12.TRIGO | TIMG12.TRIGO |
| 6 to 15                 | Reserved                        |              |              |              |              |              |
| 16                      | Event Subscriber Port 0 (FSUB0) |              |              |              |              |              |
| 17                      | Event Subscriber Port 1 (FSUB1) |              |              |              |              |              |
| 18-31                   |                                 |              | Rese         | erved        |              |              |

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

#### Table 5-14. Timers Safety Mechanisms

| Safety Mechanism             | Description                                                         | Faults   Failure Modes                                                                                                                                                              |
|------------------------------|---------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| TIM1                         | Test for PWM generation                                             | Targeted toward PWM generation logic,<br>including the counters, compare registers,<br>clocking logic, output generation logic, and so<br>forth.                                    |
| TIM2                         | Periodic software read back of IP static<br>configuration registers | Targets the static configuration registers in timer.                                                                                                                                |
| TIM3 (latent fault coverage) | Test for fault generation                                           | This test is a test for diagnostic, which checks<br>the functioning of fault detection logic in<br>timer.           Note           This test is applicable only to           TIMAx. |



| Table 5-14. Timers Satety Mechanisms (continued) |                                                |                                                                                                                                                                                                                                                                                                                                                                                                     |  |  |  |  |  |
|--------------------------------------------------|------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|--|
| Safety Mechanism                                 | Description                                    | Faults   Failure Modes                                                                                                                                                                                                                                                                                                                                                                              |  |  |  |  |  |
| TIM4                                             | Fault detection to take the PWMs to safe state | This safety mechanism can be used to<br>detect faults which result in system-level<br>failures like overvoltage and undervoltage<br>and overcurrent and undercurrent. The<br>external faults can be monitored using the<br>fault pins or the analog comparators. The<br>faults which can be covered include the<br>faults in the PWM generation logic, faults in<br>external drivers, and so forth. |  |  |  |  |  |
|                                                  |                                                | Note                                                                                                                                                                                                                                                                                                                                                                                                |  |  |  |  |  |
|                                                  |                                                | This test is applicable only to                                                                                                                                                                                                                                                                                                                                                                     |  |  |  |  |  |
|                                                  |                                                | TIMAx.                                                                                                                                                                                                                                                                                                                                                                                              |  |  |  |  |  |
|                                                  |                                                |                                                                                                                                                                                                                                                                                                                                                                                                     |  |  |  |  |  |
| TIM5                                             | Input capture on two or more timer instances   | This test is used to cover the faults in the capture mode logic. The faults can be in clocking, capture logic, counter logic, and so forth.                                                                                                                                                                                                                                                         |  |  |  |  |  |
| TIM6                                             | Timer period monitoring.                       | This test is a run time check, in which<br>the duration between two interrupts can be<br>measured (using another timer). This check<br>is useful in detecting faults which result in<br>the counter taking more or less time than<br>expected and can also cover the clocking<br>related faults.                                                                                                    |  |  |  |  |  |
| WDT                                              | Windowed watchdog event                        | Targeted toward faults which result in missing<br>interrupts (periodic interrupts) affecting the<br>program sequence of the CPU. These faults<br>can be faults in the interrupt logic, the logic<br>which sets the interrupt flags, the logic which<br>generates hardware triggers for other IPs<br>(ADC, for example), and so forth.                                                               |  |  |  |  |  |

#### Table 5-14. Timers Safety Mechanisms (continued)

# 5.12 Power Management Unit (PMU)

The power management unit (PMU) generates the internally regulated core supplies for the device and provides supervision of the external supply (VDD). The PMU also contains the band gap voltage reference used individually by the PMU as well as analog peripherals. Key features of the PMU include:

- A dedicated battery-backup domain supply and dedicated pin (VBAT)
- Power-on-reset (POR) supply monitor
- Brown-out-reset (BOR) supply monitor with early warning capability using three programmable thresholds
- Core regulator with support for RUN, SLEEP, STOP, and STANDBY operating modes to dynamically balance performance with power consumption.
- Parity-protected trim to immediately generate a power-on-reset (POR) in the event that a power management trim is corrupted.

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                     | Faults   Failure Modes                                                                                                                                              |
|------------------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CPU3             | Software diversified redundancy | Targeted toward faults which can result in incorrect clock frequency (resulting in some computation failures) or failure to do a reset when required, and so forth. |

#### Table 5-15. PMU Safety Mechanisms

| Safety Mechanism                 | Description                                                      | Faults   Failure Modes                                                                                                                                                                                                                                 |  |
|----------------------------------|------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| GEN_IP_READ_STATIC_CONFIGURATION | Periodic software read back of IP static configuration registers | Targeted toward logic which is used to enable<br>and disable IPs. If a fault results in an IP<br>not getting enabled, the software read of the<br>configuration registers of the IP detects such<br>failures.                                          |  |
| SYSCTL10                         | External voltage monitor                                         | This is a system-level diagnostic to detect faults on the internal LDO.                                                                                                                                                                                |  |
| SYSCTL14                         | Brownout voltage monitor                                         | This is a safety mechanism which monitors<br>the power supply to the chip and can detect<br>undervoltage conditions early (generates an<br>NMI).                                                                                                       |  |
| SYSCTL16                         | External watchdog timer                                          | This is a system-level diagnostic which<br>can be used to cover faults in the reset<br>generation logic (reset asserted when not<br>required). In general, this diagnostic covers<br>any fault which results in incorrect program<br>execution timing. |  |
| SYSCTL16 (latent fault coverage) | External watchdog timer                                          | This mechanism (if used) can also detect faults in the MCLK monitor circuit.                                                                                                                                                                           |  |
| SYSCTL8                          | Brownout reset (BOR) supervisor                                  | This is a safety mechanism, which monitors<br>the power supply to the chip and can detect<br>undervoltage conditions (generates a reset).<br>This mechanism is triggered if the voltage<br>falls below the specified range.                            |  |
| SYSCTL8 (latent fault coverage)  | Brownout reset (BOR) supervisor                                  | In case brownout supervisor is not<br>functioning, this mechanism can trigger when<br>the voltage falls below the specified range.                                                                                                                     |  |
| VBAT1                            | VBAT supply monitor                                              | This safety mechanism can be used to monitor the external voltage pin.                                                                                                                                                                                 |  |
| VBAT2                            | Periodic software read of static configuration register          | Targets the static configuration registers in VBAT.                                                                                                                                                                                                    |  |

#### Table 5-15. PMU Safety Mechanisms (continued)

# 5.13 Clock Module (CKM)

The clock module provides the following oscillators:

- LFOSC: Internal, low-frequency oscillator (32kHz)
- SYSOSC: Internal, high-frequency oscillator (4MHz or 32MHz with factory trim, 16MHz or 24MHz with user trim)
- LFXT/LFCKIN : Low-frequency, external, crystal oscillator or digital clock input (32kHz)
- HFXT/HFCKIN: High-frequency, external, crystal oscillator or digital clock input (4MHz to 32MHz)

The following clocks are distributed by the clock module for use by the processor, bus, and peripherals:

- MCLK: Main system clock for PD1 peripherals, derived from SYSOSC, LFCLK, or HSCLK, active in RUN and SLEEP modes
- CPUCLK: Clock for the processor (derived from MCLK), active in RUN mode
- ULPCLK: Ultra-low power clock for PD0 peripherals, active in RUN, SLEEP, STOP, and STANDBY modes
- MFCLK: 4MHz fixed, mid-frequency clock for peripherals, available in RUN, SLEEP, and STOP modes
- MFPCLK: 4MHz fixed, mid-frequency, precision clock, available in RUN, SLEEP, and STOP modes
- LFCLK: 32kHz fixed, low-frequency clock for peripherals or MCLK, active in RUN, SLEEP, STOP, and STANDBY modes
- · ADCCLK: ADC clock, available in RUN, SLEEP and STOP modes
- CLK\_OUT: Used to output a clock externally, available in RUN, SLEEP, STOP, and STANDBY modes
- HFCLK: High-frequency clock derived from HFXT or HFCLK\_IN, available in RUN and SLEEP mode
- HSCLK: High-speed clock derived from HFCLK or the SYSPLL, available in RUN and SLEEP mode



The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism            | Description                                                   | Faults   Failure Modes                                                                                                                                              |
|-----------------------------|---------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CPU3                        | Software diversified redundancy                               | Targeted toward faults which can result in incorrect clock frequency (resulting in some computation failures) or failure to do a reset when required, and so forth. |
| SYSCTL1                     | MCLK monitor                                                  | This safety mechanism is targeted toward faults which result in MCLK frequency going very low or MCLK not toggling.                                                 |
| SYSCTL11                    | Boot process timeout                                          | This safety mechanism can detect faults in logic which interacts with the boot software to indicate boot completion, boot failures, and so forth.                   |
| SYSCTL2                     | HFCLK start-up monitor                                        | This safety mechanism can be used to check if HFCLK is functioning before switching the clock source to HFCLK.                                                      |
| SYSCTL3                     | LFCLK monitor                                                 | This safety mechanism is used detect failures on LFCK.                                                                                                              |
| SYSCTL5                     | Periodic software read back of static configuration registers | Targets the static configuration registers in SYSCTL.                                                                                                               |
| SYSCTL9                     | Clock frequency measurement                                   | This safety mechanism can be used to do a periodic check of the clock frequency.                                                                                    |
| WDT                         | Windowed watchdog event                                       | Targeted toward faults which result in incorrect clock frequencies and covers faults in various clocking components.                                                |
| WDT (latent fault coverage) | Windowed watchdog event                                       | This mechanism also acts as a backup in case the MCLK monitor malfunctions, for example.                                                                            |

| Table | 5-16.   | СКМ           | Safety | Mechanisms  |
|-------|---------|---------------|--------|-------------|
| Tuble | · · · · | <b>O</b> 1.00 | ouncey | meenanismis |

# 5.14 Events

The event manager transfers digital events from one entity (for example, a peripheral) to another (for example, a second peripheral, the DMA, or the CPU). The event manager implements event transfer through a defined set of event publishers (generators) and subscribers (receivers) which are interconnected through an event fabric containing a combination of static and programmable routes. Events that are transferred by the event manager include:

- Peripheral event transferred to the CPU as an interrupt request (IRQ) (static event)
- Example: RTC interrupt is sent to the CPU
- Peripheral event transferred to the DMA as a DMA trigger (DMA Event)
  - Example: UART data receives a trigger to DMA to request a DMA transfer
- Peripheral event transferred to another peripheral to directly trigger an action in hardware (generic event)
  - Example: The TIMx timer peripheral publishes a periodic event to the ADC subscriber port, and the ADC uses the event to trigger start-of-sampling

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description             | Faults   Failure Modes                                                          |
|------------------|-------------------------|---------------------------------------------------------------------------------|
| ADC3             | AL)(C triager overflow) | Covers faults in the event fabric which can result in spurious triggers to ADC. |
|                  |                         | Targets the static configuration registers in event fabric.                     |

### Table 5-17. Events Safety Mechanisms



| Table 3-17. Events Salety Mechanisms (continued) |                         |                                                                                                                                                                                                                                                                  |
|--------------------------------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Safety Mechanism                                 | Description             | Faults   Failure Modes                                                                                                                                                                                                                                           |
| GPIO3                                            |                         | The GPIO module can be triggered by other<br>IPs and this mechanism, which is defined to<br>cover faults in GPIO, can also cover faults in<br>the event fabric which results in one of the<br>GPIOs missing the trigger.                                         |
| WDT                                              | windowed watchdog event | Targets faults in the event fabric which<br>results in the trigger not propagating through<br>the event fabric (events which are periodic<br>in nature). Such failures can lead to a<br>CPU program sequence getting altered and<br>triggering a watchdog event. |

#### Table 5-17. Events Safety Mechanisms (continued)

# **5.15 IOMUX**

The IOMUX manages the selection of the peripheral function used on a digital I/O. The IOMUX also provides the controls for the output driver, input path, and the wake-up logic for wakeup from SHUTDOWN mode.

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Safety Mechanism | Description                                                   | Faults   Failure Modes                                                                                                            |
|------------------|---------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| GPIO1            | Online monitoring using I/O loopback                          | This tests the functioning of GPIO. This test<br>also provides coverage for the faults in the<br>IOMUX logic and the I/O drivers. |
| IOMUX1           | Periodic software read back of static configuration registers | Targets the static configuration registers in IOMUX.                                                                              |
| IOMUX2           | IOMUX coverage as part of other IP safety mechanisms          | In general, any fault in IOMUX is covered by the safety mechanisms of the IPs.                                                    |

#### Table 5-18. IOMUX Safety Mechanisms

# 5.16 VREF

The shared voltage reference module (VREF) in these devices contain a configurable voltage reference buffer, which allows users to supply a stable reference to on-board analog peripherals. VREF also supports bringing in an external reference for applications where higher accuracy is required. VREF features include:

- 1.4V and 2.5V user-selectable internal references
- Internal reference supports full speed ADC operation
- Support for bringing in an external reference on the VREF± device pins
- Requires a decoupling capacitor placed on the VREF± pins for proper operation

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Table 5-19 | . VREF | Safety | Mechanisms |
|------------|--------|--------|------------|
|------------|--------|--------|------------|

| Safety Mechanism | Description                                                   | Faults   Failure Modes                                                                                                                                                                       |
|------------------|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ADC4             | ADC window comparator                                         | If ADC is using the internal reference, faults<br>in the VREF can result in ADC results being<br>out of range. These failure modes can be<br>detected using the window comparator in<br>ADC. |
| COMP3            | External pin input to COMP                                    | If the comparator uses the internal reference,<br>then the test which checks the comparator<br>function also provides coverage of faults in<br>the internal reference.                       |
| REF1             | Periodic software read back of static configuration registers | Targets the static configuration registers in comparator.                                                                                                                                    |



| Table 5-19. VREF Safety Mechanisms (continued) |             |                                                                                                                                 |  |
|------------------------------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------|--|
| Safety Mechanism                               | Description | Faults   Failure Modes                                                                                                          |  |
| REF2                                           | ·           | VREF can be tested as part of test which checks the ADC functioning by choosing to use the internal reference for the ADC test. |  |

# 5.17 WWDT and IWDT

The windowed watchdog timer (WWDT) can be used to supervise the operation of the device, specifically code execution. The WWDT can be used to generate a reset or an interrupt if the application software does not successfully reset the watchdog within a specified window of time. Key features of the WWDT include:

- 25-bit counter
- Programmable clock divider
- Eight software selectable watchdog timer periods
- Eight software selectable window sizes
- Support for stopping the WWDT automatically when entering a sleep mode
- Interval timer mode for applications which do not require watchdog functionality (Interval mode is not to be used in safety-critical applications, watchdog is used as a safety mechanism)

The independent watchdog timer (IWDT) in the LFSS is a device-independent supervisor which monitors code execution and overall hang up scenarios of the device. Due to the behavior of LFSS, this IWDT has an individual system of independent power and clock source. If the application software does not successfully reset the watchdog within the programmed time, the watchdog generates a POR reset to the device. Key features of the IWDT include:

- A 25-bit counter with closed and open window
- A counter driven from the LFOSC (fixed 32kHz clock path) with a programmable clock divider
- Eight selectable watchdog timer periods

The following tests must be applied for the targeted ASIL as functional safety mechanisms for this module (to provide diagnostic coverage on a specific function):

| Table 3-20. WWDT and WDT Safety Mechanisms |                                                                  |                                                                                                                  |
|--------------------------------------------|------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|
| Safety Mechanism                           | Description                                                      | Faults   Failure Modes                                                                                           |
| WDT1 (latent fault coverage)               | Periodic software read back of static<br>configuration registers | Targets the static configuration registers in watchdog.                                                          |
| WDT2 (latent fault coverage)               | WWDT counter check                                               | This test is a test of diagnostic which checks the functioning of the counter.                                   |
| WDT3 (latent fault coverage)               | WWDT software test                                               | This test is a test of diagnostic, which targets the reset or NMI generation logic.                              |
| WDT4 (latent fault coverage)               | Redundant WDT                                                    | This is a test of diagnostic which covers<br>the latent faults in the watchdog by using a<br>redundant watchdog. |

#### Table 5-20 WWDT and IWDT Safety Mechanisms

Note

The watchdog is a safety mechanism and only latent faults are considered.

# 5.18 CRC

The cyclical redundancy check (CRC) module provides a signature for an input data sequence. Key features of the CRC module include:

- Support for 16-bit CRC based on CRC16-CCITT
- Support for 32-bit CRC based on CRC32-ISO3309
- Support for bit reversal

Many safety mechanisms involve computing CRC on a block of data. This module can be used to do those checks efficiently (to provide diagnostic coverage on a specific function):

| Safety Mechanism               | Description                                                  | Faults   Failure Modes                                                                              |  |
|--------------------------------|--------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|--|
| CRC (latent fault coverage)    | CRC Checker                                                  | Any fault in CRC computation is covered<br>by the CRC check being different from the<br>golden CRC. |  |
| (`R(`1 (latent fault coverade) | Periodic software readback of static configuration registers | Targets the static configuration registers in CRC.                                                  |  |

# Table 5-21. CRC Safety Mechanisms

# Note

Since CRC is a safety mechanism, only latent faults are considered.

# Chapter 6 MSPM0Lx22x-Q1 Management of Random Faults



For a functional safety critical development it is necessary to manage both systematic and random faults. The MSPM0Lx22x-Q1 component architecture includes many functional safety mechanisms, which can detect and respond to random faults when used correctly. This section of the document describes the architectural functional safety concept for each sub-block of the MSPM0Lx22x-Q1 component. The system integrator shall review the recommended functional safety mechanisms in the functional safety analysis report (FMEDA) in addition to this safety manual to determine the appropriate functional safety mechanisms to include in their system. The component data sheet or technical reference manual (if available) are useful tools for finding more specific information about the implementation of these features.

# 6.1 Fault Reporting

Internal faults are reported to the host controller through the host bus.

# 6.2 Functional Safety Mechanism Categories

This section includes a description of the different types of functional safety mechanisms that are applied to the design blocks of the MSPM0Lx22x-Q1 component.

The functional safety mechanism categories are defined as follows:

| Component<br>Hardware<br>Functional Safety<br>Mechanisms              | A safety mechanism that is implemented by TI in silicon which can communicate error status upon the detection of failures. The safety mechanism may require software to enable its functionality, to take action when a failure is detected, or both.                                                                                                                                                                                                                 |
|-----------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Component<br>Hardware and<br>Software Functional<br>Safety Mechanisms | A test recommended by TI which requires both, safety mechanism hardware which has<br>been implemented in silicon by TI, and which requires software. The failure modes of<br>the hardware used in this safety mechanisms are analyzed or described as part of<br>the functional safety analysis or FMEDA. The system implementer is responsible for<br>analyzing the software aspects for this safety mechanism.                                                      |
| Component<br>Software Functional<br>Safety Mechanisms                 | A software test recommended by TI. The failure modes of the software used in this safety mechanism are not analyzed or described in the functional safety analysis or FMEDA. For some components, TI may provide example code or supporting code for the software functional safety mechanisms. This code is intended to aid in the development, but the customer shall do integration testing and verification as needed for their system functional safety concept. |
| System Functional<br>Safety Mechanisms                                | A safety mechanism implemented externally of this component. For example an external monitoring IC would be considered to be a system functional safety mechanism.                                                                                                                                                                                                                                                                                                    |
| Test for Safety<br>Mechanisms                                         | This test provides coverage for faults on a safety mechanism only. It does not provide coverage for the primary function.                                                                                                                                                                                                                                                                                                                                             |
| Alternative Safety<br>Mechanisms                                      | An alternative safety mechanism is not capable of detecting a fault of safety mechanism hardware, but instead is capable of recognizing the primary function fault (that another safety mechanism may have failed to detect). Alternate safety mechanisms are typically used when there is no direct test for a safety mechanism.                                                                                                                                     |



# 6.3 Description of Functional Safety Mechanisms

This section provides a brief summary of the functional safety mechanisms available on this component.

# 6.3.1 ADC1, COMP1, DMA1, GPIO2, TIM2, I2C2, IOMUX1, SPI2, UART2, SYSCTL5, CPU4, CRC1, EVENT1, REF1, WDT1, VBAT2:

### Periodic Read of Static Configuration Registers

A periodic software read of static configuration registers is one of the methods listed in ISO26262 (Table D-4, Chapter 5). This mechanism involves the software verifying the values of static configuration registers against a known reference. One of the methods is to compute a reference CRC signature for the static configuration register values. During the course of the application, the CRC is computed periodically and compared with the reference CRC signature.

| SM          | Configuration Registers                                                                                                                          |
|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
| UART2       | ADDR, AMASK, CLKDIV2, CTL0, FBRD, GFCTL, IBRD, IFLS,<br>IRCTL, LCRH, TDR, IMASK, CLKSEL, CLKDIV, PDBGCTL                                         |
| SPI2        | CTL0, CTL1, CLKCTL, IFLS, IMASK, CLKSEL, CLKDIV                                                                                                  |
| I2C2        | GFCTL, CCR, CCTR, CFIFOCTL, CSA, CTPR, PECCTL, TCTR,<br>TFIFOCTL, TOAR, TOAR2, TIMEOUT, IMASK, CLKSEL, CLKDIV,<br>TEST0, PDBGCTL                 |
| CPU4        | NVIC.IRQEN, NVIC.IRQLVL, SYST_CSR, SYST_RVR, MPU_CTRL                                                                                            |
| DMA1        | IMASK, DMATSEL, DMACTL, DMAPRIO                                                                                                                  |
| CRC1_latent | CRCCTRL, CRCPOLY                                                                                                                                 |
| WDT1        | WDT: WDTCTL0, WDTCTL1, IMASK, PDBGCTL IWDT: WDTCTL, WDTDBGCTL and WDTEN                                                                          |
| EVENT1      | CHANID                                                                                                                                           |
| GPIO2       | CLKOVR, CTL, DMAMASK, FASTWAKE, FILTEREN, IMASK,<br>PDBGCTL, POLARITY, SUB0CFG, SUB1CFG, TEST0                                                   |
| IOMUX1      | PINCM                                                                                                                                            |
| COMP1       | CTL0, CTL1, CTL2, CTL3, IMASK                                                                                                                    |
| TIM2        | LD, PL, CTRCTL, CCACT, CCCTL, IFCTL, IMASK, CCLKCTL,<br>CCPD, CLKDIV, CLKSEL, CPS, CTRIGCTL, FSCTL, ODIS,<br>PDBGCTL                             |
| ADC1        | CLKFREQ, CTL0, CTL1, CTL2, DEBUG1, DEBUG2, DEBUG3,<br>DEBUG4, MEMCTL, SCOMP0, SCOMP1, TEST0, TEST1, TEST2,<br>TEST3, TEST4, TEST5, WCHIGH, WCLOW |
| REF1        | CTL0, CTL1, CTL2                                                                                                                                 |
| SYSCTL5     | FLASHSRAMCFG, GENCLKCFG, GENCLKEN, HFCLKCLKCFG,<br>HSCLKCFG, HSCLKEN, MCLKCFG, PMODECFG, SYSOSCCFG                                               |

# Table 6-1. Configuration Registers Associated With Different Safety Mechanisms

#### Note

Static configuration registers, are those registers whose contents are configured once and remain constant through the course of application.

# 6.3.2 ADC2: Software Test of Functionality

In this method, the internal DAC output is used to set up a known voltage on the ADC input channel and the other parameters of the ADC, for example, the sampling time, reference sources, and sequencer modes are set up similar to the actual application. A software trigger can be utilized to trigger the ADC. The output of the ADC can be compared against the expected range. The test can include multiple samples to check various features of ADC being used in the application context (for example, averaging, check for offset errors, and so forth).



### 6.3.3 ADC3: ADC Trigger Overflow Check

If a trigger to ADC fires, while a sample or conversion operation is in progress, the TOVIFG flag sets. This flag can be configured to generate an interrupt and appropriate action can be taken.

### 6.3.4 ADC4: Window Comparator

There is one window comparator unit available in the ADC which can be used to check if the input signal is within predefined threshold values set by software. The ADC result (digital value corresponding to the input signal level) that goes into MEMRES or FIFO is what gets checked against the threshold values of the window comparator.

Based on the comparison, the result can generate three interrupt conditions:

- 1. LOWIFG Conversion result is below the low threshold (WCLOW)
- 2. HIGHIFG Conversion result is above the high threshold (WCHIGH)
- 3. INIFG Conversion result is in between, or equal to, the low and high thresholds

The low and high threshold values of the window comparator are global for all channels and the window comparison feature can be enabled for each channel (as needed) using the WINCOMP bit in the MEMCTL register.

When the result data format (CTL2.DF) or resolution (CTL2.RES) of the ADC configuration is changed, the threshold values of the window comparator are not reset by hardware and are retained as is. The software application is expected to reconfigure the threshold values (as appropriate) after changing the data format or resolution configuration (or both).

### 6.3.5 ADC5: Test of Window Comparator

This test checks if the window comparator is working. As part of the ADC2 test, or a separate test, the ADC2 can be set so the threshold results in the ADC crossing the predefined thresholds. The test can check if the window comparator logic detects these conditions.

# 6.3.6 ADC6: ADC Trigger, Output Plausibility Checks

This checks the plausibility of inputs being sampled by ADC. For example, if information is related to:

- Expected bandwidth of the input signal
- Range of the signal
- Expected sampling rate

Checks can be performed to see if the readings meet these plausibility conditions. In addition to doing checks on the ADC output, the time duration from the last interrupt can be checked in software and compared against the expected ADC sampling rate. If the duration from the last interrupt is beyond the acceptable range, corrective actions can be taken.

#### 6.3.7 COMP3: External Pin Input to COMP

In case the 12-bit DAC is unavailable, an external input can be connected to the positive terminal input and the negative terminal is fed by internal DAC8 (COMPDAC). Software can vary the DAC8 setting and check the output from COMP (for example, 0 or 1).

#### 6.3.8 COMP4: Comparator Hysteresis

The comparator supports programmable hysteresis voltages for fast and ultra-low-power modes to avoid spurious output transitions in case of noisy input signals. This comparator support can be used as a fault avoidance measure against noise in the input.

# 6.3.9 WDT: Windowed Watchdog Timer

TI recommends using the windowed watchdog timer to monitor the application program sequence. The WWDT can be used to generate a reset or an interrupt if the application software does not successfully reset the watchdog within a specified window of time. Key features of the WWDT include:



- 25-bit counter
- Programmable clock divider
- · Eight software-selectable watchdog timer periods
- Eight software-selectable window sizes
- Support for stopping the WWDT automatically when entering a sleep mode
- · Interval timer mode for applications which do not require watchdog functionality

For more details, see the *WWDT* chapter of the *MSPM0Lx22x-Q1 Microcontrollers Technical Reference Manual*.

### 6.3.10 WDT2: WWDT Counter Check

At start-up, the counter can be configured in the interval-timer mode and the clock dividers can be configured to smaller values so that the counter overflows fast. In the interrupt routine, WDT can be reset using the RSTCTL register. If the WDT timer does not timeout in the given time, an error is flagged.

### 6.3.11 WDT3: WWDT Software Test

The WWDT module can be tested periodically by inducing a fault condition and checking that the fault is triggering a reset or NMI. The test can include checking that counter is operational.

#### 6.3.12 WDT4: Redundant WDT

To obtain latent fault coverage on WDT, two WDTs can be simultaneously enabled with the same configuration. This configuration enables covering latent faults in WDT.

### 6.3.13 IWDT: Independent Watchdog Timer

The independent watchdog timer is similar to a windowed watchdog timer but without the windowing. This safety mechanism can be used in case of failures, which results in software hang.

### 6.3.14 REF2: VREF to ADC Reference Input

The internal reference voltage given out from VREF is used as a reference voltage in ADC for ADC operations, and the ADC converted result is compared against the expected digital value.

# 6.3.15 CPU1: CPU Test Using Software Test Library

The Cortex®M0+ CPU and MPU are tested using the ARM® software test library (M0+ STL rev. r0p0).

#### 6.3.16 CPU2: Software Test of CPU Data Busses

This test method involves writing a known value to different addresses in the memory map, reading back the values, and checking the read-back value. The peripheral region is covered when the respective static register tests execute. Depending on the application use, the flash and SRAM regions can be tested so the address is in powers of two.

#### 6.3.17 CPU3: Software Diversified Redundancy

In this method, the computation done by the primary function is also computed in an alternate function (different algorithm or implementation), and the results of the primary and alternate functions are compared. This provides redundancy in software and uses the same underlying hardware.

#### 6.3.18 SYSMEM1: Software Read of Memory, DMA Write

In this method, different data values can be written to different address locations in SRAM from DMA, and the data can be verified by CPU reads (a CRC check can also be performed).

# 6.3.19 SYSMEM2: DMA Read from SRAM, CPU Write

Different data values can be written to different address locations within SRAM by CPU, and DMA can be configured to copy this data to another region in SRAM. The CPU can be used to verify the transferred data.



### 6.3.20 SYSMEM7: ECC Protection on SRAM

The RAM in MSPM0Lx22x-Q1 parts have ECC check bits associated with each 64 bits of data. When RAM contents are read, an ECC check is performed which can do single-error correction and double-error detection.

### 6.3.21 SYSMEM8: ECC Logic Test

In this method, an incorrect ECC value (for the corresponding data) is written and a read from the same location is performed. The test checks that an ECC error occurs (single or double-bit error, depending on how many bits were corrupted). Using unchecked memory aperture, data bits can be written independent of ECC bits. When the same location is accessed from the region which was checked through ECC, an ECC error occurs. This method can be used to check the ECC logic.

### 6.3.22 SYSMEM9: RAM Software Test

To cover the multipoint latent faults in SRAM, a software test can be executed at start-up to cover all the locations used in the application. This test gives coverage for multiple bit fails in locations not normally accessed during application run time.

**Note** Only when multiple test patterns (or March C algorithms, and so forth) are used, can the DC reach medium level.

# 6.3.23 FLASH1: Flash Single-Error Correction, Double-Error Detection Mechanism

The flash in MSPM0Lx22x-Q1 parts have ECC check bits associated with data bits. When flash contents are read, the expected code bits are computed in hardware and compared against the stored code bits. This mechanism can correct single-bit errors and can detect double-bit errors. The address bits are also included in the code computation to cover errors in address decoding logic.

#### 6.3.24 FLASH2: Flash CRC

This test provides increased coverage on multipoint latent faults (locations in FLASH which are accessed only on specific exception conditions that cannot be accessed during multiple on and off cycles). These locations can develop multipoint faults over time. To cover these kind of locations, a CRC test is done on the regions that are expected to be used by application.

# 6.3.25 FXBAR2: Periodic Software Read Back of Flash Data

In this method, a known set of test data values are stored in flash and periodically this flash data is read and compared against expected data.

#### 6.3.26 FXBAR3: Software Test of ECC Checker Logic

In this method, a few locations in flash can have corrupted data or ECC bits. These locations can be read to check that the ECC checker logic and interrupt or NMI generation is working properly.

#### 6.3.27 FXBAR4: Write Protection of Flash

MSPM0 MCUs implement a static write protection scheme to lock out user-defined sectors in the main flash from unintended program and erase.

#### 6.3.28 DMA2: Software Test of DMA Function

In this test mechanism, one of the DMA channels is dedicated to a diagnostic test. This channel can be configured to do transfers of known data content from a fixed source (SRAM or flash) to a fixed destination (SRAM or CRC engine). Periodically, the diagnostic channel can be triggered in software and the proper transfer of data can be checked in software.



# 6.3.29 DMA3: Software DMA Channel Test

In this method, DMA channels in use are periodically triggered after changing the source address to flash and destination address to SRAM. Known data is transferred from flash to SRAM and the data in SRAM is compared to the data in flash. In addition, a timer can be set up to monitor completion within a reasonable time.

### 6.3.30 DMA4: CRC Check of the Transferred Data

In this method, on a DMA transfer-done interrupt, data coherency can be checked. The data packet can include an expected CRC value. In software, a CRC is computed and checked against the expected CRC.

#### Note

Medium coverage can be claimed under the following circumstances:

- 1. Medium overall coverage of failure modes in data transmission; a Hamming distance of three or more.
- 2. A CRC value for message information is embedded in message; with a CRC size of 8 bits and a 0x97 polynomial results in a Hamming distance of four for a data length of less than 119 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (typically used in a LIN bus).
- 3. A CRC value for message information and message ID is embedded in the message; with a CRC size of 10 bits and a 0x319 polynomial results in a Hamming distance of four for a data length of less than 501 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value.
- 4. A CRC value for message information and message ID is embedded in the message; with a CRC size of 15 bits and a 0x4599 polynomial results in a Hamming distance of five for a data length of less than 127 bits. Additionally, burst errors of a length up to 15 can be detected. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in CAN).
- 5. A CRC value for message information is embedded in the message, with a CRC size of 24 bits and a 0x5D6DCB polynomial results in a Hamming distance of the CRC of six for a data length of less than, or equal to, 248 bytes and a Hamming distance of the CRC of four for a data length of greater than 248 bytes. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in FlexRay<sup>™</sup> for the frame CRC).
- 6. A CRC value for message header (including the message ID) is embedded in the message; with a CRC size of 11 bits and a 0x385 polynomial results in a Hamming distance of six for a data length of less than, or equal to, 20 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in FlexRay<sup>™</sup> for the header CRC).

#### 6.3.31 GPIO1: Online Monitoring Using I/O Loopback

In this test method, the GPIO pin is setup with a known value and the status of the pin can be read back using the DIN register. The loopback happens at the I/O driver, and hence, can read the pin status. This method can be applied when the GPIO is configured as an output.

#### 6.3.32 GPIO3: GPIO Multiple (Redundant) Inputs/Outputs

If GPIO is controlling critical functions, the same outputs can be generated on two or more pins and an external function can be controlled based on majority voting. In the event a trigger mechanism (triggers can be from other peripherals, like GP timers, and so forth) is used to change the state of the GPIO pins, one subscriber can be used for one set of pins and another subscriber can be used for the other set of pins.

In the case of critical inputs being read through the GPIO, the same signal can be connected to two, or more, pins and the values that are read on the different pins can be compared to detect differences.



#### Note

The redundant pins must not be adjacent to prevent any coupling. TI recommends that the redundant pins are from two different GPIO instances.

#### 6.3.33 TIM1: Test for PWM Generation

In this test, a second timer can be used to check the pregenerated PWM signal properties. To conduct the test, the PWM output from the main timer is looped to another timer. The measuring timer can then be used to measure the pulse width and period of the PWM waveform.

|                                     | Note |
|-------------------------------------|------|
| Use the same clock for both timers. |      |

### 6.3.34 TIM3: Test for Fault Generation

In this method, when the timer is idle, the polarity of the fault pin can be changed (FCTL.FSENEXTx) to the alternate value. This triggers a fault that can be checked by reading the status register. This method can be used to check if the fault detection circuit is working as expected.

#### 6.3.35 TIM4: Fault Detection to Take the PWMs to Safe State

If the timer outputs are driving power stages, the overcurrent (undercurrent) or overvoltage (undervoltage) signals from the power stage can be connected to fault pins. These fault signals can be monitored by the timer. The timer can be configured to take the output to a safe state by appropriately configuring the fault entry action. For more details, refer to the TIMx chapter of *MSPM0Lx22x-Q1 Microcontrollers Technical Reference Manual*.

#### 6.3.36 TIM5: Input Capture on Two or More Timer Instances

In the case where timing parameters of safety-critical inputs are measured, two or more spins can be connected to the same signal (redundancy), and the measured parameters (in different timer instances) can be compared to determine if the parameters are within the acceptable range. Input capture must be done on different timer instances. This covers faults in the clock divider as the measured timing parameters deviate from the expected values on the second instance.

#### 6.3.37 TIM6: Timer Period Monitoring

The timer generates periodic interrupts. In the interrupt routine, the timer period can be monitored to check if there is any deviation.

### 6.3.38 I2C1: Software Test of I2C Function Using Internal Loopback Mechanism

The I2C modules can be placed into an internal loopback mode for diagnostic or debug work by setting the LPBK bit in the I2C controller configuration I2Cx.MCR register. In loopback mode, the SDA and SCL signals from the controller part of the I2C are tied to the SDA and SCL signals of the target part of the I2C module to allow internal testing of the device without having to connect the I/Os.

This loopback mechanism can be used to transmit known data from transmit to receive. The I2C configuration can be similar to the application configuration, regarding the bit rate, FIFO usage, and so forth. The completion of the test can be timed to be within expected limits to detect any faults in the bit rate timing.

**Note** The loopback does not cover failures of I/O pins. These failures are covered by other safety mechanisms.

### 6.3.39 I2C3, SPI4, UART3, MCAN2: Information Redundancy Techniques Including End-to-End Safing

End-to-end safing includes a combination of techniques like information redundancy (adding CRC checks to the payload, for example), redundant transmissions, time diversity in transmissions, and so forth. Most commonly, checksums are added to the payload section of a transmission to verify the correctness of a transmission. The checksums, sequence counter, and timeout expectation (or time stamp) are applied, in addition to any

protocol-level parity and checksums. As these parameters are generated and evaluated by the software, at either end of the communication, the whole communication path is safed, resulting in end-to-end safing.

# Note

Medium coverage using CRC can be claimed under following circumstances:

- 1. Medium overall coverage of failure modes in data transmission; a Hamming distance of three or more.
- A CRC value for message information is embedded in message; with a CRC size of 8 bits and a 0x97 polynomial results in a Hamming distance of four for a data length of less than 119 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (typically used in a LIN bus).
- 3. A CRC value for message information and message ID is embedded in the message; with a CRC size of 10 bits and a 0x319 polynomial results in a Hamming distance of four for a data length of less than 501 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value.
- 4. A CRC value for message information and message ID is embedded in the message; with a CRC size of 15 bits and a 0x4599 polynomial results in a Hamming distance of five for a data length of less than 127 bits. Additionally, burst errors of a length up to 15 can be detected. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in CAN).
- 5. A CRC value for message information is embedded in the message, with a CRC size of 24 bits and a 0x5D6DCB polynomial results in a Hamming distance of the CRC of six for a data length of less than, or equal to, 248 bytes and a Hamming distance of the CRC of four for a data length of greater than 248 bytes. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in FlexRay<sup>™</sup> for the frame CRC).
- 6. A CRC value for message header (including the message ID) is embedded in the message; with a CRC size of 11 bits and a 0x385 polynomial results in a Hamming distance of six for a data length of less than, or equal to, 20 bits. The transmitter includes the CRC value mentioned and the receiver confirms the data after calculating and comparing the CRC value (as used in FlexRay<sup>™</sup> for the header CRC).

# 6.3.40 I2C4, SPI5, UART4: Transmission Redundancy

This is an application-level diagnostic where information is transferred several times in sequence using the same module instance and then compared. When the same data path is used for duplicate transmissions, transmission redundancy is only useful for detecting transient faults. The diagnostic coverage can be improved by sending inverted data during the redundant transmission.

# 6.3.41 I2C5, UART5: Timeout Monitoring

Periodic safety messages (an application-level technique) can be transmitted and received. When a safety message is not received in the expected time interval, the event can indicate loss of data communication. This monitoring is done continuously in the application.

# 6.3.42 I2C6: Test of CRC Function

I2C has a packet error check mechanism in the SMBUS mode. To check this function, messages are sent with corrupted data and a check is made to see if the CRC logic flags an error.

# 6.3.43 I2C7: Packet Error Check in SMBUS Mode

When I2C is used in SMBUS mode, the packet error check is done in hardware as part of the protocol. This is a fault-avoidance measure.



# 6.3.44 IOMUX2: IOMUX Coverage as Part of Other IP Safety Mechanisms

The majority of faults in the IOMUX logic are covered by the safety mechanisms of the blocks interfacing with the IOMUX (refer to Table 6-2).

| Signal Category            | Diagnostics That Address IOMUX                                         |  |  |  |  |  |  |
|----------------------------|------------------------------------------------------------------------|--|--|--|--|--|--|
| Serial ports               | I2C1, I2C3, SPI1, SPI4, SPI5, UART1, UART3, UART4, UART5, MCAN1, MCAN2 |  |  |  |  |  |  |
| Timers                     | TIM1, TIM3, TIM4, TIM5                                                 |  |  |  |  |  |  |
| GPIO static pins           | GPIO1, GPIO3                                                           |  |  |  |  |  |  |
| GPIO interrupts (periodic) | WDT                                                                    |  |  |  |  |  |  |
| Clock inputs               | SYSCTL1, SYSCTL3, SYSCTL9                                              |  |  |  |  |  |  |

### Table 6-2. IOMUX Coverage

### 6.3.45 SPI1: Software Test of SPI Function

The SPI can be placed into an internal loopback in controller mode by setting the LBM bit in the SPI.CTL1 register. In loopback mode, data transmitted on the TX output is received on the RX input. FIFO related faults can be diagnosed using this test. For checking the clock setting, the test execution time can be timed using timers.

**Note** The loopback does not cover failures of I/O pins. These failures are covered by other safety mechanisms.

# 6.3.46 SPI3: SPI Periodic Safety Message Exchange

An application-level check can be added to periodically send and receive test message when the SPI is in peripheral mode. In software, a timeout mechanism needs to be implemented to cover this check.

### 6.3.47 UART1: Software Test of UART Function

The UART can be placed into an internal loopback mode for diagnostic or debug work by setting the LBE bit in the UART.CTL0 register. In loopback mode, data transmitted on the TXD output is received on the RXD input. Data received on the RXD I/O pin is ignored when loopback is enabled. A timer can be used to check if the communication completed within the expected amount of time.

#### Note

The loopback does not cover failures of I/O pins. These failures are covered by other safety mechanisms.

### 6.3.48 UART6: UART Error Flags

UART has error flags for frame error, break error, parity error, and overrun error.

### 6.3.49 UART7: UART Glitch filter

A set of analog and digital glitch filters are present on the RX line. These filters can be used as a fault-avoidance measure for the glitches on the RX line.

# 6.3.50 SYSCTL1: MCLK Monitor

A digital clock monitor is provided to verify that MCLK is alive. An MCLK fault is asserted by the MCLK monitor if there is no MCLK activity within a period of 1-12 LFCLK cycles. An MCLK fault is always considered fatal to the system and generates a BOOTRST.

The MCLK monitor can be enabled once LFCLK is configured and running. To enable the MCLK monitor, set the MCLKDEADCHK bit in the MCLKCFG register in SYSCTL. When enabled, the MCLK monitor runs in all operating modes except for STANDBY1 and SHUTDOWN.



# 6.3.51 SYSCTL2: HFCLK Start-Up Monitor

The HFXT takes time to start after being enabled. A start-up monitor is provided to indicate to the application software if the HFXT has successfully started, at which point the HFCLK can be selected to source a variety of system functions. The HFCLK start-up monitor also supports checking the HFCLK\_IN digital clock input for a clock stuck fault.

When HFXT is started, or the HFCLK\_IN is selected as the HFCLK source, the HFCLKGOOD and HFCLKOFF bits in the CLKSTATUS register in SYSCTL are cleared.

# 6.3.52 SYSCTL3: LFCLK Monitor

A low-power analog circuitry clock monitor is provided to verify that LFCLK is running when LFCLK is not sourced internally (for example, in cases when LFCLK is sourced from LFXT or LFCLK\_IN and not from LFOSC). The LFCLK monitor is only intended to check for clock stuck faults. The LFCLK monitor is not intended to be used to verify that the frequency of LFCLK is within a specific tolerance.

# 6.3.53 SYSCTL8: Brownout Reset (BOR) Supervisor

The brownout reset (BOR) supervisor monitors the external supply (VDD) and asserts or deasserts a BOR violation to SYSCTL.

# 6.3.54 SYSCTL9: FCC Counter Logic to Calculate Clock Frequencies

The frequency clock counter (FCC) enables flexible in-system testing and calibration of a variety of oscillators and clocks on the device. The FCC counts the number of clock periods seen on the selected source clock within a known trigger period (derived from a secondary reference source) to provide an estimation of the frequency of the source clock.

# 6.3.55 SYSCTL10: External Voltage Monitor

Use an external voltage monitor on VCORE PAD to monitor the LDO output.

### 6.3.56 SYSCTL11: Boot Process Monitor

In the event of a boot fail during execution of the boot configuration routine (BCR), SYSCTL asserts a BOOTRST to reattempt a successful boot. A boot fail can be caused by any of the following:

- 1. Boot configuration data integrity error (this can be used for BOOTROM and flash)
- 2. Device trim integrity error (this can be used for flash)
- 3. BCR timeout (BCR takes significantly longer than expected to complete for any other reason; this can be used for BOOTROM)

# 6.3.57 SYSCTL14: Brownout Voltage Monitor

The brownout circuit can be configured to monitor the external supply (VDD) above the BOR reset level. If tripped, the monitor generates a non-maskable interrupt (NMI) event and reconfigures the BOR circuit to be a BOR supervisor reset. This allows software to either warn the user of a depleting battery or initiate a graceful shutdown of the system application, before the BOR circuit issues a BOR supervisor reset.

### 6.3.58 SYSCTL15: External Voltage Monitor

An external voltage supervisor can be used to monitor the power supplies (main supply and the internal LDO output).

# 6.3.59 SYSCTL16: External Watchdog Timer

An external watchdog monitor can be employed to check (sanity check) the working of MCU. In case watchdog monitor flags an error, the system software can take the required action.

# 6.3.60 CRC: CRC Checker

The hardware CRC module can be used to speed up some of the safety mechanisms involving CRC computation. Any fault within the CRC logic is detected when the CRC signature is incorrect.



### 6.3.61 VBAT1: VBAT Supply Monitor

The brownout reset (BOR) supervisor on VBAT monitors the external supply (VBAT) and asserts or deasserts a BOR violation to SYSCTL.

### 6.3.62 Safety Mechanisms Covering PIN Failures

Package pin-related failures are covered by one or more of the safety mechanisms described. There are two different types of pins.

- GPIOs: These pins multiplex the signals from different IPs; depending on the application context, one of the possible signals can be chosen.
- Dedicated pins: These pins can be power or reset pins.

In the case of GPIO pins, depending on the signal chosen in the context of the application, the safety mechanism applicable to the corresponding IP covers the pin failures. For cases where the pins are reset or power pins, the safety mechanisms covering reset or power are used. For more information, refer to the safety analysis report.

### 6.3.63 Safety Mechanisms Covering Common Cause Failures

Safety analyses to assess common cause failures and dependent failures were performed, and Table 6-3 summarizes the safety mechanisms applicable to such failures.

### Table 6-3. Safety Mechanisms Covering Common Cause Failures

| Failure Applicable                                             | Safety Mechanism                                          |
|----------------------------------------------------------------|-----------------------------------------------------------|
| MCLK failure                                                   | SYSCTL1                                                   |
| VDD failure                                                    | SYSCTL14, SYSCTL15                                        |
| Reset failure                                                  | SYSMEM1, SYSMEM2                                          |
| Failure on common access bus between SRAM ECC checker and SRAM | SYSMEM1, SYSMEM2                                          |
| Common configuration bus failure                               | Typically covered by static configuration register tests. |

Note

These safety mechanisms must always be applied independent from the selection in the FMEDA.



# Appendix A Summary of Recommended Functional Safety Mechanism Usage



Appendix A summarizes the functional safety mechanisms present in hardware or recommended for implementation in software or at the system level as described in Chapter 5. Table A-1 describes each column in Table A-2 and gives examples of what content can appear in each cell.

| Functional Safety Mechanism           | Description                                                                                                                                                                                                                                                                                                                                                                                                                          |
|---------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| TI Safety Mechanism Unique Identifier | A unique identifier assigned to this safety mechanism for easier tracking.                                                                                                                                                                                                                                                                                                                                                           |
| Safety Mechanism Name                 | The full name of this safety mechanism.                                                                                                                                                                                                                                                                                                                                                                                              |
| Safety Mechanism Category             | <b>Safety Mechanism</b> - This test provides coverage for faults on the primary function. It may also provide coverage on another safety mechanism. These tests also provide coverage of primary function multiple-point faults if it covers permanent faults.                                                                                                                                                                       |
|                                       | Test for Safety Mechanism - This test provides coverage for faults of a safety mechanism only. It does not provide                                                                                                                                                                                                                                                                                                                   |
|                                       | coverage on the primary function.                                                                                                                                                                                                                                                                                                                                                                                                    |
|                                       | Fault Avoidance - This is typically a feature used to improve the effectiveness of a related safety mechanism.                                                                                                                                                                                                                                                                                                                       |
| Safety Mechanism Type                 | Can be either hardware, software, a combination of both hardware and software, or system. See Section 6.2 for more details.                                                                                                                                                                                                                                                                                                          |
| Safety Mechanism Operation Interval   | The timing behavior of the safety mechanism with respect to the test interval defined for a functional safety requirement / functional safety goal. Can be either continuous, or on-demand.<br><b>Continuous</b> - the safety mechanism constantly monitors the hardware-under-test for a failure condition.                                                                                                                         |
|                                       | Periodic or On-Demand - the safety mechanism is executed periodically, when demanded by the application. These tests                                                                                                                                                                                                                                                                                                                 |
|                                       | have to be performed within the FTTI (Fault tolerant time interval) determined by the application. The test of diagnostics                                                                                                                                                                                                                                                                                                           |
|                                       | have to be performed once within the multiple-point fault detection interval. This includes Built-In Self-Tests that are executed one time per drive cycle or once every few hours.                                                                                                                                                                                                                                                  |
| Test Execution Time                   | Time period required for the safety mechanism to complete, not including error reporting time.<br>Note: Certain parameters are not set until there is a concrete implementation in a specific component. When component<br>specific information is required, the component data sheet must be referenced.<br>Note: For software-driven tests, the majority contribution of the Test Execution Time is often software implementation- |
|                                       | dependent.                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Action on Detected Fault              | The response that this safety mechanism takes when an error is detected.                                                                                                                                                                                                                                                                                                                                                             |
|                                       | Note: For software-driven tests, the Action on Detected Fault can depend on software implementation.                                                                                                                                                                                                                                                                                                                                 |

#### Table A-1. Legend of Functional Safety Mechanisms



| Functional Safety Mechanism     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Time to Report                  | Typical time required for safety mechanism to indicate a detected fault to the system.<br>Note: For software-driven tests, the majority contribution of the Time to Report is often software implementation-<br>dependent.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Diagnostic Evaluation           | <ul> <li>Basis of diagnostic coverage evaluation:</li> <li>Injection - Diagnostic coverage evaluation is based on TI-driven fault injection campaign</li> <li>Insertion - Diagnostic coverage evaluation is based on customer-driven fault insertion campaign</li> <li>Calculation - Diagnostic coverage evaluation is based on analytical or independent experimental data</li> <li>Estimation - Diagnostic coverage evaluation is based on expert judgment</li> <li>Note: Insertion refers to the ability of a system integrator to inject faults using external test fixtures, e.g. an Ethernet CRC check can be tested by sending in Ethernet packets with a bad CRC. Insertion is not expected to replace functional verification performed by TI. The intention of insertion is first, that the system can verify that the diagnostic is working and the system response to the diagnostic. The second is that a system integrator can, if necessary, measure overall diagnostic effectiveness in the context of their system. For example, the overall diagnostic coverage for methods protecting Ethernet can be measured at the system level by having the entire solution (hardware + software) running and sending in bad packets. The customer can choose to perform these techniques to update the DC values with more accurate numbers pertaining to their use cases. For these diagnostic where insertion is used as DC evaluation method, TI provides the DC coverage based on assumed safety use case in a SEOOC development.</li> </ul> |
| Diagnostic Detection Capability | <ul> <li>Permanent - Diagnostic is capable of detecting permanent faults and runs within FTTI. The diagnostic is also capable of detecting primary function multiple-point faults.</li> <li>Transient - Diagnostic is capable of detecting transient faults and runs within FTTI.</li> <li>Permanent /Transient - Diagnostic is capable of detecting permanent and transient faults and runs within FTTI.</li> <li>Latent - Diagnostic is capable of detecting multiple-point latent faults and runs within MPFTTI.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

Table A-1. Legend of Functional Safety Mechanisms (continued)

| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                               | Safety Mechanism<br>Category | Safety Mechanism<br>Type | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|------------------------------------------------------------------------|------------------------------|--------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| ADC1                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| ADC2                                        | ADC Software Test<br>of Functionality                                  | Safety Mechanism             | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| WDT                                         | Windowed<br>Watchdog Event                                             | Safety Mechanism             | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Reset the Device            | <1µs                     | Estimation               | Permanent or<br>Transient             |
| IWDT                                        | Watchdog Event                                                         | Safety Mechanism             | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Reset the Device            | <1µs                     | Estimation               | Permanent or<br>Transient             |
| ADC3                                        | ADC Trigger<br>Overflow                                                | Safety Mechanism             | Hardware                 | Continuous                             | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Estimation               | Permanent or<br>Transient             |

# Table A-2. Summary of Safety Features and Diagnostics



| WWW. | tı. | com |
|------|-----|-----|
|      |     |     |

| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                                                                                        | Safety Mechanism<br>Category | Safety Mechanism<br>Type   | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| ADC4                                        | ADC Window<br>Comparator                                                                                                        | Safety Mechanism             | Hardware                   | Continuous                             | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Estimation               | Permanent or<br>Transient             |
| ADC5                                        | Test of Window<br>Comparator                                                                                                    | Test for Safety<br>Mechanism | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| ADC6                                        | ADC Trigger or<br>Output Plausibility<br>Check                                                                                  | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| COMP1                                       | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers                                                          | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| COMP3                                       | External Pin Input to COMP                                                                                                      | Safety Mechanism             | System Level<br>Diagnostic | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| COMP4                                       | Comparator<br>Hysteresis                                                                                                        | Fault Avoidance              | Hardware                   | Continuous                             | Application<br>Dependent | N/A                         | N/A                      | N/A                      | N/A                                   |
| CPU1                                        | ARM® Software<br>Test Library                                                                                                   | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Injection                | Permanent                             |
| CPU2                                        | Write or Read<br>Back of Data to<br>Different Regions<br>of Memory to<br>Detect Faults in the<br>Bus Interconnect<br>Components | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SYSCTL11                                    | Boot Process<br>Timeout                                                                                                         | Safety Mechanism             | Hardware +<br>Software     | Periodic or On-<br>Demand              | Application<br>Dependent | Reset the Device            | 10 bus clock cycles      | Estimation               | Permanent or<br>Transient             |
| CPU3                                        | Software Diversified Redundancy                                                                                                 | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| CPU4                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers                                                          | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| CRC                                         | CRC Checker                                                                                                                     | Safety Mechanism             | Hardware +<br>Software     | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| CRC1                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers                                                          | Test for Safety<br>Mechanism | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| DMA1                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers                                                          | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| DMA2                                        | Software DMA<br>Transfer Test                                                                                                   | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |

Table A-2. Summary of Safety Features and Diagnostics (continued)



| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                                  | Safety Mechanism<br>Category | Safety Mechanism<br>Type | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|---------------------------------------------------------------------------|------------------------------|--------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| DMA3                                        | Software DMA<br>Channel Test                                              | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| DMA4                                        | CRC Check of the<br>Transferred Data                                      | Safety Mechanism             | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| EVENT1                                      | Periodic Software<br>Readback of<br>Static Configuration<br>Registers     | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| GPIO3                                       | GPIO Multiple<br>(Redundant) Inputs/<br>Outputs                           | Safety Mechanism             | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| FXBAR2                                      | Periodic Software<br>Read Back of Flash<br>Data                           | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent                             |
| FLASH1                                      | Flash ECC Checker                                                         | Safety Mechanism             | Hardware                 | Continuous                             | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Calculation              | Permanent or<br>Transient             |
| FLASH2                                      | Flash CRC                                                                 | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| FXBAR3                                      | Software Test of<br>ECC Checker Logic                                     | Test for Safety<br>Mechanism | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| FXBAR4                                      | Write Protection of<br>Flash                                              | Safety Mechanism             | Hardware                 | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| GPIO1                                       | Online Monitoring<br>Using I/O Loopback                                   | Safety Mechanism             | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| GPIO2                                       | Periodic Software<br>Readback of<br>Static Configuration<br>Registers     | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| TIM1                                        | Test for Basic PWM<br>Generation                                          | Safety Mechanism             | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| TIM2                                        | Periodic Software<br>Read Back of IP<br>Static Configuration<br>Registers | Safety Mechanism             | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| TIM3                                        | Test for Fault<br>Generation                                              | Test for Safety<br>Mechanism | System                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| TIM4                                        | Fault Detection to<br>Take the PWMs to<br>Safe State                      | Safety Mechanism             | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | <100 bus clock<br>cycles | Estimation               | Permanent or<br>Transient             |
| TIM5                                        | Input Capture on<br>Two or More Timer<br>Instances                        | Safety Mechanism             | Hardware                 | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |

# Table A-2. Summary of Safety Features and Diagnostics (continued)



| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                                   | Safety Mechanism<br>Category                      | Safety Mechanism<br>Type | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|----------------------------------------------------------------------------|---------------------------------------------------|--------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| TIM6                                        | Timer Period<br>Monitoring                                                 | Safety Mechanism                                  | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| I2C1                                        | Software Test of<br>Function Using I/O<br>Loopback                         | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| I2C2                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers     | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| I2C3                                        | Information<br>Redundancy<br>Techniques<br>Including End-to-<br>End Safing | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| I2C4                                        | Transmission<br>Redundancy                                                 | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Transient                             |
| I2C5                                        | Timeout Monitoring                                                         | Safety Mechanism<br>  Test of Safety<br>Mechanism | Software                 | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| I2C6                                        | Test of CRC<br>Function                                                    | Test for Safety<br>Mechanism                      | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| I2C7                                        | Packet Error Check<br>in SMBUS Mode                                        | Fault Avoidance                                   | N/A                      | Continuous                             | Application<br>Dependent | N/A                         | N/A                      | N/A                      | N/A                                   |
| IOMUX1                                      | Periodic Software<br>Readback of<br>Static Configuration<br>Registers      | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| IOMUX2                                      | IOMUX Coverage<br>as Part of Other IP<br>Safety Mechanisms.                | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SPI1                                        | Software Test of<br>Function Using I/O<br>Loopback                         | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SPI2                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers     | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| SPI3                                        | SPI Periodic Safety<br>Message Checks                                      | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SPI4                                        | Information<br>Redundancy<br>Techniques<br>Including End-to-<br>End Safing | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |

Table A-2. Summary of Safety Features and Diagnostics (continued)



| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                               | Safety Mechanism<br>Category | Safety Mechanism<br>Type   | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|------------------------------------------------------------------------|------------------------------|----------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| SPI5                                        | Transmission<br>Redundancy                                             | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Transient                             |
| SYSCTL1                                     | MCLK Monitor                                                           | Safety Mechanism             | Hardware +<br>Software     | Continuous                             | Application<br>Dependent | Reset the Device            | <1µs                     | Estimation               | Permanent or<br>Transient             |
| SYSCTL2                                     | HFCLK Start-up<br>Monitor                                              | Fault Avoidance              | Hardware                   | Periodic or On-<br>Demand              | Application<br>Dependent | N/A                         | N/A                      | N/A                      | N/A                                   |
| SYSCTL3                                     | LFCLK Monitor                                                          | Safety Mechanism             | Hardware +<br>Software     | Periodic or On-<br>Demand              | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Estimation               | Permanent or<br>Transient             |
| SYSCTL5                                     | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| SYSCTL8                                     | Brownout Reset<br>(BOR) Supervisor                                     | Safety Mechanism             | Hardware                   | Periodic or On-<br>Demand              | Application<br>Dependent | Generate an interrupt       | <100 bus clock<br>cycles | Estimation               | Permanent                             |
| SYSCTL9                                     | Clock Frequency<br>Measurement                                         | Safety Mechanism             | Hardware +<br>Software     | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| SYSCTL10                                    | External Voltage<br>Monitor                                            | Safety Mechanism             | System Level<br>Diagnostic | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent                             |
| SYSCTL14                                    | Brownout Voltage<br>Monitor                                            | Safety Mechanism             | Hardware                   | Periodic or On-<br>Demand              | Application<br>Dependent | Reset the Device            | <1µs                     | Estimation               | Permanent                             |
| SYSCTL15                                    | External Voltage<br>Supervisor                                         | Safety Mechanism             | System Level<br>Diagnostic | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SYSCTL16                                    | External Watchdog<br>Timer                                             | Safety Mechanism             | System Level<br>Diagnostic | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| SYSMEM1                                     | Software Read of<br>Memory DMA                                         | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SYSMEM2                                     | Software Read of<br>Memory CPU                                         | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| SYSMEM8                                     | ECC Logic test                                                         | Test for Safety<br>Mechanism | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| SYSMEM7                                     | RAM ECC                                                                | Safety Mechanism             | Hardware                   | Continuous                             | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Calculation              | Permanent or<br>Transient             |
| SYSMEM9                                     | RAM Software Test                                                      | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| UART1                                       | Software Test of<br>Function Using I/O<br>Loopback                     | Safety Mechanism             | Hardware +<br>Software     | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| UART2                                       | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers | Safety Mechanism             | Software                   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |

# Table A-2. Summary of Safety Features and Diagnostics (continued)



| TI Safety<br>Mechanism<br>Unique Identifier | Safety Mechanism<br>Name                                                   | Safety Mechanism<br>Category                      | Safety Mechanism<br>Type | Safety Mechanism<br>Operation Interval | Test Execution<br>Time   | Action on<br>Detected Fault | Time to Report           | Diagnostic<br>Evaluation | Diagnostic<br>Detection<br>Capability |
|---------------------------------------------|----------------------------------------------------------------------------|---------------------------------------------------|--------------------------|----------------------------------------|--------------------------|-----------------------------|--------------------------|--------------------------|---------------------------------------|
| UART3                                       | Information<br>Redundancy<br>Techniques<br>Including End-to-<br>End Safing | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent or<br>Transient             |
| UART4                                       | Transmission<br>Redundancy                                                 | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Transient                             |
| UART5                                       | Timeout Monitoring                                                         | Safety Mechanism<br>  Test of Safety<br>Mechanism | Software                 | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| UART6                                       | UART Error Flags                                                           | Safety Mechanism                                  | Hardware                 | Continuous                             | Application<br>Dependent | Generate an interrupt.      | <100 bus clock<br>cycles | Estimation               | Permanent or<br>Transient             |
| UART7                                       | UART Glitch Filter                                                         | Fault Avoidance                                   | Hardware                 | Continuous                             | Application<br>Dependent | N/A                         | N/A                      | N/A                      | N/A                                   |
| REF1                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers     | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| REF2                                        | VREF to ADC<br>Reference Input                                             | Safety Mechanism                                  | Hardware +<br>Software   | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Permanent                             |
| WDT1                                        | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers     | Test for Safety<br>Mechanism                      | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Latent                                |
| WDT2                                        | WWDT Counter<br>Check                                                      | Test for Safety<br>Mechanism                      | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| WDT3                                        | WWDT Software<br>Test                                                      | Test for Safety<br>Mechanism                      | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| WDT4                                        | Redundant<br>Watchdog                                                      | Test for Safety<br>Mechanism                      | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Insertion                | Latent                                |
| VBAT2                                       | Periodic Software<br>Read Back of<br>Static Configuration<br>Registers     | Safety Mechanism                                  | Software                 | Periodic or On-<br>Demand              | Application<br>Dependent | Refer to Section 4.2        | Application<br>Dependent | Estimation               | Permanent or<br>Transient             |
| VBAT1                                       | Brownout Reset<br>(BOR) Supervisor                                         | Safety Mechanism                                  | Hardware +<br>Software   | Continuous                             | Application<br>Dependent | Generate an<br>interrupt    | <100 bus clock<br>cycles | Estimation               | Permanent                             |

Table A-2. Summary of Safety Features and Diagnostics (continued)

# Appendix B Distributed Developments

# TEXAS INSTRUMENTS

A Development Interface Agreement (DIA) is intended to capture the agreement between two parties towards the management of each party's responsibilities related to the development of a functional safety system. TI functional safety components are typically designed for many different systems and are considered to be Safety Elements out of Context (SEooC) hardware components. The system integrator is then responsible for taking the information provided in the hardware component safety manual, safety analysis report and safety report to perform system integration activities. Because there is no distribution of development activities, TI does not accept DIAs with system integrators.

TI functional safety components are products that TI represents, promotes or markets as helping customers mitigate functional safety related risks in an end application and/or as compliant with an industry functional safety standard or FS-QM. For more information about TI functional safety components, go to TI Functional Safety.

# B.1 How the Functional Safety Lifecycle Applies to TI Functional Safety Products

TI has tailored the functional safety lifecycles of ISO 26262 and IEC 61508 to best match the needs of a functional Safety Element out of Context (SEooC) development. The functional safety standards are written in the context of the functional safety systems, which means that some requirements only apply at the system level. Since TI functional safety components are hardware or software components, TI has tailored the functional safety activities to create new product development processes for hardware and for software that makes sure state-of-the-art techniques and measures are applied as appropriate. These new product development processes have been certified by third-party functional safety experts. To find these certifications, go to TI Functional Safety.

# **B.2 Activities Performed by Texas Instruments**

The TI functional safety products are hardware components developed as functional Safety Elements out of Context. As such, TI's functional safety activities focus on those related to management of functional safety around hardware component development. System level architecture, design, and functional safety analysis are not within the scope of TI activities and are the responsibility of the customer. Some techniques for integrating the SEooC safety analysis of this hardware component into the system level can be found in ISO 26262-11.

| Functional Safety Lifecycle<br>Activity <sup>(1)</sup>                                                         | TI Execution                                   | Customer Execution |
|----------------------------------------------------------------------------------------------------------------|------------------------------------------------|--------------------|
| Management of functional safety                                                                                | Yes                                            | Yes                |
| Definition of end equipment and item                                                                           | No                                             | Yes                |
| Hazard analysis and risk<br>assessment (of end equipment/<br>item)                                             | No                                             | Yes                |
| Creation of end equipment<br>functional safety concept                                                         | No. Assumptions made for internal development. | Yes                |
| Allocation of end equipment<br>requirements to sub-systems,<br>hardware components, and<br>software components | No. Assumptions made for internal development. | Yes                |

### Table B-1. Activities Performed by Texas Instruments Versus Performed by the Customer

| Functional Safety Lifecycle<br>Activity <sup>(1)</sup>  | TI Execution                                  | Customer Execution |  |
|---------------------------------------------------------|-----------------------------------------------|--------------------|--|
| Definition of hardware component<br>safety requirements | Yes                                           | No                 |  |
| Hardware component architecture and design execution    | Yes                                           | No                 |  |
| Hardware component functional<br>safety analysis        | Yes                                           | No                 |  |
| Hardware component verification and validation (V&V)    | V&V executed to support internal development. | Yes                |  |
| Integration of hardware<br>component into end equipment | No                                            | Yes                |  |
| Verification of IC performance in<br>end equipment      | No                                            | Yes                |  |
| Selection of safety mechanisms to be applied to IC      | No                                            | Yes                |  |
| End equipment level verification and validation         | No                                            | Yes                |  |
| End equipment level functional<br>safety analysis       | No                                            | Yes                |  |
| End equipment level functional<br>safety assessment     | No                                            | Yes                |  |
| End equipment release to<br>production                  | Νο                                            | Yes                |  |
| Management of functional safety issues in production    | Support provided as needed                    | Yes                |  |

# Table B-1. Activities Performed by Texas Instruments Versus Performed by the Customer (continued)

(1) For component technical questions, ask our TI E2E<sup>™</sup> support experts.

# **B.3 Information Provided**

Texas instruments has summarized what it considers the most critical functional safety work products that are available to the customer either publicly or under a nondisclosure agreement (NDA). NDAs are required to protect proprietary and sensitive information disclosed in certain functional safety documents.

| Deliverable Name                        | Contents                                                                                                                                                                                       |
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Functional Safety Product Preview       | Overview of functional safety considerations in product development and product architecture. Delivered ahead of public product announcement.                                                  |
| Functional Safety Manual                | User guide for the functional safety features of the product, including system level assumptions of use.                                                                                       |
| Functional Safety Analysis Report       | Results of all available functional safety analysis documented in a format that allows computation of custom metrics.                                                                          |
| Functional Safety Report <sup>(1)</sup> | Summary of arguments and evidence of compliance to functional safety standards.<br>References a specific component, component family, or TI process that was<br>analyzed.                      |
| Assessment Certificate <sup>(1)</sup>   | Evidence of compliance to functional safety standards. References a specific component, component family, or TI process that was analyzed. Provided by a 3rd party functional safety assessor. |

### Table B-2. Product Functional Safety Documentation

(1) When an Assessment Certificate is available for a TI functional safety product, the Functional Safety Report may not be provided. When a Functional Safety Report is provided, an Assessment Certificate may not be available. These two documents fulfill the same functional safety requirements and will be used interchangeably depending on the TI functional safety product.

EXAS

RUMENTS

www.ti.com

# **Revision History**

# TEXAS INSTRUMENTS

NOTE: Page numbers for previous revisions may differ from page numbers in the current version.

| DATE     | REVISION | NOTES                                                         |
|----------|----------|---------------------------------------------------------------|
| May 2025 | *        | Advance Information data revised to Production released data. |



This page intentionally left blank.

# IMPORTANT NOTICE AND DISCLAIMER

TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATA SHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES "AS IS" AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.

These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, regulatory or other requirements.

These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.

TI's products are provided subject to TI's Terms of Sale or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI's provision of these resources does not expand or otherwise alter TI's applicable warranties or warranty disclaimers for TI products.

TI objects to and rejects any additional or different terms you may have proposed.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265 Copyright © 2025, Texas Instruments Incorporated